From 4b094df5cbed7becbead2eff50c13663537cdc3a Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Wed, 18 Aug 2021 10:44:33 -0500 Subject: [PATCH] Suppress policy deprecation and default change warnings As part of the new policy work, all of the defaults for policies were changed and warnings about it are being emitted constantly in the logs. We can suppress these for now until we are enforcing new defaults. This also suppresses policy deprecation warnings during tests to avoid filling the console with warning messages. Change-Id: Ib2a7a2ed8bcadbb6a002cfa4b34c70910faa4f00 --- glance/api/policy.py | 15 ++++++- .../functional/v2/test_images_api_policy.py | 2 +- .../functional/v2/test_member_api_policy.py | 2 +- .../v2/test_metadef_namespace_api_policy.py | 2 +- .../v2/test_metadef_object_api_policy.py | 2 +- .../unit/api/test_property_protections.py | 8 ++-- .../tests/unit/common/test_property_utils.py | 4 +- glance/tests/unit/test_cache_middleware.py | 12 +++-- glance/tests/unit/test_policy.py | 45 ++++++++++++------- glance/tests/unit/v2/test_images_resource.py | 42 +++++++++++------ 10 files changed, 90 insertions(+), 44 deletions(-) diff --git a/glance/api/policy.py b/glance/api/policy.py index e0925ff2e3..6f6bacc9a1 100644 --- a/glance/api/policy.py +++ b/glance/api/policy.py 
@@ -45,8 +45,21 @@ opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE) class Enforcer(policy.Enforcer): """Responsible for loading and enforcing rules""" - def __init__(self): + def __init__(self, suppress_deprecation_warnings=False): + """Init an policy Enforcer. + :param suppress_deprecation_warnings: Whether to suppress the + deprecation warnings. + """ super(Enforcer, self).__init__(CONF, use_conf=True, overwrite=False) + # NOTE(gmann): Explictly disable the warnings for policies + # changing their default check_str. For new RBAC, all the policy + # defaults have been changed and warning for each policy started + # filling the logs limit for various tool. + # Once we move to new defaults only world then we can enable these + # warning again. + self.suppress_default_change_warnings = True + if suppress_deprecation_warnings: + self.suppress_deprecation_warnings = True self.register_defaults(policies.list_rules()) if CONF.enforce_secure_rbac and CONF.oslo_policy.enforce_new_defaults: LOG.warning(_LW( diff --git a/glance/tests/functional/v2/test_images_api_policy.py b/glance/tests/functional/v2/test_images_api_policy.py index 4e23547359..27c69db622 100644 --- a/glance/tests/functional/v2/test_images_api_policy.py +++ b/glance/tests/functional/v2/test_images_api_policy.py @@ -24,7 +24,7 @@ from glance.tests import functional class TestImagesPolicy(functional.SynchronousAPIBase): def setUp(self): super(TestImagesPolicy, self).setUp() - self.policy = policy.Enforcer() + self.policy = policy.Enforcer(suppress_deprecation_warnings=True) def set_policy_rules(self, rules): self.policy.set_rules( diff --git a/glance/tests/functional/v2/test_member_api_policy.py b/glance/tests/functional/v2/test_member_api_policy.py index 92f5a907a7..57d586ed6c 100644 --- a/glance/tests/functional/v2/test_member_api_policy.py +++ b/glance/tests/functional/v2/test_member_api_policy.py 
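Review bot: The `self.suppress_default_change_warnings = True` assignment in `Enforcer.__init__` is unconditional, so a deployment still running on the old defaults loses the log signal that the check strings governing API access have changed, and nothing in this hunk lets an operator turn it back on. Because these are authorization defaults, I would record the suppression once at startup, e.g. `LOG.info("Policy default-change warnings are suppressed; review the policy defaults before enabling enforce_new_defaults")`, and add a release note; using `info` keeps the existing `mock_log.warning` assertions in test_policy.py valid. None of the visible test hunks asserts that either suppress attribute ends up set on the enforcer, so a later regression in this constructor would go unnoticed. Minor wording: the docstring reads "Init an policy Enforcer" and the NOTE spells "Explictly". The body of `__init__` continues past the end of the hunk, so the rest of the constructor was not reviewed.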
@@ -25,7 +25,7 @@ from glance.tests import functional class TestImageMembersPolicy(functional.SynchronousAPIBase): def setUp(self): super(TestImageMembersPolicy, self).setUp() - self.policy = policy.Enforcer() + self.policy = policy.Enforcer(suppress_deprecation_warnings=True) def load_data(self, share_image=False): output = {} diff --git a/glance/tests/functional/v2/test_metadef_namespace_api_policy.py b/glance/tests/functional/v2/test_metadef_namespace_api_policy.py index 61a80d09e4..3a040d15ca 100644 --- a/glance/tests/functional/v2/test_metadef_namespace_api_policy.py +++ b/glance/tests/functional/v2/test_metadef_namespace_api_policy.py @@ -69,7 +69,7 @@ NAME_SPACE2 = { class TestMetadefNamespacesPolicy(functional.SynchronousAPIBase): def setUp(self): super(TestMetadefNamespacesPolicy, self).setUp() - self.policy = policy.Enforcer() + self.policy = policy.Enforcer(suppress_deprecation_warnings=True) def set_policy_rules(self, rules): self.policy.set_rules( diff --git a/glance/tests/functional/v2/test_metadef_object_api_policy.py b/glance/tests/functional/v2/test_metadef_object_api_policy.py index a5fefc4eee..d87256b089 100644 --- a/glance/tests/functional/v2/test_metadef_object_api_policy.py +++ b/glance/tests/functional/v2/test_metadef_object_api_policy.py @@ -54,7 +54,7 @@ NAME_SPACE1 = { class TestMetadefObjectsPolicy(functional.SynchronousAPIBase): def setUp(self): super(TestMetadefObjectsPolicy, self).setUp() - self.policy = policy.Enforcer() + self.policy = policy.Enforcer(suppress_deprecation_warnings=True) def load_data(self, create_objects=False): path = '/v2/metadefs/namespaces' diff --git a/glance/tests/unit/api/test_property_protections.py b/glance/tests/unit/api/test_property_protections.py index d6b3162657..103ca94063 100644 --- a/glance/tests/unit/api/test_property_protections.py +++ b/glance/tests/unit/api/test_property_protections.py 
@@ -47,7 +47,7 @@ class TestProtectedImageRepoProxy(utils.BaseTestCase): def setUp(self): super(TestProtectedImageRepoProxy, self).setUp() self.set_property_protections() - self.policy = policy.Enforcer() + self.policy = policy.Enforcer(suppress_deprecation_warnings=True) self.property_rules = property_utils.PropertyRules(self.policy) self.image_factory = glance.domain.ImageFactory() extra_props = {'spl_create_prop': 'c', @@ -101,7 +101,7 @@ class TestProtectedImageProxy(utils.BaseTestCase): def setUp(self): super(TestProtectedImageProxy, self).setUp() self.set_property_protections() - self.policy = policy.Enforcer() + self.policy = policy.Enforcer(suppress_deprecation_warnings=True) self.property_rules = property_utils.PropertyRules(self.policy) class ImageStub(object): @@ -124,7 +124,7 @@ class TestExtraPropertiesProxy(utils.BaseTestCase): def setUp(self): super(TestExtraPropertiesProxy, self).setUp() self.set_property_protections() - self.policy = policy.Enforcer() + self.policy = policy.Enforcer(suppress_deprecation_warnings=True) self.property_rules = property_utils.PropertyRules(self.policy) def test_read_extra_property_as_admin_role(self): @@ -239,7 +239,7 @@ class TestProtectedImageFactoryProxy(utils.BaseTestCase): def setUp(self): super(TestProtectedImageFactoryProxy, self).setUp() self.set_property_protections() - self.policy = policy.Enforcer() + self.policy = policy.Enforcer(suppress_deprecation_warnings=True) self.property_rules = property_utils.PropertyRules(self.policy) self.factory = glance.domain.ImageFactory() diff --git a/glance/tests/unit/common/test_property_utils.py b/glance/tests/unit/common/test_property_utils.py index f526b0bfb2..82aeb3f140 100644 --- a/glance/tests/unit/common/test_property_utils.py +++ b/glance/tests/unit/common/test_property_utils.py 
@@ -55,7 +55,7 @@ class TestPropertyRulesWithRoles(base.IsolatedUnitTest): def setUp(self): super(TestPropertyRulesWithRoles, self).setUp() self.set_property_protections() - self.policy = policy.Enforcer() + self.policy = policy.Enforcer(suppress_deprecation_warnings=True) def test_is_property_protections_enabled_true(self): self.config(property_protection_file="property-protections.conf") @@ -329,7 +329,7 @@ class TestPropertyRulesWithPolicies(base.IsolatedUnitTest): def setUp(self): super(TestPropertyRulesWithPolicies, self).setUp() self.set_property_protections(use_policies=True) - self.policy = policy.Enforcer() + self.policy = policy.Enforcer(suppress_deprecation_warnings=True) self.rules_checker = property_utils.PropertyRules(self.policy) def test_check_property_rules_create_permitted_specific_policy(self): diff --git a/glance/tests/unit/test_cache_middleware.py b/glance/tests/unit/test_cache_middleware.py index 49f1198f9a..ae74a1f7b5 100644 --- a/glance/tests/unit/test_cache_middleware.py +++ b/glance/tests/unit/test_cache_middleware.py @@ -171,7 +171,8 @@ class ProcessRequestTestCacheFilter(glance.api.middleware.cache.CacheFilter): class TestCacheMiddlewareProcessRequest(base.IsolatedUnitTest): def _enforcer_from_rules(self, unparsed_rules): rules = policy.Rules.from_dict(unparsed_rules) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) enforcer.set_rules(rules, overwrite=True) return enforcer @@ -363,7 +364,8 @@ class TestCacheMiddlewareProcessRequest(base.IsolatedUnitTest): "download_image": "role:admin or rule:restricted" } self.set_policy_rules(rules) - cache_filter.policy = glance.api.policy.Enforcer() + cache_filter.policy = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) actual = cache_filter.process_request(request) self.assertTrue(actual) 
@@ -406,7 +408,8 @@ class TestCacheMiddlewareProcessResponse(base.IsolatedUnitTest): "download_image": "role:admin or rule:restricted" } self.set_policy_rules(rules) - cache_filter.policy = glance.api.policy.Enforcer() + cache_filter.policy = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) request = webob.Request.blank('/v2/images/test1/file') request.context = context.RequestContext(roles=['_member_']) @@ -443,7 +446,8 @@ class TestCacheMiddlewareProcessResponse(base.IsolatedUnitTest): "download_image": "role:admin or rule:restricted" } self.set_policy_rules(rules) - cache_filter.policy = glance.api.policy.Enforcer() + cache_filter.policy = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) request = webob.Request.blank('/v2/images/test1/file') request.context = context.RequestContext(roles=['member']) diff --git a/glance/tests/unit/test_policy.py b/glance/tests/unit/test_policy.py index 0a2550a806..bdfab871d5 100644 --- a/glance/tests/unit/test_policy.py +++ b/glance/tests/unit/test_policy.py @@ -258,7 +258,8 @@ class MdTagRepoStub(object): class TestPolicyEnforcer(base.IsolatedUnitTest): def test_policy_enforce_unregistered(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=[]) self.assertRaises(glance.api.policy.policy.PolicyNotRegistered, @@ -266,7 +267,8 @@ class TestPolicyEnforcer(base.IsolatedUnitTest): context, 'wibble', {}) def test_policy_check_unregistered(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=[]) self.assertRaises(glance.api.policy.policy.PolicyNotRegistered, 
@@ -274,7 +276,8 @@ class TestPolicyEnforcer(base.IsolatedUnitTest): context, 'wibble', {}) def test_policy_file_default_rules_default_location(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=['reader']) enforcer.enforce(context, 'get_image', @@ -284,7 +287,8 @@ class TestPolicyEnforcer(base.IsolatedUnitTest): rules = {"get_image": '!'} self.set_policy_rules(rules) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=[]) self.assertRaises(exception.Forbidden, @@ -297,7 +301,8 @@ class TestPolicyEnforcer(base.IsolatedUnitTest): rules = {"get_image": '!'} self.set_policy_rules(rules) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=[]) self.assertRaises(exception.Forbidden, @@ -310,7 +315,8 @@ class TestPolicyEnforcer(base.IsolatedUnitTest): rules = {"get_image": '!'} self.set_policy_rules(rules) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=[]) self.assertEqual(False, enforcer.check(context, 'get_image', {})) @@ -319,7 +325,8 @@ class TestPolicyEnforcer(base.IsolatedUnitTest): rules = {"default": ''} self.set_policy_rules(rules) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=[]) self.assertEqual(True, enforcer.check(context, 'get_image', {})) 
@@ -328,7 +335,8 @@ class TestPolicyEnforcer(base.IsolatedUnitTest): rules = {"default": '!'} self.set_policy_rules(rules) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=[]) self.assertRaises(exception.Forbidden, @@ -339,7 +347,8 @@ class TestPolicyEnforcer(base.IsolatedUnitTest): rule = common_policy.RuleDefault( name=policy_name, check_str='role:bar', scope_types=['system']) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) enforcer.register_default(rule) context = glance.context.RequestContext( @@ -368,7 +377,8 @@ class TestPolicyEnforcer(base.IsolatedUnitTest): context = glance.context.RequestContext() mock_enforcer = self.mock_object(common_policy.Enforcer, 'enforce') - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) enforcer.register_default( common_policy.RuleDefault(name='foo', check_str='role:bar') ) @@ -397,13 +407,15 @@ class TestPolicyEnforcer(base.IsolatedUnitTest): "personas, specifically for system-scope." ) with mock.patch.object(glance.api.policy, 'LOG') as mock_log: - glance.api.policy.Enforcer() + glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) mock_log.warning.assert_called_once_with(expected_log_string) def test_ensure_experimental_warning_is_not_logged_for_legacy_rbac(self): self.config(enforce_new_defaults=False, group='oslo_policy') with mock.patch.object(glance.api.policy, 'LOG') as mock_log: - glance.api.policy.Enforcer() + glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) mock_log.warning.assert_not_called() 
@@ -413,7 +425,8 @@ class TestPolicyEnforcerNoFile(base.IsolatedUnitTest): """Missing defined policy file should result in a default ruleset""" self.config(policy_file='gobble.gobble', group='oslo_policy') self.config(enforce_new_defaults=True, group='oslo_policy') - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=[]) self.assertRaises(exception.Forbidden, @@ -433,7 +446,8 @@ class TestPolicyEnforcerNoFile(base.IsolatedUnitTest): self.mock_object(oslo_config.cfg.ConfigOpts, 'find_file', fake_find_file) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=[]) self.assertRaises(exception.Forbidden, @@ -1029,7 +1043,8 @@ class TestContextPolicyEnforcer(base.IsolatedUnitTest): rules = {'context_is_admin': 'role:%s' % policy_admin_role} self.set_policy_rules(rules) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) context = glance.context.RequestContext(roles=[context_role], is_admin=context_is_admin, diff --git a/glance/tests/unit/v2/test_images_resource.py b/glance/tests/unit/v2/test_images_resource.py index cb99cc5a34..45ccfa57d5 100644 --- a/glance/tests/unit/v2/test_images_resource.py +++ b/glance/tests/unit/v2/test_images_resource.py @@ -1552,7 +1552,8 @@ class TestImagesController(base.IsolatedUnitTest): self.controller.update, request, UUID1, changes) def test_prop_protection_with_create_and_permitted_role(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, 
@@ -1573,7 +1574,8 @@ class TestImagesController(base.IsolatedUnitTest): def test_prop_protection_with_update_and_permitted_policy(self): self.set_property_protections(use_policies=True) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, @@ -1601,7 +1603,8 @@ class TestImagesController(base.IsolatedUnitTest): def test_prop_protection_with_create_with_patch_and_policy(self): self.set_property_protections(use_policies=True) - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, @@ -1627,7 +1630,8 @@ class TestImagesController(base.IsolatedUnitTest): output.extra_properties['spl_creator_policy']) def test_prop_protection_with_create_and_unpermitted_role(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, @@ -1648,7 +1652,8 @@ class TestImagesController(base.IsolatedUnitTest): created_image.image_id, changes) def test_prop_protection_with_show_and_permitted_role(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, @@ -1666,7 +1671,8 @@ class TestImagesController(base.IsolatedUnitTest): self.assertEqual('bar', output.extra_properties['x_owner_foo']) def test_prop_protection_with_show_and_unpermitted_role(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, 
@@ -1685,7 +1691,8 @@ class TestImagesController(base.IsolatedUnitTest): 'x_owner_foo') def test_prop_protection_with_update_and_permitted_role(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, @@ -1706,7 +1713,8 @@ class TestImagesController(base.IsolatedUnitTest): self.assertEqual('baz', output.extra_properties['x_owner_foo']) def test_prop_protection_with_update_and_unpermitted_role(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, @@ -1726,7 +1734,8 @@ class TestImagesController(base.IsolatedUnitTest): another_request, created_image.image_id, changes) def test_prop_protection_with_delete_and_permitted_role(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, @@ -1748,7 +1757,8 @@ class TestImagesController(base.IsolatedUnitTest): 'x_owner_foo') def test_prop_protection_with_delete_and_unpermitted_role(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, @@ -1768,7 +1778,8 @@ class TestImagesController(base.IsolatedUnitTest): another_request, created_image.image_id, changes) def test_create_protected_prop_case_insensitive(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, 
@@ -1788,7 +1799,8 @@ class TestImagesController(base.IsolatedUnitTest): self.assertEqual('1', output.extra_properties['x_case_insensitive']) def test_read_protected_prop_case_insensitive(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, @@ -1806,7 +1818,8 @@ class TestImagesController(base.IsolatedUnitTest): self.assertEqual('1', output.extra_properties['x_case_insensitive']) def test_update_protected_prop_case_insensitive(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier, @@ -1827,7 +1840,8 @@ class TestImagesController(base.IsolatedUnitTest): self.assertEqual('2', output.extra_properties['x_case_insensitive']) def test_delete_protected_prop_case_insensitive(self): - enforcer = glance.api.policy.Enforcer() + enforcer = glance.api.policy.Enforcer( + suppress_deprecation_warnings=True) self.controller = glance.api.v2.images.ImagesController(self.db, enforcer, self.notifier,