From de712bf467888b05de14bcbe6e65cc1765692c62 Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Thu, 10 Aug 2017 00:07:31 -0700
Subject: [PATCH] Log policy filters in one line

Rather than generating an entire log line for each policy that filters out an attribute, we can instead log the excluded attributes once after all of the policy checks are done. This only applies to the policy checks, policy enforcements (e.g. preventing a user from entering a field value on create) are still logged individually.
Partial-Bug: #1707307
Change-Id: I77401e30cb220901dacd61028acde4c79001ed9b
(cherry picked from commit 62c1a4b6873d0b2382349ece65545bf28c9c87ca)
---
 neutron/pecan_wsgi/hooks/policy_enforcement.py | 6 ++++++
 neutron/policy.py | 3 ---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/neutron/pecan_wsgi/hooks/policy_enforcement.py b/neutron/pecan_wsgi/hooks/policy_enforcement.py
index 297cbbe7ae7..fdcfef0b40e 100644
--- a/neutron/pecan_wsgi/hooks/policy_enforcement.py
+++ b/neutron/pecan_wsgi/hooks/policy_enforcement.py
@@ -15,6 +15,7 @@
 import copy
+from oslo_log import log as logging
 from oslo_policy import policy as oslo_policy
 from oslo_utils import excutils
 from pecan import hooks
@@ -29,6 +30,8 @@ from neutron.pecan_wsgi.controllers import quota
 from neutron.pecan_wsgi.hooks import utils
 from neutron import policy
+LOG = logging.getLogger(__name__)
+
 def _custom_getter(resource, resource_id):
 """Helper function to retrieve resources not served by any plugin."""
@@ -250,4 +253,7 @@ class PolicyHook(hooks.PecanHook):
 # This should be migrated to project_id later.
 if attr_name == 'tenant_id':
 attributes_to_exclude.append('project_id')
+ if attributes_to_exclude:
+ LOG.debug("Attributes excluded by policy engine: %s",
+ attributes_to_exclude)
 return attributes_to_exclude
diff --git a/neutron/policy.py b/neutron/policy.py
index 51e9c3ef2cd..29effa62057 100644
--- a/neutron/policy.py
+++ b/neutron/policy.py
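Review bot: The `LOG.debug` added at the end of the `PolicyHook` hunk records only the excluded attribute names, so once `log_rule_list(match_rule)` is removed from `check()` in neutron/policy.py the log no longer shows which rule denied an attribute or which resource was being filtered. That context is what an operator needs when auditing or troubleshooting a policy decision; consider naming the resource in the message, for example `LOG.debug("Attributes excluded by policy engine for %s: %s", resource, attributes_to_exclude)`, assuming the enclosing method (whose signature is outside this hunk) has the resource name in scope under that name. `check()` looks like a shared entry point, so any caller other than this hook (none are visible in this patch) would presumably lose its failure log entirely, which is worth confirming before merging.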
@@ -368,9 +368,6 @@ def check(context, action, target, plugin=None, might_not_exist=False,
 target,
 credentials,
 pluralized=pluralized)
- # logging applied rules in case of failure
- if not result:
- log_rule_list(match_rule)
 return result