Allow disabling the default check_str change warnings

When policy change their default check_str and not override by
operator then warnings are being logged which is ok when few
policy are changing their defaults but in case of adopting the
new defaults provided by keystone, all policies has to change
their defaults.

Nova has lot of policies which are changing their defaults. All
those warnings started filling the logs. n-api log was 256 MB.

- https://6d82362f2cdc504b27f1-9f757b11a1d2b00e739d31e1ecad199a.ssl.cf5.rackcdn.com/717662/1/check/tempest-integrated-compute/b3260ce/controller/logs/screen-n-api.txt
- http://paste.openstack.org/show/791678/

Nova added workaround by suppressing all the warning via flag used
to disable for testing 'suppress_deprecation_warnings'.
- https://review.opendev.org/#/c/717802/

This commit adds a new flag to control the warning for policies changing
their defaults check_str only. There is no change for Policy changing their
name or marked for removal.

New flag is default to False to no change in behaviour for old users.

Change-Id: If7a467a12d5d272180fa8061d12e5f2699c08282

2 files changed, 31 insertions, 1 deletions

diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 61a3597..dbb9443 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -503,6 +503,12 @@ class Enforcer(object):
         self._policy_dir_mtimes = {}
         self._file_cache = {}
         self._informed_no_policy_file = False
+        # NOTE(gmann): This flag will suppress the warning for
+        # policies changing their default check_str that have
+        # not been overridden by operators. This does not affect the
+        # warning for policy changed their name or deprecated
+        # for removal.
+        self.suppress_default_change_warnings = False
         # FOR TESTING ONLY
         self.suppress_deprecation_warnings = False
 
@@ -540,6 +546,7 @@ class Enforcer(object):
         self.registered_rules = {}
         self.file_rules = {}
         self._informed_no_policy_file = False
+        self.suppress_default_change_warnings = False
         self.suppress_deprecation_warnings = False
 
     def load_rules(self, force_reload=False):
@@ -702,7 +709,8 @@ class Enforcer(object):
             default.check = OrCheck([_parser.parse_rule(cs) for cs in
                                      [default.check_str,
                                       deprecated_rule.check_str]])
-            if not self.suppress_deprecation_warnings:
+            if not (self.suppress_deprecation_warnings
+                    or self.suppress_default_change_warnings):
                 warnings.warn(deprecated_msg)
 
     def _undefined_check(self, check):
diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py
index f3f75b0..953820b 100644
--- a/oslo_policy/tests/test_policy.py
+++ b/oslo_policy/tests/test_policy.py
@@ -1415,6 +1415,28 @@ class DocumentedRuleDefaultDeprecationTestCase(base.PolicyBaseTestCase):
             enforcer.load_rules()
             mock_warn.assert_not_called()
 
+    def test_suppress_default_change_warnings_flag_not_log_warning(self):
+        deprecated_rule = policy.DeprecatedRule(
+            name='foo:create_bar',
+            check_str='role:fizz'
+        )
+
+        rule_list = [policy.DocumentedRuleDefault(
+            name='foo:create_bar',
+            check_str='role:bang',
+            description='Create a bar.',
+            operations=[{'path': '/v1/bars', 'method': 'POST'}],
+            deprecated_rule=deprecated_rule,
+            deprecated_reason='"role:bang" is a better default',
+            deprecated_since='N'
+        )]
+        enforcer = policy.Enforcer(self.conf)
+        enforcer.suppress_default_change_warnings = True
+        enforcer.register_defaults(rule_list)
+        with mock.patch('warnings.warn') as mock_warn:
+            enforcer.load_rules()
+            mock_warn.assert_not_called()
+
     def test_deprecated_policy_for_removal_must_include_deprecated_since(self):
         self.assertRaises(
             ValueError,