Log policy filters in one line

Rather than generating an entire log line for each policy that filters out an attribute, we can instead log the excluded attributes once after all of the policy checks are done. This only applies to the policy checks, policy enforcements (e.g. preventing a user from entering a field value on create) are still logged individually. Partial-Bug: #1707307 Change-Id: I77401e30cb220901dacd61028acde4c79001ed9b
2017-08-10 00:07:31 -07:00 · 2017-08-10 00:07:31 -07:00 · 62c1a4b687
commit 62c1a4b687
parent d224effd26
2 changed files with 6 additions and 3 deletions
--- a/neutron/pecan_wsgi/hooks/policy_enforcement.py
+++ b/neutron/pecan_wsgi/hooks/policy_enforcement.py
@ -15,6 +15,7 @@

 import copy

+from oslo_log import log as logging
 from oslo_policy import policy as oslo_policy
 from oslo_utils import excutils
 from pecan import hooks
@ -29,6 +30,8 @@ from neutron.pecan_wsgi.controllers import quota
 from neutron.pecan_wsgi.hooks import utils
 from neutron import policy

+LOG = logging.getLogger(__name__)
+

 def _custom_getter(resource, resource_id):
    """Helper function to retrieve resources not served by any plugin."""
@ -250,4 +253,7 @@ class PolicyHook(hooks.PecanHook):
            # This should be migrated to project_id later.
            if attr_name == 'tenant_id':
                attributes_to_exclude.append('project_id')
+        if attributes_to_exclude:
+            LOG.debug("Attributes excluded by policy engine: %s",
+                      attributes_to_exclude)
        return attributes_to_exclude
--- a/neutron/policy.py
+++ b/neutron/policy.py
@ -369,9 +369,6 @@ def check(context, action, target, plugin=None, might_not_exist=False,
                               target,
                               credentials,
                               pluralized=pluralized)
-    # logging applied rules in case of failure
-    if not result:
-        log_rule_list(match_rule)
    return result