Make policy deprecation reasons less verbose

oslo.policy emits a deprecation warning for every single rule that we have deprecated at least once when a request comes in, and possibly subsequent times if keystone is running in multiple processes, and even more after keystone is reloaded. It's not useful to repeat nearly identical multi-line messages for each policy every time: logs aren't meant to justify our reasoning, they're just meant to be informative. The relevant information and rationalization can be found in the release notes. Repeating these identical multi-line messages starts to use up space quickly and makes the logs unreadable. This patch reduces the DEPRECATED_REASON for each policy to one brief line, which should help make the logs more readable in general and especially when run in a multiprocess environment, reduce the disk footprint of the logs, and help with log indexing. Change-Id: I98a0c06586b18dbd2f6681a24a5af1ea2de70951 Partial-bug: #1836568
2019-08-06 14:40:30 -07:00 · 2019-08-06 14:40:30 -07:00 · 0526718fee
parent 7c3ba315de
commit 0526718fee
25 changed files with 74 additions and 169 deletions
--- a/keystone/common/policies/application_credential.py
+++ b/keystone/common/policies/application_credential.py
@ -31,13 +31,10 @@ deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_OR_OWNER
 )

-DEPRECATED_REASON = """
-As of the Train release, the application credential API understands how to
-handle system-scoped tokens in addition to project tokens, making the API
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
+DEPRECATED_REASON = (
+    "The application credential API is now aware of system scope and default "
+    "roles."
+)

 application_credential_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/consumer.py
+++ b/keystone/common/policies/consumer.py
@ -36,13 +36,9 @@ deprecated_delete_consumer = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED
 )

-DEPRECATED_REASON = """
-As of the Train release, the OAUTH1 consumer API understands how to
-handle system-scoped tokens in addition to project tokens, making the API
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
+DEPRECATED_REASON = (
+    "The OAUTH1 consumer API is now aware of system scope and default roles."
+)

 consumer_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/credential.py
+++ b/keystone/common/policies/credential.py
@ -25,12 +25,9 @@ SYSTEM_ADMIN_OR_CRED_OWNER = (
 )

 DEPRECATED_REASON = (
-    'As of the Stein release, the credential API now understands how to '
-    'handle system-scoped tokens in addition to project-scoped tokens, making '
-    'the API more accessible to users without compromising security or '
-    'manageability for administrators. The new default policies for this API '
-    'account for these changes automatically.'
+    "The credential API is now aware of system scope and default roles."
 )
+
 deprecated_get_credential = policy.DeprecatedRule(
    name=base.IDENTITY % 'get_credential',
    check_str=base.RULE_ADMIN_REQUIRED
--- a/keystone/common/policies/domain.py
+++ b/keystone/common/policies/domain.py
@ -15,13 +15,9 @@ from oslo_policy import policy

 from keystone.common.policies import base

-DEPRECATED_REASON = """
-As of the Stein release, the domain API now understands how to handle
-system-scoped tokens in addition to project-scoped tokens, making the API more
-accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically
-"""
+DEPRECATED_REASON = (
+    "The domain API is now aware of system scope and default roles."
+)

 deprecated_list_domains = policy.DeprecatedRule(
    name=base.IDENTITY % 'list_domains',
--- a/keystone/common/policies/domain_config.py
+++ b/keystone/common/policies/domain_config.py
@ -41,13 +41,9 @@ deprecated_delete_domain_config = policy.DeprecatedRule(
 )


-DEPRECATED_REASON = """
-As of the Train release, the domain config API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the domain config API.
-"""
+DEPRECATED_REASON = (
+    "The domain config API is now aware of system scope and default roles."
+)

 domain_config_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/ec2_credential.py
+++ b/keystone/common/policies/ec2_credential.py
@ -41,13 +41,9 @@ deprecated_ec2_delete_credentials = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
 )

-DEPRECATED_REASON = """
-As of the Train release, the EC2 credential API understands how to handle
-system-scoped tokens in addition to project tokens, making the API more
-accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
+DEPRECATED_REASON = (
+    "The EC2 credential API is now aware of system scope and default roles."
+)

 ec2_credential_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/endpoint.py
+++ b/keystone/common/policies/endpoint.py
@ -31,13 +31,9 @@ deprecated_delete_endpoint = policy.DeprecatedRule(
    name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
 )

