<div dir="ltr">BTW, we plan to release 5.33 with the patch <a target="_blank" rel="noreferrer" href="https://review.openstack.org/#/c/500456/">https://review.openstack.org/#<wbr>/c/500456/</a>; please let me know if you need to hold the release.<br><br>[ Unreleased changes in openstack/oslo.messaging (master) ]<br><br>Changes between 5.32.0 and a9d10d3<br><br>* 3a9c01f 2017-09-24 20:25:38 -0700 Fix default value of RPC dispatcher access_policy<br>| * 6efa86a 2017-09-22 17:13:26 -0700 Fix wrong transport warnings in functional tests<br>|/ <br>* c2338ee 2017-09-20 16:23:04 +0000 Updated from global requirements<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2017-09-28 20:11 GMT+08:00 ChangBo Guo <span dir="ltr">&lt;<a href="mailto:glongwave@gmail.com" target="_blank">glongwave@gmail.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Ken, thanks for raising this. The Oslo team will send notice early when we have major changes like this.<br></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">2017-09-27 4:17 GMT+08:00 Ken Giusti <span dir="ltr">&lt;<a href="mailto:kgiusti@gmail.com" target="_blank">kgiusti@gmail.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Folks,<br>
<br>
Just a heads-up:<br>
<br>
In Queens the default access policy for RPC Endpoints will change from<br>
LegacyRPCAccessPolicy to DefaultRPCAccessPolicy. RPC calls to private<br>
('_' prefix) methods will no longer be possible. If you want to allow<br>
RPC Clients to invoke private methods, you must explicitly set the<br>
access_policy to LegacyRPCAccessPolicy when you call get_rpc_server()<br>
or instantiate an RPCDispatcher. This change [0] has been merged to<br>
oslo.messaging master and will appear in the next release of<br>
oslo.messaging.<br>
<br>
"Umm.... What?"<br>
<br>
Good question! Here's the TL;DR details:<br>
<br>
Since forever it's been possible for a client to make an RPC call<br>
against _any_ method defined in the RPC Endpoint object. And by "any"<br>
we mean "all methods including private ones (method names prefixed by<br>
'_' )"<br>
<br>
Naturally this ability came as a surprise to many folk [1], including<br>
yours truly and others on the oslo team [2]. It was agreed that<br>
having this be the default behavior was indeed A Bad Thing.<br>
<br>
So starting in Ocata oslo.messaging has provided a means for<br>
controlling access to Endpoint methods [3]. Oslo.messaging now<br>
defines three different "access control policies" that can be applied<br>
to an RPC Server:<br>
<br>
LegacyRPCAccessPolicy: original behavior - any method can be invoked<br>
by an RPC client<br>
DefaultRPCAccessPolicy: prevent RPC access to private '_' methods, all<br>
others may be invoked<br>
ExplicitRPCAccessPolicy: only allow access to those methods that have<br>
been decorated with @expose decorator<br>
<br>
See [4] for more details.<br>
<br>
In order not to break anything at the time the default access policy<br>
was set to 'LegacyRPCAccessPolicy'. This has been the default for<br>
Ocata and Pike.<br>
<br>
Starting in Queens this will no longer be the case.<br>
DefaultRPCAccessPolicy will become the default if no access policy is<br>
specified when calling get_rpc_server() or directly instantiating an<br>
RPCDispatcher. To keep the old behavior you must explicitly set the<br>
access policy to LegacyRPCAccessPolicy:<br>
<br>
from oslo_messaging.rpc import get_rpc_server, LegacyRPCAccessPolicy<br>
...<br>
server = get_rpc_server(transport, target, endpoints,<br>
access_policy=LegacyRPCAccessPolicy)<br>
<br>
<br>
<br>
Reply here if you have any questions or hit any issues, thanks!<br>
<br>
-K<br>
<br>
[0] <a href="https://review.openstack.org/#/c/500456/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/500456/</a><br>
[1] <a href="https://bugs.launchpad.net/oslo.messaging/+bug/1194279" rel="noreferrer" target="_blank">https://bugs.launchpad.net/osl<wbr>o.messaging/+bug/1194279</a><br>
[2] <a href="https://bugs.launchpad.net/oslo.messaging/+bug/1555845" rel="noreferrer" target="_blank">https://bugs.launchpad.net/osl<wbr>o.messaging/+bug/1555845</a><br>
[3] <a href="https://review.openstack.org/#/c/358359/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/358359/</a><br>
[4] <a href="https://docs.openstack.org/oslo.messaging/latest/reference/server.html" rel="noreferrer" target="_blank">https://docs.openstack.org/osl<wbr>o.messaging/latest/reference/<wbr>server.html</a><br>
<span class="m_2818090134599321599HOEnZb"><font color="#888888">--<br>
Ken Giusti (<a href="mailto:kgiusti@gmail.com" target="_blank">kgiusti@gmail.com</a>)<br>
<br>
</font></span></blockquote></div><br><br clear="all"><br></div></div><span class="HOEnZb"><font color="#888888">-- <br><div class="m_2818090134599321599gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>ChangBo Guo(gcb)<br></div><div>Community Director @EasyStack<br></div></div></div></div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>ChangBo Guo(gcb)<br></div><div>Community Director @EasyStack<br></div></div></div></div></div>
</div>
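Added example, not part of the thread and not oslo.messaging's own code: a self-contained model of the three access policies as the announcement describes them, used to audit which endpoint methods an RPC client can reach under each policy and which ones the new default cuts off. The policy functions, the `expose` stand-in and the `VolumeEndpoint` class are constructed for illustration.

```python
import inspect

# Stand-ins modelling the three policies as the announcement describes them.
# These are NOT oslo.messaging's classes; all names here are assumptions.
def legacy_policy(endpoint, name):
    return True                               # any method may be invoked

def default_policy(endpoint, name):
    return not name.startswith("_")           # private '_' methods blocked

def explicit_policy(endpoint, name):
    # only methods carrying the marker set by expose() below
    return getattr(getattr(endpoint, name, None), "exposed", False)

def expose(func):
    """Stand-in for the @expose decorator: mark a method as RPC-callable."""
    func.exposed = True
    return func

def reachable(endpoint, policy):
    """Sorted names of endpoint methods a client could call under `policy`."""
    names = [n for n, _ in inspect.getmembers(endpoint, inspect.ismethod)
             if not (n.startswith("__") and n.endswith("__"))]  # skip dunders
    return [n for n in names if policy(endpoint, n)]

def blocked_by_new_default(endpoint):
    """Methods callable under the legacy policy but not under the new default."""
    allowed = set(reachable(endpoint, default_policy))
    return [n for n in reachable(endpoint, legacy_policy) if n not in allowed]

class VolumeEndpoint:                         # constructed sample endpoint
    @expose
    def create(self, ctxt, size):
        return {"size": size}

    def status(self, ctxt):
        return "ok"

    def _purge_all(self, ctxt):               # internal helper, never meant for RPC
        return "purged"

if __name__ == "__main__":
    ep = VolumeEndpoint()
    for label, policy in [("legacy", legacy_policy), ("default", default_policy),
                          ("explicit", explicit_policy)]:
        print(f"{label:9}", reachable(ep, policy))
    print("blocked by new default:", blocked_by_new_default(ep))
```

Any name reported by `blocked_by_new_default` is a private method that remote callers could previously invoke; each one is either a client dependency to migrate or an unintended exposure that the new default closes.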