Disable some policy warnings

Recently, we updated the default check strings
for all API RBAC policies in manila. These policy
changes cause a lot of deprecation warnings in
the logs. In case a deployer never modified their
defaults and accepted service defaults, these
warnings aren't really helpful. If the deployer
did modify the default, these warnings are not
emitted. So we're in a bit of a pickle whether
these are helpful.

Other services [1][2][3] have made the decision
that these deprecated default check string
warnings aren't really helpful and actionable.

Further, any kind of oslo_policy deprecation
warnings aren't helpful during unit tests.
They fill up the logs and cause unnecessary
noise.

[1] openstack/nova: Iaa6baf6877890babb6205bdb3ee2e1a2b28ebd9c
[2] openstack/neutron: Iab3966bad81b469eccf1050f0e0e48b9e2573750
[3] openstack/placement: I2853c7bd7c0afdeeed89ef412fc8830f04381d7b

Change-Id: I08de69312016389f2b4c88f2adbd749dbe4d3261
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
Goutham Pacha Ravi 2021-03-19 17:52:50 -07:00
parent 398c849acc
commit 163bda5fbe
3 changed files with 25 additions and 8 deletions


@ -46,16 +46,16 @@ def reset():
_ENFORCER = None
def init(rules=None, use_conf=True):
def init(rules=None, use_conf=True, suppress_deprecation_warnings=False):
"""Init an Enforcer class.
:param policy_file: Custom policy file to use, if none is specified,
`CONF.policy_file` will be used.
:param rules: Default dictionary / Rules to use. It will be
considered just in the first instantiation.
:param default_rule: Default rule to use, CONF.default_rule will
be used if none is specified.
:param use_conf: Whether to load rules from config file.
:param suppress_deprecation_warnings: Whether to suppress policy
deprecation warnings.
"""
global _ENFORCER
@ -63,6 +63,18 @@ def init(rules=None, use_conf=True):
_ENFORCER = policy.Enforcer(CONF,
rules=rules,
use_conf=use_conf)
# NOTE(gouthamr): Explicitly disable the warnings for policies
# changing their default check_str. During
# secure-rbac / policy-defaults-refresh work, all the policy
# defaults have been changed and warning for each policy started
# filling the log limits for various tools. Once we move to new
# defaults only world then we can enable these warning again.
_ENFORCER.suppress_default_change_warnings = True
# Suppressing deprecation warnings is fine for tests. However we
# won't do it by default
_ENFORCER.suppress_deprecation_warnings = suppress_deprecation_warnings
register_rules(_ENFORCER)
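Review bot: `_ENFORCER.suppress_default_change_warnings = True` is set unconditionally, so production deployments lose the log signal that a policy's default check string changed, and the NOTE does not say what is still enforced. As far as I know, oslo.policy keeps honouring the deprecated check string alongside the new one until the operator overrides the rule or sets `enforce_new_defaults`, so the effective RBAC can be broader than the new defaults suggest; please confirm and state it in the comment, e.g. `# The deprecated check_str is still enforced (OR'ed with the new default); only the log message is silenced.` A release note pointing operators at that option would close the audit gap. Separately, the docstring lists `policy_file` and `default_rule`, which are not parameters of `init`. The new `:param suppress_deprecation_warnings:` entry should also say that it appears to apply only when the enforcer is first created; part of `init`'s body lies between the two hunks and is not shown, so that guard is inferred.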


@ -39,6 +39,7 @@ from manila import coordination
from manila.db import migration
from manila.db.sqlalchemy import api as db_api
from manila.db.sqlalchemy import models as db_models
from manila import policy
from manila import rpc
from manila import service
from manila.tests import conf_fixture
@ -161,6 +162,10 @@ class TestCase(base_test.BaseTestCase):
coordination.LOCK_COORDINATOR.start()
self.addCleanup(coordination.LOCK_COORDINATOR.stop)
# policy
policy.init(suppress_deprecation_warnings=True)
self.addCleanup(policy.reset)
def _disable_osprofiler(self):
"""Disable osprofiler.
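Review bot: `policy.init(suppress_deprecation_warnings=True)` is called here without a preceding `policy.reset()`, unlike every call site in the policy test module changed by this commit. If `init` only sets the flag when it creates the enforcer (the guard is not visible in the hunks, so this is inferred), an enforcer left initialised by an earlier import or fixture would keep its previous setting and the warnings would still be logged. Adding `policy.reset()` on the line before `policy.init(suppress_deprecation_warnings=True)` makes the base test case independent of prior state. The enclosing setup method begins outside this hunk.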


@ -46,7 +46,7 @@ class PolicyTestCase(test.TestCase):
"role:ADMIN"),
]
policy.reset()
policy.init()
policy.init(suppress_deprecation_warnings=True)
# before a policy rule can be used, its default has to be registered.
policy._ENFORCER.register_defaults(rules)
self.context = context.RequestContext('fake', 'fake', roles=['member'])
@ -105,7 +105,7 @@ class PolicyTestCase(test.TestCase):
project_context = context.RequestContext(project_id='fake-project-id',
roles=['bar'])
policy.reset()
policy.init()
policy.init(suppress_deprecation_warnings=True)
rule = common_policy.RuleDefault('foo', 'role:bar',
scope_types=['system'])
policy._ENFORCER.register_defaults([rule])
@ -120,7 +120,7 @@ class PolicyTestCase(test.TestCase):
project_context = context.RequestContext(project_id='fake-project-id',
roles=['bar'])
policy.reset()
policy.init()
policy.init(suppress_deprecation_warnings=True)
rule = common_policy.RuleDefault('foo', 'role:bar',
scope_types=['system'])
policy._ENFORCER.register_defaults([rule])
@ -138,7 +138,7 @@ class DefaultPolicyTestCase(test.TestCase):
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
policy.init(suppress_deprecation_warnings=True)
self.rules = {
"default": [],
@ -180,7 +180,7 @@ class ContextIsAdminPolicyTestCase(test.TestCase):
def setUp(self):
super(ContextIsAdminPolicyTestCase, self).setUp()
policy.reset()
policy.init()
policy.init(suppress_deprecation_warnings=True)
def _set_rules(self, rules, default_rule):
these_rules = common_policy.Rules.from_dict(rules,