Remove deprecated attributes from context

The oslo.context emits a warning for attributes that are not listed in
[1] and considered to be deprecated. According to the warning message,
the policy file should be modified to use $(project_id)s instead of
$(tenant_id)s. Also, context.user is deprecated. We should remove lines
using context.user and use context.user_id only.

The following deprecation warnings are gone with the patch:

-💯 DeprecationWarning: Policy enforcement is depending on
  the value of tenant_id. This key is deprecated. Please update your
  policy file to use the standard policy values.

- DeprecationWarning: Property ‘user’ has moved to
  ‘user_id’ in version ‘2.6’ and will be removed in version ‘3.0’


Change-Id: Ib06cd0d54772d17838789943b6a09c581b899435
Closes-Bug: #1976219
(cherry picked from commit 39925d1141)
This commit is contained in:
Hiromu Asahina 2022-05-23 02:50:42 +09:00
parent 51ef6ca2cb
commit 2625c00375
5 changed files with 11 additions and 6 deletions

View File

@ -488,6 +488,7 @@ class Controller(object):
if is_create and 'tenant_id' not in res_dict:
if context.tenant_id:
res_dict['tenant_id'] = context.tenant_id
res_dict['project_id'] = context.tenant_id
msg = _("Running without keystone AuthN requires "
"that tenant_id is specified")
@ -591,7 +592,13 @@ class Controller(object):
def _verify_attributes(res_dict, attr_info):
extra_keys = set(res_dict.keys()) - set(attr_info.keys())
# TODO(h-asahina): The `project_id` is not included in attr_info, but
# it is used as an alternative of `tenant_id` which is already
# deprecated in oslo.context. Excluding `project_id` from the
# verification is a workaround to avoid directly modifying attr_info
# which has a strong influence on the existing code.
excluded = {'project_id'}
extra_keys = set(res_dict.keys()) - set(attr_info.keys()) - excluded
if extra_keys:
msg = _("Unrecognized attribute(s) '%s'") % ', '.join(extra_keys)
raise webob.exc.HTTPBadRequest(msg)

View File

@ -103,7 +103,6 @@ class ContextBase(oslo_context.RequestContext):
def to_policy_values(self):
values = super(ContextBase, self).to_policy_values()
values['tenant_id'] = self.project_id
values['is_admin'] = self.is_admin
# NOTE(jamielennox): These are almost certainly unused and non-standard
@ -150,7 +149,7 @@ class ContextBase(oslo_context.RequestContext):
authorized and False if not authorized and fatal is False.
if target is None:
target = {'tenant_id': self.tenant_id,
target = {'project_id': self.tenant_id,
'user_id': self.user_id}
return policy.authorize(self, action, target)

View File

@ -28,7 +28,7 @@ rules = [
"Decides what is required for the 'is_admin:True' check to succeed."),
"is_admin:True or tenant_id:%(tenant_id)s",
"is_admin:True or project_id:%(project_id)s",
"Default rule for most non-Admin APIs."),

View File

@ -1,4 +1,4 @@
"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s"
"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
"admin_only": "rule:context_is_admin"
"regular_user": ""
"shared": "field:vims:shared=True"

View File

@ -72,7 +72,6 @@ class TackerKeystoneContextTestCase(test_base.BaseTestCase):
response = self.request.get_response(self.middleware)
self.assertEqual('200 OK', response.status)
self.assertEqual('testuserid', self.context.user_id)
self.assertEqual('testuserid', self.context.user)
def test_with_tenant_id(self):
self.request.headers['X_PROJECT_ID'] = 'testtenantid'