oslo.policy/releasenotes/notes/fix-deprecated-rule-handling-c6fe321fce6293a9.yaml
Julia Kreger b67e3c71a0 make deprecated rule examples explicit
Deprecated rules can be confusing and downright unfriendly when
evaluating a generated sample output and seeing legacy rules being
aliased to new rules. Technically this is also invalid and results
in a broken sample file with overriding behavior.

Under normal circumstances, this wouldn't be a big deal, but with
the Secure RBAC effort, projects also performed some further
delineation of RBAC policies instead of performing a 1:1 mapping.

As a result of the policy enforcement model, a prior deprecated
rule was required, which meant the prior deprecated rule would
be reported multiple times in the output.

Since we don't have an extra flag in the policy-in-code definitions
of policies, all we can *really* do is both clarify the purpose
and meaning of the entry, not enable the alias by default in
sample output (as it is a sample! not an override of code!),
and provide projects as well as operators with a knob to
exclude deprecated policy inclusion into examples and sample
output.

Closes-Bug: #1945336
Change-Id: I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04
2022-02-22 11:20:49 -08:00

---
fixes:
  - |
    Fixes handling of deprecated rules when generating sample policy files
    such that legacy rules are no longer automatically aliased in the
    resulting output. Previously, the behavior led to operator confusion when
    attempting to evaluate the output to determine if customized rules were
    required, as the aliases were always added as active rules. A warning
    is now also added to the generated output.
    For more information, please see `launchpad bug #1945336 <https://bugs.launchpad.net/oslo.policy/+bug/1945336>`_.
features:
  - Adds the ability to exclude deprecated policies from generated samples by
    utilizing the ``--exclude-deprecated`` setting when generating YAML
    example files. The Sphinx generator can also be controlled using the
    ``exclude_deprecated`` environment variable. By default, these rules
    will be included, but operators and projects may not desire these
    deprecated rules to exist in the latest documentation, especially when
    considering the number of policy rules projects have made in the
    Secure RBAC effort.
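
An added example (not part of oslo.policy or of this commit): a small audit an operator could run over a sample policy file generated before this fix, flagging uncommented entries that only alias another rule and would therefore act as active overrides. The sample text is constructed, and the `"old": "rule:new"` entry under a `# DEPRECATED` comment is an assumed layout for the generator's output.

```python
import re

# Uncommented policy entry as it appears in a sample file: "name": "check"
ACTIVE_RULE = re.compile(r'^"(?P<name>[^"]+)"\s*:\s*"(?P<check>[^"]*)"$')
# Check string that only points at one other rule, i.e. a pure alias.
PURE_ALIAS = re.compile(r'^rule:(?P<target>\S+)$')

# Constructed sample; rule names and the comment layout are assumptions.
SAMPLE = '''\
# List widgets.
#"widget:list": "role:reader"

# DEPRECATED
# "widget:index" has been deprecated in favor of "widget:list".
"widget:index": "rule:widget:list"

# DEPRECATED
# "widget:show_all" has been deprecated in favor of "widget:get".
# "widget:show_all": "rule:widget:get"

"widget:delete": "role:admin"
'''


def find_active_aliases(sample_text):
    """Return (line_no, legacy_name, target, under_deprecated_comment) for
    every uncommented entry whose whole check string is one rule: reference."""
    findings = []
    deprecated_block = False
    for line_no, raw in enumerate(sample_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            deprecated_block = False  # a blank line ends the comment block
            continue
        if line.startswith("#"):
            deprecated_block = deprecated_block or "DEPRECATED" in line
            continue
        entry = ACTIVE_RULE.match(line)
        alias = PURE_ALIAS.match(entry.group("check")) if entry else None
        if alias:
            findings.append((line_no, entry.group("name"),
                             alias.group("target"), deprecated_block))
        deprecated_block = False
    return findings


if __name__ == "__main__":
    for line_no, legacy, target, deprecated in find_active_aliases(SAMPLE):
        note = "follows a DEPRECATED comment" if deprecated else "no DEPRECATED comment"
        print(f"line {line_no}: active alias {legacy!r} -> {target!r} ({note})")
```

An alias reported without a preceding `DEPRECATED` comment may be a deliberate operator customization, so treat each finding as something to review rather than as an error.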