Remove six usage

This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python2 and 3, convert six usage to Python
3 code.

Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b

keystone/api/_shared/EC2_S3_Resource.py

@@ -12,10 +12,7 @@
 
 # Common base resource for EC2 and S3 Authentication
 
-import sys
-
 from oslo_serialization import jsonutils
-import six
 from werkzeug import exceptions
 
 from keystone.common import provider_api
@@ -102,10 +99,7 @@ class ResourceBase(ks_flask.ResourceBase):
             PROVIDERS.resource_api.assert_project_enabled(
                 project_id=project_ref['id'], project=project_ref)
         except AssertionError as e:
-            six.reraise(
+            raise ks_exceptions.Unauthorized from e
-                ks_exceptions.Unauthorized,
-                ks_exceptions.Unauthorized(e),
-                sys.exc_info()[2])
 
         roles = PROVIDERS.assignment_api.get_roles_for_user_and_project(
             user_ref['id'], project_ref['id'])

keystone/api/_shared/authentication.py

@@ -19,7 +19,6 @@
 
 import flask
 from oslo_log import log
-import six
 
 from keystone.auth import core
 from keystone.common import provider_api
@@ -55,7 +54,7 @@ def _check_and_set_default_scoping(auth_info, auth_context):
     try:
         user_ref = PROVIDERS.identity_api.get_user(auth_context['user_id'])
     except exception.UserNotFound as e:
-        LOG.warning(six.text_type(e))
+        LOG.warning(e)
         raise exception.Unauthorized(e)
 
     default_project_id = user_ref.get('default_project_id')
@@ -235,7 +234,7 @@ def authenticate_for_token(auth=None):
 
         return token
     except exception.TrustNotFound as e:
-        LOG.warning(six.text_type(e))
+        LOG.warning(e)
         raise exception.Unauthorized(e)
 
 

keystone/api/auth.py

@@ -15,11 +15,11 @@ import string
 
 import flask
 import flask_restful
+import http.client
 from oslo_log import log
 from oslo_serialization import jsonutils
 from oslo_utils import strutils
-from six.moves import http_client
+import urllib
-from six.moves import urllib
 import werkzeug.exceptions
 
 from keystone.api._shared import authentication
@@ -107,7 +107,7 @@ class _AuthFederationWebSSOBase(ks_flask.ResourceBase):
             src = string.Template(template.read())
         subs = {'host': host, 'token': token_id}
         body = src.substitute(subs)
-        resp = flask.make_response(body, http_client.OK)
+        resp = flask.make_response(body, http.client.OK)
         resp.charset = 'utf-8'
         resp.headers['Content-Type'] = 'text/html'
         return resp
@@ -298,7 +298,7 @@ class AuthTokenResource(_AuthFederationWebSSOBase):
         token_resp = render_token.render_token_response_from_model(
             token, include_catalog=include_catalog)
         resp_body = jsonutils.dumps(token_resp)
-        response = flask.make_response(resp_body, http_client.OK)
+        response = flask.make_response(resp_body, http.client.OK)
         response.headers['X-Subject-Token'] = token_id
         response.headers['Content-Type'] = 'application/json'
         return response
@@ -317,7 +317,7 @@ class AuthTokenResource(_AuthFederationWebSSOBase):
             token, include_catalog=include_catalog
         )
         resp_body = jsonutils.dumps(resp_data)
-        response = flask.make_response(resp_body, http_client.CREATED)
+        response = flask.make_response(resp_body, http.client.CREATED)
         response.headers['X-Subject-Token'] = token.id
         response.headers['Content-Type'] = 'application/json'
         return response
@@ -331,7 +331,7 @@ class AuthTokenResource(_AuthFederationWebSSOBase):
         token_id = flask.request.headers.get(
             authorization.SUBJECT_TOKEN_HEADER)
         PROVIDERS.token_provider_api.revoke_token(token_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class AuthFederationWebSSOResource(_AuthFederationWebSSOBase):
@@ -404,7 +404,7 @@ class AuthFederationSaml2Resource(_AuthFederationWebSSOBase):
         validation.lazy_validate(federation_schema.saml_create, auth)
         response, service_provider = saml.create_base_saml_assertion(auth)
         headers = _build_response_headers(service_provider)
-        response = flask.make_response(response.to_string(), http_client.OK)
+        response = flask.make_response(response.to_string(), http.client.OK)
         for header, value in headers:
             response.headers[header] = value
         return response
@@ -431,7 +431,7 @@ class AuthFederationSaml2ECPResource(_AuthFederationWebSSOBase):
             saml_assertion, relay_state_prefix)
         headers = _build_response_headers(service_provider)
         response = flask.make_response(
-            ecp_assertion.to_string(), http_client.OK)
+            ecp_assertion.to_string(), http.client.OK)
         for header, value in headers:
             response.headers[header] = value
         return response

keystone/api/credentials.py

@@ -15,8 +15,8 @@
 import hashlib
 
 import flask
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common import provider_api
 from keystone.common import rbac_enforcer
@@ -150,7 +150,7 @@ class CredentialResource(ks_flask.ResourceBase):
             self._normalize_dict(credential), trust_id=trust_id)
         ref = PROVIDERS.credential_api.create_credential(
             ref['id'], ref, initiator=self.audit_initiator)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def patch(self, credential_id):
         # Update Credential
@@ -176,7 +176,7 @@ class CredentialResource(ks_flask.ResourceBase):
 
         return (PROVIDERS.credential_api.delete_credential(
             credential_id, initiator=self.audit_initiator),
-            http_client.NO_CONTENT)
+            http.client.NO_CONTENT)
 
 
 class CredentialAPI(ks_flask.APIBase):

keystone/api/discovery.py

@@ -12,8 +12,8 @@
 
 import flask
 from flask import request
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common import json_home
 import keystone.conf
@@ -79,7 +79,7 @@ def get_versions():
                 {'versions': {
                     'values': list(versions.values())}}),
             mimetype=MimeTypes.JSON,
-            status=http_client.MULTIPLE_CHOICES)
+            status=http.client.MULTIPLE_CHOICES)
         response.headers['Location'] = preferred_location
         return response
 

keystone/api/domains.py

@@ -15,7 +15,7 @@
 import flask
 import flask_restful
 import functools
-from six.moves import http_client
+import http.client
 
 from keystone.common import json_home
 from keystone.common import provider_api
@@ -127,7 +127,7 @@ class DomainResource(ks_flask.ResourceBase):
         domain = self._normalize_dict(domain)
         ref = PROVIDERS.resource_api.create_domain(
             domain['id'], domain, initiator=self.audit_initiator)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def patch(self, domain_id):
         """Update domain.
@@ -150,7 +150,7 @@ class DomainResource(ks_flask.ResourceBase):
         ENFORCER.enforce_call(action='identity:delete_domain')
         PROVIDERS.resource_api.delete_domain(
             domain_id, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class DomainConfigBase(ks_flask.ResourceBase):
@@ -217,7 +217,7 @@ class DomainConfigBase(ks_flask.ResourceBase):
         PROVIDERS.resource_api.get_domain(domain_id)
         PROVIDERS.domain_config_api.delete_config(
             domain_id, group, option=option)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class DomainConfigResource(DomainConfigBase):
@@ -247,7 +247,7 @@ class DomainConfigResource(DomainConfigBase):
         if original_config:
             return {self.member_key: ref}
         else:
-            return {self.member_key: ref}, http_client.CREATED
+            return {self.member_key: ref}, http.client.CREATED
 
 
 class DomainConfigGroupResource(DomainConfigBase):
@@ -337,7 +337,7 @@ class DomainUserResource(ks_flask.ResourceBase):
         PROVIDERS.assignment_api.get_grant(
             role_id, domain_id=domain_id, user_id=user_id,
             inherited_to_projects=False)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, domain_id=None, user_id=None, role_id=None):
         """Create a role to a user on a domain.
@@ -350,7 +350,7 @@ class DomainUserResource(ks_flask.ResourceBase):
         PROVIDERS.assignment_api.create_grant(
             role_id, domain_id=domain_id, user_id=user_id,
             inherited_to_projects=False, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, domain_id=None, user_id=None, role_id=None):
         """Revoke a role from user on a domain.
@@ -364,7 +364,7 @@ class DomainUserResource(ks_flask.ResourceBase):
         PROVIDERS.assignment_api.delete_grant(
             role_id, domain_id=domain_id, user_id=user_id,
             inherited_to_projects=False, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class DomainGroupListResource(flask_restful.Resource):
@@ -398,7 +398,7 @@ class DomainGroupResource(ks_flask.ResourceBase):
         PROVIDERS.assignment_api.get_grant(
             role_id, domain_id=domain_id, group_id=group_id,
             inherited_to_projects=False)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, domain_id=None, group_id=None, role_id=None):
         """Grant a role to a group on a domain.
@@ -411,7 +411,7 @@ class DomainGroupResource(ks_flask.ResourceBase):
         PROVIDERS.assignment_api.create_grant(
             role_id, domain_id=domain_id, group_id=group_id,
             inherited_to_projects=False, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, domain_id=None, group_id=None, role_id=None):
         """Revoke a role from a group on a domain.
@@ -425,7 +425,7 @@ class DomainGroupResource(ks_flask.ResourceBase):
         PROVIDERS.assignment_api.delete_grant(
             role_id, domain_id=domain_id, group_id=group_id,
             inherited_to_projects=False, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class DomainAPI(ks_flask.APIBase):

