openstack/oslo.policy
Code Issues Proposed changes

Merge "Add documentation parameters for DeprecatedRule"

Browse Source
This commit is contained in:
Zuul 2021-02-17 15:19:13 +00:00 committed by Gerrit Code Review
commit d3185debdb
5 changed files with 197 additions and 122 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
oslo_policy/generator.py
View File

@ -204,21 +204,32 @@ def _format_rule_default_yaml(default, include_help=True, comment_rule=True,
'reason': _format_help_text(default.deprecated_reason), 'reason': _format_help_text(default.deprecated_reason),
'text': text} 'text': text}
elif add_deprecated_rules and default.deprecated_rule: elif add_deprecated_rules and default.deprecated_rule:
deprecated_reason = (
default.deprecated_rule.deprecated_reason or
default.deprecated_reason
)
deprecated_since = (
default.deprecated_rule.deprecated_since or
default.deprecated_since
)
# This issues a deprecation warning but aliases the old policy name # This issues a deprecation warning but aliases the old policy name
# with the new policy name for compatibility. # with the new policy name for compatibility.
deprecated_text = ( deprecated_text = (
'"%(old_name)s":"%(old_check_str)s" has been deprecated ' '"%(old_name)s":"%(old_check_str)s" has been deprecated '
'since %(since)s in favor of "%(name)s":"%(check_str)s".' 'since %(since)s in favor of "%(name)s":"%(check_str)s".'
) % {'old_name': default.deprecated_rule.name, ) % {
'old_check_str': default.deprecated_rule.check_str, 'old_name': default.deprecated_rule.name,
'since': default.deprecated_since, 'old_check_str': default.deprecated_rule.check_str,
'name': default.name, 'since': deprecated_since,
'check_str': default.check_str, 'name': default.name,
} 'check_str': default.check_str,
text = ('%(text)s# DEPRECATED\n%(deprecated_text)s\n%(reason)s\n' % }
{'text': text, text = '%(text)s# DEPRECATED\n%(deprecated_text)s\n%(reason)s\n' % {
'reason': _format_help_text(default.deprecated_reason), 'text': text,
'deprecated_text': _format_help_text(deprecated_text)}) 'reason': _format_help_text(deprecated_reason),
'deprecated_text': _format_help_text(deprecated_text)
}
if default.name != default.deprecated_rule.name: if default.name != default.deprecated_rule.name:
text += ('"%(old_name)s": "rule:%(name)s"\n' % text += ('"%(old_name)s": "rule:%(name)s"\n' %

105
oslo_policy/policy.py
View File

@ -225,6 +225,7 @@ import collections.abc
import copy import copy
import logging import logging
import os import os
import typing as ty
import warnings import warnings
from oslo_config import cfg from oslo_config import cfg
@ -704,6 +705,10 @@ class Enforcer(object):
return return
deprecated_rule = default.deprecated_rule deprecated_rule = default.deprecated_rule
deprecated_reason = (
deprecated_rule.deprecated_reason or default.deprecated_reason)
deprecated_since = (
deprecated_rule.deprecated_since or default.deprecated_since)
deprecated_msg = ( deprecated_msg = (
'Policy "%(old_name)s":"%(old_check_str)s" was deprecated in ' 'Policy "%(old_name)s":"%(old_check_str)s" was deprecated in '
@ -713,10 +718,10 @@ class Enforcer(object):
'file and maintain it manually.' % { 'file and maintain it manually.' % {
'old_name': deprecated_rule.name, 'old_name': deprecated_rule.name,
'old_check_str': deprecated_rule.check_str, 'old_check_str': deprecated_rule.check_str,
'release': default.deprecated_since, 'release': deprecated_since,
'name': default.name, 'name': default.name,
'check_str': default.check_str, 'check_str': default.check_str,
'reason': default.deprecated_reason 'reason': deprecated_reason,
} }
) )
@ -1163,21 +1168,20 @@ class RuleDefault(object):
:param scope_types: A list containing the intended scopes of the operation :param scope_types: A list containing the intended scopes of the operation
being done. being done.
