Log policy filters in one line

Rather than generating an entire log line for each policy that
filters out an attribute, we can instead log the excluded attributes
once after all of the policy checks are done.

This only applies to the policy checks; policy enforcements
(e.g. preventing a user from entering a field value on create)
are still logged individually.

Partial-Bug: #1707307
Change-Id: I77401e30cb220901dacd61028acde4c79001ed9b
(cherry picked from commit 62c1a4b687)
Kevin Benton 2017-08-10 00:07:31 -07:00 committed by Ihar Hrachyshka
parent 8498f40c7e
commit de712bf467
2 changed files with 6 additions and 3 deletions


@ -15,6 +15,7 @@
import copy import copy
from oslo_log import log as logging
from oslo_policy import policy as oslo_policy from oslo_policy import policy as oslo_policy
from oslo_utils import excutils from oslo_utils import excutils
from pecan import hooks from pecan import hooks
@ -29,6 +30,8 @@ from neutron.pecan_wsgi.controllers import quota
from neutron.pecan_wsgi.hooks import utils from neutron.pecan_wsgi.hooks import utils
from neutron import policy from neutron import policy
LOG = logging.getLogger(__name__)
def _custom_getter(resource, resource_id): def _custom_getter(resource, resource_id):
"""Helper function to retrieve resources not served by any plugin.""" """Helper function to retrieve resources not served by any plugin."""
@ -250,4 +253,7 @@ class PolicyHook(hooks.PecanHook):
# This should be migrated to project_id later. # This should be migrated to project_id later.
if attr_name == 'tenant_id': if attr_name == 'tenant_id':
attributes_to_exclude.append('project_id') attributes_to_exclude.append('project_id')
if attributes_to_exclude:
LOG.debug("Attributes excluded by policy engine: %s",
attributes_to_exclude)
return attributes_to_exclude return attributes_to_exclude
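Review bot: The `LOG.debug` call added just before `return attributes_to_exclude` records only the excluded attribute names, so the log no longer shows which resource or rule caused an exclusion. This matters because the same commit removes `log_rule_list(match_rule)` from the failure path of `check()` in the other file. If the enclosing method has the resource name in scope (its signature is outside this hunk), I would include it, along the lines of `LOG.debug("Attributes excluded by policy engine for %s: %s", resource, attributes_to_exclude)`. It is also worth confirming that `check()` has no callers outside this hook, since any such caller would now deny silently, which makes authorization failures harder to trace.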


@ -368,9 +368,6 @@ def check(context, action, target, plugin=None, might_not_exist=False,
target, target,
credentials, credentials,
pluralized=pluralized) pluralized=pluralized)
# logging applied rules in case of failure
if not result:
log_rule_list(match_rule)
return result return result