keystone/api/ec2tokens.py

@@ -13,9 +13,9 @@
 # This file handles all flask-restful resources for /v3/ec2tokens
 
 import flask
+import http.client
 from keystoneclient.contrib.ec2 import utils as ec2_utils
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.api._shared import EC2_S3_Resource
 from keystone.api._shared import json_home_relations
@@ -67,7 +67,7 @@ class EC2TokensResource(EC2_S3_Resource.ResourceBase):
         token = self.handle_authenticate()
         token_reference = render_token.render_token_response_from_model(token)
         resp_body = jsonutils.dumps(token_reference)
-        response = flask.make_response(resp_body, http_client.OK)
+        response = flask.make_response(resp_body, http.client.OK)
         response.headers['X-Subject-Token'] = token.id
         response.headers['Content-Type'] = 'application/json'
         return response

keystone/api/endpoints.py

@@ -13,7 +13,7 @@
 # This file handles all flask-restful resources for /v3/services
 
 import flask_restful
-from six.moves import http_client
+import http.client
 
 from keystone.api._shared import json_home_relations
 from keystone.catalog import schema
@@ -97,7 +97,7 @@ class EndpointResource(ks_flask.ResourceBase):
         endpoint = self._validate_endpoint_region(endpoint)
         ref = PROVIDERS.catalog_api.create_endpoint(
             endpoint['id'], endpoint, initiator=self.audit_initiator)
-        return self.wrap_member(_filter_endpoint(ref)), http_client.CREATED
+        return self.wrap_member(_filter_endpoint(ref)), http.client.CREATED
 
     def patch(self, endpoint_id):
         ENFORCER.enforce_call(action='identity:update_endpoint')
@@ -113,7 +113,7 @@ class EndpointResource(ks_flask.ResourceBase):
         ENFORCER.enforce_call(action='identity:delete_endpoint')
         PROVIDERS.catalog_api.delete_endpoint(endpoint_id,
                                               initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class EndpointPolicyEndpointResource(flask_restful.Resource):

keystone/api/groups.py

@@ -15,7 +15,7 @@
 import flask
 import flask_restful
 import functools
-from six.moves import http_client
+import http.client
 
 from keystone.common import json_home
 from keystone.common import provider_api
@@ -107,7 +107,7 @@ class GroupsResource(ks_flask.ResourceBase):
         group = self._normalize_domain_id(group)
         ref = PROVIDERS.identity_api.create_group(
             group, initiator=self.audit_initiator)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def patch(self, group_id):
         """Update group.
@@ -133,7 +133,7 @@ class GroupsResource(ks_flask.ResourceBase):
         ENFORCER.enforce_call(action='identity:delete_group')
         PROVIDERS.identity_api.delete_group(
             group_id, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class GroupUsersResource(ks_flask.ResourceBase):
@@ -194,7 +194,7 @@ class UserGroupCRUDResource(flask_restful.Resource):
             build_target=functools.partial(self._build_enforcement_target_attr,
                                            user_id, group_id))
         PROVIDERS.identity_api.check_user_in_group(user_id, group_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, group_id, user_id):
         """Add user to group.
@@ -207,7 +207,7 @@ class UserGroupCRUDResource(flask_restful.Resource):
                                            user_id, group_id))
         PROVIDERS.identity_api.add_user_to_group(
             user_id, group_id, initiator=notifications.build_audit_initiator())
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, group_id, user_id):
         """Remove user from group.
@@ -220,7 +220,7 @@ class UserGroupCRUDResource(flask_restful.Resource):
                                            user_id, group_id))
         PROVIDERS.identity_api.remove_user_from_group(
             user_id, group_id, initiator=notifications.build_audit_initiator())
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class GroupAPI(ks_flask.APIBase):

keystone/api/limits.py

@@ -14,7 +14,7 @@
 
 import flask
 import flask_restful
-from six.moves import http_client
+import http.client
 
 from keystone.common import json_home
 from keystone.common import provider_api
@@ -110,7 +110,7 @@ class LimitsResource(ks_flask.ResourceBase):
         refs = PROVIDERS.unified_limit_api.create_limits(limits)
         refs = self.wrap_collection(refs)
         refs.pop('links')
-        return refs, http_client.CREATED
+        return refs, http.client.CREATED
 
     def patch(self, limit_id):
         ENFORCER.enforce_call(action='identity:update_limit')
@@ -124,7 +124,7 @@ class LimitsResource(ks_flask.ResourceBase):
     def delete(self, limit_id):
         ENFORCER.enforce_call(action='identity:delete_limit')
         return (PROVIDERS.unified_limit_api.delete_limit(limit_id),
-                http_client.NO_CONTENT)
+                http.client.NO_CONTENT)
 
 
 class LimitModelResource(flask_restful.Resource):

keystone/api/os_ep_filter.py

@@ -13,7 +13,7 @@
 # This file handles all flask-restful resources for /OS-EP-FILTER
 
 import flask_restful
-from six.moves import http_client
+import http.client
 
 from keystone.api._shared import json_home_relations
 from keystone.api import endpoints as _endpoints_api
@@ -90,7 +90,7 @@ class EndpointGroupsResource(ks_flask.ResourceBase):
         self._require_valid_filter(ep_group)
         ep_group = self._assign_unique_id(ep_group)
         return self.wrap_member(PROVIDERS.catalog_api.create_endpoint_group(
-            ep_group['id'], ep_group)), http_client.CREATED
+            ep_group['id'], ep_group)), http.client.CREATED
 
     def patch(self, endpoint_group_id):
         ENFORCER.enforce_call(action='identity:update_endpoint_group')
@@ -105,7 +105,7 @@ class EndpointGroupsResource(ks_flask.ResourceBase):
     def delete(self, endpoint_group_id):
         ENFORCER.enforce_call(action='identity:delete_endpoint_group')
         return (PROVIDERS.catalog_api.delete_endpoint_group(endpoint_group_id),
-                http_client.NO_CONTENT)
+                http.client.NO_CONTENT)
 
 
 class EPFilterEndpointProjectsResource(flask_restful.Resource):
@@ -127,19 +127,19 @@ class EPFilterProjectsEndpointsResource(flask_restful.Resource):
         PROVIDERS.resource_api.get_project(project_id)
         PROVIDERS.catalog_api.check_endpoint_in_project(
             endpoint_id, project_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, project_id, endpoint_id):
         ENFORCER.enforce_call(action='identity:add_endpoint_to_project')
         PROVIDERS.catalog_api.get_endpoint(endpoint_id)
         PROVIDERS.resource_api.get_project(project_id)
         PROVIDERS.catalog_api.add_endpoint_to_project(endpoint_id, project_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, project_id, endpoint_id):
         ENFORCER.enforce_call(action='identity:remove_endpoint_from_project')
         return (PROVIDERS.catalog_api.remove_endpoint_from_project(
-            endpoint_id, project_id), http_client.NO_CONTENT)
+            endpoint_id, project_id), http.client.NO_CONTENT)
 
 
 class EPFilterProjectEndpointsListResource(flask_restful.Resource):
@@ -219,7 +219,7 @@ class EPFilterGroupsProjectsResource(ks_flask.ResourceBase):
         PROVIDERS.catalog_api.get_endpoint_group(endpoint_group_id)
         PROVIDERS.catalog_api.add_endpoint_group_to_project(
             endpoint_group_id, project_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, endpoint_group_id, project_id):
         ENFORCER.enforce_call(
@@ -228,7 +228,7 @@ class EPFilterGroupsProjectsResource(ks_flask.ResourceBase):
         PROVIDERS.catalog_api.get_endpoint_group(endpoint_group_id)
         PROVIDERS.catalog_api.remove_endpoint_group_from_project(
             endpoint_group_id, project_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class EPFilterAPI(ks_flask.APIBase):

keystone/api/os_federation.py

@@ -14,8 +14,8 @@
 
 import flask
 import flask_restful
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.api._shared import authentication
 from keystone.api._shared import json_home_relations
@@ -137,7 +137,7 @@ class IdentityProvidersResource(_ResourceBase):
         idp.setdefault('enabled', False)
         idp_ref = PROVIDERS.federation_api.create_idp(
             idp_id, idp)
-        return self.wrap_member(idp_ref), http_client.CREATED
+        return self.wrap_member(idp_ref), http.client.CREATED
 
     def patch(self, idp_id):
         ENFORCER.enforce_call(action='identity:update_identity_provider')
@@ -151,7 +151,7 @@ class IdentityProvidersResource(_ResourceBase):
     def delete(self, idp_id):
         ENFORCER.enforce_call(action='identity:delete_identity_provider')
         PROVIDERS.federation_api.delete_idp(idp_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class _IdentityProvidersProtocolsResourceBase(_ResourceBase):
@@ -218,7 +218,7 @@ class IDPProtocolsCRUDResource(_IdentityProvidersProtocolsResourceBase):
         protocol = self._normalize_dict(protocol)
         ref = PROVIDERS.federation_api.create_protocol(idp_id, protocol_id,
                                                        protocol)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def patch(self, idp_id, protocol_id):
         """Update protocol for an IDP.
@@ -241,7 +241,7 @@ class IDPProtocolsCRUDResource(_IdentityProvidersProtocolsResourceBase):
         """
         ENFORCER.enforce_call(action='identity:delete_protocol')
         PROVIDERS.federation_api.delete_protocol(idp_id, protocol_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class MappingResource(_ResourceBase):
@@ -282,7 +282,7 @@ class MappingResource(_ResourceBase):
         utils.validate_mapping_structure(mapping)
         mapping_ref = PROVIDERS.federation_api.create_mapping(
             mapping_id, mapping)
-        return self.wrap_member(mapping_ref), http_client.CREATED
+        return self.wrap_member(mapping_ref), http.client.CREATED
 
