Make sure exceptions during policy checks are logged.

If the invocation of f bombs out, the policy check fails (i.e. returns False), however it does not log the root cause, which makes very difficult to understand why this is happening. Fixes bug #1191948 Change-Id: Ic40053f3965b71199baf9fe3902e8ffc9745076f
2013-06-17 13:33:46 -07:00 · 2013-06-17 13:33:46 -07:00 · 8eea1ae574
parent 248375ed0b
commit 8eea1ae574
2 changed files with 26 additions and 4 deletions
--- a/quantum/policy.py
+++ b/quantum/policy.py
@ -233,10 +233,14 @@ class OwnerCheck(policy.Check):
            # f *must* exist, if not found it is better to let quantum
            # explode. Check will be performed with admin context
            context = importutils.import_module('quantum.context')
-            data = f(context.get_admin_context(),
-                     target[parent_foreign_key],
-                     fields=[parent_field])
-            target[self.target_field] = data[parent_field]
+            try:
+                data = f(context.get_admin_context(),
+                         target[parent_foreign_key],
+                         fields=[parent_field])
+                target[self.target_field] = data[parent_field]
+            except Exception:
+                LOG.exception(_('Policy check error while calling %s!'), f)
+                raise
        match = self.match % target
        if self.kind in creds:
            return match == unicode(creds[self.kind])
--- a/quantum/tests/unit/test_policy.py
+++ b/quantum/tests/unit/test_policy.py
@ -344,6 +344,24 @@ class QuantumPolicyTestCase(base.BaseTestCase):
            result = policy.enforce(self.context, action, target)
            self.assertTrue(result)

+    def test_enforce_plugin_failure(self):
+
+        def fakegetnetwork(*args, **kwargs):
+            raise NotImplementedError('Blast!')
+
+        # the policy check and plugin method we use in this test are irrelevant
+        # so long that we verify that, if *f* blows up, the behavior of the
+        # policy engine to propagate the exception is preserved
+        action = "create_port:mac"
+        with mock.patch.object(manager.QuantumManager.get_instance().plugin,
+                               'get_network', new=fakegetnetwork):
+            target = {'network_id': 'whatever'}
+            self.assertRaises(NotImplementedError,
+                              policy.enforce,
+                              self.context,
+                              action,
+                              target)
+
    def test_enforce_tenant_id_check_parent_resource_bw_compatibility(self):

        def fakegetnetwork(*args, **kwargs):