[openstack-dev] [oslo][neutron] switch to to_policy_values for policy dict
Ihar Hrachyshka
ihrachys at redhat.com
Thu Sep 29 09:53:35 UTC 2016
Hi all,
there is a patch for neutron that switches neutron policy engine from
passing context.to_dict() into oslo.policy to using
context.to_policy_values() that was added recently to oslo.context.
The patch is: https://review.openstack.org/#/c/370499/
The new function from oslo.context returns a dict that has fewer keys in it
than the .to_dict() result.
For Neutron matters, considering the patch contents, here is the diff
between the two dicts.
1. The new dict is missing the following keys:
- domain;
- read_only;
- show_deleted;
- auth_token;
- request_id;
- resource_uuid;
- user_identity;
- user;
- tenant;
- timestamp;
- tenant_name;
- project_name;
- user_name.
2. The following keys are renamed in the new dict:
- user_domain -> user_domain_id;
- project_domain -> project_domain_id.
Since policy.json is a file that can be modified by operators, and we can’t
really control how they parse context in their custom rules, the change
proposed seems backwards incompatible to me. I understand that some
missing/renamed keys are pretty safe to drop (who would base their policy
rules on ‘read_only’ or ‘request_id’?), but others are of more concern
(user and tenant synonyms to user_id and project_id are dropped;
user_domain and project_domain renamed; …)
Now, for oslo library matters, it does not seem like a big deal, because no
existing users of to_dict are affected, and only those adopting the new
method need to take care of potential breakages. But for Neutron to adopt
the new method, we should consider those implications.
I would suggest we keep the list of keys available to policy engine intact,
meaning overriding the original to_policy_values method so that the missing
keys are still there.
Ihar
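
Added example (not part of the original message, and not Neutron or oslo code): a scan of operator policy rules for credential keys that the message lists as dropped or renamed. It assumes rules are strings in the oslo.policy rule language, where the left-hand side of a `kind:match` check names a credentials key; `SAMPLE_POLICY` and `affected_checks` are constructed for illustration.

```python
# Key differences between to_dict() and to_policy_values(), as listed in
# the message above.
DROPPED = {"domain", "read_only", "show_deleted", "auth_token", "request_id",
           "resource_uuid", "user_identity", "user", "tenant", "timestamp",
           "tenant_name", "project_name", "user_name"}
RENAMED = {"user_domain": "user_domain_id",
           "project_domain": "project_domain_id"}

# Constructed sample of operator-edited policy.json content.
SAMPLE_POLICY = {
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "legacy_owner": "tenant:%(tenant_id)s",
    "same_domain": "(project_domain:%(domain_id)s and role:member)",
    "named_admin": "user_name:admin or is_admin:True",
}


def affected_checks(policy):
    """Return sorted (rule_name, key, verdict) tuples for checks whose
    credentials key is absent from, or renamed in, the smaller dict."""
    findings = set()
    for name, rule in policy.items():
        # Rules are whitespace-separated tokens; grouping parentheses are
        # attached to the token they precede.
        for token in rule.split():
            kind, sep, _match = token.lstrip("(").partition(":")
            if not sep:
                continue  # operator such as "and", "or", "not"
            # Assumption: a dotted kind is a path into the credentials, so
            # only its first segment is a top-level key.
            key = kind.split(".")[0]
            if key in DROPPED:
                findings.add((name, key, "dropped"))
            elif key in RENAMED:
                findings.add((name, key, "renamed to " + RENAMED[key]))
    return sorted(findings)


if __name__ == "__main__":
    for rule_name, key, verdict in affected_checks(SAMPLE_POLICY):
        print("%s: credentials key %r is %s" % (rule_name, key, verdict))
```

A rule that matches on a dropped key stops seeing that value once the smaller dict is passed in, so each finding is a rule to review before switching.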