.. versionchanged 1.29 .. versionchanged:: 1.29
Added *deprecated_rule* parameter. Added *deprecated_rule* parameter.
.. versionchanged 1.29 .. versionchanged:: 1.29
Added *deprecated_for_removal* parameter. Added *deprecated_for_removal* parameter.
.. versionchanged 1.29 .. versionchanged:: 1.29
Added *deprecated_reason* parameter. Added *deprecated_reason* parameter.
.. versionchanged 1.29 .. versionchanged:: 1.29
Added *deprecated_since* parameter. Added *deprecated_since* parameter.
.. versionchanged 1.31 .. versionchanged:: 1.31
Added *scope_types* parameter. Added *scope_types* parameter.
""" """
def __init__(self, name, check_str, description=None, def __init__(self, name, check_str, description=None,
deprecated_rule=None, deprecated_for_removal=False, deprecated_rule=None, deprecated_for_removal=False,
@ -1199,13 +1203,23 @@ class RuleDefault(object):
'deprecated_rule must be a DeprecatedRule object.' 'deprecated_rule must be a DeprecatedRule object.'
) )
if (deprecated_for_removal or deprecated_rule) and ( # if this rule is being deprecated, we need to provide a deprecation
deprecated_reason is None or deprecated_since is None): # reason here, but if this rule is replacing another rule, then the
raise ValueError( # deprecation reason belongs on that other rule
'%(name)s deprecated without deprecated_reason or ' if deprecated_for_removal:
'deprecated_since. Both must be supplied if deprecating a ' if deprecated_reason is None or deprecated_since is None:
'policy' % {'name': self.name} raise ValueError(
) '%(name)s deprecated without deprecated_reason or '
'deprecated_since. Both must be supplied if deprecating a '
'policy' % {'name': self.name}
)
elif deprecated_rule and (deprecated_reason or deprecated_since):
warnings.warn(
f'{name} should not configure deprecated_reason or '
f'deprecated_since as these should be configured on the '
f'DeprecatedRule indicated by deprecated_rule. '
f'This will be an error in a future release',
DeprecationWarning)
if scope_types: if scope_types:
msg = 'scope_types must be a list of strings.' msg = 'scope_types must be a list of strings.'
@ -1330,6 +1344,8 @@ class DeprecatedRule(object):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:create_bar', name='foo:create_bar',
check_str='role:fizz' check_str='role:fizz'
deprecated_reason='role:bang is a better default',
deprecated_since='N',
) )
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
@ -1338,8 +1354,6 @@ class DeprecatedRule(object):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='role:bang is a better default',
deprecated_since='N'
) )
DeprecatedRule can be used to change the policy name itself. Assume the DeprecatedRule can be used to change the policy name itself. Assume the
@ -1361,6 +1375,8 @@ class DeprecatedRule(object):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:post_bar', name='foo:post_bar',
check_str='role:fizz' check_str='role:fizz'
deprecated_reason='foo:create_bar is more consistent',
deprecated_since='N',
) )
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
@ -1369,8 +1385,6 @@ class DeprecatedRule(object):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='foo:create_bar is more consistent',
deprecated_since='N'
) )
Finally, let's use DeprecatedRule to break a policy into more granular Finally, let's use DeprecatedRule to break a policy into more granular
@ -1415,6 +1429,10 @@ class DeprecatedRule(object):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:bar', name='foo:bar',
check_str='role:bazz' check_str='role:bazz'
deprecated_reason=(
'foo:bar has been replaced by more granular policies'
),
deprecated_since='N',
) )
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
@ -1423,8 +1441,6 @@ class DeprecatedRule(object):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='foo:create_bar is more granular than foo:bar',
deprecated_since='N'
) )
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='foo:list_bars', name='foo:list_bars',
@ -1432,8 +1448,6 @@ class DeprecatedRule(object):
