From 8eea1ae574671a157ae2d215f18635a3c8985a06 Mon Sep 17 00:00:00 2001
From: armando-migliaccio
Date: Mon, 17 Jun 2013 13:33:46 -0700
Subject: [PATCH] Make sure exceptions during policy checks are logged.
If the invocation of f bombs out, the policy check fails (i.e. returns False), however it does not log the root cause, which makes very difficult to understand why this is happening.
Fixes bug #1191948
Change-Id: Ic40053f3965b71199baf9fe3902e8ffc9745076f
---
 quantum/policy.py | 12 ++++++++----
 quantum/tests/unit/test_policy.py | 18 ++++++++++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/quantum/policy.py b/quantum/policy.py
index f99ef0dfd0..15ce561642 100644
--- a/quantum/policy.py
+++ b/quantum/policy.py
@@ -233,10 +233,14 @@ class OwnerCheck(policy.Check):
 # f *must* exist, if not found it is better to let quantum
 # explode. Check will be performed with admin context
 context = importutils.import_module('quantum.context')
- data = f(context.get_admin_context(),
- target[parent_foreign_key],
- fields=[parent_field])
- target[self.target_field] = data[parent_field]
+ try:
+ data = f(context.get_admin_context(),
+ target[parent_foreign_key],
+ fields=[parent_field])
+ target[self.target_field] = data[parent_field]
+ except Exception:
+ LOG.exception(_('Policy check error while calling %s!'), f)
+ raise
 match = self.match % target
 if self.kind in creds:
 return match == unicode(creds[self.kind])
diff --git a/quantum/tests/unit/test_policy.py b/quantum/tests/unit/test_policy.py
index 0c47dffb53..5a6d6bfad3 100644
--- a/quantum/tests/unit/test_policy.py
+++ b/quantum/tests/unit/test_policy.py
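Review bot: The `try` added in OwnerCheck covers more than the call to `f`: a missing `target[parent_foreign_key]` or `data[parent_field]` raises `KeyError` inside it and is logged as 'Policy check error while calling %s!', which points an operator at the plugin when the fault is in the request target or the returned record. The message also carries only the repr of `f`, so a failed authorization lookup cannot be tied to the parent resource from the log alone. Naming the lookup key would help triage, for example `LOG.exception(_('Policy check error while calling %(func)s (parent key %(key)s)!'), {'func': f, 'key': parent_foreign_key})`. Log the key name rather than the value from `target`, since whether target contents are safe to log is not visible here. The enclosing method starts and ends outside the hunk.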
@@ -344,6 +344,24 @@ class QuantumPolicyTestCase(base.BaseTestCase):
 result = policy.enforce(self.context, action, target)
 self.assertTrue(result)
+ def test_enforce_plugin_failure(self):
+
+ def fakegetnetwork(*args, **kwargs):
+ raise NotImplementedError('Blast!')
+
+ # the policy check and plugin method we use in this test are irrelevant
+ # so long that we verify that, if *f* blows up, the behavior of the
+ # policy engine to propagate the exception is preserved
+ action = "create_port:mac"
+ with mock.patch.object(manager.QuantumManager.get_instance().plugin,
+ 'get_network', new=fakegetnetwork):
+ target = {'network_id': 'whatever'}
+ self.assertRaises(NotImplementedError,
+ policy.enforce,
+ self.context,
+ action,
+ target)
+
 def test_enforce_tenant_id_check_parent_resource_bw_compatibility(self):
 def fakegetnetwork(*args, **kwargs):
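Review bot: test_enforce_plugin_failure asserts only that NotImplementedError propagates out of `policy.enforce`, which its own comment describes as preserved behaviour, so nothing here checks the logging that the commit adds. The test would still pass with the new try/except removed from quantum/policy.py. Wrapping the `assertRaises` call in `with mock.patch.object(policy.LOG, 'exception') as log_exc:` and following it with `self.assertTrue(log_exc.called)` would pin the new behaviour, assuming `LOG` is the module-level logger in quantum/policy.py as the other hunk suggests.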