From 0526718feed24fe47c469bba7542a468c204585c Mon Sep 17 00:00:00 2001 
From: Colleen Murphy Date: Tue, 6 Aug 2019 14:40:30 -0700 Subject: [PATCH] Make policy deprecation reasons less verbose oslo.policy emits a deprecation warning for every single rule that we have deprecated at least once when a request comes in, and possibly subsequent times if keystone is running in multiple processes, and even more after keystone is reloaded. It's not useful to repeat nearly identical multi-line messages for each policy every time: logs aren't meant to justify our reasoning, they're just meant to be informative. The relevant information and rationalization can be found in the release notes. Repeating these identical multi-line messages starts to use up space quickly and makes the logs unreadable. This patch reduces the DEPRECATED_REASON for each policy to one brief line, which should help make the logs more readable in general and especially when run in a multiprocess environment, reduce the disk footprint of the logs, and help with log indexing. Change-Id: I98a0c06586b18dbd2f6681a24a5af1ea2de70951 Partial-bug: #1836568 --- keystone/common/policies/application_credential.py | 11 ++++------- keystone/common/policies/consumer.py | 10 +++------- keystone/common/policies/credential.py | 7 ++----- keystone/common/policies/domain.py | 10 +++------- keystone/common/policies/domain_config.py | 10 +++------- keystone/common/policies/ec2_credential.py | 10 +++------- keystone/common/policies/endpoint.py | 10 +++------- keystone/common/policies/endpoint_group.py | 10 +++------- keystone/common/policies/grant.py | 10 +++------- keystone/common/policies/group.py | 9 +++------ keystone/common/policies/identity_provider.py | 10 +++------- keystone/common/policies/implied_role.py | 10 +++------- keystone/common/policies/mapping.py | 10 +++------- keystone/common/policies/policy.py | 10 +++------- keystone/common/policies/policy_association.py | 10 +++------- keystone/common/policies/project.py | 10 +++------- keystone/common/policies/protocol.py | 11 ++++------- 
keystone/common/policies/region.py | 7 +------ keystone/common/policies/role.py | 10 +++------- keystone/common/policies/role_assignment.py | 10 +++------- keystone/common/policies/service.py | 10 +++------- keystone/common/policies/service_provider.py | 10 +++------- keystone/common/policies/token.py | 9 +++------ keystone/common/policies/trust.py | 10 +++------- keystone/common/policies/user.py | 9 +++------ 25 files changed, 74 insertions(+), 169 deletions(-)
diff --git a/keystone/common/policies/application_credential.py b/keystone/common/policies/application_credential.py
index f09b638453..cebb85b026 100644
--- a/keystone/common/policies/application_credential.py
+++ b/keystone/common/policies/application_credential.py
@@ -31,13 +31,10 @@ deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_OR_OWNER
 )
-DEPRECATED_REASON = """
-As of the Train release, the application credential API understands how to
-handle system-scoped tokens in addition to project tokens, making the API
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
+DEPRECATED_REASON = (
+ "The application credential API is now aware of system scope and default "
+ "roles."
+)
 application_credential_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/consumer.py b/keystone/common/policies/consumer.py
index 94d6ec054d..bf9a6bdd7a 100644
--- a/keystone/common/policies/consumer.py
+++ b/keystone/common/policies/consumer.py
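Review bot: The shortened `DEPRECATED_REASON` gives no hint of where the removed explanation now lives, and nothing beside the constant records why it must stay on one line. The commit message says the rationale is in the release notes, but a maintainer reading only this file could easily re-expand the string. A comment above the assignment would preserve that, for example `# Keep to one line: oslo.policy logs this for every deprecated rule; rationale and override guidance are in the release notes.` The same applies to the `DEPRECATED_REASON` hunks in the other policy files of this patch, several of which (domain_config.py, endpoint.py, region.py and others) also dropped explicit advice to re-check policy overrides.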
@@ -36,13 +36,9 @@ deprecated_delete_consumer = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_REQUIRED
 )
-DEPRECATED_REASON = """
-As of the Train release, the OAUTH1 consumer API understands how to
-handle system-scoped tokens in addition to project tokens, making the API
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
+DEPRECATED_REASON = (
+ "The OAUTH1 consumer API is now aware of system scope and default roles."
+)
 consumer_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/credential.py b/keystone/common/policies/credential.py
index 340f308b3c..f251f0a9d3 100644
--- a/keystone/common/policies/credential.py
+++ b/keystone/common/policies/credential.py
@@ -25,12 +25,9 @@ SYSTEM_ADMIN_OR_CRED_OWNER = (
 )
 DEPRECATED_REASON = (
- 'As of the Stein release, the credential API now understands how to '
- 'handle system-scoped tokens in addition to project-scoped tokens, making '
- 'the API more accessible to users without compromising security or '
- 'manageability for administrators. The new default policies for this API '
- 'account for these changes automatically.'
+ "The credential API is now aware of system scope and default roles."
 )
+
 deprecated_get_credential = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_credential',
 check_str=base.RULE_ADMIN_REQUIRED
diff --git a/keystone/common/policies/domain.py b/keystone/common/policies/domain.py
index 342bcdf615..7d3e3d788e 100644
--- a/keystone/common/policies/domain.py
+++ b/keystone/common/policies/domain.py
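Review bot: In credential.py the replacement literal is double-quoted, while the string it replaces and the neighbouring `'get_credential'` context line are single-quoted, so the file now mixes both styles inside one small block. Matching the surrounding code would read `'The credential API is now aware of system scope and default roles.'`. The region.py hunk swaps single-quoted lines for a double-quoted one in the same way, and the single-quoted context lines in the other files suggest the same mismatch there. The `deprecated_get_credential` call that follows continues outside the hunk.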
@@ -15,13 +15,9 @@ from oslo_policy import policy
 from keystone.common.policies import base
-DEPRECATED_REASON = """
-As of the Stein release, the domain API now understands how to handle
-system-scoped tokens in addition to project-scoped tokens, making the API more
-accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically
-"""
+DEPRECATED_REASON = (
+ "The domain API is now aware of system scope and default roles."
+)
 deprecated_list_domains = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_domains',
diff --git a/keystone/common/policies/domain_config.py b/keystone/common/policies/domain_config.py
index 51b7a4006b..a157f0d5ca 100644
--- a/keystone/common/policies/domain_config.py
+++ b/keystone/common/policies/domain_config.py
@@ -41,13 +41,9 @@ deprecated_delete_domain_config = policy.DeprecatedRule(
 )
-DEPRECATED_REASON = """
-As of the Train release, the domain config API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the domain config API.
-"""
+DEPRECATED_REASON = (
+ "The domain config API is now aware of system scope and default roles."
+)
 domain_config_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/ec2_credential.py b/keystone/common/policies/ec2_credential.py
index ea8603c7ed..b73f949884 100644
--- a/keystone/common/policies/ec2_credential.py
+++ b/keystone/common/policies/ec2_credential.py
@@ -41,13 +41,9 @@ deprecated_ec2_delete_credentials = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
 )
-DEPRECATED_REASON = """
-As of the Train release, the EC2 credential API understands how to handle
-system-scoped tokens in addition to project tokens, making the API more
-accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
+DEPRECATED_REASON = (
+ "The EC2 credential API is now aware of system scope and default roles."
+)
 ec2_credential_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/endpoint.py b/keystone/common/policies/endpoint.py
index 440280838f..b99a40e24c 100644
--- a/keystone/common/policies/endpoint.py
+++ b/keystone/common/policies/endpoint.py
@@ -31,13 +31,9 @@ deprecated_delete_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
 )
-DEPRECATED_REASON = """
-As of the Stein release, the endpoint API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the endpoint API.
-"""
+DEPRECATED_REASON = (
+ "The endpoint API is now aware of system scope and default roles."
+)
 endpoint_policies = [
diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py
index 641d256bda..c9e34dff19 100644
--- a/keystone/common/policies/endpoint_group.py
+++ b/keystone/common/policies/endpoint_group.py
@@ -71,13 +71,9 @@ deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
 )
-DEPRECATED_REASON = """
-As of the Train release, the endpoint groups API now understands default roles
-and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the endpoint groups API.
-"""
+DEPRECATED_REASON = (
+ "The endpoint groups API is now aware of system scope and default roles."
+)
 group_endpoint_policies = [
diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py
index e0c9740557..ab46fb0e8c 100644
--- a/keystone/common/policies/grant.py
+++ b/keystone/common/policies/grant.py
@@ -101,13 +101,9 @@ deprecated_revoke_grant = policy.DeprecatedRule(
 name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
 )
-DEPRECATED_REASON = """
-As of the Stein release, the assignment API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the system assignment API.
-"""
+DEPRECATED_REASON = (
+ "The assignment API is now aware of system scope and default roles."
+)
 resource_paths = [
 '/projects/{project_id}/users/{user_id}/roles/{role_id}',
diff --git a/keystone/common/policies/group.py b/keystone/common/policies/group.py
index 63324d41e7..d33da92892 100644
--- a/keystone/common/policies/group.py
+++ b/keystone/common/policies/group.py
@@ -45,12 +45,9 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
 '(role:admin and domain_id:%(target.group.domain_id)s)'
 )
-DEPRECATED_REASON = """
-As of the Stein release, the group API understands how to handle system-scoped
-tokens in addition to project and domain tokens, making the API more accessible
-to users without compromising security or manageability for administrators. The
-new default policies for this API account for these changes automatically.
-"""
+DEPRECATED_REASON = (
+ "The group API is now aware of system scope and default roles."
+)
 deprecated_get_group = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_group',
diff --git a/keystone/common/policies/identity_provider.py b/keystone/common/policies/identity_provider.py
index fb9fe75d03..2236d2aeac 100644
--- a/keystone/common/policies/identity_provider.py
+++ b/keystone/common/policies/identity_provider.py
@@ -36,13 +36,9 @@ deprecated_delete_idp = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_REQUIRED
 )
-DEPRECATED_REASON = """
-As of the Stein release, the identity provider API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the identity provider API.
-"""
+DEPRECATED_REASON = (
+ "The identity provider API is now aware of system scope and default roles."
+)
 identity_provider_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/implied_role.py b/keystone/common/policies/implied_role.py
index c2c4c8aaff..6d164b0350 100644
--- a/keystone/common/policies/implied_role.py
+++ b/keystone/common/policies/implied_role.py
@@ -40,13 +40,9 @@ deprecated_delete_implied_role = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_REQUIRED,
 )
-DEPRECATED_REASON = """
-As of the Train release, the implied role API understands how to
-handle system-scoped tokens in addition to project tokens, making the API
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
+DEPRECATED_REASON = (
+ "The implied role API is now aware of system scope and default roles."
+)
 implied_role_policies = [
diff --git a/keystone/common/policies/mapping.py b/keystone/common/policies/mapping.py
index d651a3b427..498bc7c842 100644
--- a/keystone/common/policies/mapping.py
+++ b/keystone/common/policies/mapping.py
@@ -36,13 +36,9 @@ deprecated_delete_mapping = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_REQUIRED
 )
-DEPRECATED_REASON = """
-As of the Stein release, the federated mapping API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the federated mapping API.
-"""
+DEPRECATED_REASON = (
+ "The federated mapping API is now aware of system scope and default roles."
+)
 mapping_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/policy.py b/keystone/common/policies/policy.py
index b5163f975a..4c912f33cf 100644
--- a/keystone/common/policies/policy.py
+++ b/keystone/common/policies/policy.py
@@ -40,13 +40,9 @@ deprecated_delete_policy = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_REQUIRED,
 )
-DEPRECATED_REASON = """
-As of the Train release, the policy API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the policy API.
-"""
+DEPRECATED_REASON = (
+ "The policy API is now aware of system scope and default roles."
+)
 policy_policies = [
diff --git a/keystone/common/policies/policy_association.py b/keystone/common/policies/policy_association.py
index 9217d86479..e195d85c10 100644
--- a/keystone/common/policies/policy_association.py
+++ b/keystone/common/policies/policy_association.py
@@ -74,13 +74,9 @@ deprecated_delete_policy_association_for_region_and_service = policy.DeprecatedR
 check_str=base.RULE_ADMIN_REQUIRED,
 )
-DEPRECATED_REASON = """
-As of the Train release, the policy association API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the policy association API.
-"""
+DEPRECATED_REASON = (
+ "The policy association API is now aware of system scope and default roles."
+)
 policy_association_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/project.py b/keystone/common/policies/project.py
index 50f8fa7826..c7b7c0a9d6 100644
--- a/keystone/common/policies/project.py
+++ b/keystone/common/policies/project.py
@@ -102,13 +102,9 @@ deprecated_delete_project_tags = policy.DeprecatedRule(
 )
-DEPRECATED_REASON = """
-As of the Stein release, the project API understands how to handle
-system-scoped tokens in addition to project and domain tokens, making the API
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
+DEPRECATED_REASON = (
+ "The project API is now aware of system scope and default roles."
+)
 TAGS_DEPRECATED_REASON = """
 As of the Train release, the project tags API understands how to handle
diff --git a/keystone/common/policies/protocol.py b/keystone/common/policies/protocol.py
index f57103e183..de2a7299e8 100644
--- a/keystone/common/policies/protocol.py
+++ b/keystone/common/policies/protocol.py
@@ -36,13 +36,10 @@ deprecated_delete_protocol = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_REQUIRED
 )
-DEPRECATED_REASON = """
-As of the Stein release, the federated protocol API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the protocol API.
-"""
+DEPRECATED_REASON = (
+ "The federated protocol API is now aware of system scope and default "
+ "roles."
+)
 protocol_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/region.py b/keystone/common/policies/region.py
index 5b816e87a1..bf60f8ff91 100644
--- a/keystone/common/policies/region.py
+++ b/keystone/common/policies/region.py
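Review bot: In project.py, `TAGS_DEPRECATED_REASON`, visible as context directly below the changed lines, is still a triple-quoted multi-line paragraph. The project tags rules will therefore presumably keep logging the verbose warning this commit removes everywhere else. If that is not deliberate, it should be rewritten in the same parenthesised one-line form, with text along the lines of `"The project tags API is now aware of system scope and default roles."`. Only the first two lines of that string fall inside the hunk, so its full wording is not visible here.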
@@ -29,12 +29,7 @@ deprecated_delete_region = policy.DeprecatedRule(
 )
 DEPRECATED_REASON = (
- 'As of the Stein release, the region API now understands default roles '
- 'and system-scoped tokens, making the API more granular without '
- 'compromising security. The new policies for this API account for these '
- 'changes automatically. Be sure to take these new defaults into '
- 'consideration if you are relying on overrides in your deployment for the '
- 'region API.'
+ "The region API is now aware of system scope and default roles."
 )
 region_policies = [
diff --git a/keystone/common/policies/role.py b/keystone/common/policies/role.py
index 571ebdabfa..7d6a38e461 100644
--- a/keystone/common/policies/role.py
+++ b/keystone/common/policies/role.py
@@ -56,13 +56,9 @@ deprecated_delete_domain_role = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_REQUIRED
 )
-DEPRECATED_REASON = """
-As of the Stein release, the role API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the role API.
-"""
+DEPRECATED_REASON = (
+ "The role API is now aware of system scope and default roles."
+)
 role_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/role_assignment.py b/keystone/common/policies/role_assignment.py
index e0dc9d7777..7a91e813d0 100644
--- a/keystone/common/policies/role_assignment.py
+++ b/keystone/common/policies/role_assignment.py
@@ -25,13 +25,9 @@ deprecated_list_role_assignments = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_REQUIRED
 )
-DEPRECATED_REASON = """
-As of the Stein release, the role assignment API now understands how to
-handle system-scoped tokens in addition to project-scoped tokens, making
-the API more accessible to users without compromising security or
-manageability for administrators. The new default policies for this API
-account for these changes automatically.
-"""
+DEPRECATED_REASON = (
+ "The assignment API is now aware of system scope and default roles."
+)
 role_assignment_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/service.py b/keystone/common/policies/service.py
index ef433e6043..66d3aaa727 100644
--- a/keystone/common/policies/service.py
+++ b/keystone/common/policies/service.py
@@ -36,13 +36,9 @@ deprecated_delete_service = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_REQUIRED
 )
-DEPRECATED_REASON = """
-As of the Stein release, the service API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the service API.
-"""
+DEPRECATED_REASON = (
+ "The service API is now aware of system scope and default roles."
+)
 service_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/service_provider.py b/keystone/common/policies/service_provider.py
index 04bc032de4..4d0e3cb90e 100644
--- a/keystone/common/policies/service_provider.py
+++ b/keystone/common/policies/service_provider.py
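Review bot: The new reason in role_assignment.py says "The assignment API", which is character-for-character the string grant.py now uses, whereas the removed text named the role assignment API. Unless the log line also carries the rule name (not visible in this patch), the two files' warnings become indistinguishable. That makes it harder to tell which set of overridden rules an operator needs to review. Keeping the original name avoids that: `"The role assignment API is now aware of system scope and default roles."`.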
@@ -36,13 +36,9 @@ deprecated_delete_sp = policy.DeprecatedRule(
 check_str=base.RULE_ADMIN_REQUIRED
 )
-DEPRECATED_REASON = """
-As of the Stein release, the service provider API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the service provider API.
-"""
+DEPRECATED_REASON = (
+ "The service provider API is now aware of system scope and default roles."
+)
 service_provider_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/token.py b/keystone/common/policies/token.py
index 6db9913ec2..9fa3c52f16 100644
--- a/keystone/common/policies/token.py
+++ b/keystone/common/policies/token.py
@@ -15,12 +15,9 @@ from oslo_policy import policy
 from keystone.common.policies import base
-DEPRECATED_REASON = """
-As of the Train release, the token API now understands how to handle
-system-scoped tokens, making the API more accessible to users without
-compromising security or manageability for administrators. This support
-includes a read-only role by default.
-"""
+DEPRECATED_REASON = (
+ "The token API is now aware of system scope and default roles."
+)
 deprecated_check_token = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_token',
diff --git a/keystone/common/policies/trust.py b/keystone/common/policies/trust.py
index 96fb698e58..4e9c7f4e18 100644
--- a/keystone/common/policies/trust.py
+++ b/keystone/common/policies/trust.py
@@ -45,13 +45,9 @@ deprecated_get_trust = policy.DeprecatedRule(
 check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
 )
-DEPRECATED_REASON = """
-As of the Train release, the trust API now understands default roles and
-system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the service API.
-"""
+DEPRECATED_REASON = (
+ "The trust API is now aware of system scope and default roles."
+)
 trust_policies = [
 policy.DocumentedRuleDefault(
diff --git a/keystone/common/policies/user.py b/keystone/common/policies/user.py
index 7d1743f776..75a0062cf1 100644
--- a/keystone/common/policies/user.py
+++ b/keystone/common/policies/user.py
@@ -30,12 +30,9 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
 '(role:admin and token.domain.id:%(target.user.domain_id)s)'
 )
-DEPRECATED_REASON = """
-As of the Stein release, the user API understands how to handle system-scoped
-tokens in addition to project and domain tokens, making the API more accessible
-to users without compromising security or manageability for administrators. The
-new default policies for this API account for these changes automatically.
-"""
+DEPRECATED_REASON = (
+ "The user API is now aware of system scope and default roles."
+)
 deprecated_get_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_user',