<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 22 April 2015 at 14:49, Doug Hellmann <span dir="ltr"><<a href="mailto:doug@doughellmann.com" target="_blank">doug@doughellmann.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Excerpts from Ihar Hrachyshka's message of 2015-04-22 12:33:52 +0200:<br>
<div><div class="h5">> On 04/22/2015 05:01 AM, Doug Hellmann wrote:<br>
> > Excerpts from Ihar Hrachyshka's message of 2015-04-17 14:45:58<br>
> > +0200:<br>
> >> Hi,<br>
> >><br>
> >> tl;dr neutron has special semantics for policy targets that<br>
> >> relies on private symbols from oslo.policy, and it's impossible<br>
> >> to introduce this semantics into oslo.policy itself due to<br>
> >> backwards compatibility concerns, meaning we need to expose some<br>
> >> more symbols as part of public API for the library to facilitate<br>
> >> neutron switch to it.<br>
> >><br>
> >> ===<br>
> >><br>
> >> oslo.policy was graduated during Kilo [1]. Neutron considered<br>
> >> the switch to it [2], but failed to achieve it because some<br>
> >> library symbols that were originally public (or at least looked<br>
> >> like public) in policy.py from oslo-incubator, became private in<br>
> >> oslo.policy. Specifically, Neutron policy code [3] relies on the<br>
> >> following symbols that are now hidden inside oslo_policy._checks<br>
> >> (note the underscore in the name of the module that suggests we<br>
> >> cannot use the module directly):<br>
> >><br>
> >> - - RoleCheck - - RuleCheck - - AndCheck<br>
> ><br>
> > I'm not sure I followed all of the rest of what you wrote below,<br>
> > but it seems like this is the real problem. We are pretty<br>
> > aggressive about making things private when we release a new<br>
> > library, because it's easier to make them public later if we need<br>
> > to than it is to make public things private.<br>
> ><br>
> > In this case, it looks like we made some symbols private even<br>
> > though they were already being used, and that seems like a mistake<br>
> > on our part. So, if we make those public, would that address the<br>
> > issues with neutron adopting the library?<br>
> ><br>
><br>
> Yes, that would help. I will also check Adam's suggestion, maybe it<br>
> will allow us to avoid exposing RoleCheck.<br>
<br>
</div></div>Keeping stuff private is less of a priority if we can demonstrate<br>
that having it public makes it more useful.<br>
<div><div class="h5"><br>
> >> Those symbols are used for the following matters: (all the<br>
> >> relevant neutron code is in neutron/policy.py)<br>
> >><br>
> >> 1. debug logging in case policy does not authorize an action<br>
> >> (RuleCheck, AndCheck) [log_rule_list]<br>
> >><br>
> >> 2. filling in admin context with admin roles (RoleCheck,<br>
> >> RuleCheck, AndCheck/OrCheck internals) [get_admin_roles]<br>
> >><br>
> >> 3. aggregating core, attribute and subattribute policies<br>
> >> (RuleCheck, AndCheck) [_prepare_check]<br>
> >><br>
> >><br>
> >> == 1. debug logging in case policy does not authorize an action<br>
> >> ==<br>
> >><br>
> >> Neutron logs rules that failed to match if policy module does<br>
> >> not authorize an action. Not sure whether Neutron developers<br>
> >> really want to have those debug logs, and whether we cannot just<br>
> >> kill them to avoid this specific usage of private symbols; though<br>
> >> it also seems that we could easily use __str__ that is present<br>
> >> for all types of Checks instead. So it does not look like a<br>
> >> blocker for the switch.<br>
> >><br>
> >><br>
> >> == 2. filling in admin context with admin roles ==<br>
> >><br>
> >> Admin context object is filled with .roles attribute that is a<br>
> >> list of roles considered granting admin permissions [4]. The<br>
> >> attribute would then be used by plugins that would like to do<br>
> >> explicit policy checks. As per Salvatore, this attribute can<br>
> >> probably be dropped now that all plugins and services don't rely<br>
> >> on it (Salvatore mentioned lbaas mixins as the ones that<br>
> >> previously relied on it, but are now not doing it since service<br>
> >> split from neutron tree (?)).<br>
> >><br>
> >> The problem with dropping the .roles attribute from context<br>
> >> object in Liberty is that we, as a responsible upstream with lots<br>
> >> of plugins maintained out-of-tree (see the ongoing vendor<br>
> >> decomposition effort) would need to support the attribute while<br>
> >> it's marked as deprecated for at least one cycle, meaning that if<br>
> >> we don't get those oslo.policy internals we rely on in Liberty,<br>
> >> we would need to postpone the switch till Mizzle, or rely on<br>
> >> private symbols during the switch (while a new release of<br>
> >> oslo.policy can easily break us).<br>
> >><br>
> >> (BTW the code to extract admin roles is not really robust and<br>
> >> has bugs, f.e. it does not handle AndChecks that could be used<br>
> >> in context_is_admin. In theory, 'and' syntax would mean that both<br>
> >> roles are needed to claim someone is an admin, while the code to<br>
> >> extract admin roles handles 'and' the same way as 'or'. For the<br>
> >> deprecation time being, we may need to document this<br>
> >> limitation.)<br>
> >><br>
> >><br>
> >> == 3. aggregating core, attribute and subattribute policies ==<br>
> >><br>
> >> That's the most interesting issue.<br>
> >><br>
> >> For oslo.policy, policies are described as "target: rule", where<br>
> >> rule is interpreted as per registered checks, while target is<br>
> >> opaque to the library.<br>
> >><br>
