bd9d47aa36
The policy engine converts simple strings into instances of rule objects based on a policy DSL. This engine iterates checks and reduces them after each iteration if performing the conversion on list of check strings. When we deprecate policies we apply a logical OR to make upgrades easier for operators. The logical OR, implemented with an OrCheck, only needs to be done once per deprecated rule. Today, we're re-initializing an OrCheck instance each time we load rules, which happens every time oslo_policy.policy.Enforcer.enforce() is called. For most OpenStack usage, this isn't noticiable, especially if you're only using it to enforce access to a specific endpoint. However, this can get expensive if you're using the enforcer to protect the API, protect each resource in a response, and protect each attrbute of the resource (e.g., Neutron makes extensive usage of this pattern to implement RBAC for resources it's responsible for). This commit updates the RuleDefault object to track state of handling deprecated logic ORs so that we only cast the check strings to OrCheck instances once per rule no matter how many times we call load_rules(). Closes-Bug: 1913718 Change-Id: I539672fc220b8d7e3c47ab3dfa6670b88e3f4093
8 lines
260 B
YAML
8 lines
260 B
YAML
---
|
|
fixes:
|
|
- |
|
|
[`bug 1913718 <https://launchpad.net/bugs/1913718>`_]
|
|
The `Enforcer()` object now only processes deprecated rules once at load or
|
|
enforcement time, improving performance for users that make extensive use
|
|
of policy enforcement.
|