-DEPRECATED_REASON = """
-As of the Stein release, the endpoint API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the endpoint API.
-"""
+DEPRECATED_REASON = (
+    "The endpoint API is now aware of system scope and default roles."
+)


 endpoint_policies = [
--- a/keystone/common/policies/endpoint_group.py
+++ b/keystone/common/policies/endpoint_group.py
@ -71,13 +71,9 @@ deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
 )


-DEPRECATED_REASON = """
-As of the Train release, the endpoint groups API now understands default roles
-and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the endpoint groups API.
-"""
+DEPRECATED_REASON = (
+    "The endpoint groups API is now aware of system scope and default roles."
+)


 group_endpoint_policies = [
--- a/keystone/common/policies/grant.py
+++ b/keystone/common/policies/grant.py
@ -101,13 +101,9 @@ deprecated_revoke_grant = policy.DeprecatedRule(
    name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
 )

-DEPRECATED_REASON = """
-As of the Stein release, the assignment API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the system assignment API.
-"""
+DEPRECATED_REASON = (
+    "The assignment API is now aware of system scope and default roles."
+)

 resource_paths = [
    '/projects/{project_id}/users/{user_id}/roles/{role_id}',
--- a/keystone/common/policies/group.py
+++ b/keystone/common/policies/group.py
@ -45,12 +45,9 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
    '(role:admin and domain_id:%(target.group.domain_id)s)'
 )

-DEPRECATED_REASON = """
-As of the Stein release, the group API understands how to handle system-scoped
-tokens in addition to project and domain tokens, making the API more accessible
-to users without compromising security or manageability for administrators. The
-new default policies for this API account for these changes automatically.
-"""
+DEPRECATED_REASON = (
+    "The group API is now aware of system scope and default roles."
+)

 deprecated_get_group = policy.DeprecatedRule(
    name=base.IDENTITY % 'get_group',
--- a/keystone/common/policies/identity_provider.py
+++ b/keystone/common/policies/identity_provider.py
@ -36,13 +36,9 @@ deprecated_delete_idp = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED
 )

-DEPRECATED_REASON = """
-As of the Stein release, the identity provider API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the identity provider API.
-"""
+DEPRECATED_REASON = (
+    "The identity provider API is now aware of system scope and default roles."
+)

 identity_provider_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/implied_role.py
+++ b/keystone/common/policies/implied_role.py
@ -40,13 +40,9 @@ deprecated_delete_implied_role = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-DEPRECATED_REASON = """
-As of the Train release, the implied role API understands how to
-handle system-scoped tokens in addition to project tokens, making the API
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
+DEPRECATED_REASON = (
+    "The implied role API is now aware of system scope and default roles."
+)


 implied_role_policies = [
--- a/keystone/common/policies/mapping.py
+++ b/keystone/common/policies/mapping.py
@ -36,13 +36,9 @@ deprecated_delete_mapping = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED
 )

-DEPRECATED_REASON = """
-As of the Stein release, the federated mapping API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the federated mapping API.
-"""
+DEPRECATED_REASON = (
+    "The federated mapping API is now aware of system scope and default roles."
+)

 mapping_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/policy.py
+++ b/keystone/common/policies/policy.py
@ -40,13 +40,9 @@ deprecated_delete_policy = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-DEPRECATED_REASON = """
-As of the Train release, the policy API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the policy API.
-"""
+DEPRECATED_REASON = (
+    "The policy API is now aware of system scope and default roles."
+)


 policy_policies = [
--- a/keystone/common/policies/policy_association.py
+++ b/keystone/common/policies/policy_association.py
@ -74,13 +74,9 @@ deprecated_delete_policy_association_for_region_and_service = policy.DeprecatedR
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-DEPRECATED_REASON = """
-As of the Train release, the policy association API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the policy association API.
-"""
+DEPRECATED_REASON = (
+    "The policy association API is now aware of system scope and default roles."
+)

 policy_association_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/project.py
+++ b/keystone/common/policies/project.py
@ -102,13 +102,9 @@ deprecated_delete_project_tags = policy.DeprecatedRule(
 )


-DEPRECATED_REASON = """
-As of the Stein release, the project API understands how to handle
-system-scoped tokens in addition to project and domain tokens, making the API
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
+DEPRECATED_REASON = (
+    "The project API is now aware of system scope and default roles."
+)