     def patch(self, mapping_id):
         """Update a mapping.
@@ -304,7 +304,7 @@ class MappingResource(_ResourceBase):
         """
         ENFORCER.enforce_call(action='identity:delete_mapping')
         PROVIDERS.federation_api.delete_mapping(mapping_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class ServiceProvidersResource(_ResourceBase):
@@ -355,7 +355,7 @@ class ServiceProvidersResource(_ResourceBase):
         sp.setdefault('relay_state_prefix',
                       CONF.saml.relay_state_prefix)
         sp_ref = PROVIDERS.federation_api.create_sp(sp_id, sp)
-        return self.wrap_member(sp_ref), http_client.CREATED
+        return self.wrap_member(sp_ref), http.client.CREATED
 
     def patch(self, sp_id):
         """Update a service provider.
@@ -376,7 +376,7 @@ class ServiceProvidersResource(_ResourceBase):
         """
         ENFORCER.enforce_call(action='identity:delete_service_provider')
         PROVIDERS.federation_api.delete_sp(sp_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class SAML2MetadataResource(flask_restful.Resource):
@@ -393,7 +393,7 @@ class SAML2MetadataResource(flask_restful.Resource):
         except IOError as e:
             # Raise HTTP 500 in case Metadata file cannot be read.
             raise exception.MetadataFileError(reason=e)
-        resp = flask.make_response(metadata, http_client.OK)
+        resp = flask.make_response(metadata, http.client.OK)
         resp.headers['Content-Type'] = 'text/xml'
         return resp
 
@@ -436,7 +436,7 @@ class OSFederationAuthResource(flask_restful.Resource):
         token = authentication.authenticate_for_token(auth)
         token_data = render_token.render_token_response_from_model(token)
         resp_data = jsonutils.dumps(token_data)
-        flask_resp = flask.make_response(resp_data, http_client.CREATED)
+        flask_resp = flask.make_response(resp_data, http.client.CREATED)
         flask_resp.headers['X-Subject-Token'] = token.id
         flask_resp.headers['Content-Type'] = 'application/json'
         return flask_resp

keystone/api/os_inherit.py

@@ -14,8 +14,8 @@
 
 import flask_restful
 import functools
+import http.client
 from oslo_log import log
-from six.moves import http_client
 
 from keystone.api._shared import json_home_relations
 from keystone.common import json_home
@@ -118,7 +118,7 @@ class OSInheritDomainGroupRolesResource(flask_restful.Resource):
         PROVIDERS.assignment_api.get_grant(
             domain_id=domain_id, group_id=group_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, domain_id, group_id, role_id):
         """Create an inherited grant for a group on a domain.
@@ -135,7 +135,7 @@ class OSInheritDomainGroupRolesResource(flask_restful.Resource):
         PROVIDERS.assignment_api.create_grant(
             domain_id=domain_id, group_id=group_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, domain_id, group_id, role_id):
         """Revoke an inherited grant for a group on a domain.
@@ -152,7 +152,7 @@ class OSInheritDomainGroupRolesResource(flask_restful.Resource):
         PROVIDERS.assignment_api.delete_grant(
             domain_id=domain_id, group_id=group_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class OSInheritDomainGroupRolesListResource(flask_restful.Resource):
@@ -189,7 +189,7 @@ class OSInheritDomainUserRolesResource(flask_restful.Resource):
         PROVIDERS.assignment_api.get_grant(
             domain_id=domain_id, user_id=user_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, domain_id, user_id, role_id):
         """Create an inherited grant for a user on a domain.
@@ -206,7 +206,7 @@ class OSInheritDomainUserRolesResource(flask_restful.Resource):
         PROVIDERS.assignment_api.create_grant(
             domain_id=domain_id, user_id=user_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, domain_id, user_id, role_id):
         """Revoke a grant from a user on a domain.
@@ -223,7 +223,7 @@ class OSInheritDomainUserRolesResource(flask_restful.Resource):
         PROVIDERS.assignment_api.delete_grant(
             domain_id=domain_id, user_id=user_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class OSInheritDomainUserRolesListResource(flask_restful.Resource):
@@ -260,7 +260,7 @@ class OSInheritProjectUserResource(flask_restful.Resource):
         PROVIDERS.assignment_api.get_grant(
             project_id=project_id, user_id=user_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, project_id, user_id, role_id):
         """Create an inherited grant for a user on a project.
@@ -277,7 +277,7 @@ class OSInheritProjectUserResource(flask_restful.Resource):
         PROVIDERS.assignment_api.create_grant(
             project_id=project_id, user_id=user_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, project_id, user_id, role_id):
         """Revoke an inherited grant for a user on a project.
@@ -294,7 +294,7 @@ class OSInheritProjectUserResource(flask_restful.Resource):
         PROVIDERS.assignment_api.delete_grant(
             project_id=project_id, user_id=user_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class OSInheritProjectGroupResource(flask_restful.Resource):
@@ -313,7 +313,7 @@ class OSInheritProjectGroupResource(flask_restful.Resource):
         PROVIDERS.assignment_api.get_grant(
             project_id=project_id, group_id=group_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, project_id, group_id, role_id):
         """Create an inherited grant for a group on a project.
@@ -330,7 +330,7 @@ class OSInheritProjectGroupResource(flask_restful.Resource):
         PROVIDERS.assignment_api.create_grant(
             project_id=project_id, group_id=group_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, project_id, group_id, role_id):
         """Revoke an inherited grant for a group on a project.
@@ -347,7 +347,7 @@ class OSInheritProjectGroupResource(flask_restful.Resource):
         PROVIDERS.assignment_api.delete_grant(
             project_id=project_id, group_id=group_id, role_id=role_id,
             inherited_to_projects=True)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class OSInheritAPI(ks_flask.APIBase):

keystone/api/os_oauth1.py

@@ -14,10 +14,10 @@
 
 import flask
 import flask_restful
+import http.client
 from oslo_log import log
 from oslo_utils import timeutils
-from six.moves import http_client
+from urllib import parse as urlparse
-from six.moves.urllib import parse as urlparse
 from werkzeug import exceptions
 
 from keystone.api._shared import json_home_relations
@@ -108,7 +108,7 @@ class ConsumerResource(ks_flask.ResourceBase):
         consumer = self._assign_unique_id(consumer)
         ref = PROVIDERS.oauth_api.create_consumer(
             consumer, initiator=self.audit_initiator)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def delete(self, consumer_id):
         ENFORCER.enforce_call(action='identity:delete_consumer')
@@ -122,7 +122,7 @@ class ConsumerResource(ks_flask.ResourceBase):
         notifications.invalidate_token_cache_notification(reason)
         PROVIDERS.oauth_api.delete_consumer(
             consumer_id, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def patch(self, consumer_id):
         ENFORCER.enforce_call(action='identity:update_consumer')
@@ -184,7 +184,7 @@ class RequestTokenResource(_OAuth1ResourceBase):
             expiry_bit = '&oauth_expires_at=%s' % token_ref['expires_at']
             result += expiry_bit
 
-        resp = flask.make_response(result, http_client.CREATED)
+        resp = flask.make_response(result, http.client.CREATED)
         resp.headers['Content-Type'] = 'application/x-www-form-urlencoded'
         return resp
 
@@ -276,7 +276,7 @@ class AccessTokenResource(_OAuth1ResourceBase):
             expiry_bit = '&oauth_expires_at=%s' % (token_ref['expires_at'])
             result += expiry_bit
 
-        resp = flask.make_response(result, http_client.CREATED)
+        resp = flask.make_response(result, http.client.CREATED)
         resp.headers['Content-Type'] = 'application/x-www-form-urlencoded'
         return resp
 

keystone/api/policy.py

@@ -13,8 +13,8 @@
 # This file handles all flask-restful resources for /policy
 
 import flask_restful
+import http.client
 from oslo_log import versionutils
-from six.moves import http_client
 
 from keystone.api._shared import json_home_relations
 from keystone.common import json_home
@@ -72,7 +72,7 @@ class PolicyResource(ks_flask.ResourceBase):
         ref = PROVIDERS.policy_api.create_policy(
             policy['id'], policy, initiator=self.audit_initiator
         )
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     @versionutils.deprecated(
         as_of=versionutils.deprecated.QUEENS,
@@ -97,7 +97,7 @@ class PolicyResource(ks_flask.ResourceBase):
         res = PROVIDERS.policy_api.delete_policy(
             policy_id, initiator=self.audit_initiator
         )
-        return (res, http_client.NO_CONTENT)
+        return (res, http.client.NO_CONTENT)
 
