x/vmware-nsx
Code Issues Proposed changes

Merge "Decrease policy logging verbosity"

Browse Source
This commit is contained in:
Jenkins 2014-11-17 09:28:55 +00:00 committed by Gerrit Code Review
commit 8edf980078
2 changed files with 25 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
neutron/policy.py
View File

@ -225,11 +225,6 @@ def _build_match_rule(action, target):
attribute_name, attribute, attribute_name, attribute,
action, target)]) action, target)])
match_rule = policy.AndCheck([match_rule, attr_rule]) match_rule = policy.AndCheck([match_rule, attr_rule])
# Check that the logger has a DEBUG log level
if (cfg.CONF.debug and LOG.logger.level == logging.NOTSET or
LOG.logger.level == logging.DEBUG):
rules = _process_rules_list([], match_rule)
LOG.debug("Enforcing rules: %s", rules)
return match_rule return match_rule
@ -369,6 +364,12 @@ def _prepare_check(context, action, target):
return match_rule, target, credentials return match_rule, target, credentials
def log_rule_list(match_rule):
if LOG.isEnabledFor(logging.DEBUG):
rules = _process_rules_list([], match_rule)
LOG.debug("Enforcing rules: %s", rules)
def check(context, action, target, plugin=None, might_not_exist=False): def check(context, action, target, plugin=None, might_not_exist=False):
"""Verifies that the action is valid on the target in this context. """Verifies that the action is valid on the target in this context.
@ -388,7 +389,12 @@ def check(context, action, target, plugin=None, might_not_exist=False):
""" """
if might_not_exist and not (_ENFORCER.rules and action in _ENFORCER.rules): if might_not_exist and not (_ENFORCER.rules and action in _ENFORCER.rules):
return True return True
return _ENFORCER.enforce(*(_prepare_check(context, action, target))) match_rule, target, credentials = _prepare_check(context, action, target)
result = _ENFORCER.enforce(match_rule, target, credentials)
# logging applied rules in case of failure
if not result:
log_rule_list(match_rule)
return result
def enforce(context, action, target, plugin=None): def enforce(context, action, target, plugin=None):
@ -408,10 +414,11 @@ def enforce(context, action, target, plugin=None):
""" """
rule, target, credentials = _prepare_check(context, action, target) rule, target, credentials = _prepare_check(context, action, target)
try: try:
result = _ENFORCER.enforce(rule, target, credentials, result = _ENFORCER.enforce(rule, target, credentials, action=action,
action=action, do_raise=True) do_raise=True)
except policy.PolicyNotAuthorized: except policy.PolicyNotAuthorized:
with excutils.save_and_reraise_exception(): with excutils.save_and_reraise_exception():
log_rule_list(rule)
LOG.debug("Failed policy check for '%s'", action) LOG.debug("Failed policy check for '%s'", action)
return result return result

10
neutron/tests/unit/test_policy.py
View File

@ -15,6 +15,7 @@
"""Test of Policy Engine For Neutron""" """Test of Policy Engine For Neutron"""
import contextlib
import StringIO import StringIO
import urllib2 import urllib2
@ -601,3 +602,12 @@ class NeutronPolicyTestCase(base.BaseTestCase):
rules = policy._process_rules_list([], match_rule) rules = policy._process_rules_list([], match_rule)
self.assertEqual(['create_something', 'create_something:somethings', self.assertEqual(['create_something', 'create_something:somethings',
'create_something:attr:sub_attr_1'], rules) 'create_something:attr:sub_attr_1'], rules)
def test_log_rule_list(self):
with contextlib.nested(
mock.patch.object(policy.LOG, 'isEnabledFor', return_value=True),
mock.patch.object(policy.LOG, 'debug')
) as (is_e, dbg):
policy.log_rule_list(common_policy.RuleCheck('rule', 'create_'))
self.assertTrue(is_e.called)
self.assertTrue(dbg.called)