author | Julia Kreger <juliaashleykreger@gmail.com> | 2022-02-22 11:08:56 -0800 |
---|---|---|
committer | Julia Kreger <juliaashleykreger@gmail.com> | 2022-02-22 11:20:49 -0800 |
commit | b67e3c71a042719a6814621dd1c00c2e1818d2b1 (patch) | |
tree | fd1483a09dba4473a06852d3726280d22496730a /releasenotes | |
parent | b48b711b090dcb769c642a50988a774d5737eb1a (diff) | |
download | oslo-policy-b67e3c71a042719a6814621dd1c00c2e1818d2b1.tar.gz |
make deprecated rule examples explicit

Deprecated rules can be confusing and downright unfriendly when
evaluating a generated sample output and seeing legacy rules being
aliased to new rules. Technically this is also invalid and results
in a broken sample file with overriding behavior.

Under normal circumstances, this wouldn't be a big deal, but with
the Secure RBAC effort, projects also performed some further
delineation of RBAC policies instead of performing a 1:1 mapping.

As a result of the policy enforcement model, a prior deprecated
rule was required, which meant the prior deprecated rule would
be reported multiple times in the output.

Since we don't have an extra flag in the policy-in-code definitions
of policies, all we can *really* do is both clarify the purpose
and meaning of the entry, not enable the alias by default in
sample output (as it is a sample! not an override of code!),
and provide projects as well as operators with a knob to
exclude deprecated policy inclusion into examples and sample
output.

Closes-Bug: #1945336
Change-Id: I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04
Diffstat (limited to 'releasenotes')
-rw-r--r-- | releasenotes/notes/fix-deprecated-rule-handling-c6fe321fce6293a9.yaml | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/releasenotes/notes/fix-deprecated-rule-handling-c6fe321fce6293a9.yaml b/releasenotes/notes/fix-deprecated-rule-handling-c6fe321fce6293a9.yaml new file mode 100644 index 0000000..359b867 --- /dev/null +++ b/releasenotes/notes/fix-deprecated-rule-handling-c6fe321fce6293a9.yaml @@ -0,0 +1,19 @@ +--- +fixes: + - | + Fixes handling of deprecated rules when generating sample policy files + such that legacy rules are no longer automatically aliased in the + resulting output. Previously, the behavior led to operator confusion when + attempting to evaluate the output to determine if customized rules were + required, as the aliases were always added as active rules. A warning + is now also added to the generated output. + For more information, please see `launchpad bug #1945336 <https://bugs.launchpad.net/oslo.policy/+bug/1945336>`_. +features: + - Adds the ability to exclude deprecated policies from generated samples by + utilizing the ``--exclude-deprecated`` setting when generating YAML + example files. The Spinx generator can also be controlled using the + ``exclude_deprecated`` environment variable. By default, these rules + will be included, but operators and projects may not desire these + deprecated rules to exist in latest documentation, espescially when + considering the number of policy rules projects have made in the + Secure RBAC effort. |
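Review bot: The `features` entry has two misspellings that will be published verbatim in the release notes: "Spinx" should be "Sphinx" and "espescially" should be "especially". In the same entry, ``exclude_deprecated`` is described as an "environment variable" for the Sphinx generator; the code that reads it is not part of this diff (the diffstat is limited to releasenotes), so please confirm the mechanism, and if it is a Sphinx configuration value rather than a process environment variable, word it that way, since an operator who only exports a shell variable would then still get deprecated rules in the generated documentation. The two entries also use different YAML styles: `fixes` is a `- |` literal block while `features` is a plain multi-line scalar, and using `- |` for both would keep the rendered notes consistent.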