Log policy filters in one line

Rather than generating an entire log line for each policy that filters out an attribute, we can instead log the excluded attributes once after all of the policy checks are done. This only applies to the policy checks, policy enforcements (e.g. preventing a user from entering a field value on create) are still logged individually. Partial-Bug: #1707307 Change-Id: I77401e30cb220901dacd61028acde4c79001ed9b (cherry picked from commit 62c1a4b687)
2017-08-10 00:07:31 -07:00 · 2017-08-10 00:07:31 -07:00 · de712bf467
commit de712bf467
parent 8498f40c7e
2 changed files with 6 additions and 3 deletions
--- a/neutron/pecan_wsgi/hooks/policy_enforcement.py
+++ b/neutron/pecan_wsgi/hooks/policy_enforcement.py
@ -15,6 +15,7 @@

 import copy

+from oslo_log import log as logging
 from oslo_policy import policy as oslo_policy
 from oslo_utils import excutils
 from pecan import hooks
@ -29,6 +30,8 @@ from neutron.pecan_wsgi.controllers import quota
 from neutron.pecan_wsgi.hooks import utils
 from neutron import policy

+LOG = logging.getLogger(__name__)
+

 def _custom_getter(resource, resource_id):
    """Helper function to retrieve resources not served by any plugin."""
@ -250,4 +253,7 @@ class PolicyHook(hooks.PecanHook):
            # This should be migrated to project_id later.
            if attr_name == 'tenant_id':
                attributes_to_exclude.append('project_id')
+        if attributes_to_exclude:
+            LOG.debug("Attributes excluded by policy engine: %s",
+                      attributes_to_exclude)
        return attributes_to_exclude
--- a/neutron/policy.py
+++ b/neutron/policy.py
@ -368,9 +368,6 @@ def check(context, action, target, plugin=None, might_not_exist=False,
                               target,
                               credentials,
                               pluralized=pluralized)
-    # logging applied rules in case of failure
-    if not result:
-        log_rule_list(match_rule)
    return result