Disable some policy warnings

Recently, we updated the default check strings for all API RBAC policies in manila. These policy changes cause a lot of deprecation warnings in the logs. In case a deployer never modified their defaults and accepted service defaults, these warnings aren't really helpful. If the deployer did modify the default, these warnings are not emitted. So we're in a bit of a pickle whether these are helpful. Other services [1][2][3] have made the decision that these deprecated default check string warnings aren't really helpful and actionable. Further, any kind of oslo_policy deprecation warnings aren't helpful during unit tests. They fill up the logs and cause unnecessary noise. [1] openstack/nova: Iaa6baf6877890babb6205bdb3ee2e1a2b28ebd9c [2] openstack/neutron: Iab3966bad81b469eccf1050f0e0e48b9e2573750 [3] openstack/placement: I2853c7bd7c0afdeeed89ef412fc8830f04381d7b Change-Id: I08de69312016389f2b4c88f2adbd749dbe4d3261 Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-19 17:52:50 -07:00 · 2021-03-19 17:52:50 -07:00 · 163bda5fbe
commit 163bda5fbe
parent 398c849acc
3 changed files with 25 additions and 8 deletions
--- a/manila/policy.py
+++ b/manila/policy.py
@ -46,16 +46,16 @@ def reset():
        _ENFORCER = None


-def init(rules=None, use_conf=True):
+def init(rules=None, use_conf=True, suppress_deprecation_warnings=False):
    """Init an Enforcer class.

        :param policy_file: Custom policy file to use, if none is specified,
                          `CONF.policy_file` will be used.
        :param rules: Default dictionary / Rules to use. It will be
                    considered just in the first instantiation.
-        :param default_rule: Default rule to use, CONF.default_rule will
-                           be used if none is specified.
        :param use_conf: Whether to load rules from config file.
+        :param suppress_deprecation_warnings: Whether to suppress policy
+                                            deprecation warnings.
    """

    global _ENFORCER
@ -63,6 +63,18 @@ def init(rules=None, use_conf=True):
        _ENFORCER = policy.Enforcer(CONF,
                                    rules=rules,
                                    use_conf=use_conf)
+
+        # NOTE(gouthamr): Explicitly disable the warnings for policies
+        # changing their default check_str. During
+        # secure-rbac / policy-defaults-refresh work, all the policy
+        # defaults have been changed and warning for each policy started
+        # filling the log limits for various tools. Once we move to new
+        # defaults only world then we can enable these warning again.
+        _ENFORCER.suppress_default_change_warnings = True
+        # Suppressing deprecation warnings is fine for tests. However we
+        # won't do it by default
+        _ENFORCER.suppress_deprecation_warnings = suppress_deprecation_warnings
+
        register_rules(_ENFORCER)


--- a/manila/test.py
+++ b/manila/test.py
@ -39,6 +39,7 @@ from manila import coordination
 from manila.db import migration
 from manila.db.sqlalchemy import api as db_api
 from manila.db.sqlalchemy import models as db_models
+from manila import policy
 from manila import rpc
 from manila import service
 from manila.tests import conf_fixture
@ -161,6 +162,10 @@ class TestCase(base_test.BaseTestCase):
        coordination.LOCK_COORDINATOR.start()
        self.addCleanup(coordination.LOCK_COORDINATOR.stop)

+        # policy
+        policy.init(suppress_deprecation_warnings=True)
+        self.addCleanup(policy.reset)
+
    def _disable_osprofiler(self):
        """Disable osprofiler.

--- a/manila/tests/test_policy.py
+++ b/manila/tests/test_policy.py
@ -46,7 +46,7 @@ class PolicyTestCase(test.TestCase):
                                      "role:ADMIN"),
        ]
        policy.reset()
-        policy.init()
+        policy.init(suppress_deprecation_warnings=True)
        # before a policy rule can be used, its default has to be registered.
        policy._ENFORCER.register_defaults(rules)
        self.context = context.RequestContext('fake', 'fake', roles=['member'])
@ -105,7 +105,7 @@ class PolicyTestCase(test.TestCase):
        project_context = context.RequestContext(project_id='fake-project-id',
                                                 roles=['bar'])
        policy.reset()
-        policy.init()
+        policy.init(suppress_deprecation_warnings=True)
        rule = common_policy.RuleDefault('foo', 'role:bar',
                                         scope_types=['system'])
        policy._ENFORCER.register_defaults([rule])
@ -120,7 +120,7 @@ class PolicyTestCase(test.TestCase):
        project_context = context.RequestContext(project_id='fake-project-id',
                                                 roles=['bar'])
        policy.reset()
-        policy.init()
+        policy.init(suppress_deprecation_warnings=True)
        rule = common_policy.RuleDefault('foo', 'role:bar',
                                         scope_types=['system'])
        policy._ENFORCER.register_defaults([rule])
@ -138,7 +138,7 @@ class DefaultPolicyTestCase(test.TestCase):
    def setUp(self):
        super(DefaultPolicyTestCase, self).setUp()
        policy.reset()
-        policy.init()
+        policy.init(suppress_deprecation_warnings=True)

        self.rules = {
            "default": [],
@ -180,7 +180,7 @@ class ContextIsAdminPolicyTestCase(test.TestCase):
    def setUp(self):
        super(ContextIsAdminPolicyTestCase, self).setUp()
        policy.reset()
-        policy.init()
+        policy.init(suppress_deprecation_warnings=True)

    def _set_rules(self, rules, default_rule):
        these_rules = common_policy.Rules.from_dict(rules,