 
 class EndpointPolicyResource(flask_restful.Resource):
@@ -128,7 +128,7 @@ class EndpointPolicyAssociations(flask_restful.Resource):
         PROVIDERS.endpoint_policy_api.check_policy_association(
             policy_id, endpoint_id=endpoint_id
         )
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, policy_id, endpoint_id):
         action = 'identity:create_policy_association_for_endpoint'
@@ -138,7 +138,7 @@ class EndpointPolicyAssociations(flask_restful.Resource):
         PROVIDERS.endpoint_policy_api.create_policy_association(
             policy_id, endpoint_id=endpoint_id
         )
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, policy_id, endpoint_id):
         action = 'identity:delete_policy_association_for_endpoint'
@@ -148,7 +148,7 @@ class EndpointPolicyAssociations(flask_restful.Resource):
         PROVIDERS.endpoint_policy_api.delete_policy_association(
             policy_id, endpoint_id=endpoint_id
         )
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class ServicePolicyAssociations(flask_restful.Resource):
@@ -161,7 +161,7 @@ class ServicePolicyAssociations(flask_restful.Resource):
         PROVIDERS.endpoint_policy_api.check_policy_association(
             policy_id, service_id=service_id
         )
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, policy_id, service_id):
         action = 'identity:create_policy_association_for_service'
@@ -171,7 +171,7 @@ class ServicePolicyAssociations(flask_restful.Resource):
         PROVIDERS.endpoint_policy_api.create_policy_association(
             policy_id, service_id=service_id
         )
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, policy_id, service_id):
         action = 'identity:delete_policy_association_for_service'
@@ -181,7 +181,7 @@ class ServicePolicyAssociations(flask_restful.Resource):
         PROVIDERS.endpoint_policy_api.delete_policy_association(
             policy_id, service_id=service_id
         )
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class ServiceRegionPolicyAssociations(flask_restful.Resource):
@@ -195,7 +195,7 @@ class ServiceRegionPolicyAssociations(flask_restful.Resource):
         PROVIDERS.endpoint_policy_api.check_policy_association(
             policy_id, service_id=service_id, region_id=region_id
         )
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, policy_id, service_id, region_id):
         action = 'identity:create_policy_association_for_region_and_service'
@@ -206,7 +206,7 @@ class ServiceRegionPolicyAssociations(flask_restful.Resource):
         PROVIDERS.endpoint_policy_api.create_policy_association(
             policy_id, service_id=service_id, region_id=region_id
         )
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, policy_id, service_id, region_id):
         action = 'identity:delete_policy_association_for_region_and_service'
@@ -217,7 +217,7 @@ class ServiceRegionPolicyAssociations(flask_restful.Resource):
         PROVIDERS.endpoint_policy_api.delete_policy_association(
             policy_id, service_id=service_id, region_id=region_id
         )
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class PolicyAPI(ks_flask.APIBase):

keystone/api/projects.py

@@ -15,7 +15,7 @@
 import functools
 
 import flask
-from six.moves import http_client
+import http.client
 
 from keystone.common import json_home
 from keystone.common import provider_api
@@ -179,7 +179,7 @@ class ProjectResource(ks_flask.ResourceBase):
                 initiator=self.audit_initiator)
         except (exception.DomainNotFound, exception.ProjectNotFound) as e:
             raise exception.ValidationError(e)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def patch(self, project_id):
         """Update project.
@@ -211,7 +211,7 @@ class ProjectResource(ks_flask.ResourceBase):
         PROVIDERS.resource_api.delete_project(
             project_id,
             initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class _ProjectTagResourceBase(ks_flask.ResourceBase):
@@ -268,7 +268,7 @@ class ProjectTagsResource(_ProjectTagResourceBase):
             build_target=_build_project_target_enforcement
         )
         PROVIDERS.resource_api.update_project_tags(project_id, [])
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class ProjectTagResource(_ProjectTagResourceBase):
@@ -282,7 +282,7 @@ class ProjectTagResource(_ProjectTagResourceBase):
             build_target=_build_project_target_enforcement,
         )
         PROVIDERS.resource_api.get_project_tag(project_id, value)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, project_id, value):
         """Add a single tag to a project.
@@ -304,7 +304,7 @@ class ProjectTagResource(_ProjectTagResourceBase):
             initiator=self.audit_initiator
         )
         url = '/'.join((ks_flask.base_url(), project_id, 'tags', value))
-        response = flask.make_response('', http_client.CREATED)
+        response = flask.make_response('', http.client.CREATED)
         response.headers['Location'] = url
         return response
 
@@ -318,7 +318,7 @@ class ProjectTagResource(_ProjectTagResourceBase):
             build_target=_build_project_target_enforcement
         )
         PROVIDERS.resource_api.delete_project_tag(project_id, value)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class _ProjectGrantResourceBase(ks_flask.ResourceBase):
@@ -375,7 +375,7 @@ class ProjectUserGrantResource(_ProjectGrantResourceBase):
         PROVIDERS.assignment_api.get_grant(
             role_id=role_id, user_id=user_id, project_id=project_id,
             inherited_to_projects=inherited)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, project_id, user_id, role_id):
         """Grant role for user on project.
@@ -392,7 +392,7 @@ class ProjectUserGrantResource(_ProjectGrantResourceBase):
         PROVIDERS.assignment_api.create_grant(
             role_id=role_id, user_id=user_id, project_id=project_id,
             inherited_to_projects=inherited, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, project_id, user_id, role_id):
         """Delete grant of role for user on project.
@@ -410,7 +410,7 @@ class ProjectUserGrantResource(_ProjectGrantResourceBase):
         PROVIDERS.assignment_api.delete_grant(
             role_id=role_id, user_id=user_id, project_id=project_id,
             inherited_to_projects=inherited, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class ProjectUserListGrantResource(_ProjectGrantResourceBase):
@@ -448,7 +448,7 @@ class ProjectGroupGrantResource(_ProjectGrantResourceBase):
         PROVIDERS.assignment_api.get_grant(
             role_id=role_id, group_id=group_id, project_id=project_id,
             inherited_to_projects=inherited)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, project_id, group_id, role_id):
         """Grant role for group on project.
@@ -465,7 +465,7 @@ class ProjectGroupGrantResource(_ProjectGrantResourceBase):
         PROVIDERS.assignment_api.create_grant(
             role_id=role_id, group_id=group_id, project_id=project_id,
             inherited_to_projects=inherited, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, project_id, group_id, role_id):
         """Delete grant of role for group on project.
@@ -483,7 +483,7 @@ class ProjectGroupGrantResource(_ProjectGrantResourceBase):
         PROVIDERS.assignment_api.delete_grant(
             role_id=role_id, group_id=group_id, project_id=project_id,
             inherited_to_projects=inherited, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class ProjectGroupListGrantResource(_ProjectGrantResourceBase):

keystone/api/regions.py

@@ -12,7 +12,7 @@
 
 # This file handles all flask-restful resources for /v3/regions
 
-from six.moves import http_client
+import http.client
 
 from keystone.catalog import schema
 from keystone.common import provider_api
@@ -59,7 +59,7 @@ class RegionResource(ks_flask.ResourceBase):
             region = self._assign_unique_id(region)
         ref = PROVIDERS.catalog_api.create_region(
             region, initiator=self.audit_initiator)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def put(self, region_id):
         ENFORCER.enforce_call(action='identity:create_region')
@@ -77,7 +77,7 @@ class RegionResource(ks_flask.ResourceBase):
 
         ref = PROVIDERS.catalog_api.create_region(
             region, initiator=self.audit_initiator)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def patch(self, region_id):
         ENFORCER.enforce_call(action='identity:update_region')
@@ -90,7 +90,7 @@ class RegionResource(ks_flask.ResourceBase):
     def delete(self, region_id):
         ENFORCER.enforce_call(action='identity:delete_region')
         return PROVIDERS.catalog_api.delete_region(
-            region_id, initiator=self.audit_initiator), http_client.NO_CONTENT
+            region_id, initiator=self.audit_initiator), http.client.NO_CONTENT
 
 
 class RegionAPI(ks_flask.APIBase):

keystone/api/registered_limits.py

@@ -13,7 +13,7 @@
 # This file handles all flask-restful resources for /v3/registered_limits
 
 import flask
-from six.moves import http_client
+import http.client
 
 from keystone.common import json_home
 from keystone.common import provider_api
@@ -62,7 +62,7 @@ class RegisteredLimitResource(ks_flask.ResourceBase):
             registered_limits)
         refs = self.wrap_collection(refs)
         refs.pop('links')
-        return refs, http_client.CREATED
+        return refs, http.client.CREATED
 
     def patch(self, registered_limit_id):
         ENFORCER.enforce_call(action='identity:update_registered_limit')
@@ -78,7 +78,7 @@ class RegisteredLimitResource(ks_flask.ResourceBase):
     def delete(self, registered_limit_id):
         ENFORCER.enforce_call(action='identity:delete_registered_limit')
         return (PROVIDERS.unified_limit_api.delete_registered_limit(
-            registered_limit_id), http_client.NO_CONTENT)
+            registered_limit_id), http.client.NO_CONTENT)
 
 
 class RegisteredLimitsAPI(ks_flask.APIBase):

keystone/api/roles.py

@@ -14,7 +14,7 @@
 
 import flask
 import flask_restful
-from six.moves import http_client
+import http.client
 
