Make policy deprecation reasons less verbose
oslo.policy emits a deprecation warning for every single rule that we have deprecated at least once when a request comes in, and possibly subsequent times if keystone is running in multiple processes, and even more after keystone is reloaded. It's not useful to repeat nearly identical multi-line messages for each policy every time: logs aren't meant to justify our reasoning, they're just meant to be informative. The relevant information and rationalization can be found in the release notes. Repeating these identical multi-line messages starts to use up space quickly and makes the logs unreadable. This patch reduces the DEPRECATED_REASON for each policy to one brief line, which should help make the logs more readable in general and especially when run in a multiprocess environment, reduce the disk footprint of the logs, and help with log indexing. Change-Id: I98a0c06586b18dbd2f6681a24a5af1ea2de70951 Partial-bug: #1836568
This commit is contained in:
parent
7c3ba315de
commit
0526718fee
|
@ -31,13 +31,10 @@ deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_OR_OWNER
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the application credential API understands how to
|
||||
handle system-scoped tokens in addition to project tokens, making the API
|
||||
more accessible to users without compromising security or manageability for
|
||||
administrators. The new default policies for this API account for these changes
|
||||
automatically.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The application credential API is now aware of system scope and default "
|
||||
"roles."
|
||||
)
|
||||
|
||||
application_credential_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -36,13 +36,9 @@ deprecated_delete_consumer = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the OAUTH1 consumer API understands how to
|
||||
handle system-scoped tokens in addition to project tokens, making the API
|
||||
more accessible to users without compromising security or manageability for
|
||||
administrators. The new default policies for this API account for these changes
|
||||
automatically.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The OAUTH1 consumer API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
consumer_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -25,12 +25,9 @@ SYSTEM_ADMIN_OR_CRED_OWNER = (
|
|||
)
|
||||
|
||||
DEPRECATED_REASON = (
|
||||
'As of the Stein release, the credential API now understands how to '
|
||||
'handle system-scoped tokens in addition to project-scoped tokens, making '
|
||||
'the API more accessible to users without compromising security or '
|
||||
'manageability for administrators. The new default policies for this API '
|
||||
'account for these changes automatically.'
|
||||
"The credential API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
deprecated_get_credential = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'get_credential',
|
||||
check_str=base.RULE_ADMIN_REQUIRED
|
||||
|
|
|
@ -15,13 +15,9 @@ from oslo_policy import policy
|
|||
|
||||
from keystone.common.policies import base
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the domain API now understands how to handle
|
||||
system-scoped tokens in addition to project-scoped tokens, making the API more
|
||||
accessible to users without compromising security or manageability for
|
||||
administrators. The new default policies for this API account for these changes
|
||||
automatically
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The domain API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
deprecated_list_domains = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'list_domains',
|
||||
|
|
|
@ -41,13 +41,9 @@ deprecated_delete_domain_config = policy.DeprecatedRule(
|
|||
)
|
||||
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the domain config API now understands default roles and
|
||||
system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the domain config API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The domain config API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
domain_config_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -41,13 +41,9 @@ deprecated_ec2_delete_credentials = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the EC2 credential API understands how to handle
|
||||
system-scoped tokens in addition to project tokens, making the API more
|
||||
accessible to users without compromising security or manageability for
|
||||
administrators. The new default policies for this API account for these changes
|
||||
automatically.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The EC2 credential API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
ec2_credential_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -31,13 +31,9 @@ deprecated_delete_endpoint = policy.DeprecatedRule(
|
|||
name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the endpoint API now understands default roles and
|
||||
system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the endpoint API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The endpoint API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
|
||||
endpoint_policies = [
|
||||
|
|
|
@ -71,13 +71,9 @@ deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
|
|||
)
|
||||
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the endpoint groups API now understands default roles
|
||||
and system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the endpoint groups API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The endpoint groups API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
|
||||
group_endpoint_policies = [
|
||||
|
|
|
@ -101,13 +101,9 @@ deprecated_revoke_grant = policy.DeprecatedRule(
|
|||
name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the assignment API now understands default roles and
|
||||
system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the system assignment API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The assignment API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
resource_paths = [
|
||||
'/projects/{project_id}/users/{user_id}/roles/{role_id}',
|
||||
|
|
|
@ -45,12 +45,9 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
|
|||
'(role:admin and domain_id:%(target.group.domain_id)s)'
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the group API understands how to handle system-scoped
|
||||
tokens in addition to project and domain tokens, making the API more accessible
|
||||
to users without compromising security or manageability for administrators. The
|
||||
new default policies for this API account for these changes automatically.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The group API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
deprecated_get_group = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'get_group',
|
||||
|
|
|
@ -36,13 +36,9 @@ deprecated_delete_idp = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the identity provider API now understands default
|
||||
roles and system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the identity provider API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The identity provider API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
identity_provider_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -40,13 +40,9 @@ deprecated_delete_implied_role = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the implied role API understands how to
