[keystone] [stein] - logs filled with policy deprecation warnings
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
kolla-ansible | Triaged | Medium | Unassigned | |
Bug Description
After each reload, policy deprecation warnings appear for each of keystone's WSGI processes if policy is not customized.
2019-06-21 21:36:09.917685 2019-06-21 21:36:09.917 21 WARNING py.warnings [req-bf9c1264-
2019-06-21 21:36:09.917701 As of the Stein release, the assignment API now understands default roles and
2019-06-21 21:36:09.917707 system-scoped tokens, making the API more granular by default without
2019-06-21 21:36:09.917713 compromising security. The new policy defaults account for these changes
2019-06-21 21:36:09.917719 automatically. Be sure to take these new defaults into consideration if you are
2019-06-21 21:36:09.917724 relying on overrides in your deployment for the system assignment API.
2019-06-21 21:36:09.917730 . Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
2019-06-21 21:36:09.917736 warnings.
2019-06-21 21:36:09.917741 : ConfigFilesNotF
2019-06-21 21:36:09.918455 2019-06-21 21:36:09.917 21 WARNING py.warnings [req-bf9c1264-
2019-06-21 21:36:09.918471 warnings.
2019-06-21 21:36:09.918477 : ConfigFilesNotF
2019-06-21 21:36:09.925396 2019-06-21 21:36:09.924 21 WARNING py.warnings [req-bf9c1264-
2019-06-21 21:36:09.925412 warnings.warn(msg)
2019-06-21 21:36:09.925418 \x1b[00m
summary:
- Fresh Stein deployment - keystone logs flooded with each action
+ [keystone] [stein] - logs filled with policy deprecation warnings
description: updated
According to the keystone Stein release notes, https://docs.openstack.org/releasenotes/keystone/stein.html:
"""
... if you have not overridden a policy, the old default and the new default will be OR’d together. This means that, for example, where we have changed the policy rule from 'rule:admin_required' to 'role:reader and system_scope:all', both policy rules will be in effect. Please check your current policies and role assignments before upgrading to ensure the policies will not be too permissive for your deployment. To hide the deprecation warnings and opt into the less permissive rules, you can override the policy configuration to use the newer policy rule.
"""
Hence we should probably install the new default policies, because the logs are full of these junk entries otherwise.
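
The OR'd-defaults behaviour quoted from the release notes, as an added example that is not part of the original report and is not keystone or oslo.policy code: a simplified evaluator run over constructed credentials. The expansion of `admin_required` to `role:admin or is_admin:1`, the credential dictionaries and all function names are assumptions made for the illustration.

```python
# Added example: simplified evaluator, not oslo.policy or keystone code.
# Assumption: keystone's stock definition of the admin_required rule.
RULES = {"admin_required": "role:admin or is_admin:1"}

OLD_DEFAULT = "rule:admin_required"               # deprecated default
NEW_DEFAULT = "role:reader and system_scope:all"  # Stein default


def _atom(atom, creds):
    """Evaluate one kind:value check against a credential dict."""
    kind, _, value = atom.strip().partition(":")
    if kind == "rule":
        return check(RULES[value], creds)
    if kind == "role":
        return value in creds.get("roles", ())
    # Other kinds (system_scope, is_admin) compare a credential attribute.
    return kind in creds and str(creds[kind]) == value


def check(expr, creds):
    """'and' binds tighter than 'or', so split on 'or' first."""
    return any(
        all(_atom(a, creds) for a in alt.split(" and "))
        for alt in expr.split(" or ")
    )


def authorize(creds, override=None):
    """No override: old and new defaults are OR'd. Override: it alone applies."""
    if override is not None:
        return check(override, creds)
    return check(OLD_DEFAULT, creds) or check(NEW_DEFAULT, creds)


# Constructed sample credentials (not taken from the bug report).
PROJECT_ADMIN = {"roles": ["admin", "member", "reader"], "project_id": "p1"}
SYSTEM_READER = {"roles": ["reader"], "system_scope": "all"}
PROJECT_READER = {"roles": ["reader"], "project_id": "p1"}

if __name__ == "__main__":
    for name, creds in [("project admin", PROJECT_ADMIN),
                        ("system reader", SYSTEM_READER),
                        ("project reader", PROJECT_READER)]:
        print(f"{name:15} defaults OR'd: {authorize(creds)!s:5} "
              f"new rule only: {authorize(creds, NEW_DEFAULT)}")
```

In this model a project-scoped admin is still authorized while the two defaults are OR'd, and is rejected only once the new rule is written into the policy file as an override.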