[all][policy] Disable & making policy rule's default change warning configurable

Ghanshyam Mann gmann at ghanshyammann.com
Mon Jul 5 22:39:00 UTC 2021


Hello Everyone,

While implementing the new secure RBAC (scope and new defaults), you might have noticed
the lot of warnings in the log and sometime failing jobs also due to size of logs. Then you had
to disable those via "suppress_default_change_warnings" variable on policy enforcer.

The oslo policy log the warnings if the default value of policy rule (if not overridden) is changed, so
there are warnings for every policy rule on every API request, everytime policy is initialized which
end up a lot of warnings (thousands) in log. It might be happening in production also.

Many projects have disabled it via hardcoded "suppress_default_change_warnings". But there is no
way for the operator to disable/enable these warnings (enable in case they would like to check the
new policy RBAC).

To handle it on oslo policy side and generically for all the projects I am planning to:

1. Disable it by default in oslo policy side itself. 

2. Make it configurable so that operator can enable it on need basis.

NOTE: This proposal is about warnings for default value change, not for the policy name change.

I have submitted this proposal in gerrit too - https://review.opendev.org/c/openstack/oslo.policy/+/799539

Please let me know your opinon on this?

-gmann



More information about the openstack-discuss mailing list