description='List bars.', description='List bars.',
operations=[{'path': '/v1/bars', 'method': 'GET'}], operations=[{'path': '/v1/bars', 'method': 'GET'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='foo:list_bars is more granular than foo:bar',
deprecated_since='N'
) )
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='foo:get_bar', name='foo:get_bar',
@ -1441,8 +1455,6 @@ class DeprecatedRule(object):
description='Get a bar.', description='Get a bar.',
operations=[{'path': '/v1/bars/{bar_id}', 'method': 'GET'}], operations=[{'path': '/v1/bars/{bar_id}', 'method': 'GET'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='foo:get_bar is more granular than foo:bar',
deprecated_since='N'
) )
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='foo:update_bar', name='foo:update_bar',
@ -1450,8 +1462,6 @@ class DeprecatedRule(object):
description='Update a bar.', description='Update a bar.',
operations=[{'path': '/v1/bars/{bar_id}', 'method': 'PATCH'}], operations=[{'path': '/v1/bars/{bar_id}', 'method': 'PATCH'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='foo:update_bar is more granular than foo:bar',
deprecated_since='N'
) )
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='foo:delete_bar', name='foo:delete_bar',
@ -1459,19 +1469,42 @@ class DeprecatedRule(object):
description='Delete a bar.', description='Delete a bar.',
operations=[{'path': '/v1/bars/{bar_id}', 'method': 'DELETE'}], operations=[{'path': '/v1/bars/{bar_id}', 'method': 'DELETE'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='foo:delete_bar is more granular than foo:bar',
deprecated_since='N'
) )
.. versionchanged 1.29 :param name: The name of the policy. This is used when referencing it
from another rule or during policy enforcement.
:param check_str: The policy. This is a string defining a policy that
conforms to the policy language outlined at the top of the file.
:param deprecated_reason: indicates why this policy is planned for removal
in a future release.
:param deprecated_since: indicates which release this policy was deprecated
in. Accepts any string, though valid version strings are encouraged.
.. versionchanged:: 1.29
Added *DeprecatedRule* object. Added *DeprecatedRule* object.
.. versionchanged:: 3.4
Added *deprecated_reason* parameter.
.. versionchanged:: 3.4
Added *deprecated_since* parameter.
""" """
def __init__(self, name, check_str): def __init__(
"""Construct a DeprecatedRule object. self,
name: str,
:param name: the policy name check_str: str,
:param check_str: the value of the policy's check string *,
""" deprecated_reason: ty.Optional[str] = None,
deprecated_since: ty.Optional[str] = None,
):
self.name = name self.name = name
self.check_str = check_str self.check_str = check_str
self.deprecated_reason = deprecated_reason
self.deprecated_since = deprecated_since
if not deprecated_reason or not deprecated_since:
warnings.warn(
f'{name} deprecated without deprecated_reason or '
f'deprecated_since. This will be an error in a future release',
DeprecationWarning)

50
oslo_policy/tests/test_generator.py
View File

@ -194,17 +194,17 @@ class GenerateSampleYAMLTestCase(base.PolicyBaseTestCase):
def test_deprecated_policies_are_aliased_to_new_names(self): def test_deprecated_policies_are_aliased_to_new_names(self):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:post_bar', name='foo:post_bar',
check_str='role:fizz' check_str='role:fizz',
deprecated_reason=(
'foo:post_bar is being removed in favor of foo:create_bar'
),
deprecated_since='N',
) )
new_rule = policy.RuleDefault( new_rule = policy.RuleDefault(
name='foo:create_bar', name='foo:create_bar',
check_str='role:fizz', check_str='role:fizz',
description='Create a bar.', description='Create a bar.',
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason=(
'foo:post_bar is being removed in favor of foo:create_bar'
),
deprecated_since='N'
) )
opts = {'rules': [new_rule]} opts = {'rules': [new_rule]}
@ -240,17 +240,17 @@ class GenerateSampleYAMLTestCase(base.PolicyBaseTestCase):
