Bug #1900451 “nova-manage still shows deprecation” : Bugs : OpenStack Compute (nova)

Revision history for this message

Thomas Goirand (thomas-goirand) wrote on 2020-10-19:

#1

Download full text (5.7 KiB)

I've switch Nova in Victoria to using yaml file by default, stored in:

/etc/nova/policy.d/00_default_policy.yaml

In fact, I've switched absolutely all Debian packages to use yaml files this way, and generating whatever oslopolicy-sample-generator outputs. Then, surprisingly, here's the output of nova-manage:

controller-1>_ ~ # su nova -s /bin/sh -c "nova-manage cell_v2 discover_hosts"
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_api":"is_admin:True" was deprecated in 21.0.0 in favor of "system_admin_api":"role:admin and system_scope:all". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_api":"is_admin:True" was deprecated in 21.0.0 in favor of "system_reader_api":"role:reader and system_scope:all". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_api":"is_admin:True" was deprecated in 21.0.0 in favor of "project_admin_api":"role:admin and project_id:%(project_id)s". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" was deprecated in 21.0.0 in favor of "project_member_api":"role:member and project_id:%(project_id)s". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" was deprecated in 21.0.0 in favor of "system_admin_or_owner":"rule:system_admin_api or rule:project_member_api". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into ...

I've switch Nova in Victoria to using yaml file by default, stored in:

/etc/nova/policy.d/00_default_policy.yaml

In fact, I've switched absolutely all Debian packages to use yaml files this way, and generating whatever oslopolicy-sample-generator outputs. Then, surprisingly, here's the output of nova-manage:

controller-1>_ ~ # su nova -s /bin/sh -c "nova-manage cell_v2 discover_hosts"
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_api":"is_admin:True" was deprecated in 21.0.0 in favor of "system_admin_api":"role:admin and system_scope:all". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_api":"is_admin:True" was deprecated in 21.0.0 in favor of "system_reader_api":"role:reader and system_scope:all". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_api":"is_admin:True" was deprecated in 21.0.0 in favor of "project_admin_api":"role:admin and project_id:%(project_id)s". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" was deprecated in 21.0.0 in favor of "project_member_api":"role:member and project_id:%(project_id)s". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" was deprecated in 21.0.0 in favor of "system_admin_or_owner":"rule:system_admin_api or rule:project_member_api". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" was deprecated in 21.0.0 in favor of "system_or_project_reader":"rule:system_reader_api or rule:project_reader_api". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "os_compute_api:os-agents":"rule:admin_api" was deprecated in 21.0.0 in favor of "os_compute_api:os-agents:list":"rule:system_reader_api". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "os_compute_api:os-agents":"rule:admin_api" was deprecated in 21.0.0 in favor of "os_compute_api:os-agents:create":"rule:system_admin_api". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "os_compute_api:os-agents":"rule:admin_api" was deprecated in 21.0.0 in favor of "os_compute_api:os-agents:update":"rule:system_admin_api". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)

[...]

Not pasting everything, because if fills-up 2 screens.

Can this crazyness be fixed? How can I fix this on my side (at least from the package maintainer point of view)? Is there a patch available somewhere for it?

Balazs Gibizer (balazs-gibizer) on 2020-10-20

tags:

added: policy

Revision history for this message

Ghanshyam Mann (ghanshyammann) wrote on 2020-10-20:

#2

we talked about it in Open Infra Forum sessions - https://etherpad.opendev.org/p/consistent-and-secure-default-policies-wallaby

and will continue the discussion in PTG too.

Changed in nova:
assignee:	nobody → Ghanshyam Mann (ghanshyammann)

Balazs Gibizer (balazs-gibizer) on 2020-11-04

Changed in nova:
importance:	Undecided → Medium
status:	New → Confirmed

Revision history for this message

Mesut Muhammet Şahin (messah) wrote on 2023-12-07:

#3

Hi,

This issue still exist. It would be great if we could somehow disable these types of warnings.

OpenStack Compute (nova)

nova-manage still shows deprecation

Bug Description

Other bug subscribers

Remote bug watches