yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1836568] Re: Logs filled with unnecessary policy deprecation warnings

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Colleen Murphy <colleen@xxxxxxxxxxx>
Date: Thu, 01 Aug 2019 22:46:58 -0000
Reply-to: Bug 1836568 <1836568@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: oslo.policy
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1836568

Title:
  Logs  filled with unnecessary policy deprecation warnings

Status in OpenStack Identity (keystone):
  Triaged
Status in oslo.policy:
  In Progress

Bug description:
  My today master version of keystone log is full with:

  2019-07-15 10:47:25.316828 As of the Stein release, the domain API now understands how to handle
  2019-07-15 10:47:25.316831 system-scoped tokens in addition to project-scoped tokens, making the API more
  2019-07-15 10:47:25.316834 accessible to users without compromising security or manageability for
  2019-07-15 10:47:25.316837 administrators. The new default policies for this API account for these changes
  2019-07-15 10:47:25.316840 automatically
  2019-07-15 10:47:25.316843 . Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  2019-07-15 10:47:25.316846   warnings.warn(deprecated_msg)
  2019-07-15 10:47:25.316849 \x1b[00m

  2019-07-15 10:47:25.132244 2019-07-15 10:47:25.131 22582 WARNING py.warnings [req-0162c9d3-9953-4b2d-9587-6046651033c3 7b0f3387e0f942f3bae75cea0a5766a3 98500c83d03e4ba38aa27a78675d2b1b - default default] /usr/lo
  cal/lib/python3.7/site-packages/oslo_policy/policy.py:695: UserWarning: Policy "identity:delete_credential":"rule:admin_required" was deprecated in S in favor of "identity:delete_credential":"(role:admin and sys
  tem_scope:all) or user_id:%(target.credential.user_id)s". Reason: As of the Stein release, the credential API now understands how to handle system-scoped tokens in addition to project-scoped tokens, making the A
  PI more accessible to users without compromising security or manageability for administrators. The new default policies for this API account for these changes automatically.. Either ensure your deployment is rea
  dy for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
  2019-07-15 10:47:25.132262   warnings.warn(deprecated_msg)
  2019-07-15 10:47:25.132266 \x1b[00m
  2019-07-15 10:47:25.132979 2019-07-15 10:47:25.132 22582 WARNING

  
  This is fresh setup from `master` without any policy configuration, therefore keystone defaults itself triggers the warning.

  grep -R  'As of the Stein release' keystone-error.log |wc -l
  820

  
  Current master is for `T` , there is no point to have 820 warning (first ~ 10 minute) for using the keystone default.

  
  Please make these warnings less noise .

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1836568/+subscriptions

References

[Bug 1836568] [NEW] Logis filled with uneccesery policy derecation warning
From: Attila Fazekas, 2019-07-15