def test_deprecated_policies_with_same_name(self): def test_deprecated_policies_with_same_name(self):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:create_bar', name='foo:create_bar',
check_str='role:old' check_str='role:old',
deprecated_reason=(
'role:fizz is a more sane default for foo:create_bar'
),
deprecated_since='N',
) )
new_rule = policy.RuleDefault( new_rule = policy.RuleDefault(
name='foo:create_bar', name='foo:create_bar',
check_str='role:fizz', check_str='role:fizz',
description='Create a bar.', description='Create a bar.',
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason=(
'role:fizz is a more sane default for foo:create_bar'
),
deprecated_since='N'
) )
opts = {'rules': [new_rule]} opts = {'rules': [new_rule]}
@ -606,12 +606,18 @@ class ListRedundantTestCase(base.PolicyBaseTestCase):
enforcer.register_default( enforcer.register_default(
policy.RuleDefault('owner', 'project_id:%(project_id)s')) policy.RuleDefault('owner', 'project_id:%(project_id)s'))
# register a new opt # register a new opt
deprecated_rule = policy.DeprecatedRule('old_foo', 'role:bar') deprecated_rule = policy.DeprecatedRule(
name='old_foo',
check_str='role:bar',
deprecated_reason='reason',
deprecated_since='T'
)
enforcer.register_default( enforcer.register_default(
policy.RuleDefault('foo', 'role:foo', policy.RuleDefault(
deprecated_rule=deprecated_rule, name='foo',
deprecated_reason='reason', check_str='role:foo',
deprecated_since='T') deprecated_rule=deprecated_rule,
),
) )
# Mock out stevedore to return the configured enforcer # Mock out stevedore to return the configured enforcer
@ -656,7 +662,9 @@ class UpgradePolicyTestCase(base.PolicyBaseTestCase):
self.create_config_file('policy.json', policy_json_contents) self.create_config_file('policy.json', policy_json_contents)
deprecated_policy = policy.DeprecatedRule( deprecated_policy = policy.DeprecatedRule(
name='deprecated_name', name='deprecated_name',
check_str='rule:admin' check_str='rule:admin',
deprecated_reason='test',
deprecated_since='Stein',
) )
self.new_policy = policy.DocumentedRuleDefault( self.new_policy = policy.DocumentedRuleDefault(
name='new_policy_name', name='new_policy_name',
@ -664,8 +672,6 @@ class UpgradePolicyTestCase(base.PolicyBaseTestCase):
description='test_policy', description='test_policy',
operations=[{'path': '/test', 'method': 'GET'}], operations=[{'path': '/test', 'method': 'GET'}],
deprecated_rule=deprecated_policy, deprecated_rule=deprecated_policy,
deprecated_reason='test',
deprecated_since='Stein'
) )
self.extensions = [] self.extensions = []
ext = stevedore.extension.Extension(name='test_upgrade', ext = stevedore.extension.Extension(name='test_upgrade',
@ -848,7 +854,9 @@ class ConvertJsonToYamlTestCase(base.PolicyBaseTestCase):
'converted_policy.yaml') 'converted_policy.yaml')
deprecated_policy = policy.DeprecatedRule( deprecated_policy = policy.DeprecatedRule(
name='deprecated_rule1_name', name='deprecated_rule1_name',
check_str='rule:admin' check_str='rule:admin',
deprecated_reason='testing',
deprecated_since='ussuri',
) )
self.registered_policy = [ self.registered_policy = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
@ -857,9 +865,7 @@ class ConvertJsonToYamlTestCase(base.PolicyBaseTestCase):
description='test_rule1', description='test_rule1',
operations=[{'path': '/test', 'method': 'GET'}], operations=[{'path': '/test', 'method': 'GET'}],
deprecated_rule=deprecated_policy, deprecated_rule=deprecated_policy,
deprecated_reason='testing', scope_types=['system'],
deprecated_since='ussuri',
scope_types=['system']
), ),
policy.RuleDefault( policy.RuleDefault(
name='rule2_name', name='rule2_name',

121
oslo_policy/tests/test_policy.py
View File

@ -1253,7 +1253,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
def test_deprecate_a_policy_check_string(self): def test_deprecate_a_policy_check_string(self):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:create_bar', name='foo:create_bar',
check_str='role:fizz' check_str='role:fizz',
