sample-generator makes deprecated and active directives

Bug #1945336 reported by Thomas Goirand
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
oslo.policy | Fix Released | Undecided | Unassigned |

Bug Description

Hi,

By default, in oslo.policy 3.8.2 at least, oslopolicy-sample-generator generates all DEPRECATED rules as active, when really, they should be commented out by default, like all the others.

For example, with Nova 24.0.0, we get:

# DEPRECATED
# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in
# favor of "system_admin_api":"role:admin and system_scope:all".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"rule:admin_api": "rule:system_admin_api"

That last line just above should be commented out. Using the default, untouched, oslopolicy-sample-generator generated files for both Nova and Placement leads to a non-working OpenStack deployment. This isn't what one would expect.

As a package maintainer, I do generate policy files over here (example with Nova):

/etc/nova/policy.d/00_default_policy.yaml

I do expect Debian users to just use that file as a convenient example, that's just working, and showing what the defaults are. But that's not the case, and that's breaking both my expectation as a package maintainer, and what a user would expect.

Please make the generated file work by default, and showing what the defaults really are.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo.policy (master)
Changed in oslo.policy:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.policy (master)

Reviewed: https://review.opendev.org/c/openstack/oslo.policy/+/830514
Committed: https://opendev.org/openstack/oslo.policy/commit/b67e3c71a042719a6814621dd1c00c2e1818d2b1
Submitter: "Zuul (22348)"
Branch: master

commit b67e3c71a042719a6814621dd1c00c2e1818d2b1
Author: Julia Kreger <email address hidden>
Date: Tue Feb 22 11:08:56 2022 -0800

    make deprecated rule examples explicit

    Deprecated rules can be confusing and downright unfriendly when
    evaluating a generated sample output and seeing legacy rules being
    aliased to new rules. Technically this is also invalid and results
    in a broken sample file with overriding behavior.

    Under normal circumstances, this wouldn't be a big deal, but with
    the Secure RBAC effort, projects also performed some further
    delineation of RBAC policies instead of performing a 1:1 mapping.

    As a result of the policy enforcement model, a prior deprecated
    rule was required, which meant the prior deprecated rule would
    be reported multiple times in the output.

    Since we don't have an extra flag in the policy-in-code definitions
    of policies, all we can *really* do is both clarify the purpose
    and meaning of the entry, not enable the alias by default in
    sample output (as it is a sample! not an override of code!),
    and provide projects as well as operators with a knob to
    exclude deprecated policy inclusion into examples and sample
    output.

    Closes-Bug: #1945336
    Change-Id: I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04

Changed in oslo.policy:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.policy 3.12.0

This issue was fixed in the openstack/oslo.policy 3.12.0 release.
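
A check that a packager or operator could run over a generated sample file, for instance one produced by a release older than 3.12.0. This is an added example, not part of the bug report or of oslo.policy itself. It flags every uncommented entry that directly follows a "# DEPRECATED" comment block, using the block layout from the Nova excerpt in the bug description. The function name and the sample lines marked "constructed" are assumptions.

```python
import re

# An uncommented YAML mapping entry: "quoted:key": value   or   plain_key: value
ENTRY = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>[^\s"#:][^:]*?))\s*:\s*(?P<check>.*)$')
DEPRECATED_MARK = re.compile(r'^#\s*DEPRECATED\b')


def find_active_deprecated(text):
    """Return (line_no, rule_name, check) for each active (uncommented) entry
    that immediately follows a '# DEPRECATED' comment block."""
    findings = []
    in_deprecated_block = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            in_deprecated_block = False          # a blank line ends the block
        elif line.startswith("#"):
            if DEPRECATED_MARK.match(line):
                in_deprecated_block = True       # later comment lines stay in it
        else:
            match = ENTRY.match(line)
            if in_deprecated_block and match:
                name = match.group("q") or match.group("u")
                findings.append((line_no, name, match.group("check").strip('"')))
            in_deprecated_block = False
    return findings


# Sample input: the DEPRECATED block is from the bug description (shortened);
# lines marked "constructed" are made up for this example.
SAMPLE = '''\
# (constructed) ordinary rule, commented out as expected
#"example:rule": "rule:system_admin_api"

# DEPRECATED
# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in
# favor of "system_admin_api":"role:admin and system_scope:all".
"rule:admin_api": "rule:system_admin_api"

# DEPRECATED
# (constructed) the same kind of block with the alias left commented out
# "rule:old_example": "rule:new_example"
'''

if __name__ == "__main__":
    for line_no, name, check in find_active_deprecated(SAMPLE):
        print(f"line {line_no}: deprecated rule {name!r} is active -> {check!r}")
```

An entry that is active but not preceded by a "# DEPRECATED" block is treated as a deliberate operator override and is not reported.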
