)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"cf8129b55ee72aa60412c76ccdce40ea3b162a34","unresolved":true,"context_lines":[{"line_number":28,"context_line":"to control these warnings. NOTE this config only controls the"},{"line_number":29,"context_line":"default change warning, not if policy name is changed."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"NOTE: default value of this config option is False, which"},{"line_number":32,"context_line":"means do not log warning by default. If the operator wants,"},{"line_number":33,"context_line":"they can enable it. This is what many projects are doing"},{"line_number":34,"context_line":"currently (disabled warnings via \u0027suppress_default_change_warnings\u0027)"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"- https://codesearch.opendev.org/?q\u003dsuppress_default_change_warnings\u0026i\u003dnope\u0026files\u003d\u0026excludeFiles\u003d\u0026repos\u003d"},{"line_number":37,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"c4de1970_3b496ad1","line":34,"range":{"start_line":31,"start_character":0,"end_line":34,"end_character":68},"updated":"2021-07-06 10:14:03.000000000","message":"I think we should do this other way around. We want them deprecations for a reason. So if operator actually reads releasenotes and spots the default have changed they could flip the config option and suppress the warnings. If not they would get very visible reminder on the service logs.\n\nEven better if we would emit these warnings when the policy engine loads the rules rather than every request. As in full list of deprecations on service start and then just work without spamming.\n\nObviously we should turn the warnings off in gate/tests. But what\u0027s the point of deprecation if you don\u0027t tell the operator that something changed?","commit_id":"b1b12da6ad3cf469ee1bfb488a2e9e5364cf7d2e"},{"author":{"_account_id":6928,"name":"Ben Nemec","email":"openstack@nemebean.com","username":"bnemec"},"change_message_id":"548db136b224db66e81bbb9584efb0f75cbf7391","unresolved":true,"context_lines":[{"line_number":28,"context_line":"to control these warnings. NOTE this config only controls the"},{"line_number":29,"context_line":"default change warning, not if policy name is changed."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"NOTE: default value of this config option is False, which"},{"line_number":32,"context_line":"means do not log warning by default. If the operator wants,"},{"line_number":33,"context_line":"they can enable it. This is what many projects are doing"},{"line_number":34,"context_line":"currently (disabled warnings via \u0027suppress_default_change_warnings\u0027)"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"- https://codesearch.opendev.org/?q\u003dsuppress_default_change_warnings\u0026i\u003dnope\u0026files\u003d\u0026excludeFiles\u003d\u0026repos\u003d"},{"line_number":37,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"a6b25a5d_79e5b6ff","line":34,"range":{"start_line":31,"start_character":0,"end_line":34,"end_character":68},"in_reply_to":"72aecec8_51eb9912","updated":"2021-07-08 15:13:44.000000000","message":"\u003e Even better if we would emit these warnings when the policy engine loads the rules rather than every request. As in full list of deprecations on service start and then just work without spamming.\n\nFWIW, there was a patch up to make the deprecation logs less spammy: https://review.opendev.org/c/openstack/oslo.policy/+/674711\n\nAs I recall, it was only somewhat helpful because every policy got logged in every API thread/process anyway because they all had separate copies of the enforcer. It\u0027s also possible I don\u0027t remember correctly because that was two years ago. :-)\n\nAlso, note the commit message on https://review.opendev.org/c/openstack/oslo.policy/+/673932/ which discusses why these knobs weren\u0027t originally in oslo.policy. The intent was that projects would use the warning filters to address this (as in set the filter to log warnings only once).","commit_id":"b1b12da6ad3cf469ee1bfb488a2e9e5364cf7d2e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4f940ffd988c71d121bcab0eb29c2d4c298e7e54","unresolved":true,"context_lines":[{"line_number":28,"context_line":"to control these warnings. NOTE this config only controls the"},{"line_number":29,"context_line":"default change warning, not if policy name is changed."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"NOTE: default value of this config option is False, which"},{"line_number":32,"context_line":"means do not log warning by default. If the operator wants,"},{"line_number":33,"context_line":"they can enable it. This is what many projects are doing"},{"line_number":34,"context_line":"currently (disabled warnings via \u0027suppress_default_change_warnings\u0027)"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"- https://codesearch.opendev.org/?q\u003dsuppress_default_change_warnings\u0026i\u003dnope\u0026files\u003d\u0026excludeFiles\u003d\u0026repos\u003d"},{"line_number":37,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"f734f41b_d8fe968a","line":34,"range":{"start_line":31,"start_character":0,"end_line":34,"end_character":68},"in_reply_to":"a6b25a5d_79e5b6ff","updated":"2021-07-12 17:36:05.000000000","message":"yeah and in https://review.opendev.org/c/openstack/oslo.policy/+/717879 we added a new flag to handle/stop wanrning for default change (and keep warn on name change) \u0027suppress_default_change_warnings\u0027 and most of the projects started disabling those - https://codesearch.opendev.org/?q\u003dsuppress_default_change_warnings\u0026i\u003dnope\u0026files\u003d\u0026excludeFiles\u003d\u0026repos\u003d\n\nso default change warnings are disabled via hardcoded flag \u0027suppress_default_change_warnings\u0027 and operator has to way to enable those. In this commit, I am making that as configurable so that operator can enable those.