deprecated_reason='"role:bang" is a better default',
deprecated_since='N'
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
@ -1262,8 +1264,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='"role:bang" is a better default',
deprecated_since='N'
)] )]
enforcer = policy.Enforcer(self.conf) enforcer = policy.Enforcer(self.conf)
enforcer.register_defaults(rule_list) enforcer.register_defaults(rule_list)
@ -1293,7 +1293,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
def test_deprecate_an_empty_policy_check_string(self): def test_deprecate_an_empty_policy_check_string(self):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:create_bar', name='foo:create_bar',
check_str='' check_str='',
deprecated_reason='because of reasons',
deprecated_since='N',
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
@ -1302,8 +1304,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='because of reasons',
deprecated_since='N'
)] )]
enforcer = policy.Enforcer(self.conf) enforcer = policy.Enforcer(self.conf)
enforcer.register_defaults(rule_list) enforcer.register_defaults(rule_list)
@ -1321,7 +1321,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
def test_deprecate_replace_with_empty_policy_check_string(self): def test_deprecate_replace_with_empty_policy_check_string(self):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:create_bar', name='foo:create_bar',
check_str='role:fizz' check_str='role:fizz',
deprecated_reason='because of reasons',
deprecated_since='N',
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
@ -1330,8 +1332,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='because of reasons',
deprecated_since='N'
)] )]
enforcer = policy.Enforcer(self.conf) enforcer = policy.Enforcer(self.conf)
enforcer.register_defaults(rule_list) enforcer.register_defaults(rule_list)
@ -1348,15 +1348,7 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
def test_deprecate_a_policy_name(self): def test_deprecate_a_policy_name(self):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:bar', name='foo:bar',
check_str='role:baz'
)
rule_list = [policy.DocumentedRuleDefault(
name='foo:create_bar',
check_str='role:baz', check_str='role:baz',
description='Create a bar.',
operations=[{'path': '/v1/bars/', 'method': 'POST'}],
deprecated_rule=deprecated_rule,
deprecated_reason=( deprecated_reason=(
'"foo:bar" is not granular enough. If your deployment has ' '"foo:bar" is not granular enough. If your deployment has '
'overridden "foo:bar", ensure you override the new policies ' 'overridden "foo:bar", ensure you override the new policies '
@ -1365,7 +1357,15 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
'"foo:bar:update", "foo:bar:list", and "foo:bar:delete", ' '"foo:bar:update", "foo:bar:list", and "foo:bar:delete", '
'which might be backwards incompatible for your deployment' 'which might be backwards incompatible for your deployment'
), ),
deprecated_since='N' deprecated_since='N',
)
rule_list = [policy.DocumentedRuleDefault(
name='foo:create_bar',
check_str='role:baz',
description='Create a bar.',
operations=[{'path': '/v1/bars/', 'method': 'POST'}],
deprecated_rule=deprecated_rule,
)] )]
expected_msg = ( expected_msg = (
'Policy "foo:bar":"role:baz" was deprecated in N in favor of ' 'Policy "foo:bar":"role:baz" was deprecated in N in favor of '
@ -1439,7 +1439,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
def test_deprecate_check_str_suppress_does_not_log_warning(self): def test_deprecate_check_str_suppress_does_not_log_warning(self):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:create_bar', name='foo:create_bar',
check_str='role:fizz' check_str='role:fizz',
deprecated_reason='"role:bang" is a better default',
deprecated_since='N'
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
@ -1448,8 +1450,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='"role:bang" is a better default',
deprecated_since='N'
)] )]
enforcer = policy.Enforcer(self.conf) enforcer = policy.Enforcer(self.conf)
