Merge "Consolidate policy deprecation warnings"
40e0f3f10f
|
@ -53,6 +53,40 @@ class RBACEnforcer(object):
|
||||||
# BORG pattern.
|
# BORG pattern.
|
||||||
self.__dict__ = self.__shared_state__
|
self.__dict__ = self.__shared_state__
|
||||||
|
|
||||||
|
def _check_deprecated_rule(self, action):
|
||||||
|
def _name_is_changing(rule):
|
||||||
|
deprecated_rule = rule.deprecated_rule
|
||||||
|
return (deprecated_rule and
|
||||||
|
deprecated_rule.name != rule.name and
|
||||||
|
deprecated_rule.name in self._enforcer.file_rules)
|
||||||
|
|
||||||
|
def _check_str_is_changing(rule):
|
||||||
|
deprecated_rule = rule.deprecated_rule
|
||||||
|
return (deprecated_rule and
|
||||||
|
deprecated_rule.check_str != rule.check_str and
|
||||||
|
rule.name not in self._enforcer.file_rules)
|
||||||
|
|
||||||
|
def _is_deprecated_for_removal(rule):
|
||||||
|
return (rule.deprecated_for_removal and
|
||||||
|
rule.name in self._enforcer.file_rules)
|
||||||
|
|
||||||
|
def _emit_warning():
|
||||||
|
if not self._enforcer._warning_emitted:
|
||||||
|
LOG.warning("Deprecated policy rules found. Use "
|
||||||
|
"oslopolicy-policy-generator and "
|
||||||
|
"oslopolicy-policy-upgrade to detect and resolve "
|
||||||
|
"deprecated policies in your configuration.")
|
||||||
|
self._enforcer._warning_emitted = True
|
||||||
|
|
||||||
|
registered_rule = self._enforcer.registered_rules.get(action)
|
||||||
|
|
||||||
|
if not registered_rule:
|
||||||
|
return
|
||||||
|
if (_name_is_changing(registered_rule) or
|
||||||
|
_check_str_is_changing(registered_rule) or
|
||||||
|
_is_deprecated_for_removal(registered_rule)):
|
||||||
|
_emit_warning()
|
||||||
|
|
||||||
def _enforce(self, credentials, action, target, do_raise=True):
|
def _enforce(self, credentials, action, target, do_raise=True):
|
||||||
"""Verify that the action is valid on the target in this context.
|
"""Verify that the action is valid on the target in this context.
|
||||||
|
|
||||||
|
@ -80,8 +114,10 @@ class RBACEnforcer(object):
|
||||||
do_raise=do_raise)
|
do_raise=do_raise)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
return self._enforcer.enforce(
|
result = self._enforcer.enforce(
|
||||||
rule=action, target=target, creds=credentials, **extra)
|
rule=action, target=target, creds=credentials, **extra)
|
||||||
|
self._check_deprecated_rule(action)
|
||||||
|
return result
|
||||||
except common_policy.InvalidScope:
|
except common_policy.InvalidScope:
|
||||||
raise exception.ForbiddenAction(action=action)
|
raise exception.ForbiddenAction(action=action)
|
||||||
|
|
||||||
|
@ -94,9 +130,22 @@ class RBACEnforcer(object):
|
||||||
# The raw oslo-policy enforcer object
|
# The raw oslo-policy enforcer object
|
||||||
if self.__ENFORCER is None:
|
if self.__ENFORCER is None:
|
||||||
self.__ENFORCER = common_policy.Enforcer(CONF)
|
self.__ENFORCER = common_policy.Enforcer(CONF)
|
||||||
|
# NOTE(cmurphy) when running in the keystone server, suppress
|
||||||
|
# deprecation warnings for individual policy rules. Instead, we log
|
||||||
|
# a single notification at enforcement time indicating the
|
||||||
|
# oslo.policy tools the operator can use to detect and resolve
|
||||||
|
# deprecated policies. If there is no request context here, that
|
||||||
|
# means external tooling such as the oslo.policy tools are running
|
||||||
|
# this code, in which case we do want the full deprecation warnings
|
||||||
|
# emitted for individual polcy rules.
|
||||||
|
if flask.has_request_context():
|
||||||
|
self.__ENFORCER.suppress_deprecation_warnings = True
|
||||||
|
# NOTE(cmurphy) Tests may explicitly disable these warnings to
|
||||||
|
# prevent an explosion of test logs
|
||||||
if self.suppress_deprecation_warnings:
|
if self.suppress_deprecation_warnings:
|
||||||
self.__ENFORCER.suppress_deprecation_warnings = True
|
self.__ENFORCER.suppress_deprecation_warnings = True
|
||||||
self.register_rules(self.__ENFORCER)
|
self.register_rules(self.__ENFORCER)
|
||||||
|
self.__ENFORCER._warning_emitted = False
|
||||||
return self.__ENFORCER
|
return self.__ENFORCER
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
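Review bot: The consolidated message in `_emit_warning` (first hunk) drops the action name and fires once per process, so an authorization decision that oslo.policy presumably allowed only through a `deprecated_rule` fallback can no longer be tied to a specific rule from the server log; consider keeping a per-hit line at debug level, e.g. `LOG.debug("Policy rule %s is deprecated or has a deprecated fallback.", action)` placed before the `_warning_emitted` test, so the detail survives without the log flood. `_warning_emitted` is reset only when `__ENFORCER` is first built (third hunk), so if the policy file is later reloaded with new deprecated rules the single warning is presumably not re-emitted — worth confirming, or resetting the flag alongside the reload. The `flask.has_request_context()` test likewise runs only at first construction, so an enforcer first touched outside a request (for example during app setup) would keep per-rule warnings enabled for the whole process. Both `_enforce` and the `_enforcer` property continue outside the hunks; the new comment's `polcy` should read `policy`.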
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1836568 <https://bugs.launchpad.net/keystone/+bug/1836568>`_
|
||||||
|
Addresses a side effect of the large series of policy migrations in which
|
||||||
|
the volume of deprecation warnings that were emitted had become too massive
|
||||||
|
to be helpful. Instead of emitting warnings for individual policy rules,
|
||||||
|
the keystone server now emits a single warning indicating problematic rules
|
||||||
|
were found. Operators can use oslopolicy-policy-generator and
|
||||||
|
oslopolicy-policy-upgrade to find and resolve deprecated policies.
|