On Mon, Jul 5, 2021 at 11:43 PM Ghanshyam Mann <gmann@ghanshyammann.com> wrote:
Hello Everyone,

While implementing the new secure RBAC (scope and new defaults), you might have noticed
the lot of warnings in the log and sometime failing jobs also due to size of logs. Then you had
to disable those via "suppress_default_change_warnings" variable on policy enforcer.

The oslo policy log the warnings if the default value of policy rule (if not overridden) is changed, so
there are warnings for every policy rule on every API request, everytime policy is initialized which
end up a lot of warnings (thousands) in log. It might be happening in production also.

Many projects have disabled it via hardcoded "suppress_default_change_warnings". But there is no
way for the operator to disable/enable these warnings (enable in case they would like to check the
new policy RBAC).

To handle it on oslo policy side and generically for all the projects I am planning to:

1. Disable it by default in oslo policy side itself.

2. Make it configurable so that operator can enable it on need basis.

NOTE: This proposal is about warnings for default value change, not for the policy name change.

I have submitted this proposal in gerrit too - https://review.opendev.org/c/openstack/oslo.policy/+/799539

Please let me know your opinon on this?

-gmann


Thanks Ganshyam!

I left the same comments in the review itself but TL;DR:

IMO we should have the warnings on by default. If the operator actually happens to read release notes it's an easy switch to flip it off, if not they would get notified of the change in the logs. What's the point of deprecations if we don't tell anyone about them?
How big of a change would it be to emit the warnings only when the policy engine loads the rules at service start rather than spamming about them on every API request?

Obviously we should turn them off on gate/tests. Thanks for tackling the spammyness of our logs.

- jokke