 from keystone.api._shared import implied_roles as shared
 from keystone.assignment import schema
@@ -114,7 +114,7 @@ class RoleResource(ks_flask.ResourceBase):
         role = self._normalize_dict(role)
         ref = PROVIDERS.role_api.create_role(
             role['id'], role, initiator=self.audit_initiator)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def patch(self, role_id):
         """Update role.
@@ -170,7 +170,7 @@ class RoleResource(ks_flask.ResourceBase):
                                       member_target_type='role',
                                       member_target=role)
         PROVIDERS.role_api.delete_role(role_id, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 def _build_enforcement_target_ref():
@@ -222,7 +222,7 @@ class RoleImplicationResource(flask_restful.Resource):
         # for a future fix. This should just return the above "get" however,
         # we document and implment this as a NO_CONTENT response. NO_CONTENT
         # here is incorrect. It is maintained as is for API contract reasons.
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def get(self, prior_role_id, implied_role_id):
         """Get implied role.
@@ -258,7 +258,7 @@ class RoleImplicationResource(flask_restful.Resource):
                               build_target=_build_enforcement_target_ref)
         PROVIDERS.role_api.create_implied_role(prior_role_id, implied_role_id)
         response_json = self._get_implied_role(prior_role_id, implied_role_id)
-        return response_json, http_client.CREATED
+        return response_json, http.client.CREATED
 
     def delete(self, prior_role_id, implied_role_id):
         """Delete implied role.
@@ -268,7 +268,7 @@ class RoleImplicationResource(flask_restful.Resource):
         ENFORCER.enforce_call(action='identity:delete_implied_role',
                               build_target=_build_enforcement_target_ref)
         PROVIDERS.role_api.delete_implied_role(prior_role_id, implied_role_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class RoleAPI(ks_flask.APIBase):

keystone/api/s3tokens.py

@@ -17,9 +17,8 @@ import hashlib
 import hmac
 
 import flask
+import http.client
 from oslo_serialization import jsonutils
-import six
-from six.moves import http_client
 
 from keystone.api._shared import EC2_S3_Resource
 from keystone.api._shared import json_home_relations
@@ -39,10 +38,7 @@ def _calculate_signature_v1(string_to_sign, secret_key):
                             sign requests
     """
     key = str(secret_key).encode('utf-8')
-    if six.PY2:
+    b64_encode = base64.encodebytes
-        b64_encode = base64.encodestring
-    else:
-        b64_encode = base64.encodebytes
     signed = b64_encode(hmac.new(key, string_to_sign, hashlib.sha1)
                         .digest()).decode('utf-8').strip()
     return signed
@@ -100,7 +96,7 @@ class S3Resource(EC2_S3_Resource.ResourceBase):
         token = self.handle_authenticate()
         token_reference = render_token.render_token_response_from_model(token)
         resp_body = jsonutils.dumps(token_reference)
-        response = flask.make_response(resp_body, http_client.OK)
+        response = flask.make_response(resp_body, http.client.OK)
         response.headers['Content-Type'] = 'application/json'
         return response
 

keystone/api/services.py

@@ -12,7 +12,7 @@
 
 # This file handles all flask-restful resources for /v3/services
 
-from six.moves import http_client
+import http.client
 
 from keystone.catalog import schema
 from keystone.common import provider_api
@@ -52,7 +52,7 @@ class ServicesResource(ks_flask.ResourceBase):
         service = self._assign_unique_id(self._normalize_dict(service))
         ref = PROVIDERS.catalog_api.create_service(
             service['id'], service, initiator=self.audit_initiator)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def patch(self, service_id):
         ENFORCER.enforce_call(action='identity:update_service')
@@ -66,7 +66,7 @@ class ServicesResource(ks_flask.ResourceBase):
     def delete(self, service_id):
         ENFORCER.enforce_call(action='identity:delete_service')
         return PROVIDERS.catalog_api.delete_service(
-            service_id, initiator=self.audit_initiator), http_client.NO_CONTENT
+            service_id, initiator=self.audit_initiator), http.client.NO_CONTENT
 
 
 class ServiceAPI(ks_flask.APIBase):

keystone/api/system.py

@@ -15,7 +15,7 @@
 import flask
 import flask_restful
 import functools
-from six.moves import http_client
+import http.client
 
 from keystone.common import json_home
 from keystone.common import provider_api
@@ -73,7 +73,7 @@ class SystemUsersResource(flask_restful.Resource):
         ENFORCER.enforce_call(action='identity:check_system_grant_for_user',
                               build_target=_build_enforcement_target)
         PROVIDERS.assignment_api.check_system_grant_for_user(user_id, role_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, user_id, role_id):
         """Grant a role to a user on the system.
@@ -83,7 +83,7 @@ class SystemUsersResource(flask_restful.Resource):
         ENFORCER.enforce_call(action='identity:create_system_grant_for_user',
                               build_target=_build_enforcement_target)
         PROVIDERS.assignment_api.create_system_grant_for_user(user_id, role_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, user_id, role_id):
         """Revoke a role from user on the system.
@@ -96,7 +96,7 @@ class SystemUsersResource(flask_restful.Resource):
                 _build_enforcement_target,
                 allow_non_existing=True))
         PROVIDERS.assignment_api.delete_system_grant_for_user(user_id, role_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class SystemGroupsRolesListResource(flask_restful.Resource):
@@ -122,7 +122,7 @@ class SystemGroupsRolestResource(flask_restful.Resource):
                               build_target=_build_enforcement_target)
         PROVIDERS.assignment_api.check_system_grant_for_group(
             group_id, role_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def put(self, group_id, role_id):
         """Grant a role to a group on the system.
@@ -133,7 +133,7 @@ class SystemGroupsRolestResource(flask_restful.Resource):
                               build_target=_build_enforcement_target)
         PROVIDERS.assignment_api.create_system_grant_for_group(
             group_id, role_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
     def delete(self, group_id, role_id):
         """Revoke a role from the group on the system.
@@ -147,7 +147,7 @@ class SystemGroupsRolestResource(flask_restful.Resource):
                 allow_non_existing=True))
         PROVIDERS.assignment_api.delete_system_grant_for_group(
             group_id, role_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class SystemAPI(ks_flask.APIBase):

keystone/api/trusts.py

@@ -17,9 +17,9 @@
 
 import flask
 import flask_restful
+import http.client
 from oslo_log import log
 from oslo_policy import _checks as op_checks
-from six.moves import http_client
 
 from keystone.api._shared import json_home_relations
 from keystone.common import context
@@ -305,7 +305,7 @@ class TrustResource(ks_flask.ResourceBase):
             initiator=self.audit_initiator)
         _normalize_trust_expires_at(return_trust)
         _normalize_trust_roles(return_trust)
-        return self.wrap_member(return_trust), http_client.CREATED
+        return self.wrap_member(return_trust), http.client.CREATED
 
     def delete(self, trust_id):
         ENFORCER.enforce_call(action='identity:delete_trust',
@@ -336,7 +336,7 @@ class TrustResource(ks_flask.ResourceBase):
                 raise exception.ForbiddenAction(action=action)
         PROVIDERS.trust_api.delete_trust(trust_id,
                                          initiator=self.audit_initiator)
-        return '', http_client.NO_CONTENT
+        return '', http.client.NO_CONTENT
 
 
 # NOTE(morgan): Since this Resource is not being used with the automatic

keystone/api/users.py

@@ -17,8 +17,8 @@ import os
 import uuid
 
 import flask
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 from werkzeug import exceptions
 
 from keystone.api._shared import json_home_relations
@@ -209,7 +209,7 @@ class UserResource(ks_flask.ResourceBase):
         ref = PROVIDERS.identity_api.create_user(
             user_data,
             initiator=self.audit_initiator)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
     def patch(self, user_id):
         """Update a user.
@@ -238,7 +238,7 @@ class UserResource(ks_flask.ResourceBase):
             build_target=_build_user_target_enforcement
         )
         PROVIDERS.identity_api.delete_user(user_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class UserChangePasswordResource(ks_flask.ResourceBase):
@@ -262,7 +262,7 @@ class UserChangePasswordResource(ks_flask.ResourceBase):
             raise ks_exception.Unauthorized(
                 _('Error when changing user password: %s') % e
             )
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class UserProjectsResource(ks_flask.ResourceBase):
@@ -370,7 +370,7 @@ class UserOSEC2CredentialsResourceListCreate(_UserOSEC2CredBaseResource):
         )
         PROVIDERS.credential_api.create_credential(credential_id, cred_data)
         ref = _convert_v3_to_ec2_credential(cred_data)
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
 
 class UserOSEC2CredentialsResourceGetDelete(_UserOSEC2CredBaseResource):
@@ -408,7 +408,7 @@ class UserOSEC2CredentialsResourceGetDelete(_UserOSEC2CredBaseResource):
         ec2_cred_id = utils.hash_access_key(credential_id)
         self._get_cred_data(ec2_cred_id)
         PROVIDERS.credential_api.delete_credential(ec2_cred_id)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class _OAuth1ResourceBase(ks_flask.ResourceBase):
@@ -476,7 +476,7 @@ class OAuth1AccessTokenCRUDResource(_OAuth1ResourceBase):
         notifications.invalidate_token_cache_notification(reason)
         PROVIDERS.oauth_api.delete_access_token(
             user_id, access_token_id, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class OAuth1AccessTokenRoleListResource(ks_flask.ResourceBase):
@@ -621,7 +621,7 @@ class UserAppCredListCreateResource(ks_flask.ResourceBase):
             # https://specs.openstack.org/openstack/api-wg/guidelines/http.html#failure-code-clarifications
             raise ks_exception.ApplicationCredentialValidationError(
                 detail=str(e))
-        return self.wrap_member(ref), http_client.CREATED
+        return self.wrap_member(ref), http.client.CREATED
 
 
 class UserAppCredGetDeleteResource(ks_flask.ResourceBase):
@@ -650,7 +650,7 @@ class UserAppCredGetDeleteResource(ks_flask.ResourceBase):
         _check_unrestricted_application_credential(token)
         PROVIDERS.application_credential_api.delete_application_credential(
             application_credential_id, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class UserAccessRuleListResource(ks_flask.ResourceBase):
@@ -701,7 +701,7 @@ class UserAccessRuleGetDeleteResource(ks_flask.ResourceBase):
         )
         PROVIDERS.application_credential_api.delete_access_rule(
             access_rule_id, initiator=self.audit_initiator)
-        return None, http_client.NO_CONTENT
+        return None, http.client.NO_CONTENT
 
 
 class UserAPI(ks_flask.APIBase):

keystone/application_credential/backends/base.py

@@ -14,13 +14,10 @@
 
 import abc
 
-import six
-
 from keystone import exception
 
 
-@six.add_metaclass(abc.ABCMeta)
+class ApplicationCredentialDriverBase(object, metaclass=abc.ABCMeta):
-class ApplicationCredentialDriverBase(object):
 
