From 2625c00375bb0ae407ecfb8ac60f80d6b10f5305 Mon Sep 17 00:00:00 2001
From: Hiromu Asahina
Date: Mon, 23 May 2022 02:50:42 +0900
Subject: [PATCH] Remove deprecated attributes from context
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The oslo.context emits a warning for attributes that are not listed in [1] and considered to be deprecated. According to the warning message, the policy file should be modified to use $(project_id)s instead of $(tenant_id)s. Also, context.user is deprecated. We should remove lines using context.user and use context.user_id only. The following deprecation warnings are gone with the patch:
- context.py:100: DeprecationWarning: Policy enforcement is depending on the value of tenant_id. This key is deprecated. Please update your policy file to use the standard policy values.
- test_auth.py:75: DeprecationWarning: Property ‘user’ has moved to ‘user_id’ in version ‘2.6’ and will be removed in version ‘3.0’
[1] https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L313-L327
Change-Id: Ib06cd0d54772d17838789943b6a09c581b899435
Closes-Bug: #1976219
(cherry picked from commit 39925d1141be6e58a318256c2e5cd42cc417c8f4)
---
 tacker/api/v1/base.py | 9 ++++++++-
 tacker/context.py | 3 +--
 tacker/policies/base.py | 2 +-
 tacker/tests/etc/policy.yaml | 2 +-
 tacker/tests/unit/test_auth.py | 1 -
 5 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/tacker/api/v1/base.py b/tacker/api/v1/base.py
index 797618c70..9aef532fa 100644
--- a/tacker/api/v1/base.py
+++ b/tacker/api/v1/base.py
@@ -488,6 +488,7 @@ class Controller(object):
 if is_create and 'tenant_id' not in res_dict:
 if context.tenant_id:
 res_dict['tenant_id'] = context.tenant_id
+ res_dict['project_id'] = context.tenant_id
 else:
 msg = _("Running without keystone AuthN requires "
 "that tenant_id is specified")
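Review bot: `res_dict['project_id']` is set only on the branch where the create body carries no `tenant_id`, so a request that does supply `tenant_id` leaves `project_id` unset or at whatever value the client sent. Because this commit moves the `admin_or_owner` rule to `project_id:%(project_id)s`, the key the policy compares should always be derived server-side from the owner field, for example `res_dict['project_id'] = res_dict['tenant_id']` once `tenant_id` has been settled. The surrounding method begins and ends outside the hunk, so confirm it does not already do this.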
@@ -591,7 +592,13 @@ class Controller(object):
 @staticmethod
 def _verify_attributes(res_dict, attr_info):
- extra_keys = set(res_dict.keys()) - set(attr_info.keys())
+ # TODO(h-asahina): The `project_id` is not included in attr_info, but
+ # it is used as an alternative of `tenant_id` which is already
+ # deprecated in oslo.context. Excluding `project_id` from the
+ # verification is a workaround to avoid directly modifying attr_info
+ # which has a strong influence on the existing code.
+ excluded = {'project_id'}
+ extra_keys = set(res_dict.keys()) - set(attr_info.keys()) - excluded
 if extra_keys:
 msg = _("Unrecognized attribute(s) '%s'") % ', '.join(extra_keys)
 raise webob.exc.HTTPBadRequest(msg)
diff --git a/tacker/context.py b/tacker/context.py
index 2dcde9e11..b5746ac7e 100644
--- a/tacker/context.py
+++ b/tacker/context.py
@@ -103,7 +103,6 @@ class ContextBase(oslo_context.RequestContext):
 def to_policy_values(self):
 values = super(ContextBase, self).to_policy_values()
- values['tenant_id'] = self.project_id
 values['is_admin'] = self.is_admin
 # NOTE(jamielennox): These are almost certainly unused and non-standard
@@ -150,7 +149,7 @@ class ContextBase(oslo_context.RequestContext):
 authorized and False if not authorized and fatal is False.
 """
 if target is None:
- target = {'tenant_id': self.tenant_id,
+ target = {'project_id': self.tenant_id,
 'user_id': self.user_id}
 try:
 return policy.authorize(self, action, target)
diff --git a/tacker/policies/base.py b/tacker/policies/base.py
index e7812a016..bd2caebf5 100644
--- a/tacker/policies/base.py
+++ b/tacker/policies/base.py
@@ -28,7 +28,7 @@ rules = [
 "Decides what is required for the 'is_admin:True' check to succeed."),
 policy.RuleDefault(
 "admin_or_owner",
- "is_admin:True or tenant_id:%(tenant_id)s",
+ "is_admin:True or project_id:%(project_id)s",
 "Default rule for most non-Admin APIs."),
 policy.RuleDefault(
 "admin_only",
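Review bot: Subtracting `excluded` in `_verify_attributes` exempts `project_id` no matter who put it in `res_dict`, so a `project_id` sent in the request body is no longer rejected with the "Unrecognized attribute(s)" 400. If `res_dict` is later used as the policy target (not visible here), the new `project_id:%(project_id)s` owner check would be evaluated against a caller-supplied value while `tenant_id` still records ownership. A narrower workaround is to remove or overwrite any client-supplied `project_id` before this check, or to reject a body where it differs from `tenant_id`. The TODO comment should also state which code path is expected to set the key.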
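Review bot: Dropping `values['tenant_id']` from `to_policy_values()` changes the credentials seen by every rule, not only the defaults updated in this commit. A deployment whose policy file still contains `tenant_id:%(tenant_id)s` would presumably stop matching for owners once the credential key is gone; this is worth confirming because the change is a cherry-pick. Please add a release note telling operators to switch overrides to `project_id:%(project_id)s`, plus a unit test asserting that the owner rule still passes for a non-admin context. The same applies to the `admin_or_owner` change in `tacker/policies/base.py`.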
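Review bot: The default target in the second `tacker/context.py` hunk mixes names, `'project_id': self.tenant_id`, although the line removed from `to_policy_values()` shows the context already exposes `self.project_id`. Writing `target = {'project_id': self.project_id,` keeps the key and its source consistent and avoids the legacy attribute name in a commit whose purpose is to retire it. Whether `tenant_id` and `project_id` always return the same value is not visible in this hunk, so check that before changing it. The enclosing method starts above the hunk.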
diff --git a/tacker/tests/etc/policy.yaml b/tacker/tests/etc/policy.yaml
index 87439085e..4a008271e 100644
--- a/tacker/tests/etc/policy.yaml
+++ b/tacker/tests/etc/policy.yaml
@@ -1,4 +1,4 @@
-"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s"
+"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
 "admin_only": "rule:context_is_admin"
 "regular_user": ""
 "shared": "field:vims:shared=True"
diff --git a/tacker/tests/unit/test_auth.py b/tacker/tests/unit/test_auth.py
index ffda641b6..2ad9edc97 100644
--- a/tacker/tests/unit/test_auth.py
+++ b/tacker/tests/unit/test_auth.py
@@ -72,7 +72,6 @@ class TackerKeystoneContextTestCase(test_base.BaseTestCase):
 response = self.request.get_response(self.middleware)
 self.assertEqual('200 OK', response.status)
 self.assertEqual('testuserid', self.context.user_id)
- self.assertEqual('testuserid', self.context.user)
 def test_with_tenant_id(self):
 self.request.headers['X_PROJECT_ID'] = 'testtenantid'