|
||||
handle system-scoped tokens in addition to project tokens, making the API
|
||||
more accessible to users without compromising security or manageability for
|
||||
administrators. The new default policies for this API account for these changes
|
||||
automatically.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The implied role API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
|
||||
implied_role_policies = [
|
||||
|
|
|
@ -36,13 +36,9 @@ deprecated_delete_mapping = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the federated mapping API now understands default
|
||||
roles and system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the federated mapping API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The federated mapping API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
mapping_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -40,13 +40,9 @@ deprecated_delete_policy = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the policy API now understands default roles and
|
||||
system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the policy API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The policy API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
|
||||
policy_policies = [
|
||||
|
|
|
@ -74,13 +74,9 @@ deprecated_delete_policy_association_for_region_and_service = policy.DeprecatedR
|
|||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the policy association API now understands default
|
||||
roles and system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the policy association API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The policy association API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
policy_association_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -102,13 +102,9 @@ deprecated_delete_project_tags = policy.DeprecatedRule(
|
|||
)
|
||||
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the project API understands how to handle
|
||||
system-scoped tokens in addition to project and domain tokens, making the API
|
||||
more accessible to users without compromising security or manageability for
|
||||
administrators. The new default policies for this API account for these changes
|
||||
automatically.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The project API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
TAGS_DEPRECATED_REASON = """
|
||||
As of the Train release, the project tags API understands how to handle
|
||||
|
|
|
@ -36,13 +36,10 @@ deprecated_delete_protocol = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the federated protocol API now understands default
|
||||
roles and system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the protocol API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The federated protocol API is now aware of system scope and default "
|
||||
"roles."
|
||||
)
|
||||
|
||||
protocol_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -29,12 +29,7 @@ deprecated_delete_region = policy.DeprecatedRule(
|
|||
)
|
||||
|
||||
DEPRECATED_REASON = (
|
||||
'As of the Stein release, the region API now understands default roles '
|
||||
'and system-scoped tokens, making the API more granular without '
|
||||
'compromising security. The new policies for this API account for these '
|
||||
'changes automatically. Be sure to take these new defaults into '
|
||||
'consideration if you are relying on overrides in your deployment for the '
|
||||
'region API.'
|
||||
"The region API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
region_policies = [
|
||||
|
|
|
@ -56,13 +56,9 @@ deprecated_delete_domain_role = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the role API now understands default roles and
|
||||
system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the role API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The role API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
role_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -25,13 +25,9 @@ deprecated_list_role_assignments = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the role assignment API now understands how to
|
||||
handle system-scoped tokens in addition to project-scoped tokens, making
|
||||
the API more accessible to users without compromising security or
|
||||
manageability for administrators. The new default policies for this API
|
||||
account for these changes automatically.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The assignment API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
role_assignment_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -36,13 +36,9 @@ deprecated_delete_service = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the service API now understands default roles and
|
||||
system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the service API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The service API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
service_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -36,13 +36,9 @@ deprecated_delete_sp = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the service provider API now understands default
|
||||
roles and system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the service provider API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The service provider API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
service_provider_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -15,12 +15,9 @@ from oslo_policy import policy
|
|||
|
||||
from keystone.common.policies import base
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the token API now understands how to handle
|
||||
system-scoped tokens, making the API more accessible to users without
|
||||
compromising security or manageability for administrators. This support
|
||||
includes a read-only role by default.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The token API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
deprecated_check_token = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'check_token',
|
||||
|
|
|
@ -45,13 +45,9 @@ deprecated_get_trust = policy.DeprecatedRule(
|
|||
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the trust API now understands default roles and
|
||||
system-scoped tokens, making the API more granular by default without
|
||||
compromising security. The new policy defaults account for these changes
|
||||
automatically. Be sure to take these new defaults into consideration if you are
|
||||
relying on overrides in your deployment for the service API.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The trust API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
trust_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
|
|
|
@ -30,12 +30,9 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
|
|||
'(role:admin and token.domain.id:%(target.user.domain_id)s)'
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the user API understands how to handle system-scoped
|
||||
tokens in addition to project and domain tokens, making the API more accessible
|
||||
to users without compromising security or manageability for administrators. The
|
||||
new default policies for this API account for these changes automatically.
|
||||
"""
|
||||
DEPRECATED_REASON = (
|
||||
"The user API is now aware of system scope and default roles."
|
||||
)
|
||||
|
||||
deprecated_get_user = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'get_user',
|
||||
|
|
Loading…
Reference in New Issue