     @abc.abstractmethod
     def authenticate(self, application_credential_id, secret):

keystone/assignment/backends/base.py

@@ -14,8 +14,6 @@
 
 import abc
 
-import six
-
 import keystone.conf
 from keystone import exception
 
@@ -23,8 +21,7 @@ from keystone import exception
 CONF = keystone.conf.CONF
 
 
-@six.add_metaclass(abc.ABCMeta)
+class AssignmentDriverBase(object, metaclass=abc.ABCMeta):
-class AssignmentDriverBase(object):
 
     def _get_list_limit(self):
         return CONF.assignment.list_limit or CONF.list_limit

keystone/assignment/role_backends/base.py

@@ -14,8 +14,6 @@
 
 import abc
 
-import six
-
 import keystone.conf
 from keystone import exception
 
@@ -31,8 +29,7 @@ NULL_DOMAIN_ID = '<<null>>'
 CONF = keystone.conf.CONF
 
 
-@six.add_metaclass(abc.ABCMeta)
+class RoleDriverBase(object, metaclass=abc.ABCMeta):
-class RoleDriverBase(object):
 
     def _get_list_limit(self):
         return CONF.role.list_limit or CONF.list_limit

keystone/auth/core.py

@@ -11,10 +11,8 @@
 # under the License.
 
 from functools import partial
-import sys
 
 from oslo_log import log
-import six
 import stevedore
 
 from keystone.common import driver_hints
@@ -146,9 +144,8 @@ class AuthInfo(provider_api.ProviderAPIMixin, object):
                 project_id=project_ref['id'],
                 project=project_ref)
         except AssertionError as e:
-            LOG.warning(six.text_type(e))
+            LOG.warning(e)
-            six.reraise(exception.Unauthorized, exception.Unauthorized(e),
+            raise exception.Unauthorized from e
-                        sys.exc_info()[2])
 
     def _assert_domain_is_enabled(self, domain_ref):
         try:
@@ -156,9 +153,8 @@ class AuthInfo(provider_api.ProviderAPIMixin, object):
                 domain_id=domain_ref['id'],
                 domain=domain_ref)
         except AssertionError as e:
-            LOG.warning(six.text_type(e))
+            LOG.warning(e)
-            six.reraise(exception.Unauthorized, exception.Unauthorized(e),
+            raise exception.Unauthorized from e
-                        sys.exc_info()[2])
 
     def _lookup_domain(self, domain_info):
         domain_id = domain_info.get('id')
@@ -177,7 +173,7 @@ class AuthInfo(provider_api.ProviderAPIMixin, object):
             else:
                 domain_ref = PROVIDERS.resource_api.get_domain(domain_id)
         except exception.DomainNotFound as e:
-            LOG.warning(six.text_type(e))
+            LOG.warning(e)
             raise exception.Unauthorized(e)
         self._assert_domain_is_enabled(domain_ref)
         return domain_ref
@@ -210,7 +206,7 @@ class AuthInfo(provider_api.ProviderAPIMixin, object):
                 # disabled.
                 self._lookup_domain({'id': domain_id})
         except exception.ProjectNotFound as e:
-            LOG.warning(six.text_type(e))
+            LOG.warning(e)
             raise exception.Unauthorized(e)
         self._assert_project_is_enabled(project_ref)
         return project_ref
@@ -254,7 +250,7 @@ class AuthInfo(provider_api.ProviderAPIMixin, object):
         if len(app_creds) != 1:
             message = "Could not find application credential: %s" % name
             tr_message = _("Could not find application credential: %s") % name
-            LOG.warning(six.text_type(message))
+            LOG.warning(message)
             raise exception.Unauthorized(tr_message)
         return app_creds[0]
 
@@ -515,7 +511,7 @@ class UserMFARulesValidator(provider_api.ProviderAPIMixin, object):
                 # No empty rules are allowed.
                 _ok_rule = True
                 for item in r_list:
-                    if not isinstance(item, six.string_types):
+                    if not isinstance(item, str):
                         # Rules may only contain strings for method names
                         # Reject a rule with non-string values
                         LOG.info('Ignoring Rule %(rule)r; rule contains '

keystone/auth/plugins/base.py

@@ -15,8 +15,6 @@
 import abc
 import collections
 
-import six
-
 from keystone.common import provider_api
 from keystone import exception
 
@@ -25,8 +23,8 @@ AuthHandlerResponse = collections.namedtuple(
     'AuthHandlerResponse', 'status, response_body, response_data')
 
 
-@six.add_metaclass(abc.ABCMeta)
+class AuthMethodHandler(provider_api.ProviderAPIMixin, object,
-class AuthMethodHandler(provider_api.ProviderAPIMixin, object):
+                        metaclass=abc.ABCMeta):
     """Abstract base class for an authentication plugin."""
 
     def __init__(self):

keystone/auth/plugins/core.py

@@ -12,13 +12,10 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import sys
-
 from oslo_log import log
 from pycadf import cadftaxonomy as taxonomy
 from pycadf import reason
 from pycadf import resource
-import six
 
 from keystone.common import driver_hints
 from keystone.common import provider_api
@@ -121,9 +118,8 @@ class BaseUserInfo(provider_api.ProviderAPIMixin, object):
                 domain_id=domain_ref['id'],
                 domain=domain_ref)
         except AssertionError as e:
-            LOG.warning(six.text_type(e))
+            LOG.warning(e)
-            six.reraise(exception.Unauthorized, exception.Unauthorized(e),
+            raise exception.Unauthorized from e
-                        sys.exc_info()[2])
 
     def _assert_user_is_enabled(self, user_ref):
         try:
@@ -131,9 +127,8 @@ class BaseUserInfo(provider_api.ProviderAPIMixin, object):
                 user_id=user_ref['id'],
                 user=user_ref)
         except AssertionError as e:
-            LOG.warning(six.text_type(e))
+            LOG.warning(e)
-            six.reraise(exception.Unauthorized, exception.Unauthorized(e),
+            raise exception.Unauthorized from e
-                        sys.exc_info()[2])
 
     def _lookup_domain(self, domain_info):
         domain_id = domain_info.get('id')
@@ -148,7 +143,7 @@ class BaseUserInfo(provider_api.ProviderAPIMixin, object):
             else:
                 domain_ref = PROVIDERS.resource_api.get_domain(domain_id)
         except exception.DomainNotFound as e:
-            LOG.warning(six.text_type(e))
+            LOG.warning(e)
             raise exception.Unauthorized(e)
         self._assert_domain_is_enabled(domain_ref)
         return domain_ref
@@ -178,7 +173,7 @@ class BaseUserInfo(provider_api.ProviderAPIMixin, object):
                     user_ref['domain_id'])
                 self._assert_domain_is_enabled(domain_ref)
         except exception.UserNotFound as e:
-            LOG.warning(six.text_type(e))
+            LOG.warning(e)
 
             # We need to special case USER NOT FOUND here for CADF
             # notifications as the normal path for notification(s) come from

keystone/auth/plugins/external.py

@@ -17,7 +17,6 @@
 import abc
 
 import flask
-import six
 
 from keystone.auth.plugins import base
 from keystone.common import provider_api
@@ -30,8 +29,7 @@ CONF = keystone.conf.CONF
 PROVIDERS = provider_api.ProviderAPIs
 
 
-@six.add_metaclass(abc.ABCMeta)
+class Base(base.AuthMethodHandler, metaclass=abc.ABCMeta):
-class Base(base.AuthMethodHandler):
     def authenticate(self, auth_payload):
         """Use REMOTE_USER to look up the user in the identity backend.
 

keystone/auth/plugins/mapped.py

@@ -16,7 +16,7 @@ import uuid
 import flask
 from oslo_log import log
 from pycadf import cadftaxonomy as taxonomy
-from six.moves.urllib import parse
+from urllib import parse
 
 from keystone.auth import plugins as auth_plugins
 from keystone.auth.plugins import base

keystone/auth/plugins/token.py

@@ -14,7 +14,6 @@
 
 import flask
 from oslo_log import log
-import six
 
 from keystone.auth.plugins import base
 from keystone.auth.plugins import mapped
@@ -124,5 +123,5 @@ def token_authenticate(token):
         return response_data
 
     except AssertionError as e:
-        LOG.error(six.text_type(e))
+        LOG.error(e)
         raise exception.Unauthorized(e)

keystone/auth/plugins/totp.py

@@ -29,7 +29,6 @@ from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.twofactor import totp as crypto_totp
 from oslo_log import log
 from oslo_utils import timeutils
-import six
 
 from keystone.auth import plugins
 from keystone.auth.plugins import base
@@ -57,7 +56,7 @@ def _generate_totp_passcodes(secret, included_previous_windows=0):
     :param bytes secret: A base32 encoded secret for the TOTP authentication
     :returns: totp passcode as bytes
     """
-    if isinstance(secret, six.text_type):
+    if isinstance(secret, str):
         # NOTE(dstanek): since this may be coming from the JSON stored in the
         # database it may be UTF-8 encoded
         secret = secret.encode('utf-8')

keystone/catalog/backends/base.py

@@ -14,8 +14,6 @@
 
 import abc
 
-import six
-
 from keystone.common import provider_api
 import keystone.conf
 from keystone import exception
@@ -24,8 +22,8 @@ from keystone import exception
 CONF = keystone.conf.CONF
 
