From 163bda5fbe7bf593e255898c66dab1b58fe794a6 Mon Sep 17 00:00:00 2001
From: Goutham Pacha Ravi <gouthampravi@gmail.com>
Date: Fri, 19 Mar 2021 17:52:50 -0700
Subject: [PATCH] Disable some policy warnings
Recently, we updated the default check strings
for all API RBAC policies in manila. These policy
changes cause a lot of deprecation warnings in
the logs. In case a deployer never modified their
defaults and accepted service defaults, these
warnings aren't really helpful. If the deployer
did modify the default, these warnings are not
emitted. So we're in a bit of a pickle whether
these are helpful.
Other services [1][2][3] have made the decision
that these deprecated default check string
warnings aren't really helpful and actionable.
Further, any kind of oslo_policy deprecation
warnings aren't helpful during unit tests.
They fill up the logs and cause unnecessary
noise.
[1] openstack/nova: Iaa6baf6877890babb6205bdb3ee2e1a2b28ebd9c
[2] openstack/neutron: Iab3966bad81b469eccf1050f0e0e48b9e2573750
[3] openstack/placement: I2853c7bd7c0afdeeed89ef412fc8830f04381d7b
Change-Id: I08de69312016389f2b4c88f2adbd749dbe4d3261
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
---
manila/policy.py | 18 +++++++++++++++---
manila/test.py | 5 +++++
manila/tests/test_policy.py | 10 +++++-----
3 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/manila/policy.py b/manila/policy.py
index f0501999a0..7dc0b6a38d 100644
--- a/manila/policy.py
+++ b/manila/policy.py
@@ -46,16 +46,16 @@ def reset():
_ENFORCER = None
-def init(rules=None, use_conf=True):
+def init(rules=None, use_conf=True, suppress_deprecation_warnings=False):
"""Init an Enforcer class.
:param policy_file: Custom policy file to use, if none is specified,
`CONF.policy_file` will be used.
:param rules: Default dictionary / Rules to use. It will be
considered just in the first instantiation.
- :param default_rule: Default rule to use, CONF.default_rule will
- be used if none is specified.
:param use_conf: Whether to load rules from config file.
+ :param suppress_deprecation_warnings: Whether to suppress policy
+ deprecation warnings.
"""
global _ENFORCER
@@ -63,6 +63,18 @@ def init(rules=None, use_conf=True):
_ENFORCER = policy.Enforcer(CONF,
rules=rules,
use_conf=use_conf)
+
+ # NOTE(gouthamr): Explicitly disable the warnings for policies
+ # changing their default check_str. During
+ # secure-rbac / policy-defaults-refresh work, all the policy
+ # defaults have been changed and warning for each policy started
+ # filling the log limits for various tools. Once we move to new
+ # defaults only world then we can enable these warning again.
+ _ENFORCER.suppress_default_change_warnings = True
+ # Suppressing deprecation warnings is fine for tests. However we
+ # won't do it by default
+ _ENFORCER.suppress_deprecation_warnings = suppress_deprecation_warnings
+
register_rules(_ENFORCER)
diff --git a/manila/test.py b/manila/test.py
index 4c2b96dd2d..0056f8b51a 100644
--- a/manila/test.py
+++ b/manila/test.py
@@ -39,6 +39,7 @@ from manila import coordination
from manila.db import migration
from manila.db.sqlalchemy import api as db_api
from manila.db.sqlalchemy import models as db_models
+from manila import policy
from manila import rpc
from manila import service
from manila.tests import conf_fixture
@@ -161,6 +162,10 @@ class TestCase(base_test.BaseTestCase):
coordination.LOCK_COORDINATOR.start()
self.addCleanup(coordination.LOCK_COORDINATOR.stop)
+ # policy
+ policy.init(suppress_deprecation_warnings=True)
+ self.addCleanup(policy.reset)
+
def _disable_osprofiler(self):
"""Disable osprofiler.
diff --git a/manila/tests/test_policy.py b/manila/tests/test_policy.py
index cab315f41d..de303e3b79 100644
--- a/manila/tests/test_policy.py
+++ b/manila/tests/test_policy.py
@@ -46,7 +46,7 @@ class PolicyTestCase(test.TestCase):
"role:ADMIN"),
]
policy.reset()
- policy.init()
+ policy.init(suppress_deprecation_warnings=True)
# before a policy rule can be used, its default has to be registered.
policy._ENFORCER.register_defaults(rules)
self.context = context.RequestContext('fake', 'fake', roles=['member'])
@@ -105,7 +105,7 @@ class PolicyTestCase(test.TestCase):
project_context = context.RequestContext(project_id='fake-project-id',
roles=['bar'])
policy.reset()
- policy.init()
+ policy.init(suppress_deprecation_warnings=True)
rule = common_policy.RuleDefault('foo', 'role:bar',
scope_types=['system'])
policy._ENFORCER.register_defaults([rule])
@@ -120,7 +120,7 @@ class PolicyTestCase(test.TestCase):
project_context = context.RequestContext(project_id='fake-project-id',
roles=['bar'])
policy.reset()
- policy.init()
+ policy.init(suppress_deprecation_warnings=True)
rule = common_policy.RuleDefault('foo', 'role:bar',
scope_types=['system'])
policy._ENFORCER.register_defaults([rule])
@@ -138,7 +138,7 @@ class DefaultPolicyTestCase(test.TestCase):
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
- policy.init()
+ policy.init(suppress_deprecation_warnings=True)
self.rules = {
"default": [],
@@ -180,7 +180,7 @@ class ContextIsAdminPolicyTestCase(test.TestCase):
def setUp(self):
super(ContextIsAdminPolicyTestCase, self).setUp()
policy.reset()
- policy.init()
+ policy.init(suppress_deprecation_warnings=True)
def _set_rules(self, rules, default_rule):
these_rules = common_policy.Rules.from_dict(rules,