enforcer.suppress_deprecation_warnings = True enforcer.suppress_deprecation_warnings = True
@ -1461,7 +1461,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
def test_deprecate_name_suppress_does_not_log_warning(self): def test_deprecate_name_suppress_does_not_log_warning(self):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:bar', name='foo:bar',
check_str='role:baz' check_str='role:baz',
deprecated_reason='"foo:bar" is not granular enough.',
deprecated_since='N',
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
@ -1470,8 +1472,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars/', 'method': 'POST'}], operations=[{'path': '/v1/bars/', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='"foo:bar" is not granular enough.',
deprecated_since='N'
)] )]
rules = jsonutils.dumps({'foo:bar': 'role:bang'}) rules = jsonutils.dumps({'foo:bar': 'role:bang'})
@ -1509,7 +1509,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
def test_suppress_default_change_warnings_flag_not_log_warning(self): def test_suppress_default_change_warnings_flag_not_log_warning(self):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:create_bar', name='foo:create_bar',
check_str='role:fizz' check_str='role:fizz',
deprecated_reason='"role:bang" is a better default',
deprecated_since='N',
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
@ -1518,8 +1520,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='"role:bang" is a better default',
deprecated_since='N'
)] )]
enforcer = policy.Enforcer(self.conf) enforcer = policy.Enforcer(self.conf)
enforcer.suppress_default_change_warnings = True enforcer.suppress_default_change_warnings = True
@ -1528,7 +1528,7 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
enforcer.load_rules() enforcer.load_rules()
mock_warn.assert_not_called() mock_warn.assert_not_called()
def test_deprecated_policy_for_removal_must_include_deprecated_since(self): def test_deprecated_policy_for_removal_must_include_deprecated_meta(self):
self.assertRaises( self.assertRaises(
ValueError, ValueError,
policy.DocumentedRuleDefault, policy.DocumentedRuleDefault,
@ -1538,24 +1538,25 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
operations=[{'path': '/v1/foos/', 'method': 'POST'}], operations=[{'path': '/v1/foos/', 'method': 'POST'}],
deprecated_for_removal=True, deprecated_for_removal=True,
deprecated_reason='Some reason.' deprecated_reason='Some reason.'
# no deprecated_since
) )
def test_deprecated_policy_must_include_deprecated_since(self): def test_deprecated_policy_should_not_include_deprecated_meta(self):
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:bar', name='foo:bar',
check_str='rule:baz' check_str='rule:baz'
) )
self.assertRaises( with mock.patch('warnings.warn') as mock_warn:
ValueError, policy.DocumentedRuleDefault(
policy.DocumentedRuleDefault, name='foo:bar',
name='foo:bar', check_str='rule:baz',
check_str='rule:baz', description='Create a foo.',
description='Create a foo.', operations=[{'path': '/v1/foos/', 'method': 'POST'}],
operations=[{'path': '/v1/foos/', 'method': 'POST'}], deprecated_rule=deprecated_rule,
deprecated_rule=deprecated_rule, deprecated_reason='Some reason.'
deprecated_reason='Some reason.' )
) mock_warn.assert_called_once()
def test_deprecated_rule_requires_deprecated_rule_object(self): def test_deprecated_rule_requires_deprecated_rule_object(self):
self.assertRaises( self.assertRaises(
@ -1591,7 +1592,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
# better. # better.
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:bar', name='foo:bar',
check_str='role:fizz' check_str='role:fizz',
deprecated_reason='"role:bang" is a better default',
deprecated_since='N',
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
name='foo:create_bar', name='foo:create_bar',
@ -1599,8 +1602,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='"role:bang" is a better default',
deprecated_since='N'
)] )]
self.enforcer.register_defaults(rule_list) self.enforcer.register_defaults(rule_list)
