[openstack-dev] [nova][oslo] API extension policy deprecation warnings

Lance Bragstad lbragstad at gmail.com
Fri Jan 5 20:50:31 UTC 2018

I recreated this locally. Turns out I missed an attribute that the
oslo_policy.policy:Enforcer class had called self.file_rules, which
appear to the be specific policies pulled from policy.json or
policy.yaml files. I modified the check to compare the deprecated policy
against that instead of self.rules [0].

I'll slap together a test and we should be able to get this in before
library freeze for sure. Thanks for raising the issue.

[0] https://review.openstack.org/#/c/531497/

On 01/05/2018 01:08 PM, Lance Bragstad wrote:
> I thought we planned for that case, but it looks like we log a warning
> regardless (obviously from your trace) so that operators don't miss
> opportunities to clean up code. In addition to that, the removal of a
> policy might make a role obsolete, which is harder to check for than
> just seeing if they have overridden the policy from a file. I can dig
> into oslo.policy and see if there is a way to determine if a policy is
> coming from a file or in-code.
> [0]
> https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L610-L625
> On 01/05/2018 12:45 PM, Matt Riedemann wrote:
>> I've noticed that our CI logs have API extension policy deprecation
>> warnings in them on startup, even though we don't use any non-default
>> policy rules in our CI runs, so everything is just loaded from policy
>> in code.
>> Jan 05 16:58:48.794318 ubuntu-xenial-rax-dfw-0001705089
>> nova-compute[11289]: DEBUG oslo_policy.policy [None
>> req-2f69f372-721c-4550-9c28-5fa610a84201 None None] The policy file
>> policy.json could not be found. {{(pid=11289) load_rules
>> /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:548}}
>> Jan 05 16:58:48.797597 ubuntu-xenial-rax-dfw-0001705089
>> nova-compute[11289]:
>> /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:623:
>> UserWarning: Policy
>> "os_compute_api:os-extended-volumes":"rule:admin_or_owner" was
>> deprecated for removal in 17.0.0. Reason: Nova API extension concept
>> has been removed in Pike. Those extensions have their own policies
>> enforcement. As there is no extensions now,
>> "os_compute_api:os-extended-volumes" policy which was added for
>> extensions is not needed any more. Its value may be silently ignored
>> in the future.
>> Isn't there a way to not log a warning if the rule isn't actually set
>> in the policy file? Similar to deprecated config options, you only get
>> the warning on those if you've set a deprecated config option in the
>> file, but you don't get the warnings just because they are in code and
>> not removed yet.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180105/add3aae1/attachment.sig>

More information about the OpenStack-dev mailing list