> >> Neutron extended the syntax for target as:<br>
> >> target[:attribute[:subattribute]].<br>
> ><br>
> > This extension of the syntax is a bit more problematic. We should<br>
> > talk about a way to fold that into the library so it can be used<br>
> > consistently across projects. FTR, making it less easy to extend<br>
> > common behaviors in application-specific ways is one reason we<br>
> > like to make symbols private whenever possible.<br>
> ><br>
> > Although it is not well-documented, we do support chained<br>
> > attribute names on the right-side of the expression [1]. Does that<br>
> > do what you are describing here, or do we need to extend it to<br>
> > support a similar syntax on the left side of the expression.<br>
> ><br>
> > [1]<br>
> > <a href="http://git.openstack.org/cgit/openstack/oslo.policy/tree/oslo_policy/_" target="_blank">http://git.openstack.org/cgit/openstack/oslo.policy/tree/oslo_policy/_</a><br>
> checks.py#n288<br>
><br>
> The<br>
> ><br>
> gut of the neutron 'feature' is: applying multiple separate<br>
> policies for the same target based on which attributes are set for the<br>
> target. As I described in the original email, there are existing<br>
> consumers of the library that would be broken if we add the feature to<br>
> oslo.policy (at least with the existing syntax; we could think of<br>
> distinguishing it somehow with new syntax rules).<br>
<br>
</div></div>That feature sounds like it could be useful outside of neutron, so let's<br>
see if we can come up with a new syntax to make it portable. Bonus<br>
points if the new syntax results in a proper DSL.<br>
<div><div class="h5"><br>
><br>
> ><br>
> > [snip]<br>
> ><br>
> >> So the question to oslo.policy maintainers is: whether all that<br>
> >> is said above makes sense, and if so, whether we may now<br>
> >> consider exposing those private symbols (+ maybe OrCheck,<br>
> >> NotCheck, and other primitives that are logically bound to<br>
> >> AndCheck) as part of public API. If community agrees with my<br>
> >> analysis and justification for the change, I am happy to propose<br>
> >> a patch that would do just that.<br>
> ><br>
> > I think so, yes.<br>
> ><br>
> >> PS: one more question to oslo.policy maintainers is whether<br>
> >> consuming projects may rely on Enforcer.rules attribute being<br>
> >> present, and following dict semantics, as it currently does.<br>
> >> Neutron and other projects (like Nova) relies on the attribute,<br>
> >> while it's not really documented in official library<br>
> >> documentation. We may need clarification on whether its usage is<br>
> >> supported, and document it appropriately.<br>
> ><br>
> > I think it's a really really bad idea for any project to be<br>
> > building application-specific behavior on top of the policy engine.<br>
> > App-specific *policies* make sense. But making the evaluation of<br>
> > policy rules different across the applications largely defeats the<br>
> > purpose of having a common language for expressing those rules in<br>
> > the first place. Come contribute changes to oslo.policy if it<br>
> > doesn't do what you need. Oslo was started to provide a place for<br>
> > otherwise disparate teams to collaborate. We should do more of<br>
> > that.<br>
> ><br>
><br>
> I agree, the problem is that neutron is already in that position where<br>
> we have the feature implemented in a way that would not allow to move<br>
> it to oslo.policy without breaking someone (either neutron existing<br>
> users or other consumers of the library).<br>
><br>
> Long term, we can consider adding some new distinguished syntax for<br>
> attribute matching. Neutron would then switch to it, supporting both<br>
> for a cycle or two, and then dropping the existing one.<br>
<br>
</div></div>Yes, certainly, we need to take the current state of the world into<br>
account. My point was just that you don't have to solve this problem on<br>
your own, in isolation.<br></blockquote><div><br></div><div>In defence of Neutron and in partial defence of the developer who did this (who should be shot anyway), this happened sometime back in 2012.</div><div>At that time oslo-incubator was still pretty much an incubator and library graduation was a thing very far in the future.</div><div>Should that have happened now, development will surely have occurred straight into oslo_policy (and possibly rejected).</div><div><br></div><div>I believe it's now neutron developers' problem to sort out this situation. We surely don't want to implement our own policy engine diverging from oslo_policy.</div><div>Also, I don't think this kind of "fine grained" checks can be folded into oslo_policy, because of what Ihar said (it might break other consumers), and also probably because oslo_policy was never meant to work this way.</div><div><br></div><div>Perhaps the way forward is to define a plan to get rid of attribute and sub-attribute level checks performed using the policy engine, and find an alternate way for doing such checks. For instance we might decide to hardcode them, and run them once the "traditional" policy check is performed.</div><div>The downside is that by hardcoding things that were configurable beforehand we might be breaking some setups.</div><div>Nevertheless, it sounds like separating the "standard" operation-level check from the "specific" attribute-level check might be the way forward.</div><div><br></div><div>Salvatore</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="HOEnZb"><font color="#888888">
Doug<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br></div></div>