openstack/tacker
Code Issues Proposed changes

Remove deprecated attributes from context

Browse Source 
The oslo.context emits a warning for attributes that are not listed in
[1] and considered to be deprecated. According to the warning message,
the policy file should be modified to use $(project_id)s instead of
$(tenant_id)s. Also, context.user is deprecated. We should remove lines
using context.user and use context.user_id only.

The following deprecation warnings are gone with the patch:

- context.py💯 DeprecationWarning: Policy enforcement is depending on
  the value of tenant_id. This key is deprecated. Please update your
  policy file to use the standard policy values.

- test_auth.py:75: DeprecationWarning: Property ‘user’ has moved to
  ‘user_id’ in version ‘2.6’ and will be removed in version ‘3.0’

[1] https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L313-L327

Change-Id: Ib06cd0d54772d17838789943b6a09c581b899435
Closes-Bug: #1976219
(cherry picked from commit 39925d1141be6e58a318256c2e5cd42cc417c8f4)
This commit is contained in:
Hiromu Asahina 2022-05-23 02:50:42 +09:00
parent 51ef6ca2cb
commit 2625c00375
5 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
tacker/api/v1/base.py
View File

@ -488,6 +488,7 @@ class Controller(object):
if is_create and 'tenant_id' not in res_dict:
if context.tenant_id:
res_dict['tenant_id'] = context.tenant_id
res_dict['project_id'] = context.tenant_id
else:
msg = _("Running without keystone AuthN requires "
"that tenant_id is specified")
@ -591,7 +592,13 @@ class Controller(object):
@staticmethod
def _verify_attributes(res_dict, attr_info):
extra_keys = set(res_dict.keys()) - set(attr_info.keys())
# TODO(h-asahina): The `project_id` is not included in attr_info, but
# it is used as an alternative of `tenant_id` which is already
# deprecated in oslo.context. Excluding `project_id` from the
# verification is a workaround to avoid directly modifying attr_info
# which has a strong influence on the existing code.
excluded = {'project_id'}
extra_keys = set(res_dict.keys()) - set(attr_info.keys()) - excluded
if extra_keys:
msg = _("Unrecognized attribute(s) '%s'") % ', '.join(extra_keys)
raise webob.exc.HTTPBadRequest(msg)

3
tacker/context.py
View File

@ -103,7 +103,6 @@ class ContextBase(oslo_context.RequestContext):
def to_policy_values(self):
values = super(ContextBase, self).to_policy_values()
values['tenant_id'] = self.project_id
values['is_admin'] = self.is_admin
# NOTE(jamielennox): These are almost certainly unused and non-standard
@ -150,7 +149,7 @@ class ContextBase(oslo_context.RequestContext):
authorized and False if not authorized and fatal is False.
"""
if target is None:
target = {'tenant_id': self.tenant_id,
target = {'project_id': self.tenant_id,
'user_id': self.user_id}
try:
return policy.authorize(self, action, target)

2
tacker/policies/base.py
View File

@ -28,7 +28,7 @@ rules = [
"Decides what is required for the 'is_admin:True' check to succeed."),
policy.RuleDefault(
"admin_or_owner",
"is_admin:True or tenant_id:%(tenant_id)s",
"is_admin:True or project_id:%(project_id)s",
"Default rule for most non-Admin APIs."),
policy.RuleDefault(
"admin_only",

2
tacker/tests/etc/policy.yaml
View File

@ -1,4 +1,4 @@
"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s"
"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
"admin_only": "rule:context_is_admin"
"regular_user": ""
"shared": "field:vims:shared=True"

1
tacker/tests/unit/test_auth.py
View File

@ -72,7 +72,6 @@ class TackerKeystoneContextTestCase(test_base.BaseTestCase):
response = self.request.get_response(self.middleware)
self.assertEqual('200 OK', response.status)
self.assertEqual('testuserid', self.context.user_id)
self.assertEqual('testuserid', self.context.user)
def test_with_tenant_id(self):
self.request.headers['X_PROJECT_ID'] = 'testtenantid'