 TAGS_DEPRECATED_REASON = """
 As of the Train release, the project tags API understands how to handle
--- a/keystone/common/policies/protocol.py
+++ b/keystone/common/policies/protocol.py
@ -36,13 +36,10 @@ deprecated_delete_protocol = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED
 )

-DEPRECATED_REASON = """
-As of the Stein release, the federated protocol API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the protocol API.
-"""
+DEPRECATED_REASON = (
+    "The federated protocol API is now aware of system scope and default "
+    "roles."
+)

 protocol_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/region.py
+++ b/keystone/common/policies/region.py
@ -29,12 +29,7 @@ deprecated_delete_region = policy.DeprecatedRule(
 )

 DEPRECATED_REASON = (
-    'As of the Stein release, the region API now understands default roles '
-    'and system-scoped tokens, making the API more granular without '
-    'compromising security. The new policies for this API account for these '
-    'changes automatically. Be sure to take these new defaults into '
-    'consideration if you are relying on overrides in your deployment for the '
-    'region API.'
+    "The region API is now aware of system scope and default roles."
 )

 region_policies = [
--- a/keystone/common/policies/role.py
+++ b/keystone/common/policies/role.py
@ -56,13 +56,9 @@ deprecated_delete_domain_role = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED
 )

-DEPRECATED_REASON = """
-As of the Stein release, the role API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the role API.
-"""
+DEPRECATED_REASON = (
+    "The role API is now aware of system scope and default roles."
+)

 role_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/role_assignment.py
+++ b/keystone/common/policies/role_assignment.py
@ -25,13 +25,9 @@ deprecated_list_role_assignments = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED
 )

-DEPRECATED_REASON = """
-As of the Stein release, the role assignment API now understands how to
-handle system-scoped tokens in addition to project-scoped tokens, making
-the API more accessible to users without compromising security or
-manageability for administrators. The new default policies for this API
-account for these changes automatically.
-"""
+DEPRECATED_REASON = (
+    "The assignment API is now aware of system scope and default roles."
+)

 role_assignment_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/service.py
+++ b/keystone/common/policies/service.py
@ -36,13 +36,9 @@ deprecated_delete_service = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED
 )

-DEPRECATED_REASON = """
-As of the Stein release, the service API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the service API.
-"""
+DEPRECATED_REASON = (
+    "The service API is now aware of system scope and default roles."
+)

 service_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/service_provider.py
+++ b/keystone/common/policies/service_provider.py
@ -36,13 +36,9 @@ deprecated_delete_sp = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED
 )

-DEPRECATED_REASON = """
-As of the Stein release, the service provider API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the service provider API.
-"""
+DEPRECATED_REASON = (
+    "The service provider API is now aware of system scope and default roles."
+)

 service_provider_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/token.py
+++ b/keystone/common/policies/token.py
@ -15,12 +15,9 @@ from oslo_policy import policy

 from keystone.common.policies import base

-DEPRECATED_REASON = """
-As of the Train release, the token API now understands how to handle
-system-scoped tokens, making the API more accessible to users without
-compromising security or manageability for administrators. This support
-includes a read-only role by default.
-"""
+DEPRECATED_REASON = (
+    "The token API is now aware of system scope and default roles."
+)

 deprecated_check_token = policy.DeprecatedRule(
    name=base.IDENTITY % 'check_token',
--- a/keystone/common/policies/trust.py
+++ b/keystone/common/policies/trust.py
@ -45,13 +45,9 @@ deprecated_get_trust = policy.DeprecatedRule(
    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
 )

-DEPRECATED_REASON = """
-As of the Train release, the trust API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the service API.
-"""
+DEPRECATED_REASON = (
+    "The trust API is now aware of system scope and default roles."
+)

 trust_policies = [
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/user.py
+++ b/keystone/common/policies/user.py
@ -30,12 +30,9 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
    '(role:admin and token.domain.id:%(target.user.domain_id)s)'
 )

-DEPRECATED_REASON = """
-As of the Stein release, the user API understands how to handle system-scoped
-tokens in addition to project and domain tokens, making the API more accessible
-to users without compromising security or manageability for administrators. The
-new default policies for this API account for these changes automatically.
-"""
+DEPRECATED_REASON = (
+    "The user API is now aware of system scope and default roles."
+)

 deprecated_get_user = policy.DeprecatedRule(
    name=base.IDENTITY % 'get_user',