 
-@six.add_metaclass(abc.ABCMeta)
+class CatalogDriverBase(provider_api.ProviderAPIMixin, object,
-class CatalogDriverBase(provider_api.ProviderAPIMixin, object):
+                        metaclass=abc.ABCMeta):
     """Interface description for the Catalog driver."""
 
     def _get_list_limit(self):

keystone/cmd/doctor/ldap.py

@@ -15,7 +15,7 @@ from __future__ import print_function
 import os
 import re
 
-from six.moves import configparser
+import configparser
 
 import keystone.conf
 

keystone/common/manager.py

@@ -18,7 +18,6 @@ import time
 import types
 
 from oslo_log import log
-import six
 import stevedore
 
 from keystone.common import provider_api
@@ -155,8 +154,7 @@ class _TraceMeta(type):
         return type.__new__(meta, classname, bases, final_cls_dict)
 
 
-@six.add_metaclass(_TraceMeta)
+class Manager(object, metaclass=_TraceMeta):
-class Manager(object):
     """Base class for intermediary request layer.
 
     The Manager layer exists to support additional logic that applies to all

keystone/common/resource_options/core.py

@@ -12,8 +12,6 @@
 
 """Options specific to resources managed by Keystone (Domain, User, etc)."""
 
-import six
-
 from keystone.common import validation
 from keystone.i18n import _
 
@@ -202,14 +200,14 @@ class ResourceOption(object):
                                        validator(s) used at the API layer
         :type json_schema_validation: dict
         """
-        if not isinstance(option_id, six.string_types) and len(option_id) == 4:
+        if not isinstance(option_id, str) and len(option_id) == 4:
             raise TypeError(_('`option_id` must be a string, got %r')
                             % option_id)
         elif len(option_id) != 4:
             raise ValueError(_('`option_id` must be 4 characters in '
 
                                'length. Got %r') % option_id)
-        if not isinstance(option_name, six.string_types):
+        if not isinstance(option_name, str):
             raise TypeError(_('`option_name` must be a string. '
                               'Got %r') % option_name)
 

keystone/common/sql/core.py

@@ -31,7 +31,6 @@ from oslo_serialization import jsonutils
 from oslo_utils import timeutils
 from osprofiler import opts as profiler
 import osprofiler.sqlalchemy
-import six
 import sqlalchemy as sql
 from sqlalchemy.ext import declarative
 from sqlalchemy.orm.attributes import flag_modified, InstrumentedAttribute
@@ -103,8 +102,8 @@ def initialize_decorator(init):
                 if isinstance(attr, InstrumentedAttribute):
                     column = attr.property.columns[0]
                     if isinstance(column.type, String):
-                        if not isinstance(v, six.text_type):
+                        if not isinstance(v, str):
-                            v = six.text_type(v)
+                            v = str(v)
                         if column.type.length and column.type.length < len(v):
                             raise exception.StringLengthExceeded(
                                 string=v, type=k, length=column.type.length)
@@ -521,7 +520,7 @@ def handle_conflicts(conflict_type='object'):
                 # exception details out with the raised Conflict exception
                 # as it can contain raw SQL.
                 LOG.debug(_conflict_msg, {'conflict_type': conflict_type,
-                                          'details': six.text_type(e)})
+                                          'details': e})
                 name = None
                 field = None
                 domain_id = None
@@ -560,7 +559,7 @@ def handle_conflicts(conflict_type='object'):
                     # exception details out with the raised Conflict exception
                     # as it can contain raw SQL.
                     LOG.debug(_conflict_msg, {'conflict_type': conflict_type,
-                                              'details': six.text_type(e)})
+                                              'details': e})
                     # NOTE(morganfainberg): This is really a case where the SQL
                     # failed to store the data. This is not something that the
                     # user has done wrong. Example would be a ForeignKey is

keystone/common/sql/upgrades.py

@@ -21,7 +21,6 @@ from migrate import exceptions
 from migrate.versioning import api as versioning_api
 from oslo_db import exception as db_exception
 from oslo_db.sqlalchemy import migration
-import six
 import sqlalchemy
 
 from keystone.common import sql
@@ -189,7 +188,7 @@ def get_init_version(abs_path=None):
 def _assert_not_schema_downgrade(version=None):
     if version is not None:
         try:
-            current_ver = int(six.text_type(get_db_version()))
+            current_ver = int(str(get_db_version()))
             if int(version) < current_ver:
                 raise migration.exception.DBMigrationError(
                     _("Unable to downgrade schema"))

keystone/common/utils.py

@@ -29,8 +29,8 @@ from oslo_serialization import jsonutils
 from oslo_utils import reflection
 from oslo_utils import strutils
 from oslo_utils import timeutils
-import six
+import urllib
-from six import moves
+
 
 from keystone.common import password_hashing
 import keystone.conf
@@ -66,8 +66,6 @@ def resource_uuid(value):
         return value
     except ValueError:
         if len(value) <= 64:
-            if six.PY2 and isinstance(value, six.text_type):
-                value = value.encode('utf-8')
             return uuid.uuid5(RESOURCE_ID_NAMESPACE, value).hex
         raise ValueError(_('Length of transformable resource id > 64, '
                          'which is max allowed characters'))
@@ -101,7 +99,7 @@ class SmarterEncoder(jsonutils.json.JSONEncoder):
 
 def hash_access_key(access):
     hash_ = hashlib.sha256()
-    if not isinstance(access, six.binary_type):
+    if not isinstance(access, bytes):
         access = access.encode('utf-8')
     hash_.update(access)
     return hash_.hexdigest()
@@ -136,7 +134,7 @@ def auth_str_equal(provided, known):
     result = 0
     p_len = len(provided)
     k_len = len(known)
-    for i in moves.range(p_len):
+    for i in range(p_len):
         a = ord(provided[i]) if i < p_len else 0
         b = ord(known[i]) if i < k_len else 0
         result |= a ^ b
@@ -193,7 +191,7 @@ def get_unix_user(user=None):
     :returns: tuple of (uid, name)
 
     """
-    if isinstance(user, six.string_types):
+    if isinstance(user, str):
         try:
             user_info = pwd.getpwnam(user)
         except KeyError:
@@ -251,7 +249,7 @@ def get_unix_group(group=None):
     :returns: tuple of (gid, name)
 
     """
-    if isinstance(group, six.string_types):
+    if isinstance(group, str):
         try:
             group_info = grp.getgrnam(group)
         except KeyError:
@@ -374,15 +372,15 @@ def lower_case_hostname(url):
     # NOTE(gyee): according to
     # https://www.w3.org/TR/WD-html40-970708/htmlweb.html, the netloc portion
     # of the URL is case-insensitive
-    parsed = moves.urllib.parse.urlparse(url)
+    parsed = urllib.parse.urlparse(url)
     # Note: _replace method for named tuples is public and defined in docs
     replaced = parsed._replace(netloc=parsed.netloc.lower())
-    return moves.urllib.parse.urlunparse(replaced)
+    return urllib.parse.urlunparse(replaced)
 
 
 def remove_standard_port(url):
     # remove the default ports specified in RFC2616 and 2818
-    o = moves.urllib.parse.urlparse(url)
+    o = urllib.parse.urlparse(url)
     separator = ':'
     (host, separator, port) = o.netloc.partition(separator)
     if o.scheme.lower() == 'http' and port == '80':
@@ -394,7 +392,7 @@ def remove_standard_port(url):
     if o.scheme.lower() == 'https' and port == '443':
         o = o._replace(netloc=host)
 
-    return moves.urllib.parse.urlunparse(o)
+    return urllib.parse.urlunparse(o)
 
 
 def format_url(url, substitutions, silent_keyerror_failures=None):

keystone/common/validation/validators.py

@@ -16,7 +16,6 @@ import re
 import jsonschema
 from oslo_config import cfg
 from oslo_log import log
-import six
 
 from keystone import exception
 from keystone.i18n import _
@@ -30,7 +29,7 @@ LOG = log.getLogger(__name__)
 def validate_password(password):
     pattern = CONF.security_compliance.password_regex
     if pattern:
-        if not isinstance(password, six.string_types):
+        if not isinstance(password, str):
             detail = _("Password must be a string type")
             raise exception.PasswordValidationError(detail=detail)
         try:
@@ -81,10 +80,10 @@ class SchemaValidator(object):
                 # too long, then we should build the masking in here so that
                 # we don't expose sensitive user information in the event it
                 # fails validation.
-                path = '/'.join(map(six.text_type, ex.path))
+                path = '/'.join(map(str, ex.path))
                 detail = _("Invalid input for field '%(path)s': "
                            "%(message)s") % {'path': path,
-                                             'message': six.text_type(ex)}
+                                             'message': str(ex)}
             else:
-                detail = six.text_type(ex)
+                detail = str(ex)
             raise exception.SchemaValidationError(detail=detail)

keystone/credential/backends/base.py

@@ -15,7 +15,6 @@
 import abc
 
 from oslo_log import log
-import six
 
 from keystone import exception
 
@@ -23,8 +22,7 @@ from keystone import exception
 LOG = log.getLogger(__name__)
 
