openstack/cinder
Code Issues Proposed changes

Resolve deprecation of encryption policy target

Browse Source 
Commit ebc9a12a19 in Stein deprecated
the "volume_extension:volume_type_encryption" policy target for later
removal.  Instead of removing the target, this patch removes the
deprecation notice and retains the target as a base policy that can
be used to set the four finer-grained policies in one place.  Also
removes the supporting code that was logging a warning about the
deprecated policy.

See Bug #1873110 for a more thorough discussion of why the
deprecation is being resolved in this way.

Change-Id: I24fe5cedea9384d8708d44efb2f70a9cabfab6ca
Closes-bug: #1873110
This commit is contained in:
Brian Rosmaita 2020-04-16 09:14:38 -04:00
parent 1e0e7042ac
commit 65604daae0
5 changed files with 37 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
cinder/api/contrib/volume_type_encryption.py
View File

@ -25,9 +25,7 @@ from cinder.api import validation
from cinder import db
from cinder import exception
from cinder.i18n import _
from cinder.policies import base
from cinder.policies import volume_type as policy
from cinder import policy as cinder_policy
from cinder import rpc
from cinder.volume import volume_types
@ -58,25 +56,10 @@ class VolumeTypeEncryptionController(wsgi.Controller):
else:
return False
def _authorize_policy(self, context, new_policy):
# TODO(cl566n): In future release, this _authorize_policy function
# can be removed. The call to it can be replaced by
# context.authorize(new_policy) once the old
# policy.ENCRYPTION_POLICY is deprecated.
using_old_action = cinder_policy.verify_deprecated_policy(
policy.ENCRYPTION_POLICY,
new_policy,
base.RULE_ADMIN_API,
context)
if not using_old_action:
context.authorize(new_policy)
def index(self, req, type_id):
"""Returns the encryption specs for a given volume type."""
context = req.environ['cinder.context']
self._authorize_policy(context, policy.GET_ENCRYPTION_POLICY)
context.authorize(policy.GET_ENCRYPTION_POLICY)
self._check_type(context, type_id)
return self._get_volume_type_encryption(context, type_id)
@ -85,7 +68,7 @@ class VolumeTypeEncryptionController(wsgi.Controller):
def create(self, req, type_id, body):
"""Create encryption specs for an existing volume type."""
context = req.environ['cinder.context']
self._authorize_policy(context, policy.CREATE_ENCRYPTION_POLICY)
context.authorize(policy.CREATE_ENCRYPTION_POLICY)
key_size = body['encryption'].get('key_size')
if key_size is not None:
@ -113,7 +96,7 @@ class VolumeTypeEncryptionController(wsgi.Controller):
def update(self, req, type_id, id, body):
"""Update encryption specs for a given volume type."""
context = req.environ['cinder.context']
self._authorize_policy(context, policy.UPDATE_ENCRYPTION_POLICY)
context.authorize(policy.UPDATE_ENCRYPTION_POLICY)
key_size = body['encryption'].get('key_size')
if key_size is not None:
@ -137,7 +120,7 @@ class VolumeTypeEncryptionController(wsgi.Controller):
def show(self, req, type_id, id):
"""Return a single encryption item."""
context = req.environ['cinder.context']
self._authorize_policy(context, policy.GET_ENCRYPTION_POLICY)
context.authorize(policy.GET_ENCRYPTION_POLICY)
self._check_type(context, type_id)
@ -151,7 +134,7 @@ class VolumeTypeEncryptionController(wsgi.Controller):
def delete(self, req, type_id, id):
"""Delete encryption specs for a given volume type."""
context = req.environ['cinder.context']
self._authorize_policy(context, policy.DELETE_ENCRYPTION_POLICY)
context.authorize(policy.DELETE_ENCRYPTION_POLICY)
if self._encrypted_type_in_use(context, type_id):
expl = _('Cannot delete encryption specs. Volume type in use.')

