I recreated this locally. Turns out I missed an attribute that the
oslo_policy.policy:Enforcer class had called self.file_rules, which
appear to the be specific policies pulled from policy.json or
policy.yaml files. I modified the check to compare the deprecated policy
against that instead of self.
I thought we planned for that case, but it looks like we log a warning
regardless (obviously from your trace) so that operators don't miss
opportunities to clean up code. In addition to that, the removal of a
policy might make a role obsolete, which is harder to check for than
just seeing if they h
I've noticed that our CI logs have API extension policy deprecation
warnings in them on startup, even though we don't use any non-default
policy rules in our CI runs, so everything is just loaded from policy in
code.
Jan 05 16:58:48.794318 ubuntu-xenial-rax-dfw-0001705089
nova-compute[11289]: