Fix & suppress oslo policy warnings

This fix the below warning for DeprecatedRule:

Since 3.7.0, oslo policy started the DeprecationWarning[1] if
deprecated_reason and deprecated_since param are not passed
in DeprecatedRule or they are passed in RuleDefault object.

Andf suppress the policy deprecation and default change warnings

Oslo policy log warnings if defaults for policies are changed.
With new RBAC change every policy rules' default is changed,
which end up lot of warnings in logs. We can suppress these for now
until we are enforcing new defaults.

- https://zuul.opendev.org/t/openstack/build/5cefaef6d02a4b7abe3c449491b81e68/log/job-output.txt#879

[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538

Change-Id: If481a5afc3b23d1d196ffd7576d0784a9702da59

ironic_inspector/policy.py

@@ -98,35 +98,51 @@ api_version_policies = [
 
 deprecated_introspection_status = policy.DeprecatedRule(
     name='introspection:status',
-    check_str='rule:is_admin or rule:is_observer'
+    check_str='rule:is_admin or rule:is_observer',
+    deprecated_reason=deprecated_node_reason,
+    deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_introspection_start = policy.DeprecatedRule(
     name='introspection:start',
-    check_str='rule:is_admin'
+    check_str='rule:is_admin',
+    deprecated_reason=deprecated_node_reason,
+    deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_introspection_abort = policy.DeprecatedRule(
     name='introspection:abort',
-    check_str='rule:is_admin'
+    check_str='rule:is_admin',
+    deprecated_reason=deprecated_node_reason,
+    deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_introspection_data = policy.DeprecatedRule(
     name='introspection:data',
-    check_str='rule:is_admin'
+    check_str='rule:is_admin',
+    deprecated_reason=deprecated_node_reason,
+    deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_introspection_reapply = policy.DeprecatedRule(
     name='introspection:reapply',
-    check_str='rule:is_admin'
+    check_str='rule:is_admin',
+    deprecated_reason=deprecated_node_reason,
+    deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_introspection_rule_get = policy.DeprecatedRule(
     name='introspection:rule:get',
-    check_str='rule:is_admin'
+    check_str='rule:is_admin',
+    deprecated_reason=deprecated_node_reason,
+    deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_introspection_rule_delete = policy.DeprecatedRule(
     name='introspection:rule:delete',
-    check_str='rule:is_admin'
+    check_str='rule:is_admin',
+    deprecated_reason=deprecated_node_reason,
+    deprecated_since=versionutils.deprecated.WALLABY
 )
 deprecated_introspection_rule_create = policy.DeprecatedRule(
     name='introspection:rule:create',
-    check_str='rule:is_admin'
+    check_str='rule:is_admin',
+    deprecated_reason=deprecated_node_reason,
+    deprecated_since=versionutils.deprecated.WALLABY
 )
 
 introspection_policies = [
@@ -142,18 +158,14 @@ introspection_policies = [
         description='Get introspection status',
         operations=[{'path': '/introspection', 'method': 'GET'},
                     {'path': '/introspection/{node_id}', 'method': 'GET'}],
-        deprecated_rule=deprecated_introspection_status,
+        deprecated_rule=deprecated_introspection_status
-        deprecated_reason=deprecated_node_reason,
-        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
         name='introspection:start',
         check_str=SYSTEM_ADMIN,
         description='Start introspection',
         operations=[{'path': '/introspection/{node_id}', 'method': 'POST'}],
-        deprecated_rule=deprecated_introspection_start,
+        deprecated_rule=deprecated_introspection_start
-        deprecated_reason=deprecated_node_reason,
-        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
         name='introspection:abort',
@@ -161,9 +173,7 @@ introspection_policies = [
         description='Abort introspection',
         operations=[{'path': '/introspection/{node_id}/abort',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_introspection_abort,
+        deprecated_rule=deprecated_introspection_abort
-        deprecated_reason=deprecated_node_reason,
-        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
         name='introspection:data',
@@ -171,9 +181,7 @@ introspection_policies = [
         description='Get introspection data',
         operations=[{'path': '/introspection/{node_id}/data',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_introspection_data,
+        deprecated_rule=deprecated_introspection_data
-        deprecated_reason=deprecated_node_reason,
-        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
         name='introspection:reapply',
@@ -181,9 +189,7 @@ introspection_policies = [
         description='Reapply introspection on stored data',
         operations=[{'path': '/introspection/{node_id}/data/unprocessed',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_introspection_reapply,
+        deprecated_rule=deprecated_introspection_reapply
-        deprecated_reason=deprecated_node_reason,
-        deprecated_since=versionutils.deprecated.WALLABY
     ),
 ]
 
@@ -194,9 +200,7 @@ rule_policies = [
         description='Get introspection rule(s)',
         operations=[{'path': '/rules', 'method': 'GET'},
                     {'path': '/rules/{rule_id}', 'method': 'GET'}],
-        deprecated_rule=deprecated_introspection_rule_get,
+        deprecated_rule=deprecated_introspection_rule_get
-        deprecated_reason=deprecated_node_reason,
-        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
         name='introspection:rule:delete',
@@ -204,18 +208,14 @@ rule_policies = [
         description='Delete introspection rule(s)',
         operations=[{'path': '/rules', 'method': 'DELETE'},
                     {'path': '/rules/{rule_id}', 'method': 'DELETE'}],
-        deprecated_rule=deprecated_introspection_rule_delete,
+        deprecated_rule=deprecated_introspection_rule_delete
-        deprecated_reason=deprecated_node_reason,
-        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
         name='introspection:rule:create',
         check_str=SYSTEM_ADMIN,
         description='Create introspection rule',
         operations=[{'path': '/rules', 'method': 'POST'}],
-        deprecated_rule=deprecated_introspection_rule_create,
+        deprecated_rule=deprecated_introspection_rule_create
-        deprecated_reason=deprecated_node_reason,
-        deprecated_since=versionutils.deprecated.WALLABY
     ),
 ]
 
@@ -257,6 +257,15 @@ def init_enforcer(policy_file=None, rules=None,
         rules=rules,
         default_rule=default_rule,
         use_conf=use_conf)
+
+    # NOTE(gmann): Explictly disable the warnings for policies
+    # changing their default check_str. With new RBAC policy
+    # work, all the policy defaults have been changed and warning for
+    # each policy started filling the logs limit for various tool.
+    # Once we move to new defaults only world then we can enable these
+    # warning again.
+    _ENFORCER.suppress_default_change_warnings = True
+
     _ENFORCER.register_defaults(list_policies())
 
 

ironic_inspector/test/unit/policy_fixture.py

@@ -38,3 +38,4 @@ class PolicyFixture(fixtures.Fixture):
         CONF.set_override('policy_file', self.policy_file_name, 'oslo_policy')
         inspector_policy._ENFORCER = None
         self.addCleanup(inspector_policy.get_enforcer().clear)
+        inspector_policy._ENFORCER.suppress_deprecation_warnings = True

requirements.txt

@@ -25,7 +25,7 @@ oslo.i18n>=3.15.3 # Apache-2.0
 oslo.log>=3.36.0 # Apache-2.0
 oslo.messaging>=5.32.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=3.6.0 # Apache-2.0
+oslo.policy>=3.7.0 # Apache-2.0
 oslo.rootwrap>=5.8.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0