I recreated this locally. Turns out I missed an attribute that the oslo_policy.policy:Enforcer class had called self.file_rules, which appear to be the specific policies pulled from policy.json or policy.yaml files. I modified the check to compare the deprecated policy against that instead of self.rules [0].

I'll slap together a test and we should be able to get this in before library freeze for sure. Thanks for raising the issue.

[0] https://review.openstack.org/#/c/531497/

On 01/05/2018 01:08 PM, Lance Bragstad wrote:
> I thought we planned for that case, but it looks like we log a warning
> regardless (obviously from your trace) so that operators don't miss
> opportunities to clean up code. In addition to that, the removal of a
> policy might make a role obsolete, which is harder to check for than
> just seeing if they have overridden the policy from a file. I can dig
> into oslo.policy and see if there is a way to determine if a policy is
> coming from a file or in-code.
>
> [0]
> https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L610-L625
>
>
> On 01/05/2018 12:45 PM, Matt Riedemann wrote:
>> I've noticed that our CI logs have API extension policy deprecation
>> warnings in them on startup, even though we don't use any non-default
>> policy rules in our CI runs, so everything is just loaded from policy
>> in code.
>>
>> Jan 05 16:58:48.794318 ubuntu-xenial-rax-dfw-0001705089
>> nova-compute[11289]: DEBUG oslo_policy.policy [None
>> req-2f69f372-721c-4550-9c28-5fa610a84201 None None] The policy file
>> policy.json could not be found. {{(pid=11289) load_rules
>> /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:548}}
>> Jan 05 16:58:48.797597 ubuntu-xenial-rax-dfw-0001705089
>> nova-compute[11289]:
>> /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:623:
>> UserWarning: Policy
>> "os_compute_api:os-extended-volumes":"rule:admin_or_owner" was
>> deprecated for removal in 17.0.0. Reason: Nova API extension concept
>> has been removed in Pike. Those extensions have their own policies
>> enforcement. As there is no extensions now,
>> "os_compute_api:os-extended-volumes" policy which was added for
>> extensions is not needed any more. Its value may be silently ignored
>> in the future.
>>
>> Isn't there a way to not log a warning if the rule isn't actually set
>> in the policy file? Similar to deprecated config options, you only get
>> the warning on those if you've set a deprecated config option in the
>> file, but you don't get the warnings just because they are in code and
>> not removed yet.
>>
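A minimal model of the check discussed in the thread above, added here as an example; it is not oslo.policy code and is not taken from the linked review. The names DEFAULTS, load_rules, deprecated_hits and warn_deprecated are hypothetical, and the policy table and override are constructed.

```python
import warnings

# Constructed in-code defaults: name -> (check string, deprecation reason or None).
# Hypothetical stand-in for policies registered in code; not the oslo.policy API.
DEFAULTS = {
    "os_compute_api:os-extended-volumes": (
        "rule:admin_or_owner", "Nova API extension concept has been removed in Pike."),
    "os_compute_api:servers:show": ("rule:admin_or_owner", None),
}


def load_rules(file_rules):
    """Effective rules: in-code defaults with operator file overrides on top."""
    rules = {name: check for name, (check, _reason) in DEFAULTS.items()}
    rules.update(file_rules)
    return rules


def deprecated_hits(candidates):
    """Deprecated-for-removal policy names that appear in `candidates`."""
    return sorted(name for name, (_check, reason) in DEFAULTS.items()
                  if reason is not None and name in candidates)


def warn_deprecated(file_rules, compare_against_file=True):
    """Warn once per deprecated policy and return the names warned about.

    compare_against_file=False checks the merged rules, so every deprecated
    default warns even when no policy file exists. True checks only what the
    operator actually set in the file.
    """
    candidates = file_rules if compare_against_file else load_rules(file_rules)
    hits = deprecated_hits(candidates)
    for name in hits:
        warnings.warn('Policy "%s" was deprecated for removal. Reason: %s'
                      % (name, DEFAULTS[name][1]))
    return hits


if __name__ == "__main__":
    no_file = {}  # constructed: no policy.json present, as in the CI run
    override = {"os_compute_api:os-extended-volumes": "role:admin"}  # constructed
    print(warn_deprecated(no_file, compare_against_file=False))  # warns on defaults
    print(warn_deprecated(no_file))                              # silent
    print(warn_deprecated(override))                             # warns on override
```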