[all][policy] Disable & making policy rule's default change warning configurable
Ghanshyam Mann
gmann at ghanshyammann.com
Tue Jul 6 14:07:42 UTC 2021
---- On Tue, 06 Jul 2021 05:20:06 -0500 Erno Kuvaja <ekuvaja at redhat.com> wrote ----
> On Mon, Jul 5, 2021 at 11:43 PM Ghanshyam Mann <gmann at ghanshyammann.com> wrote:
> Hello Everyone,
>
> While implementing the new secure RBAC (scope and new defaults), you might have noticed
> the lot of warnings in the log and sometime failing jobs also due to size of logs. Then you had
> to disable those via "suppress_default_change_warnings" variable on policy enforcer.
>
> The oslo policy log the warnings if the default value of policy rule (if not overridden) is changed, so
> there are warnings for every policy rule on every API request, everytime policy is initialized which
> end up a lot of warnings (thousands) in log. It might be happening in production also.
>
> Many projects have disabled it via hardcoded "suppress_default_change_warnings". But there is no
> way for the operator to disable/enable these warnings (enable in case they would like to check the
> new policy RBAC).
>
> To handle it on oslo policy side and generically for all the projects I am planning to:
>
> 1. Disable it by default in oslo policy side itself.
>
> 2. Make it configurable so that operator can enable it on need basis.
>
> NOTE: This proposal is about warnings for default value change, not for the policy name change.
>
> I have submitted this proposal in gerrit too - https://review.opendev.org/c/openstack/oslo.policy/+/799539
>
> Please let me know your opinon on this?
>
> -gmann
>
>
> Thanks Ganshyam!
> I left the same comments in the review itself but TL;DR:
> IMO we should have the warnings on by default. If the operator actually happens to read release notes it's an easy switch to flip it off, if not they would get notified of the change in the logs. What's the point of deprecations if we don't tell anyone about them?How big of a change would it be to emit the warnings only when the policy engine loads the rules at service start rather than spamming about them on every API request?
I think i did not mention to do disable it by default while we are in phase of migrating to new RBAC and
once projects are ready to switch to new RBAC (plan to remove the old legacy deprecated rule) then we
can enable it by default for regular policy changes.
During new RBAC migration we are changing all the policy rule's default so warning about all the policy rule repeatedly
is annoying info in log.
for regular default change (after we move to RBAC) then we can enable it by default.
-gmann
> Obviously we should turn them off on gate/tests. Thanks for tackling the spammyness of our logs.
> - jokke
>
More information about the openstack-discuss
mailing list