nova-manage still shows deprecation

Bug #1900451 reported by Thomas Goirand
24
This bug affects 4 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Confirmed
Medium
Ghanshyam Mann

Bug Description

When doing something like this:

su nova -s /bin/sh -c "nova-manage cell_v2 discover_hosts"

I see lots of deprecation warnings. There should be a way to disable the warnings, or having them off by default. Discussion should be open on how to fix this.

Tags: policy
Revision history for this message
Thomas Goirand (thomas-goirand) wrote :
Download full text (5.7 KiB)

I've switch Nova in Victoria to using yaml file by default, stored in:

/etc/nova/policy.d/00_default_policy.yaml

In fact, I've switched absolutely all Debian packages to use yaml files this way, and generating whatever oslopolicy-sample-generator outputs. Then, surprisingly, here's the output of nova-manage:

controller-1>_ ~ # su nova -s /bin/sh -c "nova-manage cell_v2 discover_hosts"
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_api":"is_admin:True" was deprecated in 21.0.0 in favor of "system_admin_api":"role:admin and system_scope:all". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_api":"is_admin:True" was deprecated in 21.0.0 in favor of "system_reader_api":"role:reader and system_scope:all". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_api":"is_admin:True" was deprecated in 21.0.0 in favor of "project_admin_api":"role:admin and project_id:%(project_id)s". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" was deprecated in 21.0.0 in favor of "project_member_api":"role:member and project_id:%(project_id)s". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  warnings.warn(deprecated_msg)
/usr/lib/python3/dist-packages/oslo_policy/policy.py:703: UserWarning: Policy "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" was deprecated in 21.0.0 in favor of "system_admin_or_owner":"rule:system_admin_api or rule:project_member_api". Reason:
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into ...

Read more...

tags: added: policy
Revision history for this message
Ghanshyam Mann (ghanshyammann) wrote :

we talked about it in Open Infra Forum sessions - https://etherpad.opendev.org/p/consistent-and-secure-default-policies-wallaby

and will continue the discussion in PTG too.

Changed in nova:
assignee: nobody → Ghanshyam Mann (ghanshyammann)
Changed in nova:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Mesut Muhammet Şahin (messah) wrote :

Hi,

This issue still exist. It would be great if we could somehow disable these types of warnings.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.