[all][policy] Disable & making policy rule's default change warning configurable

Erno Kuvaja ekuvaja at redhat.com
Tue Jul 6 10:20:06 UTC 2021


On Mon, Jul 5, 2021 at 11:43 PM Ghanshyam Mann <gmann at ghanshyammann.com>
wrote:

> Hello Everyone,
>
> While implementing the new secure RBAC (scope and new defaults), you might
> have noticed
> a lot of warnings in the log and sometimes failing jobs also due to the size
> of the logs. Then you had
> to disable those via the "suppress_default_change_warnings" variable on the policy
> enforcer.
>
> oslo policy logs the warnings if the default value of a policy rule (if
> not overridden) is changed, so
> there are warnings for every policy rule on every API request, every time
> policy is initialized, which
> ends up as a lot of warnings (thousands) in the log. It might be happening in
> production also.
>
> Many projects have disabled it via hardcoded
> "suppress_default_change_warnings". But there is no
> way for the operator to disable/enable these warnings (enable in case they
> would like to check the
> new policy RBAC).
>
> To handle it on oslo policy side and generically for all the projects I am
> planning to:
>
> 1. Disable it by default in oslo policy side itself.
>
> 2. Make it configurable so that operator can enable it on need basis.
>
> NOTE: This proposal is about warnings for default value change, not for
> the policy name change.
>
> I have submitted this proposal in gerrit too -
> https://review.opendev.org/c/openstack/oslo.policy/+/799539
>
> Please let me know your opinion on this?
>
> -gmann
>
>
Thanks Ghanshyam!

I left the same comments in the review itself but TL;DR:

IMO we should have the warnings on by default. If the operator actually
happens to read release notes it's an easy switch to flip it off, if not
they would get notified of the change in the logs. What's the point of
deprecations if we don't tell anyone about them?
How big of a change would it be to emit the warnings only when the policy
engine loads the rules at service start rather than spamming about them on
every API request?

Obviously we should turn them off on gate/tests. Thanks for tackling the
spamminess of our logs.

- jokke
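
The three behaviours discussed in this thread (a warning per rule on every policy initialization, warnings suppressed, and each warning emitted once per process) compared side by side, as an added example that is not part of either message and is not oslo.policy code. `ToyEnforcer`, `WarnOnce`, `simulate`, the logger name and the rule names are hypothetical and constructed; only the `suppress_default_change_warnings` name comes from the thread.

```python
import logging

# Constructed sample: rule name -> (old default, new default)
CHANGED_DEFAULTS = {
    "demo:get_widget": ("rule:admin_or_owner", "role:reader"),
    "demo:delete_widget": ("rule:admin_or_owner", "role:admin"),
}

class WarnOnce(logging.Filter):
    """Pass each distinct warning (template + arguments) once per process."""
    def __init__(self):
        super().__init__()
        self._seen = set()

    def filter(self, record):
        if record.levelno != logging.WARNING:
            return True
        key = (record.msg, record.args)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True

class Collect(logging.Handler):
    """Keep emitted records in memory so they can be counted."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)

class ToyEnforcer:
    """Stand-in for a policy enforcer that re-checks defaults on each load."""
    def __init__(self, log, suppress_default_change_warnings=False):
        self.log = log
        self.suppress_default_change_warnings = suppress_default_change_warnings

    def load_rules(self):
        if self.suppress_default_change_warnings:
            return
        for name, (old, new) in CHANGED_DEFAULTS.items():
            self.log.warning("Default for policy %s changed from %s to %s",
                             name, old, new)

def simulate(requests, warn_once=False, suppress=False):
    """Return how many warning records reach the log for N API requests."""
    log = logging.getLogger("policy_demo")
    log.propagate, log.handlers, log.filters = False, [], []
    sink = Collect()
    log.addHandler(sink)
    if warn_once:
        log.addFilter(WarnOnce())
    enforcer = ToyEnforcer(log, suppress_default_change_warnings=suppress)
    for _ in range(requests):
        enforcer.load_rules()  # noisy case: policy initialized per request
    return len(sink.records)
```

With warnings suppressed an operator sees nothing about the changed defaults, while the warn-once filter keeps one line per changed rule regardless of request volume.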