author Julia Kreger <juliaashleykreger@gmail.com> 2022-02-22 11:08:56 -0800
committer Julia Kreger <juliaashleykreger@gmail.com> 2022-02-22 11:20:49 -0800
commit b67e3c71a042719a6814621dd1c00c2e1818d2b1 (patch)
tree fd1483a09dba4473a06852d3726280d22496730a /doc
parent b48b711b090dcb769c642a50988a774d5737eb1a (diff)
download oslo-policy-b67e3c71a042719a6814621dd1c00c2e1818d2b1.tar.gz
make deprecated rule examples explicit

Deprecated rules can be confusing and downright unfriendly when evaluating a generated sample output and seeing legacy rules being aliased to new rules. Technically this is also invalid and results in a broken sample file with overriding behavior.

Under normal circumstances, this wouldn't be a big deal, but with the Secure RBAC effort, projects also performed some further delineation of RBAC policies instead of performing a 1:1 mapping.

As a result of the policy enforcement model, a prior deprecated rule was required, which meant the prior deprecated rule would be reported multiple times in the output.

Since we don't have an extra flag in the policy-in-code definitions of policies, all we can *really* do is both clarify the purpose and meaning of the entry, not enable the alias by default in sample output (as it is a sample! not an override of code!), and provide projects as well as operators with a knob to exclude deprecated policy inclusion into examples and sample output.

Closes-Bug: #1945336
Change-Id: I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04

Diffstat (limited to 'doc')
-rw-r--r-- doc/source/cli/common/generator-opts.rst 5
-rw-r--r-- doc/source/user/sphinxpolicygen.rst 5
2 files changed, 10 insertions, 0 deletions
diff --git a/doc/source/cli/common/generator-opts.rst b/doc/source/cli/common/generator-opts.rst
index b88549f..afa7d16 100644
--- a/doc/source/cli/common/generator-opts.rst
+++ b/doc/source/cli/common/generator-opts.rst
@@ -1,3 +1,8 @@
.. option:: --output-file OUTPUT_FILE
Path of the file to write to. Defaults to stdout.
+
+.. option:: --exclude-deprecated True
+
+ Option allowing the rendered output to be generated *without* deprecated
+ policy information.
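
Review bot: the new ``.. option:: --exclude-deprecated True`` entry at the end of this hunk writes a literal ``True`` where the entry above it uses a metavar (``--output-file OUTPUT_FILE``), and it states no default, so a reader cannot tell whether a value is required or what the generator does when the flag is omitted. Suggest stating the accepted values and the default in the description, the way the ``--output-file`` entry does with "Defaults to stdout." The ``exclude_deprecated`` entry added to sphinxpolicygen.rst in this same patch says "default False", and the two descriptions should agree with each other.
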
diff --git a/doc/source/user/sphinxpolicygen.rst b/doc/source/user/sphinxpolicygen.rst
index 227dbad..4aae146 100644
--- a/doc/source/user/sphinxpolicygen.rst
+++ b/doc/source/user/sphinxpolicygen.rst
@@ -40,6 +40,11 @@ where:
``_static/nova.policy.yaml.sample``. If this option is not specified, the
file will be output to ``sample.policy.yaml``.
+``exclude_deprecated``
+ Boolean value, default False, controls if the output should include deprecated
+ policy information or values, as these can be confusing and misleading
+ in some cases.
+
Once configured, you can include this configuration file in your source:
.. code:: reST
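
Review bot: the ``exclude_deprecated`` description added after the ``sample.policy.yaml`` sentence says the option "controls if the output should include deprecated policy information or values" without saying which value does which, and for an option named "exclude" that wording is easy to read backwards. Suggest spelling out both directions, for example that setting it to True omits deprecated policy information from the generated sample and that the default False keeps it, and marking ``False`` as a literal like the file names in the surrounding entries. The phrase "or values" is also vague; say what exactly is left out of the output so that someone reviewing a generated sample knows what they are not seeing.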