From 65604daae00fd742783e8d17b41b879d7daa1144 Mon Sep 17 00:00:00 2001
From: Brian Rosmaita
Date: Thu, 16 Apr 2020 09:14:38 -0400
Subject: [PATCH] Resolve deprecation of encryption policy target

Commit ebc9a12a19bff61bd6101def5cc997513d329bc2 in Stein deprecated the "volume_extension:volume_type_encryption" policy target for later removal. Instead of removing the target, this patch removes the deprecation notice and retains the target as a base policy that can be used to set the four finer-grained policies in one place. Also removes the supporting code that was logging a warning about the deprecated policy. See Bug #1873110 for a more thorough discussion of why the deprecation is being resolved in this way.

Change-Id: I24fe5cedea9384d8708d44efb2f70a9cabfab6ca
Closes-bug: #1873110
---
 cinder/api/contrib/volume_type_encryption.py | 27 ++++-------------
 cinder/policies/volume_type.py | 19 +++++++-----
 cinder/policy.py | 30 -------------------
 cinder/tests/unit/test_policy.py | 24 ---------------
 ...tion-api-policy-base-4334ca94d73df238.yaml | 21 +++++++++++++
 5 files changed, 37 insertions(+), 84 deletions(-)
 create mode 100644 releasenotes/notes/volume-type-encryption-api-policy-base-4334ca94d73df238.yaml
diff --git a/cinder/api/contrib/volume_type_encryption.py b/cinder/api/contrib/volume_type_encryption.py
index adcac8a9a9f..a1e8d31d758 100644
--- a/cinder/api/contrib/volume_type_encryption.py
+++ b/cinder/api/contrib/volume_type_encryption.py
@@ -25,9 +25,7 @@ from cinder.api import validation
 from cinder import db
 from cinder import exception
 from cinder.i18n import _
-from cinder.policies import base
 from cinder.policies import volume_type as policy
-from cinder import policy as cinder_policy
 from cinder import rpc
 from cinder.volume import volume_types
@@ -58,25 +56,10 @@ class VolumeTypeEncryptionController(wsgi.Controller):
 else:
 return False
- def _authorize_policy(self, context, new_policy):
- # TODO(cl566n): In future release, this _authorize_policy function
- # can be removed. The call to it can be replaced by
- # context.authorize(new_policy) once the old
- # policy.ENCRYPTION_POLICY is deprecated.
-
- using_old_action = cinder_policy.verify_deprecated_policy(
- policy.ENCRYPTION_POLICY,
- new_policy,
- base.RULE_ADMIN_API,
- context)
-
- if not using_old_action:
- context.authorize(new_policy)
-
 def index(self, req, type_id):
 """Returns the encryption specs for a given volume type."""
 context = req.environ['cinder.context']
- self._authorize_policy(context, policy.GET_ENCRYPTION_POLICY)
+ context.authorize(policy.GET_ENCRYPTION_POLICY)
 self._check_type(context, type_id)
 return self._get_volume_type_encryption(context, type_id)
@@ -85,7 +68,7 @@ class VolumeTypeEncryptionController(wsgi.Controller):
 def create(self, req, type_id, body):
 """Create encryption specs for an existing volume type."""
 context = req.environ['cinder.context']
- self._authorize_policy(context, policy.CREATE_ENCRYPTION_POLICY)
+ context.authorize(policy.CREATE_ENCRYPTION_POLICY)
 key_size = body['encryption'].get('key_size')
 if key_size is not None:
@@ -113,7 +96,7 @@ class VolumeTypeEncryptionController(wsgi.Controller):
 def update(self, req, type_id, id, body):
 """Update encryption specs for a given volume type."""
 context = req.environ['cinder.context']
- self._authorize_policy(context, policy.UPDATE_ENCRYPTION_POLICY)
+ context.authorize(policy.UPDATE_ENCRYPTION_POLICY)
 key_size = body['encryption'].get('key_size')
 if key_size is not None:
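Review bot: Removing `_authorize_policy` changes which rule is enforced for a deployment that has overridden both the base target and a finer-grained target: the deleted helper, via the `verify_deprecated_policy` that cinder/policy.py drops in this same patch, authorized against `volume_extension:volume_type_encryption` alone whenever that target's rule was non-default, whereas `context.authorize(policy.GET_ENCRYPTION_POLICY)` now always evaluates the finer-grained target (the same applies to the create, update, show and delete hunks). Deployments whose finer-grained targets still carry the default `rule:volume_extension:volume_type_encryption` see no difference, but one that customised both now gets the finer-grained rule, which may be looser or stricter than what was enforced before the upgrade. That precedence flip is not mentioned anywhere; the release note's upgrade section should carry a sentence such as `Operators who had overridden both this base policy and one of the finer-grained policies should note that the finer-grained policy is now always the one enforced.` The enclosing class VolumeTypeEncryptionController starts outside the hunk.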
@@ -137,7 +120,7 @@ class VolumeTypeEncryptionController(wsgi.Controller):
 def show(self, req, type_id, id):
 """Return a single encryption item."""
 context = req.environ['cinder.context']
- self._authorize_policy(context, policy.GET_ENCRYPTION_POLICY)
+ context.authorize(policy.GET_ENCRYPTION_POLICY)
 self._check_type(context, type_id)
@@ -151,7 +134,7 @@ class VolumeTypeEncryptionController(wsgi.Controller):
 def delete(self, req, type_id, id):
 """Delete encryption specs for a given volume type."""
 context = req.environ['cinder.context']
- self._authorize_policy(context, policy.DELETE_ENCRYPTION_POLICY)
+ context.authorize(policy.DELETE_ENCRYPTION_POLICY)
 if self._encrypted_type_in_use(context, type_id):
 expl = _('Cannot delete encryption specs. Volume type in use.')
diff --git a/cinder/policies/volume_type.py b/cinder/policies/volume_type.py
index f92cb68eafb..bca803a017a 100644
--- a/cinder/policies/volume_type.py
+++ b/cinder/policies/volume_type.py
@@ -20,7 +20,7 @@ from cinder.policies import base
 MANAGE_POLICY = "volume_extension:types_manage"
 ENCRYPTION_POLICY = "volume_extension:volume_type_encryption"
-BASE_POLICY_RULE = 'rule:%s' % ENCRYPTION_POLICY
+ENCRYPTION_BASE_POLICY_RULE = 'rule:%s' % ENCRYPTION_POLICY
 CREATE_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:create"
 GET_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:get"
 UPDATE_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:update"
@@ -72,9 +72,12 @@ volume_type_policies = [
 policy.DocumentedRuleDefault(
 name=ENCRYPTION_POLICY,
 check_str=base.RULE_ADMIN_API,
- description="List, show, create, update and delete volume "
- "type encryption. This is deprecated in the Stein "
- "release and will be removed in the future.",
+ description="Base policy for all volume type encryption type "
+ "operations. This can be used to set the policies "
+ "for a volume type's encryption type create, show, "
+ "update, and delete actions in one place, or any of "
+ "those may be set individually using the following "
+ "policy targets for finer grained control.",
 operations=[
 {
 'method': 'POST',
@@ -99,7 +102,7 @@ volume_type_policies = [
 ]),
 policy.DocumentedRuleDefault(
 name=CREATE_ENCRYPTION_POLICY,
- check_str=BASE_POLICY_RULE,
+ check_str=ENCRYPTION_BASE_POLICY_RULE,
 description="Create volume type encryption.",
 operations=[
 {
@@ -109,7 +112,7 @@ volume_type_policies = [
 ]),
 policy.DocumentedRuleDefault(
 name=GET_ENCRYPTION_POLICY,
- check_str=BASE_POLICY_RULE,
+ check_str=ENCRYPTION_BASE_POLICY_RULE,
 description="Show, list volume type encryption.",
 operations=[
 {
@@ -123,7 +126,7 @@ volume_type_policies = [
 ]),
 policy.DocumentedRuleDefault(
 name=UPDATE_ENCRYPTION_POLICY,
- check_str=BASE_POLICY_RULE,
+ check_str=ENCRYPTION_BASE_POLICY_RULE,
 description="Update volume type encryption.",
 operations=[
 {
@@ -133,7 +136,7 @@ volume_type_policies = [
 ]),
 policy.DocumentedRuleDefault(
 name=DELETE_ENCRYPTION_POLICY,
- check_str=BASE_POLICY_RULE,
+ check_str=ENCRYPTION_BASE_POLICY_RULE,
 description="Delete volume type encryption.",
 operations=[
 {
diff --git a/cinder/policy.py b/cinder/policy.py
index 7d399ef43f6..51142520612 100644
--- a/cinder/policy.py
+++ b/cinder/policy.py
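Review bot: The new description of the base target leaves the inheritance mechanism implicit: it says the four actions "may be set individually", but not that each finer-grained target defaults to `rule:volume_extension:volume_type_encryption` and therefore stops following this base the moment an operator overrides it. Since this text is what ends up in the generated sample policy file, it is the one place an operator reads before editing, so it should state the consequence, e.g. append `Each of those targets defaults to this rule; overriding one of them detaches it from this base policy.` to the description string. The `volume_type_policies` list starts outside the hunk.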
@@ -179,33 +179,3 @@ def check_is_admin(context):
 credentials = context.to_policy_values()
 target = credentials
 return _ENFORCER.authorize('context_is_admin', target, credentials)
-
-
-def verify_deprecated_policy(old_policy, new_policy, default_rule, context):
- """Check the rule of the deprecated policy action
-
- If the current rule of the deprecated policy action is set to a non-default
- value, then a warning message is logged stating that the new policy
- action should be used to dictate permissions as the old policy action is
- being deprecated.
-
- :param old_policy: policy action that is being deprecated
- :param new_policy: policy action that is replacing old_policy
- :param default_rule: the old_policy action default rule value
- :param context: the cinder context
- """
-
- if _ENFORCER:
- current_rule = str(_ENFORCER.rules[old_policy])
- else:
- current_rule = None
-
- if current_rule != default_rule:
- LOG.warning('Start using the new action %(new_policy)s. The existing '
- 'action %(old_policy)s is being deprecated and will be '
- 'removed in future release.',
- {'new_policy': new_policy, 'old_policy': old_policy})
-
- context.authorize(old_policy)
- return True
- return False
diff --git a/cinder/tests/unit/test_policy.py b/cinder/tests/unit/test_policy.py
index 6a6277091b8..5ae5a278551 100644
--- a/cinder/tests/unit/test_policy.py
+++ b/cinder/tests/unit/test_policy.py
@@ -13,7 +13,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 import os.path
-from unittest import mock
 from oslo_config import cfg
 from oslo_config import fixture as config_fixture
@@ -132,26 +131,3 @@ class PolicyTestCase(test.TestCase):
 roles=['AdMiN'])
 policy.authorize(admin_context, lowercase_action, self.target)
 policy.authorize(admin_context, uppercase_action, self.target)
-
- @mock.patch.object(policy.LOG, 'warning')
- def test_verify_deprecated_policy_using_old_action(self, mock_warning):
-
- old_policy = "old_action_not_default"
- new_policy = "new_action"
- default_rule = "rule:admin_api"
-
- using_old_action = policy.verify_deprecated_policy(
- old_policy, new_policy, default_rule, self.context)
-
- self.assertTrue(mock_warning.called)
- self.assertTrue(using_old_action)
-
- def test_verify_deprecated_policy_using_new_action(self):
- old_policy = "old_action_default"
- new_policy = "new_action"
- default_rule = "rule:admin_api"
-
- using_old_action = policy.verify_deprecated_policy(
- old_policy, new_policy, default_rule, self.context)
-
- self.assertFalse(using_old_action)
diff --git a/releasenotes/notes/volume-type-encryption-api-policy-base-4334ca94d73df238.yaml b/releasenotes/notes/volume-type-encryption-api-policy-base-4334ca94d73df238.yaml
new file mode 100644
index 00000000000..ab307fbb2eb
--- /dev/null
+++ b/releasenotes/notes/volume-type-encryption-api-policy-base-4334ca94d73df238.yaml
@@ -0,0 +1,21 @@
+---
+upgrade:
+ - |
+ The ``volume_extension:volume_type_encryption`` policy, which was
+ deprecated in Stein, has been un-deprecated for the convenience of
+ operators who would like to set the policies for the create, get,
+ update, and delete operations for a volume type's encryption type
+ in one place. The default value for this policy target has not
+ changed.
+
+ As a reminder, the finer-grained policies are:
+
+ - ``volume_extension:volume_type_encryption:create``
+ - ``volume_extension:volume_type_encryption:get``
+ - ``volume_extension:volume_type_encryption:update``
+ - ``volume_extension:volume_type_encryption:delete``
+
+ The default values for these policies have also not changed. See
+ the `sample Cinder policy file
+ `_
+ for more information.