Make policy deprecation reasons less verbose

oslo.policy emits a deprecation warning for every single rule that we
have deprecated at least once when a request comes in, and possibly
subsequent times if keystone is running in multiple processes, and even
more after keystone is reloaded. It's not useful to repeat nearly
identical multi-line messages for each policy every time: logs aren't
meant to justify our reasoning, they're just meant to be informative.
The relevant information and rationalization can be found in the release
notes. Repeating these identical multi-line messages starts to use up
space quickly and makes the logs unreadable.

This patch reduces the DEPRECATED_REASON for each policy to one brief
line, which should help make the logs more readable in general and
especially when run in a multiprocess environment, reduce the disk
footprint of the logs, and help with log indexing.

Change-Id: I98a0c06586b18dbd2f6681a24a5af1ea2de70951
Partial-bug: #1836568

keystone/common/policies/application_credential.py

@@ -31,13 +31,10 @@ deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_OR_OWNER
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Train release, the application credential API understands how to
+    "The application credential API is now aware of system scope and default "
-handle system-scoped tokens in addition to project tokens, making the API
+    "roles."
-more accessible to users without compromising security or manageability for
+)
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
 
 application_credential_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/consumer.py

@@ -36,13 +36,9 @@ deprecated_delete_consumer = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_REQUIRED
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Train release, the OAUTH1 consumer API understands how to
+    "The OAUTH1 consumer API is now aware of system scope and default roles."
-handle system-scoped tokens in addition to project tokens, making the API
+)
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
 
 consumer_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/credential.py

@@ -25,12 +25,9 @@ SYSTEM_ADMIN_OR_CRED_OWNER = (
 )
 
 DEPRECATED_REASON = (
-    'As of the Stein release, the credential API now understands how to '
+    "The credential API is now aware of system scope and default roles."
-    'handle system-scoped tokens in addition to project-scoped tokens, making '
-    'the API more accessible to users without compromising security or '
-    'manageability for administrators. The new default policies for this API '
-    'account for these changes automatically.'
 )
+
 deprecated_get_credential = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_credential',
     check_str=base.RULE_ADMIN_REQUIRED

keystone/common/policies/domain.py

@@ -15,13 +15,9 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the domain API now understands how to handle
+    "The domain API is now aware of system scope and default roles."
-system-scoped tokens in addition to project-scoped tokens, making the API more
+)
-accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically
-"""
 
 deprecated_list_domains = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_domains',

keystone/common/policies/domain_config.py

@@ -41,13 +41,9 @@ deprecated_delete_domain_config = policy.DeprecatedRule(
 )
 
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Train release, the domain config API now understands default roles and
+    "The domain config API is now aware of system scope and default roles."
-system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the domain config API.
-"""
 
 domain_config_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/ec2_credential.py

@@ -41,13 +41,9 @@ deprecated_ec2_delete_credentials = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Train release, the EC2 credential API understands how to handle
+    "The EC2 credential API is now aware of system scope and default roles."
-system-scoped tokens in addition to project tokens, making the API more
+)
-accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
 
 ec2_credential_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/endpoint.py

@@ -31,13 +31,9 @@ deprecated_delete_endpoint = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the endpoint API now understands default roles and
+    "The endpoint API is now aware of system scope and default roles."
-system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the endpoint API.
-"""
 
 
 endpoint_policies = [

keystone/common/policies/endpoint_group.py

@@ -71,13 +71,9 @@ deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
 )
 
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Train release, the endpoint groups API now understands default roles
+    "The endpoint groups API is now aware of system scope and default roles."
-and system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the endpoint groups API.
-"""
 
 
 group_endpoint_policies = [

keystone/common/policies/grant.py

@@ -101,13 +101,9 @@ deprecated_revoke_grant = policy.DeprecatedRule(
     name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the assignment API now understands default roles and
+    "The assignment API is now aware of system scope and default roles."
-system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the system assignment API.
-"""
 
 resource_paths = [
     '/projects/{project_id}/users/{user_id}/roles/{role_id}',

keystone/common/policies/group.py

@@ -45,12 +45,9 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
     '(role:admin and domain_id:%(target.group.domain_id)s)'
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the group API understands how to handle system-scoped
+    "The group API is now aware of system scope and default roles."
-tokens in addition to project and domain tokens, making the API more accessible
+)
-to users without compromising security or manageability for administrators. The
-new default policies for this API account for these changes automatically.
-"""
 
 deprecated_get_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_group',

keystone/common/policies/identity_provider.py

@@ -36,13 +36,9 @@ deprecated_delete_idp = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_REQUIRED
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the identity provider API now understands default
+    "The identity provider API is now aware of system scope and default roles."
-roles and system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the identity provider API.
-"""
 
 identity_provider_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/implied_role.py

