Clean up deprecated configuration options

Mostly removes old authentication options and support for [discoverd].

Also update example.conf to the latest version.

Change-Id: Ided8705c4345a1170c211d926d916cec2173ccb9
Dmitry Tantsur 2017-01-24 14:18:47 +01:00
parent d557080623
commit 73584d27bb
11 changed files with 44 additions and 417 deletions


@ -5,13 +5,11 @@
#
# IP to listen on. (string value)
# Deprecated group/name - [discoverd]/listen_address
#listen_address = 0.0.0.0
# Port to listen on. (port value)
# Minimum value: 0
# Maximum value: 65535
# Deprecated group/name - [discoverd]/listen_port
#listen_port = 5050
# Authentication method used on the ironic-inspector API. Either
@ -20,26 +18,17 @@
# Allowed values: keystone, noauth
#auth_strategy = keystone
# DEPRECATED: use auth_strategy. (boolean value)
# Deprecated group/name - [discoverd]/authenticate
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#authenticate = <None>
# Timeout after which introspection is considered failed, set to 0 to
# disable. (integer value)
# Deprecated group/name - [discoverd]/timeout
#timeout = 3600
# For how much time (in seconds) to keep status information about
# nodes after introspection was finished for them. Default value is 1
# week. (integer value)
# Deprecated group/name - [discoverd]/node_status_keep_time
#node_status_keep_time = 604800
# Amount of time in seconds, after which repeat clean up of timed out
# nodes and old nodes status information. (integer value)
# Deprecated group/name - [discoverd]/clean_up_period
#clean_up_period = 60
# SSL Enabled/Disabled (boolean value)
@ -378,20 +367,6 @@
#db_max_retries = 20
[discoverd]
#
# From ironic_inspector
#
# DEPRECATED: SQLite3 database to store nodes under introspection,
# required. Do not use :memory: here, it won't work. DEPRECATED: use
# [database]/connection. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#database =
[discovery]
#
@ -410,17 +385,14 @@
#
# Whether to manage firewall rules for PXE port. (boolean value)
# Deprecated group/name - [discoverd]/manage_firewall
#manage_firewall = true
# Interface on which dnsmasq listens, the default is for VM's. (string
# value)
# Deprecated group/name - [discoverd]/dnsmasq_interface
#dnsmasq_interface = br-ctlplane
# Amount of time in seconds, after which repeat periodic update of
# firewall. (integer value)
# Deprecated group/name - [discoverd]/firewall_update_period
#firewall_update_period = 15
# iptables chain name to use. (string value)
@ -467,14 +439,6 @@
# Domain name to scope to (string value)
#domain_name = <None>
# DEPRECATED: Keystone admin endpoint. DEPRECATED: Use
# [keystone_authtoken] section for keystone token validation. (string
# value)
# Deprecated group/name - [discoverd]/identity_uri
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#identity_uri =
# Verify HTTPS connections. (boolean value)
#insecure = false
@ -490,51 +454,15 @@
# (integer value)
#max_retries = 30
# DEPRECATED: Keystone authentication endpoint for accessing Ironic
# API. Use [keystone_authtoken] section for keystone token validation.
# (string value)
# Deprecated group/name - [discoverd]/os_auth_url
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_auth_url =
# Ironic endpoint type. (string value)
#os_endpoint_type = internalURL
# DEPRECATED: Password for accessing Ironic API. Use
# [keystone_authtoken] section for keystone token validation. (string
# value)
# Deprecated group/name - [discoverd]/os_password
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_password =
# Keystone region used to get Ironic endpoints. (string value)
#os_region = <None>
# Ironic service type. (string value)
#os_service_type = baremetal
# DEPRECATED: Tenant name for accessing Ironic API. Use
# [keystone_authtoken] section for keystone token validation. (string
# value)
# Deprecated group/name - [discoverd]/os_tenant_name
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_tenant_name =
# DEPRECATED: User name for accessing Ironic API. Use
# [keystone_authtoken] section for keystone token validation. (string
# value)
# Deprecated group/name - [discoverd]/os_username
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_username =
# User's password (string value)
#password = <None>
@ -744,6 +672,21 @@
# Reason: PKI token format is no longer supported.
#hash_algorithms = md5
# A choice of roles that must be present in a service token. Service
# tokens are allowed to request that an expired token can be used and
# so this check should tightly control that only actual services
# should be sending this token. Roles here are applied as an ANY check
# so any role in this list must be present. For backwards
# compatibility reasons this currently only affects the allow_expired
# check. (list value)
#service_token_roles = service
# For backwards compatibility reasons we must let valid service tokens
# pass that don't pass the service_token_roles check as valid. Setting
# this true will become the default in a future release and should be
# enabled if possible. (boolean value)
#service_token_roles_required = false
# Authentication type to load (string value)
# Deprecated group/name - [keystone_authtoken]/auth_plugin
#auth_type = <None>
@ -777,7 +720,6 @@
# falls back to "active" if PXE MAC is not supplied by the ramdisk).
# (string value)
# Allowed values: all, active, pxe
# Deprecated group/name - [discoverd]/add_ports
#add_ports = pxe
# Which ports (already present on a node) to keep after introspection.
@ -785,19 +727,16 @@
# which MACs were present in introspection data), added (keep only
# MACs that we added during introspection). (string value)
# Allowed values: all, present, added
# Deprecated group/name - [discoverd]/keep_ports
#keep_ports = all
# Whether to overwrite existing values in node database. Disable this
# option to make introspection a non-destructive operation. (boolean
# value)
# Deprecated group/name - [discoverd]/overwrite_existing
#overwrite_existing = true
# DEPRECATED: Whether to enable setting IPMI credentials during
# introspection. This feature will be removed in the Pike release.
# (boolean value)
# Deprecated group/name - [discoverd]/enable_setting_ipmi_credentials
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#enable_setting_ipmi_credentials = false
@ -813,18 +752,15 @@
# default for this is $default_processing_hooks, hooks can be added
# before or after the defaults like this:
# "prehook,$default_processing_hooks,posthook". (string value)
# Deprecated group/name - [discoverd]/processing_hooks
#processing_hooks = $default_processing_hooks
# If set, logs from ramdisk will be stored in this directory. (string
# value)
# Deprecated group/name - [discoverd]/ramdisk_logs_dir
#ramdisk_logs_dir = <None>
# Whether to store ramdisk logs even if it did not return an error
# message (dependent upon "ramdisk_logs_dir" option being set).
# (boolean value)
# Deprecated group/name - [discoverd]/always_store_ramdisk_logs
#always_store_ramdisk_logs = false
# The name of the hook to run when inspector receives inspection
@ -913,18 +849,6 @@
# (integer value)
#max_retries = 2
# DEPRECATED: Keystone authentication URL (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_auth_url =
# DEPRECATED: Keystone authentication API version (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_auth_version = 2
# Swift endpoint type. (string value)
#os_endpoint_type = internalURL


@ -37,50 +37,6 @@ IRONIC_GROUP = 'ironic'
IRONIC_OPTS = [
cfg.StrOpt('os_region',
help=_('Keystone region used to get Ironic endpoints.')),
cfg.StrOpt('os_auth_url',
default='',
help=_('Keystone authentication endpoint for accessing Ironic '
'API. Use [keystone_authtoken] section for keystone '
'token validation.'),
deprecated_group='discoverd',
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('os_username',
default='',
help=_('User name for accessing Ironic API. '
'Use [keystone_authtoken] section for keystone '
'token validation.'),
deprecated_group='discoverd',
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('os_password',
default='',
help=_('Password for accessing Ironic API. '
'Use [keystone_authtoken] section for keystone '
'token validation.'),
secret=True,
deprecated_group='discoverd',
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('os_tenant_name',
default='',
help=_('Tenant name for accessing Ironic API. '
'Use [keystone_authtoken] section for keystone '
'token validation.'),
deprecated_group='discoverd',
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('identity_uri',
default='',
help=_('Keystone admin endpoint. '
'DEPRECATED: Use [keystone_authtoken] section for '
'keystone token validation.'),
deprecated_group='discoverd',
deprecated_for_removal=True),
cfg.StrOpt('auth_strategy',
default='keystone',
choices=('keystone', 'noauth'),
@ -112,12 +68,6 @@ CONF.register_opts(IRONIC_OPTS, group=IRONIC_GROUP)
keystone.register_auth_opts(IRONIC_GROUP)
IRONIC_SESSION = None
LEGACY_MAP = {
'auth_url': 'os_auth_url',
'username': 'os_username',
'password': 'os_password',
'tenant_name': 'os_tenant_name'
}
class NotFound(utils.Error):
@ -175,8 +125,7 @@ def get_client(token=None,
else:
global IRONIC_SESSION
if not IRONIC_SESSION:
IRONIC_SESSION = keystone.get_session(
IRONIC_GROUP, legacy_mapping=LEGACY_MAP)
IRONIC_SESSION = keystone.get_session(IRONIC_GROUP)
if token is None:
args = {'session': IRONIC_SESSION,
'region_name': CONF.ironic.os_region}


@ -13,16 +13,11 @@
import copy
from keystoneauth1 import exceptions
from keystoneauth1 import loading
from oslo_config import cfg
from oslo_log import log
from six.moves.urllib import parse # for legacy options loading only
from ironic_inspector.common.i18n import _LW
CONF = cfg.CONF
LOG = log.getLogger(__name__)
def register_auth_opts(group):
@ -31,81 +26,13 @@ def register_auth_opts(group):
CONF.set_default('auth_type', default='password', group=group)
def get_session(group, legacy_mapping=None, legacy_auth_opts=None):
auth = _get_auth(group, legacy_mapping, legacy_auth_opts)
def get_session(group):
auth = loading.load_auth_from_conf_options(CONF, group)
session = loading.load_session_from_conf_options(
CONF, group, auth=auth)
return session
def _get_auth(group, legacy_mapping=None, legacy_opts=None):
try:
auth = loading.load_auth_from_conf_options(CONF, group)
except exceptions.MissingRequiredOptions:
auth = _get_legacy_auth(group, legacy_mapping, legacy_opts)
else:
if auth is None:
auth = _get_legacy_auth(group, legacy_mapping, legacy_opts)
return auth
def _get_legacy_auth(group, legacy_mapping, legacy_opts):
"""Load auth plugin from legacy options.
If legacy_opts is not empty, these options will be registered first.
legacy_mapping is a dict that maps the following keys to legacy option
names:
auth_url
username
password
tenant_name
"""
LOG.warning(_LW("Group [%s]: Using legacy auth loader is deprecated. "
"Consider specifying appropriate keystone auth plugin as "
"'auth_type' and corresponding plugin options."), group)
if legacy_opts:
for opt in legacy_opts:
try:
CONF.register_opt(opt, group=group)
except cfg.DuplicateOptError:
pass
conf = getattr(CONF, group)
auth_params = {a: getattr(conf, legacy_mapping[a])
for a in legacy_mapping}
legacy_loader = loading.get_plugin_loader('password')
# NOTE(pas-ha) only Swift had this option, take it into account
try:
auth_version = conf.get('os_auth_version')
except cfg.NoSuchOptError:
auth_version = None
# NOTE(pas-ha) mimic defaults of keystoneclient
if _is_apiv3(auth_params['auth_url'], auth_version):
auth_params.update({
'project_domain_id': 'default',
'user_domain_id': 'default'})
return legacy_loader.load_from_options(**auth_params)
# NOTE(pas-ha): for backward compat with legacy options loading only
def _is_apiv3(auth_url, auth_version):
"""Check if V3 version of API is being used or not.
This method inspects auth_url and auth_version, and checks whether V3
version of the API is being used or not.
When no auth_version is specified and auth_url is not a versioned
endpoint, v2.0 is assumed.
:param auth_url: a http or https url to be inspected (like
'http://127.0.0.1:9898/').
:param auth_version: a string containing the version (like 'v2', 'v3.0')
or None
:returns: True if V3 of the API is being used.
"""
return (auth_version in ('v3.0', '3') or
'/v3' in parse.urlparse(auth_url).path)
def add_auth_options(options, group):
def add_options(opts, opts_to_add):
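Review bot: The new `get_session` lets keystoneauth1's `MissingRequiredOptions` escape to its callers and passes `auth` straight into `load_session_from_conf_options` even if the loader returned `None`; the removed `_get_auth` was the only place that handled both cases. The callers shown in the other sections of this page (`get_client` and the `SwiftAPI` constructor) create the session lazily, so a config file that still carries only the removed `os_*` options would presumably fail on the first request rather than at startup, with an error that may not name the section. Consider catching the exception here and re-raising it with the group name. The function also has no docstring; something like `"""Load the keystoneauth plugin and session for *group*; raises if the auth options are incomplete."""` would state the new contract.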


@ -42,18 +42,6 @@ SWIFT_OPTS = [
default='ironic-inspector',
help=_('Default Swift container to use when creating '
'objects.')),
cfg.StrOpt('os_auth_version',
default='2',
help=_('Keystone authentication API version'),
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('os_auth_url',
default='',
help=_('Keystone authentication URL'),
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('os_service_type',
default='object-store',
help=_('Swift service type.')),
@ -64,33 +52,11 @@ SWIFT_OPTS = [
help=_('Keystone region to get endpoint for.')),
]
# NOTE(pas-ha) these old options conflict with options exported by
# most used keystone auth plugins. Need to register them manually
# for the backward-compat case.
LEGACY_OPTS = [
cfg.StrOpt('username',
default='',
help=_('User name for accessing Swift API.')),
cfg.StrOpt('password',
default='',
help=_('Password for accessing Swift API.'),
secret=True),
cfg.StrOpt('tenant_name',
default='',
help=_('Tenant name for accessing Swift API.')),
]
CONF.register_opts(SWIFT_OPTS, group=SWIFT_GROUP)
keystone.register_auth_opts(SWIFT_GROUP)
OBJECT_NAME_PREFIX = 'inspector_data'
SWIFT_SESSION = None
LEGACY_MAP = {
'auth_url': 'os_auth_url',
'username': 'username',
'password': 'password',
'tenant_name': 'tenant_name',
}
def reset_swift_session():
@ -112,9 +78,7 @@ class SwiftAPI(object):
"""
global SWIFT_SESSION
if not SWIFT_SESSION:
SWIFT_SESSION = keystone.get_session(
SWIFT_GROUP, legacy_mapping=LEGACY_MAP,
legacy_auth_opts=LEGACY_OPTS)
SWIFT_SESSION = keystone.get_session(SWIFT_GROUP)
# TODO(pas-ha): swiftclient does not support keystone sessions ATM.
# Must be reworked when LP bug #1518938 is fixed.
swift_url = SWIFT_SESSION.get_endpoint(


@ -29,18 +29,15 @@ VALID_STORE_DATA_VALUES = ('none', 'swift')
FIREWALL_OPTS = [
cfg.BoolOpt('manage_firewall',
default=True,
help=_('Whether to manage firewall rules for PXE port.'),
deprecated_group='discoverd'),
help=_('Whether to manage firewall rules for PXE port.')),
cfg.StrOpt('dnsmasq_interface',
default='br-ctlplane',
help=_('Interface on which dnsmasq listens, the default is for '
'VM\'s.'),
deprecated_group='discoverd'),
'VM\'s.')),
cfg.IntOpt('firewall_update_period',
default=15,
help=_('Amount of time in seconds, after which repeat periodic '
'update of firewall.'),
deprecated_group='discoverd'),
'update of firewall.')),
cfg.StrOpt('firewall_chain',
default='ironic-inspector',
help=_('iptables chain name to use.')),
@ -56,8 +53,7 @@ PROCESSING_OPTS = [
'IP addresses), pxe (only MAC address of NIC node PXE '
'booted from, falls back to "active" if PXE MAC is not '
'supplied by the ramdisk).'),
choices=VALID_ADD_PORTS_VALUES,
deprecated_group='discoverd'),
choices=VALID_ADD_PORTS_VALUES),
cfg.StrOpt('keep_ports',
default='all',
help=_('Which ports (already present on a node) to keep after '
@ -65,20 +61,17 @@ PROCESSING_OPTS = [
'anything), present (keep ports which MACs were present '
'in introspection data), added (keep only MACs that we '
'added during introspection).'),
choices=VALID_KEEP_PORTS_VALUES,
deprecated_group='discoverd'),
choices=VALID_KEEP_PORTS_VALUES),
cfg.BoolOpt('overwrite_existing',
default=True,
help=_('Whether to overwrite existing values in node '
'database. Disable this option to make '
'introspection a non-destructive operation.'),
deprecated_group='discoverd'),
'introspection a non-destructive operation.')),
cfg.BoolOpt('enable_setting_ipmi_credentials',
default=False,
help=_('Whether to enable setting IPMI credentials during '
'introspection. This feature will be removed in the '
'Pike release.'),
deprecated_group='discoverd',
deprecated_for_removal=True),
cfg.StrOpt('default_processing_hooks',
default='ramdisk_error,root_disk_selection,scheduler,'
@ -96,18 +89,15 @@ PROCESSING_OPTS = [
'pipeline. The default for this is '
'$default_processing_hooks, hooks can be added before '
'or after the defaults like this: '
'"prehook,$default_processing_hooks,posthook".'),
deprecated_group='discoverd'),
'"prehook,$default_processing_hooks,posthook".')),
cfg.StrOpt('ramdisk_logs_dir',
help=_('If set, logs from ramdisk will be stored in this '
'directory.'),
deprecated_group='discoverd'),
'directory.')),
cfg.BoolOpt('always_store_ramdisk_logs',
default=False,
help=_('Whether to store ramdisk logs even if it did not '
'return an error message (dependent upon '
'"ramdisk_logs_dir" option being set).'),
deprecated_group='discoverd'),
'"ramdisk_logs_dir" option being set).')),
cfg.StrOpt('node_not_found_hook',
help=_('The name of the hook to run when inspector receives '
'inspection information from a node it isn\'t already '
@ -143,51 +133,32 @@ PROCESSING_OPTS = [
help=_('Whether to power off a node after introspection.')),
]
DISCOVERD_OPTS = [
cfg.StrOpt('database',
default='',
help=_('SQLite3 database to store nodes under introspection, '
'required. Do not use :memory: here, it won\'t work. '
'DEPRECATED: use [database]/connection.'),
deprecated_for_removal=True),
]
SERVICE_OPTS = [
cfg.StrOpt('listen_address',
default='0.0.0.0',
help=_('IP to listen on.'),
deprecated_group='discoverd'),
help=_('IP to listen on.')),
cfg.PortOpt('listen_port',
default=5050,
help=_('Port to listen on.'),
deprecated_group='discoverd'),
help=_('Port to listen on.')),
cfg.StrOpt('auth_strategy',
default='keystone',
choices=('keystone', 'noauth'),
help=_('Authentication method used on the ironic-inspector '
'API. Either "noauth" or "keystone" are currently valid '
'options. "noauth" will disable all authentication.')),
cfg.BoolOpt('authenticate',
help=_('DEPRECATED: use auth_strategy.'),
deprecated_group='discoverd',
deprecated_for_removal=True),
cfg.IntOpt('timeout',
default=3600,
help=_('Timeout after which introspection is considered '
'failed, set to 0 to disable.'),
deprecated_group='discoverd'),
'failed, set to 0 to disable.')),
cfg.IntOpt('node_status_keep_time',
default=604800,
help=_('For how much time (in seconds) to keep status '
'information about nodes after introspection was '
'finished for them. Default value is 1 week.'),
deprecated_group='discoverd'),
'finished for them. Default value is 1 week.')),
cfg.IntOpt('clean_up_period',
default=60,
help=_('Amount of time in seconds, after which repeat clean up '
'of timed out nodes and old nodes status information.'),
deprecated_group='discoverd'),
'of timed out nodes and old nodes status information.')),
cfg.BoolOpt('use_ssl',
default=False,
help=_('SSL Enabled/Disabled')),
@ -225,7 +196,6 @@ SERVICE_OPTS = [
cfg.CONF.register_opts(SERVICE_OPTS)
cfg.CONF.register_opts(FIREWALL_OPTS, group='firewall')
cfg.CONF.register_opts(PROCESSING_OPTS, group='processing')
cfg.CONF.register_opts(DISCOVERD_OPTS, group='discoverd')
def list_opts():
@ -233,7 +203,6 @@ def list_opts():
('', SERVICE_OPTS),
('firewall', FIREWALL_OPTS),
('processing', PROCESSING_OPTS),
('discoverd', DISCOVERD_OPTS),
]


@ -43,10 +43,6 @@ _FACADE = None
db_opts.set_defaults(cfg.CONF, _DEFAULT_SQL_CONNECTION,
'ironic_inspector.sqlite')
if CONF.discoverd.database:
db_opts.set_defaults(CONF,
connection='sqlite:///%s' %
str(CONF.discoverd.database).strip())
class Node(Base):


@ -429,7 +429,7 @@ class Service(object):
CONF.log_opt_values(LOG, log.DEBUG)
def init(self):
if utils.get_auth_strategy() != 'noauth':
if CONF.auth_strategy != 'noauth':
utils.add_auth_middleware(app)
else:
LOG.warning(_LW('Starting unauthenticated, please check'


@ -13,7 +13,6 @@
import mock
from keystoneauth1 import exceptions as kaexc
from keystoneauth1 import loading as kaloading
from oslo_config import cfg
@ -38,7 +37,7 @@ class KeystoneTest(base.BaseTest):
self.assertIn(o, self.cfg.conf[TESTGROUP])
self.assertEqual('password', self.cfg.conf[TESTGROUP]['auth_type'])
@mock.patch.object(keystone, '_get_auth')
@mock.patch.object(kaloading, 'load_auth_from_conf_options', autospec=True)
def test_get_session(self, auth_mock):
keystone.register_auth_opts(TESTGROUP)
self.cfg.config(group=TESTGROUP,
@ -49,57 +48,6 @@ class KeystoneTest(base.BaseTest):
self.assertEqual('/path/to/ca/file', sess.verify)
self.assertEqual(auth1, sess.auth)
@mock.patch('keystoneauth1.loading.load_auth_from_conf_options')
@mock.patch.object(keystone, '_get_legacy_auth')
def test__get_auth(self, legacy_mock, load_mock):
auth1 = mock.Mock()
load_mock.side_effect = [
auth1,
None,
kaexc.MissingRequiredOptions([kaloading.Opt('spam')])]
auth2 = mock.Mock()
legacy_mock.return_value = auth2
self.assertEqual(auth1, keystone._get_auth(TESTGROUP))
self.assertEqual(auth2, keystone._get_auth(TESTGROUP))
self.assertEqual(auth2, keystone._get_auth(TESTGROUP))
@mock.patch('keystoneauth1.loading._plugins.identity.generic.Password.'
'load_from_options')
def test__get_legacy_auth(self, load_mock):
self.cfg.register_opts(
[cfg.StrOpt('identity_url'),
cfg.StrOpt('old_user'),
cfg.StrOpt('old_password')],
group=TESTGROUP)
self.cfg.config(group=TESTGROUP,
identity_url='http://fake:5000/v3',
old_password='ham',
old_user='spam')
options = [cfg.StrOpt('old_tenant_name', default='fake'),
cfg.StrOpt('old_user')]
mapping = {'username': 'old_user',
'password': 'old_password',
'auth_url': 'identity_url',
'tenant_name': 'old_tenant_name'}
keystone._get_legacy_auth(TESTGROUP, mapping, options)
load_mock.assert_called_once_with(username='spam',
password='ham',
tenant_name='fake',
user_domain_id='default',
project_domain_id='default',
auth_url='http://fake:5000/v3')
def test__is_api_v3(self):
cases = ((False, 'http://fake:5000', None),
(False, 'http://fake:5000/v2.0', None),
(True, 'http://fake:5000/v3', None),
(True, 'http://fake:5000', '3'),
(True, 'http://fake:5000', 'v3.0'))
for case in cases:
result, url, version = case
self.assertEqual(result, keystone._is_apiv3(url, version))
def test_add_auth_options(self):
group, opts = keystone.add_auth_options([], TESTGROUP)[0]
self.assertEqual(TESTGROUP, group)
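Review bot: The error-path tests are deleted together with `_get_auth`, and the remaining `test_get_session` patches `load_auth_from_conf_options`, so only the success case is covered. Nothing now pins what `keystone.get_session` does when the loader raises `MissingRequiredOptions`, which is the case an operator meets after upgrading with stale options. A short test that sets `auth_mock.side_effect = kaexc.MissingRequiredOptions([kaloading.Opt('spam')])` and asserts the exception type would document that contract. It needs the `kaexc` import, which the first hunk appears to drop. The body of `test_get_session` runs partly outside the hunks shown.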


@ -57,35 +57,6 @@ class TestCheckAuth(base.BaseTest):
self.assertEqual('http://127.0.0.1:5000', args1['auth_uri'])
self.assertEqual('http://127.0.0.1:35357', args1['identity_uri'])
@mock.patch.object(auth_token, 'AuthProtocol')
def test_add_auth_middleware_with_deprecated_items(self, mock_auth):
CONF.set_override('os_password', 'os_password', 'ironic')
CONF.set_override('admin_password', 'admin_password',
'keystone_authtoken')
CONF.set_override('os_username', 'os_username', 'ironic')
CONF.set_override('admin_user', 'admin_user', 'keystone_authtoken')
CONF.set_override('os_auth_url', 'os_auth_url', 'ironic')
CONF.set_override('auth_uri', 'auth_uri', 'keystone_authtoken')
CONF.set_override('os_tenant_name', 'os_tenant_name', 'ironic')
CONF.set_override('admin_tenant_name', 'admin_tenant_name',
'keystone_authtoken')
CONF.set_override('identity_uri', 'identity_uri_ironic', 'ironic')
CONF.set_override('identity_uri', 'identity_uri', 'keystone_authtoken')
app = mock.Mock(wsgi_app=mock.sentinel.app)
utils.add_auth_middleware(app)
call_args = mock_auth.call_args_list[0]
args = call_args[0]
self.assertEqual(mock.sentinel.app, args[0])
args1 = args[1]
self.assertEqual('os_password', args1['admin_password'])
self.assertEqual('os_username', args1['admin_user'])
self.assertEqual('os_auth_url', args1['auth_uri'])
self.assertEqual('os_tenant_name', args1['admin_tenant_name'])
self.assertTrue(args1['delay_auth_decision'])
self.assertEqual('identity_uri_ironic', args1['identity_uri'])
def test_ok(self):
request = mock.Mock(headers={'X-Identity-Status': 'Confirmed',
'X-Roles': 'admin,member'})


@ -150,29 +150,6 @@ def add_auth_middleware(app):
:param app: application.
"""
auth_conf = dict(CONF.keystone_authtoken)
# These items should only be used for accessing Ironic API.
# For keystonemiddleware's authentication,
# keystone_authtoken's items will be used and
# these items will be unsupported.
# [ironic]/os_password
# [ironic]/os_username
# [ironic]/os_auth_url
# [ironic]/os_tenant_name
auth_conf.update({'admin_password':
CONF.ironic.os_password or
CONF.keystone_authtoken.admin_password,
'admin_user':
CONF.ironic.os_username or
CONF.keystone_authtoken.admin_user,
'auth_uri':
CONF.ironic.os_auth_url or
CONF.keystone_authtoken.auth_uri,
'admin_tenant_name':
CONF.ironic.os_tenant_name or
CONF.keystone_authtoken.admin_tenant_name,
'identity_uri':
CONF.ironic.identity_uri or
CONF.keystone_authtoken.identity_uri})
auth_conf['delay_auth_decision'] = True
app.wsgi_app = auth_token.AuthProtocol(app.wsgi_app, auth_conf)
@ -194,7 +171,7 @@ def check_auth(request):
:param request: Flask request
:raises: utils.Error if access is denied
"""
if get_auth_strategy() == 'noauth':
if CONF.auth_strategy == 'noauth':
return
if request.headers.get('X-Identity-Status').lower() == 'invalid':
raise Error(_('Authentication required'), code=401)
@ -204,12 +181,6 @@ def check_auth(request):
raise Error(_('Access denied'), code=403)
def get_auth_strategy():
if CONF.authenticate is not None:
return 'keystone' if CONF.authenticate else 'noauth'
return CONF.auth_strategy
def get_valid_macs(data):
"""Get a list of valid MAC's from the introspection data."""
return [m['mac']
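Review bot: With `get_auth_strategy()` removed, `check_auth` (and `Service.init` in the earlier section) read `CONF.auth_strategy` directly, so a deployment whose file has `authenticate = true` alongside `auth_strategy = noauth` goes from Keystone-enforced to unauthenticated on upgrade, because the removed helper gave `authenticate` precedence. As far as I know oslo.config ignores unregistered keys in a config file, so the leftover line would not raise an error and the only signal is the startup warning in `Service.init`. The release note in this commit names the "ironic", "swift" and "keystone_authtoken" sections but not this top-level option; I would add an upgrade item such as `The "authenticate" option is no longer read; "auth_strategy" alone decides whether the API requires Keystone authentication.` The `check_auth` body starts outside the hunk.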


@ -0,0 +1,8 @@
---
upgrade:
- |
Removed previously deprecated authentication options from "ironic",
"swift", and "keystone_authtoken" sections.
- |
Removed long deprecated support for "discoverd" section in configuration
file.