@ -1625,7 +1626,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
# better. # better.
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:bar', name='foo:bar',
check_str='role:fizz' check_str='role:fizz',
deprecated_reason='"role:bang" is a better default',
deprecated_since='N',
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
name='foo:create_bar', name='foo:create_bar',
@ -1633,8 +1636,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='"role:bang" is a better default',
deprecated_since='N'
)] )]
self.enforcer.register_defaults(rule_list) self.enforcer.register_defaults(rule_list)
@ -1667,7 +1668,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
# better. # better.
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:bar', name='foo:bar',
check_str='role:fizz' check_str='role:fizz',
deprecated_reason='"role:bang" is a better default',
deprecated_since='N',
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
name='foo:create_bar', name='foo:create_bar',
@ -1675,8 +1678,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='"role:bang" is a better default',
deprecated_since='N'
)] )]
self.enforcer.register_defaults(rule_list) self.enforcer.register_defaults(rule_list)
@ -1711,7 +1712,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
# Deprecate the policy name in favor of something better. # Deprecate the policy name in favor of something better.
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='old_rule', name='old_rule',
check_str='role:bang' check_str='role:bang',
deprecated_reason='"old_rule" is a bad name',
deprecated_since='N',
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
name='new_rule', name='new_rule',
@ -1719,8 +1722,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Replacement for old_rule.', description='Replacement for old_rule.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='"old_rule" is a bad name',
deprecated_since='N'
)] )]
self.enforcer.register_defaults(rule_list) self.enforcer.register_defaults(rule_list)
@ -1740,7 +1741,9 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
group='oslo_policy') group='oslo_policy')
deprecated_rule = policy.DeprecatedRule( deprecated_rule = policy.DeprecatedRule(
name='foo:create_bar', name='foo:create_bar',
check_str='role:fizz' check_str='role:fizz',
deprecated_reason='"role:bang" is a better default',
deprecated_since='N',
) )
rule_list = [policy.DocumentedRuleDefault( rule_list = [policy.DocumentedRuleDefault(
@ -1749,8 +1752,6 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
description='Create a bar.', description='Create a bar.',
operations=[{'path': '/v1/bars', 'method': 'POST'}], operations=[{'path': '/v1/bars', 'method': 'POST'}],
deprecated_rule=deprecated_rule, deprecated_rule=deprecated_rule,
deprecated_reason='"role:bang" is a better default',
deprecated_since='N'
)] )]
enforcer = policy.Enforcer(self.conf) enforcer = policy.Enforcer(self.conf)
enforcer.register_defaults(rule_list) enforcer.register_defaults(rule_list)
@ -1888,6 +1889,18 @@ class DocumentedRuleDefaultTestCase(base.PolicyBaseTestCase):
operations=invalid_op) operations=invalid_op)
class DeprecatedRuleTestCase(base.PolicyBaseTestCase):
def test_should_include_deprecated_meta(self):
with mock.patch('warnings.warn') as mock_warn:
policy.DeprecatedRule(
name='foo:bar',
check_str='rule:baz'
)
mock_warn.assert_called_once()
class EnforcerCheckRulesTest(base.PolicyBaseTestCase): class EnforcerCheckRulesTest(base.PolicyBaseTestCase):
def setUp(self): def setUp(self):
super(EnforcerCheckRulesTest, self).setUp() super(EnforcerCheckRulesTest, self).setUp()

12
releasenotes/notes/add-deprecated-metadata-to-DeprecatedRule-79d2e8a3f5d11743.yaml Normal file
View File

@ -0,0 +1,12 @@
---
features:
- |
``DeprecatedRule`` now accepts two new parameters: ``deprecated_reason``
and ``deprecated_since``. These should be used in place of the equivalent
parameters on the rule that is replacing this rule in order to avoid
confusion.
upgrade:
- |
Users with a ``RuleDefault`` or ``DocumentedRuleDefault`` that have
configured a ``deprecated_rule`` should move the ``deprecated_reason``
and ``deprecated_since`` parameters to this ``DeprecatedRule``.