@@ -40,13 +40,9 @@ deprecated_delete_implied_role = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_REQUIRED,
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Train release, the implied role API understands how to
+    "The implied role API is now aware of system scope and default roles."
-handle system-scoped tokens in addition to project tokens, making the API
+)
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
 
 
 implied_role_policies = [

keystone/common/policies/mapping.py

@@ -36,13 +36,9 @@ deprecated_delete_mapping = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_REQUIRED
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the federated mapping API now understands default
+    "The federated mapping API is now aware of system scope and default roles."
-roles and system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the federated mapping API.
-"""
 
 mapping_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/policy.py

@@ -40,13 +40,9 @@ deprecated_delete_policy = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_REQUIRED,
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Train release, the policy API now understands default roles and
+    "The policy API is now aware of system scope and default roles."
-system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the policy API.
-"""
 
 
 policy_policies = [

keystone/common/policies/policy_association.py

@@ -74,13 +74,9 @@ deprecated_delete_policy_association_for_region_and_service = policy.DeprecatedR
     check_str=base.RULE_ADMIN_REQUIRED,
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Train release, the policy association API now understands default
+    "The policy association API is now aware of system scope and default roles."
-roles and system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the policy association API.
-"""
 
 policy_association_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/project.py

@@ -102,13 +102,9 @@ deprecated_delete_project_tags = policy.DeprecatedRule(
 )
 
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the project API understands how to handle
+    "The project API is now aware of system scope and default roles."
-system-scoped tokens in addition to project and domain tokens, making the API
+)
-more accessible to users without compromising security or manageability for
-administrators. The new default policies for this API account for these changes
-automatically.
-"""
 
 TAGS_DEPRECATED_REASON = """
 As of the Train release, the project tags API understands how to handle

keystone/common/policies/protocol.py

@@ -36,13 +36,10 @@ deprecated_delete_protocol = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_REQUIRED
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the federated protocol API now understands default
+    "The federated protocol API is now aware of system scope and default "
-roles and system-scoped tokens, making the API more granular by default without
+    "roles."
-compromising security. The new policy defaults account for these changes
+)
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the protocol API.
-"""
 
 protocol_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/region.py

@@ -29,12 +29,7 @@ deprecated_delete_region = policy.DeprecatedRule(
 )
 
 DEPRECATED_REASON = (
-    'As of the Stein release, the region API now understands default roles '
+    "The region API is now aware of system scope and default roles."
-    'and system-scoped tokens, making the API more granular without '
-    'compromising security. The new policies for this API account for these '
-    'changes automatically. Be sure to take these new defaults into '
-    'consideration if you are relying on overrides in your deployment for the '
-    'region API.'
 )
 
 region_policies = [

keystone/common/policies/role.py

@@ -56,13 +56,9 @@ deprecated_delete_domain_role = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_REQUIRED
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the role API now understands default roles and
+    "The role API is now aware of system scope and default roles."
-system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the role API.
-"""
 
 role_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/role_assignment.py

@@ -25,13 +25,9 @@ deprecated_list_role_assignments = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_REQUIRED
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the role assignment API now understands how to
+    "The assignment API is now aware of system scope and default roles."
-handle system-scoped tokens in addition to project-scoped tokens, making
+)
-the API more accessible to users without compromising security or
-manageability for administrators. The new default policies for this API
-account for these changes automatically.
-"""
 
 role_assignment_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/service.py

@@ -36,13 +36,9 @@ deprecated_delete_service = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_REQUIRED
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the service API now understands default roles and
+    "The service API is now aware of system scope and default roles."
-system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the service API.
-"""
 
 service_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/service_provider.py

@@ -36,13 +36,9 @@ deprecated_delete_sp = policy.DeprecatedRule(
     check_str=base.RULE_ADMIN_REQUIRED
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the service provider API now understands default
+    "The service provider API is now aware of system scope and default roles."
-roles and system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the service provider API.
-"""
 
 service_provider_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/token.py

@@ -15,12 +15,9 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Train release, the token API now understands how to handle
+    "The token API is now aware of system scope and default roles."
-system-scoped tokens, making the API more accessible to users without
+)
-compromising security or manageability for administrators. This support
-includes a read-only role by default.
-"""
 
 deprecated_check_token = policy.DeprecatedRule(
     name=base.IDENTITY % 'check_token',

keystone/common/policies/trust.py

@@ -45,13 +45,9 @@ deprecated_get_trust = policy.DeprecatedRule(
     check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Train release, the trust API now understands default roles and
+    "The trust API is now aware of system scope and default roles."
-system-scoped tokens, making the API more granular by default without
+)
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the service API.
-"""
 
 trust_policies = [
     policy.DocumentedRuleDefault(

keystone/common/policies/user.py

@@ -30,12 +30,9 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
     '(role:admin and token.domain.id:%(target.user.domain_id)s)'
 )
 
-DEPRECATED_REASON = """
+DEPRECATED_REASON = (
-As of the Stein release, the user API understands how to handle system-scoped
+    "The user API is now aware of system scope and default roles."
-tokens in addition to project and domain tokens, making the API more accessible
+)
-to users without compromising security or manageability for administrators. The
-new default policies for this API account for these changes automatically.
-"""
 
 deprecated_get_user = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_user',