[keystone] [stein] - logs filled with policy deprecation warnings

Bug #1833756 reported by Radosław Piliszek
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
kolla-ansible | Triaged | Medium | Unassigned |

Bug Description

After each reload, policy deprecation warnings appear for each of keystone's WSGI processes if policy is not customized.

2019-06-21 21:36:09.917685 2019-06-21 21:36:09.917 21 WARNING py.warnings [req-bf9c1264-e003-42fb-a945-975c3eb38e31 aded9f9dbd6a4b03b3e89989466d024f 1fdb93d9dab14b06bad0f3c231e24636 - default default] /var/lib/kolla/venv/lib/python2.7/site-packages/oslo_policy/policy.py:695: UserWarning: Policy "identity:list_system_grants_for_user":"rule:admin_required" was deprecated in S in favor of "identity:list_system_grants_for_user":"role:reader and system_scope:all". Reason:
2019-06-21 21:36:09.917701 As of the Stein release, the assignment API now understands default roles and
2019-06-21 21:36:09.917707 system-scoped tokens, making the API more granular by default without
2019-06-21 21:36:09.917713 compromising security. The new policy defaults account for these changes
2019-06-21 21:36:09.917719 automatically. Be sure to take these new defaults into consideration if you are
2019-06-21 21:36:09.917724 relying on overrides in your deployment for the system assignment API.
2019-06-21 21:36:09.917730 . Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
2019-06-21 21:36:09.917736 warnings.warn(deprecated_msg)
2019-06-21 21:36:09.917741 : ConfigFilesNotFoundError: Failed to find some config files: policy.d\x1b[00m
2019-06-21 21:36:09.918455 2019-06-21 21:36:09.917 21 WARNING py.warnings [req-bf9c1264-e003-42fb-a945-975c3eb38e31 aded9f9dbd6a4b03b3e89989466d024f 1fdb93d9dab14b06bad0f3c231e24636 - default default] /var/lib/kolla/venv/lib/python2.7/site-packages/oslo_policy/policy.py:695: UserWarning: Policy "identity:delete_region":"rule:admin_required" was deprecated in S in favor of "identity:delete_region":"role:admin and system_scope:all". Reason: As of the Stein release, the region API now understands default roles and system-scoped tokens, making the API more granular without compromising security. The new policies for this API account for these changes automatically. Be sure to take these new defaults into consideration if you are relying on overrides in your deployment for the region API.. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
2019-06-21 21:36:09.918471 warnings.warn(deprecated_msg)
2019-06-21 21:36:09.918477 : ConfigFilesNotFoundError: Failed to find some config files: policy.d\x1b[00m
2019-06-21 21:36:09.925396 2019-06-21 21:36:09.924 21 WARNING py.warnings [req-bf9c1264-e003-42fb-a945-975c3eb38e31 aded9f9dbd6a4b03b3e89989466d024f 1fdb93d9dab14b06bad0f3c231e24636 - default default] /var/lib/kolla/venv/lib/python2.7/site-packages/oslo_policy/policy.py:958: UserWarning: Policy identity:list_domains failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
2019-06-21 21:36:09.925412 warnings.warn(msg)
2019-06-21 21:36:09.925418 \x1b[00m

Radosław Piliszek (yoctozepto) wrote :

According to the keystone Stein release notes, https://docs.openstack.org/releasenotes/keystone/stein.html:

"""
... if you have not overridden a policy, the old default and the new default will be OR’d together. This means that, for example, where we have changed the policy rule from 'rule:admin_required' to 'role:reader and system_scope:all', both policy rules will be in effect. Please check your current policies and role assignments before upgrading to ensure the policies will not be too permissive for your deployment. To hide the deprecation warnings and opt into the less permissive rules, you can override the policy configuration to use the newer policy rule.
"""

Hence we should probably install the new default policies, because the logs are full of these junk entries otherwise.
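
An added example, not part of the original report and not keystone or kolla-ansible code: a script that reads keystone log lines like those in the bug description, collects each deprecated policy with its new default rule, and renders the override entries the quoted release note describes. It also tallies scope-check warnings, so callers still using project-scoped tokens are visible before opting into the stricter rules. The function names and the abridged sample lines are assumptions made for the illustration.

```python
import json
import re
from collections import Counter

# oslo.policy deprecation warning, as worded in the log in this report.
DEPRECATED = re.compile(
    r'Policy "(?P<name>[^"]+)":"(?P<old>[^"]*)" was deprecated in \S+ '
    r'in favor of "(?P<new_name>[^"]+)":"(?P<new>[^"]*)"')
# Scope-check warning: scope of the token used vs. scope the policy requires.
SCOPE = re.compile(
    r"Policy (?P<name>\S+) failed scope check\. The token used to make the "
    r"request was (?P<token>\w+) scoped but the policy requires "
    r"\[(?P<required>[^\]]*)\] scope")

def summarize(lines):
    """Return (overrides, scope_failures) extracted from keystone log lines."""
    overrides = {}              # policy name -> (old rule, new rule)
    scope_failures = Counter()  # (policy, token scope, required scope) -> hits
    for line in lines:
        dep = DEPRECATED.search(line)
        if dep:  # the same warning from several WSGI processes maps to one key
            overrides[dep["new_name"]] = (dep["old"], dep["new"])
        sc = SCOPE.search(line)
        if sc:
            required = sc["required"].replace("'", "")
            scope_failures[(sc["name"], sc["token"], required)] += 1
    return overrides, scope_failures

def render_policy_yaml(overrides):
    """Render the new rules as YAML; the old rule stays as a review comment."""
    return "".join(
        f"# was: {old}\n{json.dumps(name)}: {json.dumps(new)}\n"
        for name, (old, new) in sorted(overrides.items()))

# Constructed sample: messages abridged from the log in this report; the first
# is listed twice to mimic two WSGI processes emitting the same warning.
_DEP = 'UserWarning: Policy "identity:list_system_grants_for_user":"rule:admin_required" was deprecated in S in favor of "identity:list_system_grants_for_user":"role:reader and system_scope:all". Reason:'
SAMPLE = [
    _DEP, _DEP,
    'UserWarning: Policy "identity:delete_region":"rule:admin_required" was deprecated in S in favor of "identity:delete_region":"role:admin and system_scope:all". Reason: ...',
    "UserWarning: Policy identity:list_domains failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope.",
]

if __name__ == "__main__":
    overrides, scope_failures = summarize(SAMPLE)
    print(render_policy_yaml(overrides), end="")
    for (name, token, required), hits in sorted(scope_failures.items()):
        print(f"# {name}: {hits} hit(s), {token}-scoped token, needs {required}")
```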

Radosław Piliszek (yoctozepto) wrote :

Upstream knows about the problem: https://bugs.launchpad.net/keystone/+bug/1836568

Changed in kolla-ansible:
status: New → Triaged
importance: Undecided → Medium
summary: - Fresh Stein deployment - keystone logs flooded with each action
+ [keystone] [stein] - logs filled with policy deprecation warnings
description: updated