[openstack-dev] [oslo][neutron] switch to to_policy_values for policy dict

Ihar Hrachyshka ihrachys at redhat.com
Thu Sep 29 09:53:35 UTC 2016


Hi all,

there is a patch for neutron that switches neutron policy engine from  
passing context.to_dict() into oslo.policy to using  
context.to_policy_values() that was added recently to oslo.context.

The patch is: https://review.openstack.org/#/c/370499/

The new function from oslo.context returns a dict that has fewer keys in it
than the .to_dict() result.

For Neutron matters, considering the patch contents, here is the diff  
between two dicts.

1. new dict misses the following keys:
- domain;
- read_only;
- show_deleted;
- auth_token;
- request_id;
- resource_uuid;
- user_identity;
- user;
- tenant;
- timestamp;
- tenant_name;
- project_name;
- user_name.

2. The following keys are renamed in the new dict:
- user_domain -> user_domain_id;
- project_domain -> project_domain_id.

Since policy.json is a file that can be modified by operators, and we can’t  
really control how they parse context in their custom rules, the change  
proposed seems backwards incompatible to me. I understand that some  
missing/renamed keys are pretty safe to drop (who would base their policy  
rules on ‘read_only’ or ‘request_id’?), but others are of more concern  
(user and tenant synonyms to user_id and project_id are dropped;  
user_domain and project_domain renamed; …)

Now, for oslo library matters, it does not seem like a big deal, because no  
existing users of to_dict are affected, and only those adopting the new  
method need to take care of potential breakages. But for Neutron to adopt  
the new method, we should consider those implications.

I would suggest we keep the list of keys available to policy engine intact,  
meaning overriding the original to_policy_values method so that the missing  
keys are still there.

Ihar
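
An added example, not part of the original message or of the Neutron/oslo code: a small audit an operator could run over a policy.json to find rules whose credential keys appear in the removed or renamed lists above. The sample policy is constructed, and the set of check types skipped (`rule`, `role`, `http`) is an assumption that covers only stock oslo.policy checks.

```python
import json
import re

# Keys listed in the message as absent from to_policy_values() output.
REMOVED = {"domain", "read_only", "show_deleted", "auth_token", "request_id",
           "resource_uuid", "user_identity", "user", "tenant", "timestamp",
           "tenant_name", "project_name", "user_name"}
# Keys listed in the message as renamed.
RENAMED = {"user_domain": "user_domain_id",
           "project_domain": "project_domain_id"}

# A check looks like "kind:match"; for generic checks the kind names a key of
# the credentials dict. Quoted literals ('Member':...) are not matched.
KIND = re.compile(r"(?:^|[\s(])([A-Za-z_][\w.]*):")
# Kinds that are check types rather than credential keys (assumption: stock
# oslo.policy checks only; add any custom check names your service registers).
CHECK_TYPES = {"rule", "role", "http"}


def _texts(rule):
    """Yield rule strings from either string-form or legacy list-form rules."""
    if isinstance(rule, str):
        yield rule
    elif isinstance(rule, list):
        for item in rule:
            yield from _texts(item)


def audit_policy(policy):
    """Return sorted (rule_name, key, status) for affected credential keys."""
    findings = set()
    for name, rule in policy.items():
        for text in _texts(rule):
            for kind in KIND.findall(text):
                key = kind.split(".")[0]
                if key in CHECK_TYPES:
                    continue
                if key in REMOVED:
                    findings.add((name, key, "removed"))
                elif key in RENAMED:
                    findings.add((name, key, "renamed to " + RENAMED[key]))
    return sorted(findings)


# Constructed sample policy, not taken from any real deployment.
SAMPLE = json.loads("""{
  "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
  "legacy_owner": "tenant:%(tenant_id)s or user:%(user_id)s",
  "same_domain": "(user_domain:%(domain_id)s) and not role:reader",
  "old_style": [["rule:admin_or_owner"], ["tenant_name:%(name)s"]]
}""")

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print(*finding, sep="\t")
```

A rule that references a removed key would be evaluated against a credentials dict that no longer carries it, so each finding is a rule to review before the switch.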