19
cinder/policies/volume_type.py
View File

@ -20,7 +20,7 @@ from cinder.policies import base
MANAGE_POLICY = "volume_extension:types_manage"
ENCRYPTION_POLICY = "volume_extension:volume_type_encryption"
BASE_POLICY_RULE = 'rule:%s' % ENCRYPTION_POLICY
ENCRYPTION_BASE_POLICY_RULE = 'rule:%s' % ENCRYPTION_POLICY
CREATE_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:create"
GET_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:get"
UPDATE_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:update"
@ -72,9 +72,12 @@ volume_type_policies = [
policy.DocumentedRuleDefault(
name=ENCRYPTION_POLICY,
check_str=base.RULE_ADMIN_API,
description="List, show, create, update and delete volume "
"type encryption. This is deprecated in the Stein "
"release and will be removed in the future.",
description="Base policy for all volume type encryption type "
"operations. This can be used to set the policies "
"for a volume type's encryption type create, show, "
"update, and delete actions in one place, or any of "
"those may be set individually using the following "
"policy targets for finer grained control.",
operations=[
{
'method': 'POST',
@ -99,7 +102,7 @@ volume_type_policies = [
]),
policy.DocumentedRuleDefault(
name=CREATE_ENCRYPTION_POLICY,
check_str=BASE_POLICY_RULE,
check_str=ENCRYPTION_BASE_POLICY_RULE,
description="Create volume type encryption.",
operations=[
{
@ -109,7 +112,7 @@ volume_type_policies = [
]),
policy.DocumentedRuleDefault(
name=GET_ENCRYPTION_POLICY,
check_str=BASE_POLICY_RULE,
check_str=ENCRYPTION_BASE_POLICY_RULE,
description="Show, list volume type encryption.",
operations=[
{
@ -123,7 +126,7 @@ volume_type_policies = [
]),
policy.DocumentedRuleDefault(
name=UPDATE_ENCRYPTION_POLICY,
check_str=BASE_POLICY_RULE,
check_str=ENCRYPTION_BASE_POLICY_RULE,
description="Update volume type encryption.",
operations=[
{
@ -133,7 +136,7 @@ volume_type_policies = [
]),
policy.DocumentedRuleDefault(
name=DELETE_ENCRYPTION_POLICY,
check_str=BASE_POLICY_RULE,
check_str=ENCRYPTION_BASE_POLICY_RULE,
description="Delete volume type encryption.",
operations=[
{

30
cinder/policy.py
View File

@ -179,33 +179,3 @@ def check_is_admin(context):
credentials = context.to_policy_values()
target = credentials
return _ENFORCER.authorize('context_is_admin', target, credentials)
def verify_deprecated_policy(old_policy, new_policy, default_rule, context):
"""Check the rule of the deprecated policy action
If the current rule of the deprecated policy action is set to a non-default
value, then a warning message is logged stating that the new policy
action should be used to dictate permissions as the old policy action is
being deprecated.
:param old_policy: policy action that is being deprecated
:param new_policy: policy action that is replacing old_policy
:param default_rule: the old_policy action default rule value
:param context: the cinder context
"""
if _ENFORCER:
current_rule = str(_ENFORCER.rules[old_policy])
else:
current_rule = None
if current_rule != default_rule:
LOG.warning('Start using the new action %(new_policy)s. The existing '
'action %(old_policy)s is being deprecated and will be '
'removed in future release.',
{'new_policy': new_policy, 'old_policy': old_policy})
context.authorize(old_policy)
return True
return False

24
cinder/tests/unit/test_policy.py
View File

@ -13,7 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
import os.path
from unittest import mock
from oslo_config import cfg
from oslo_config import fixture as config_fixture
@ -132,26 +131,3 @@ class PolicyTestCase(test.TestCase):
roles=['AdMiN'])
policy.authorize(admin_context, lowercase_action, self.target)
policy.authorize(admin_context, uppercase_action, self.target)
@mock.patch.object(policy.LOG, 'warning')
def test_verify_deprecated_policy_using_old_action(self, mock_warning):
old_policy = "old_action_not_default"
new_policy = "new_action"
default_rule = "rule:admin_api"
using_old_action = policy.verify_deprecated_policy(
old_policy, new_policy, default_rule, self.context)
self.assertTrue(mock_warning.called)
self.assertTrue(using_old_action)
def test_verify_deprecated_policy_using_new_action(self):
old_policy = "old_action_default"
new_policy = "new_action"
default_rule = "rule:admin_api"
using_old_action = policy.verify_deprecated_policy(
old_policy, new_policy, default_rule, self.context)
self.assertFalse(using_old_action)

21
releasenotes/notes/volume-type-encryption-api-policy-base-4334ca94d73df238.yaml Normal file
View File

@ -0,0 +1,21 @@
---
upgrade:
- |
The ``volume_extension:volume_type_encryption`` policy, which was
deprecated in Stein, has been un-deprecated for the convenience of
operators who would like to set the policies for the create, get,
update, and delete operations for a volume type's encryption type
in one place. The default value for this policy target has not
changed.
As a reminder, the finer-grained policies are:
- ``volume_extension:volume_type_encryption:create``
- ``volume_extension:volume_type_encryption:get``
- ``volume_extension:volume_type_encryption:update``
- ``volume_extension:volume_type_encryption:delete``
The default values for these policies have also not changed. See
the `sample Cinder policy file
<https://docs.openstack.org/cinder/ussuri/configuration/block-storage/samples/policy.yaml.html>`_
for more information.