resolve status of policy target deprecated in stein
Bug #1873110 reported by Brian Rosmaita
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | Medium | Brian Rosmaita |
Bug Description
Change Iba58e785df934d
This is the deprecated policy. It has always had this default value. Originally, it covered all of the get, post, put, delete operations:
#"volume_extension:volume_type_encryption": "rule:admin_api"
These are the fine-grained policies introduced by Change Iba58e785df934d1c4175c0877d266193ac0167b7:
#"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption"
#"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption"
#"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption"
#"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption"
So the way this is set up is:
- if you did nothing, you get the default of "rule:admin_api" for all operations
- if you modified the original policy, you get that same behavior for all the fine-grained policies
- if you modify the fine-grained policies, you can fine-tune their behavior
I suggest we do nothing, that is, we should un-deprecate the original policy.
- for current operators who have modified their policy config, there will be no effect
- for "new" operators who want to modify their config, they have the option of modifying one policy to affect all four classes of action, or they can use the fine-grained policies
There were comments on the review introducing the new policies that suggested that it was pretty unlikely people needed this level of control. My proposal respects that: operators have an easy way to adjust all policies at once, but also have the option for fine-grained control should they want it.
The other aspect of Change Iba58e785df934d1c4175c0877d266193ac0167b7 was some elaborate code [0,1] to check whether the deprecated policy was set to a non-default value, and if so, log a warning telling the operator to migrate to the fine-grained policy appropriate to the action. I believe this code has a subtle bug, namely, if an operator decided to customize the deprecated policy to control 3 of the actions and only wanted to use fine-grained control on the remaining action, the fine-grained policy would be ignored and the deprecated value would be used instead for that action, despite what was defined in the policy configuration file. Policy configuration is difficult enough for operators without this additional weirdness.
So to be clear about what I'm proposing:
(1) Keep the "volume_extension:volume_type_encryption" policy target, keep its current default value, and un-deprecate it
(2) Leave the default values as they are for the fine-grained policies
(3) Rip out the policy-deprecation code (not just the stuff in volume_type.py, but also the infrastructure for this in policy.py)
Finally, this is consistent with a current proposal to introduce some fine-grained policies for a different set of actions. See https://launchpad.net/cinder/+bug/1841587 and the discussion on the patch https://review.opendev.org/#/c/678799/
[0] https://opendev.org/openstack/cinder/src/commit/edd5bcace2a31325fd3dce47cc615059fdeb295d/cinder/api/contrib/volume_type_encryption.py#L61-L74
[1] https://opendev.org/openstack/cinder/src/commit/edd5bcace2a31325fd3dce47cc6...
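The fallback behaviour described in the comment above, as an added example that is not Cinder or oslo.policy code: a small Python model of how "rule:" references resolve under three operator configurations. The role names and sample policy files are constructed, and effective_with_deprecation_check models the bug only as the comment describes it.

```python
# Simplified model of policy rule references; not oslo.policy or Cinder code.
BASE = "volume_extension:volume_type_encryption"
ACTIONS = ("create", "get", "update", "delete")

# In-code defaults as listed in the comment above.
DEFAULTS = {BASE: "rule:admin_api"}
DEFAULTS.update({f"{BASE}:{a}": f"rule:{BASE}" for a in ACTIONS})


def resolve(name, overrides):
    """Follow 'rule:<name>' references until a terminal check string is reached."""
    rules = {**DEFAULTS, **overrides}
    seen = set()
    check = rules[name]
    while check.startswith("rule:") and check[5:] in rules:
        ref = check[5:]
        if ref in seen:
            raise ValueError(f"cyclic rule reference at {ref}")
        seen.add(ref)
        check = rules[ref]
    return check


def effective(overrides):
    """Proposed behaviour: plain rule references, no deprecation logic."""
    return {a: resolve(f"{BASE}:{a}", overrides) for a in ACTIONS}


def effective_with_deprecation_check(overrides):
    """Model of the described bug: a customised deprecated rule wins for every action."""
    if overrides.get(BASE, DEFAULTS[BASE]) != DEFAULTS[BASE]:
        forced = resolve(BASE, overrides)
        return {a: forced for a in ACTIONS}
    return effective(overrides)


# Constructed operator policy files (sample check strings, hypothetical roles).
UNTOUCHED = {}                                    # operator did nothing
COARSE = {BASE: "role:storage_admin"}             # only the original policy changed
MIXED = {BASE: "role:storage_admin",              # original policy for 3 actions,
         f"{BASE}:get": "role:auditor"}           # fine-grained rule for the 4th

if __name__ == "__main__":
    for label, cfg in (("untouched", UNTOUCHED), ("coarse", COARSE), ("mixed", MIXED)):
        print(label, effective(cfg))
    print("mixed, with deprecation check:", effective_with_deprecation_check(MIXED))
```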