\n\nI will add TODO note in the code that we can enable these warning by default once we remove the legacy policy rules (means current policy change of all the rule defaults).","commit_id":"b1b12da6ad3cf469ee1bfb488a2e9e5364cf7d2e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d2e42e6eefef2f676e1e60b853a4e7b940bf4159","unresolved":true,"context_lines":[{"line_number":28,"context_line":"to control these warnings. NOTE this config only controls the"},{"line_number":29,"context_line":"default change warning, not if policy name is changed."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"NOTE: default value of this config option is False, which"},{"line_number":32,"context_line":"means do not log warning by default. If the operator wants,"},{"line_number":33,"context_line":"they can enable it. This is what many projects are doing"},{"line_number":34,"context_line":"currently (disabled warnings via \u0027suppress_default_change_warnings\u0027)"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"- https://codesearch.opendev.org/?q\u003dsuppress_default_change_warnings\u0026i\u003dnope\u0026files\u003d\u0026excludeFiles\u003d\u0026repos\u003d"},{"line_number":37,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"72aecec8_51eb9912","line":34,"range":{"start_line":31,"start_character":0,"end_line":34,"end_character":68},"in_reply_to":"c4de1970_3b496ad1","updated":"2021-07-06 16:02:46.000000000","message":"for regular default change I agree we should add warning by default but during new RBAC work every policy rule is changing its default so its too much warnings. that is why I thought of disable it by default as thousands of warnings does not help in case of new RBAC migration.","commit_id":"b1b12da6ad3cf469ee1bfb488a2e9e5364cf7d2e"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"79f207f8e5dbf04de51012ac4366fa369f2036da","unresolved":true,"context_lines":[{"line_number":33,"context_line":"not changning what operator gets currently."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"- https://codesearch.opendev.org/?q\u003dsuppress_default_change_warnings\u0026i\u003dnope\u0026files\u003d\u0026excludeFiles\u003d\u0026repos\u003d"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"Change-Id: I9f35db891d9a0812a4aa0b538505f6ef65ecd0d2"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"2835d622_ae1264ca","line":36,"updated":"2021-08-19 16:56:35.000000000","message":"We can close https://bugs.launchpad.net/oslo.policy/+bug/1836568 with this patch.","commit_id":"150fe210d8fc44177abfcaf3496fe52d3ee9a6b2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6876ee29c33e49aaa6f909e71e20424c26c59244","unresolved":true,"context_lines":[{"line_number":33,"context_line":"not changning what operator gets currently."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"- https://codesearch.opendev.org/?q\u003dsuppress_default_change_warnings\u0026i\u003dnope\u0026files\u003d\u0026excludeFiles\u003d\u0026repos\u003d"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"Change-Id: I9f35db891d9a0812a4aa0b538505f6ef65ecd0d2"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"f99696c1_5d97dc2f","line":36,"in_reply_to":"2835d622_ae1264ca","updated":"2022-04-25 17:59:46.000000000","message":"sure, done","commit_id":"150fe210d8fc44177abfcaf3496fe52d3ee9a6b2"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"89f8b088bb2d7c13660df5abe0fd63c9555a1430","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"f500af78_f89cb152","updated":"2022-04-25 13:52:25.000000000","message":"I would like to know if this patch is still relevant?","commit_id":"150fe210d8fc44177abfcaf3496fe52d3ee9a6b2"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"6513f4effc23357801dcfa53fde5a3567ff868fe","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"e2b7128a_3e942970","in_reply_to":"57ceb6e7_e1ae2fe9","updated":"2022-04-27 13:31:29.000000000","message":"Ok thanks a lot for your answer.","commit_id":"150fe210d8fc44177abfcaf3496fe52d3ee9a6b2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6876ee29c33e49aaa6f909e71e20424c26c59244","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"57ceb6e7_e1ae2fe9","in_reply_to":"f500af78_f89cb152","updated":"2022-04-25 17:59:46.000000000","message":"Yeah, I was waiting for the PTG discussion abd how we decide to enable the new defaults/scope by default. We have more clarity now, let me revise it.","commit_id":"150fe210d8fc44177abfcaf3496fe52d3ee9a6b2"}],"oslo_policy/opts.py":[{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"cf8129b55ee72aa60412c76ccdce40ea3b162a34","unresolved":true,"context_lines":[{"line_number":46,"context_line":"                       \u0027flag so that you can get the benefits of new defaults \u0027"},{"line_number":47,"context_line":"                       \u0027and ``scope_type`` together\u0027)),"},{"line_number":48,"context_line":"    cfg.BoolOpt(\u0027warn_default_change\u0027,"},{"line_number":49,"context_line":"                default\u003dFalse,"},{"line_number":50,"context_line":"                help\u003d_(\u0027This option controls whether or not to log the \u0027"},{"line_number":51,"context_line":"                       \u0027warnings if defaults value of policy rule is changed. \u0027"},{"line_number":52,"context_line":"                       \u0027Note: This only controls the warning for the default \u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"977fd475_4998e055","line":49,"range":{"start_line":49,"start_character":24,"end_line":49,"end_character":29},"updated":"2021-07-06 10:14:03.000000000","message":"Imo we should default this to the old behaviour, some optimization ideas in the commit message comment.","commit_id":"b1b12da6ad3cf469ee1bfb488a2e9e5364cf7d2e"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"f54a9e213366f04012c4201058043719d463d5bd","unresolved":true,"context_lines":[{"line_number":52,"context_line":"    # Once the legacy rules are removed from projects then we can enable"},{"line_number":53,"context_line":"    # these warnings by default."},{"line_number":54,"context_line":"    cfg.BoolOpt(\u0027warn_default_change\u0027,"},{"line_number":55,"context_line":"                default\u003dFalse,"},{"line_number":56,"context_line":"                help\u003d_(\u0027This option controls whether or not to log the \u0027"},{"line_number":57,"context_line":"                       \u0027warnings if defaults value of policy rule is changed. \u0027"},{"line_number":58,"context_line":"                       \u0027Note: This only controls the warning for the default \u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"b13d95db_0da9b867","line":55,"updated":"2021-08-02 16:27:15.000000000","message":"I am on the fence on setting this default \"False\" because it will also stop warnings for non-\"secure RBAC\" related default value changes that may be important for the operator to be aware of.\nThis would mean that the only way for a project to notify the operator of a default value change would be via the release notes.\nOn the other hand, the \"secure RBAC\" changes are causing hugely excessive logging.","commit_id":"150fe210d8fc44177abfcaf3496fe52d3ee9a6b2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ce1d25330ef209be8fa4d3dabd2359eda4ef2332","unresolved":true,"context_lines":[{"line_number":52,"context_line":"    # Once the legacy rules are removed from projects then we can enable"},{"line_number":53,"context_line":"    # these warnings by default."},{"line_number":54,"context_line":"    cfg.BoolOpt(\u0027warn_default_change\u0027,"},{"line_number":55,"context_line":"                default\u003dFalse,"},{"line_number":56,"context_line":"                help\u003d_(\u0027This option controls whether or not to log the \u0027"},{"line_number":57,"context_line":"                       \u0027warnings if defaults value of policy rule is changed. \u0027"},{"line_number":58,"context_line":"                       \u0027Note: This only controls the warning for the default \u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"3c75ee90_c7d4760a","line":55,"in_reply_to":"b13d95db_0da9b867","updated":"2021-08-02 18:07:31.000000000","message":"Yeah, I have added a TODO (L48) to fix that. As of now, all projects are changing the policy default for \u0027secure RBAC\u0027 only and so its warning will be disabled by default. But once we are going to finish the \u0027secure RBAC\u0027 then we can default it to True.","commit_id":"150fe210d8fc44177abfcaf3496fe52d3ee9a6b2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"79f207f8e5dbf04de51012ac4366fa369f2036da","unresolved":true,"context_lines":[{"line_number":58,"context_line":"                       \u0027Note: This only controls the warning for the default \u0027"},{"line_number":59,"context_line":"                       \u0027value change, not for the policy rule deprecation \u0027"},{"line_number":60,"context_line":"                       \u0027or name change. \u0027"},{"line_number":61,"context_line":"                       \u0027Change it to True if you want to log warning\u0027)),"},{"line_number":62,"context_line":"    cfg.StrOpt(\u0027policy_file\u0027,"},{"line_number":63,"context_line":"               default\u003d\u0027policy.json\u0027,"},{"line_number":64,"context_line":"               help\u003d_(\u0027The relative or absolute path of a file that maps \u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"47b1405f_4eddd30a","line":61,"updated":"2021-08-19 16:56:35.000000000","message":"We do have operators that rely on logs to figure out what to do with policies (e.g., kinda like crafting SElinux policies).\n\nDisabling this by default seems like it\u0027s going against that mentality. Is it possible to log a warning once?","commit_id":"150fe210d8fc44177abfcaf3496fe52d3ee9a6b2"}]}