I thought we planned for that case, but it looks like we log a warning regardless (obviously from your trace) so that operators don't miss opportunities to clean up code. In addition to that, the removal of a policy might make a role obsolete, which is harder to check for than just seeing if they have overridden the policy from a file. I can dig into oslo.policy and see if there is a way to determine if a policy is coming from a file or in-code.
[0] https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L610-L625 On 01/05/2018 12:45 PM, Matt Riedemann wrote: > I've noticed that our CI logs have API extension policy deprecation > warnings in them on startup, even though we don't use any non-default > policy rules in our CI runs, so everything is just loaded from policy > in code. > > Jan 05 16:58:48.794318 ubuntu-xenial-rax-dfw-0001705089 > nova-compute[11289]: DEBUG oslo_policy.policy [None > req-2f69f372-721c-4550-9c28-5fa610a84201 None None] The policy file > policy.json could not be found. {{(pid=11289) load_rules > /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:548}} > Jan 05 16:58:48.797597 ubuntu-xenial-rax-dfw-0001705089 > nova-compute[11289]: > /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:623: > UserWarning: Policy > "os_compute_api:os-extended-volumes":"rule:admin_or_owner" was > deprecated for removal in 17.0.0. Reason: Nova API extension concept > has been removed in Pike. Those extensions have their own policies > enforcement. As there is no extensions now, > "os_compute_api:os-extended-volumes" policy which was added for > extensions is not needed any more. Its value may be silently ignored > in the future. > > Isn't there a way to not log a warning if the rule isn't actually set > in the policy file? Similar to deprecated config options, you only get > the warning on those if you've set a deprecated config option in the > file, but you don't get the warnings just because they are in code and > not removed yet. >
signature.asc
Description: OpenPGP digital signature
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev