Ken, thanks for raising this , Oslo team will send notice early when we
have major changes like this .
2017-09-27 4:17 GMT+08:00 Ken Giusti <kgiu...@gmail.com>:
> Hi Folks,
>
> Just a head's up:
>
> In Queens the default access policy for RPC Endpoints will change from
> LegacyRPCAccessPolicy to DefaultRPCAccessPolicy. RPC calls to private
> ('_' prefix) methods will no longer be possible. If you want to allow
> RPC Clients to invoke private methods, you must explicitly set the
> access_policy to LegacyRPCAccessPolicy when you call get_rpc_server()
> or instantiate an RPCDispatcher. This change [0] has been merged to
> oslo.messaging master and will appear in the next release of
> oslo.messaging.
>
> "Umm.... What?"
>
> Good question! Here's the TL;DR details:
>
> Since forever it's been possible for a client to make an RPC call
> against _any_ method defined in the RPC Endpoint object. And by "any"
> we mean "all methods including private ones (method names prefixed by
> '_' )"
>
> Naturally this ability came as a surprise many folk [1], including
> yours truly and others on the oslo team [2]. It was agreed that
> having this be the default behavior was indeed A Bad Thing.
>
> So starting in Ocata oslo.messaging has provided a means for
> controlling access to Endpoint methods [3]. Oslo.messaging now
> defines three different "access control policies" that can be applied
> to an RPC Server:
>
> LegacyRPCAccessPolicy: original behavior - any method can be invoked
> by an RPC client
> DefaultRPCAccessPolicy: prevent RPC access to private '_' methods, all
> others may be invoked
> ExplicitRPCAccessPolicy: only allow access to those methods that have
> been decorated with @expose decorator
>
> See [4] for more details.
>
> In order not to break anything at the time the default access policy
> was set to 'LegacyRPCAccessPolicy'. This has been the default for
> Ocata and Pike.
>
> Starting in Queens this will no longer be the case.
> DefaultRPCAccessPolicy will become the default if no access policy is
> specified when calling get_rpc_server() or directly instantiating an
> RPCDispatcher. To keep the old behavior you must explicitly set the
> access policy to LegacyRPCAccessPolicy:
>
> from oslo_messaging.rpc import LegacyRPCAccessPolicy
> ...
> server = get_rpc_server(transport, target, endpoints,
> access_policy=LegacyRPCAccessPolicy)
>
>
>
> Reply here if you have any questions or hit any issues, thanks!
>
> -K
>
> [0] https://review.openstack.org/#/c/500456/
> [1] https://bugs.launchpad.net/oslo.messaging/+bug/1194279
> [2] https://bugs.launchpad.net/oslo.messaging/+bug/1555845
> [3] https://review.openstack.org/#/c/358359/
> [4] https://docs.openstack.org/oslo.messaging/latest/reference/server.html
> --
> Ken Giusti (kgiu...@gmail.com)
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
--
ChangBo Guo(gcb)
Community Director @EasyStack
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