 
-@six.add_metaclass(abc.ABCMeta)
+class CredentialDriverBase(object, metaclass=abc.ABCMeta):
-class CredentialDriverBase(object):
     # credential crud
 
     @abc.abstractmethod

keystone/credential/backends/sql.py

@@ -13,7 +13,6 @@
 # under the License.
 
 from oslo_db import api as oslo_db_api
-import six
 from sqlalchemy.ext.hybrid import hybrid_property
 
 from keystone.common import driver_hints
@@ -45,7 +44,7 @@ class CredentialModel(sql.ModelBase, sql.ModelDictMixinWithExtras):
         # Make sure to hand over the encrypted credential as a string value
         # to the backend driver to avoid the sql drivers (esp. psycopg2)
         # treating this as binary data and e.g. hex-escape it.
-        if six.PY3 and isinstance(encrypted_blob, six.binary_type):
+        if isinstance(encrypted_blob, bytes):
             encrypted_blob = encrypted_blob.decode('utf-8')
         self._encrypted_blob = encrypted_blob
 

keystone/credential/providers/core.py

@@ -12,11 +12,8 @@
 
 import abc
 
-import six
 
-
+class Provider(object, metaclass=abc.ABCMeta):
-@six.add_metaclass(abc.ABCMeta)
-class Provider(object):
     """Interface for credential providers that support encryption."""
 
     @abc.abstractmethod

keystone/credential/providers/fernet/core.py

@@ -14,7 +14,6 @@ import hashlib
 
 from cryptography import fernet
 from oslo_log import log
-import six
 
 from keystone.common import fernet_utils
 import keystone.conf
@@ -55,7 +54,7 @@ def get_multi_fernet_keys():
 
 def primary_key_hash(keys):
     """Calculate a hash of the primary key used for encryption."""
-    if isinstance(keys[0], six.text_type):
+    if isinstance(keys[0], str):
         keys[0] = keys[0].encode('utf-8')
     # NOTE(lhinds) This is marked as #nosec since bandit will see SHA1 which
     # is marked as insecure. However, this hash function is used alongside
@@ -103,7 +102,7 @@ class Provider(core.Provider):
         crypto = fernet.MultiFernet(fernet_keys)
 
         try:
-            if isinstance(credential, six.text_type):
+            if isinstance(credential, str):
                 credential = credential.encode('utf-8')
             return crypto.decrypt(credential).decode('utf-8')
         except (fernet.InvalidToken, TypeError, ValueError):

keystone/endpoint_policy/backends/base.py

@@ -11,13 +11,11 @@
 # under the License.
 
 import abc
-import six
 
 from keystone import exception
 
 
-@six.add_metaclass(abc.ABCMeta)
+class EndpointPolicyDriverBase(object, metaclass=abc.ABCMeta):
-class EndpointPolicyDriverBase(object):
     """Interface description for an Endpoint Policy driver."""
 
     @abc.abstractmethod

keystone/exception.py

@@ -12,10 +12,9 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import http.client
 from oslo_log import log
 from oslo_utils import encodeutils
-import six
-from six.moves import http_client
 
 import keystone.conf
 from keystone.i18n import _
@@ -60,8 +59,7 @@ class _KeystoneExceptionMeta(type):
         return cls
 
 
-@six.add_metaclass(_KeystoneExceptionMeta)
+class Error(Exception, metaclass=_KeystoneExceptionMeta):
-class Error(Exception):
     """Base error class.
 
     Child classes should define an HTTP status code, title, and a
@@ -102,8 +100,8 @@ class ValidationError(Error):
                        " The server could not comply with the request"
                        " since it is either malformed or otherwise"
                        " incorrect. The client is assumed to be in error.")
-    code = int(http_client.BAD_REQUEST)
+    code = int(http.client.BAD_REQUEST)
-    title = http_client.responses[http_client.BAD_REQUEST]
+    title = http.client.responses[http.client.BAD_REQUEST]
 
 
 class URLValidationError(ValidationError):
@@ -154,8 +152,8 @@ class ValidationTimeStampError(Error):
                        " The server could not comply with the request"
                        " since it is either malformed or otherwise"
                        " incorrect. The client is assumed to be in error.")
-    code = int(http_client.BAD_REQUEST)
+    code = int(http.client.BAD_REQUEST)
-    title = http_client.responses[http_client.BAD_REQUEST]
+    title = http.client.responses[http.client.BAD_REQUEST]
 
 
 class InvalidOperatorError(ValidationError):
@@ -169,8 +167,8 @@ class ValidationExpirationError(Error):
                        " The server could not comply with the request"
                        " since it is either malformed or otherwise"
                        " incorrect. The client is assumed to be in error.")
-    code = int(http_client.BAD_REQUEST)
+    code = int(http.client.BAD_REQUEST)
-    title = http_client.responses[http_client.BAD_REQUEST]
+    title = http.client.responses[http.client.BAD_REQUEST]
 
 
 class StringLengthExceeded(ValidationError):
@@ -192,8 +190,8 @@ class ApplicationCredentialValidationError(ValidationError):
 class CircularRegionHierarchyError(Error):
     message_format = _("The specified parent region %(parent_region_id)s "
                        "would create a circular region hierarchy.")
-    code = int(http_client.BAD_REQUEST)
+    code = int(http.client.BAD_REQUEST)
-    title = http_client.responses[http_client.BAD_REQUEST]
+    title = http.client.responses[http.client.BAD_REQUEST]
 
 
 class ForbiddenNotSecurity(Error):
@@ -204,8 +202,8 @@ class ForbiddenNotSecurity(Error):
 
     """
 
-    code = int(http_client.FORBIDDEN)
+    code = int(http.client.FORBIDDEN)
-    title = http_client.responses[http_client.FORBIDDEN]
+    title = http.client.responses[http.client.FORBIDDEN]
 
 
 class PasswordVerificationError(ForbiddenNotSecurity):
@@ -265,7 +263,7 @@ class SecurityError(Error):
     def _build_message(self, message, **kwargs):
         """Only returns detailed messages in insecure_debug mode."""
         if message and CONF.insecure_debug:
-            if isinstance(message, six.string_types):
+            if isinstance(message, str):
                 # Only do replacement if message is string. The message is
                 # sometimes a different exception or bytes, which would raise
                 # TypeError.
@@ -279,8 +277,8 @@ class SecurityError(Error):
 
 class Unauthorized(SecurityError):
     message_format = _("The request you have made requires authentication.")
-    code = int(http_client.UNAUTHORIZED)
+    code = int(http.client.UNAUTHORIZED)
-    title = http_client.responses[http_client.UNAUTHORIZED]
+    title = http.client.responses[http.client.UNAUTHORIZED]
 
 
 class InsufficientAuthMethods(Error):
@@ -349,8 +347,8 @@ class AdditionalAuthRequired(AuthPluginException):
 class Forbidden(SecurityError):
     message_format = _("You are not authorized to perform the"
                        " requested action.")
-    code = int(http_client.FORBIDDEN)
+    code = int(http.client.FORBIDDEN)
-    title = http_client.responses[http_client.FORBIDDEN]
+    title = http.client.responses[http.client.FORBIDDEN]
 
 
 class ForbiddenAction(Forbidden):
@@ -391,8 +389,8 @@ class LimitTreeExceedError(Exception):
 
 class NotFound(Error):
     message_format = _("Could not find: %(target)s.")
-    code = int(http_client.NOT_FOUND)
+    code = int(http.client.NOT_FOUND)
-    title = http_client.responses[http_client.NOT_FOUND]
+    title = http.client.responses[http.client.NOT_FOUND]
 
 
 class EndpointNotFound(NotFound):
@@ -556,8 +554,8 @@ class AccessRuleNotFound(NotFound):
 class Conflict(Error):
     message_format = _("Conflict occurred attempting to store %(type)s -"
                        " %(details)s.")
-    code = int(http_client.CONFLICT)
+    code = int(http.client.CONFLICT)
-    title = http_client.responses[http_client.CONFLICT]
+    title = http.client.responses[http.client.CONFLICT]
 
 
 class UnexpectedError(SecurityError):
@@ -579,8 +577,8 @@ class UnexpectedError(SecurityError):
         return super(UnexpectedError, self)._build_message(
             message or self.debug_message_format, **kwargs)
 
-    code = int(http_client.INTERNAL_SERVER_ERROR)
+    code = int(http.client.INTERNAL_SERVER_ERROR)
-    title = http_client.responses[http_client.INTERNAL_SERVER_ERROR]
+    title = http.client.responses[http.client.INTERNAL_SERVER_ERROR]
 
 
 class TrustConsumeMaximumAttempt(UnexpectedError):
@@ -618,15 +616,15 @@ class AssignmentTypeCalculationError(UnexpectedError):
 class NotImplemented(Error):
     message_format = _("The action you have requested has not"
                        " been implemented.")
-    code = int(http_client.NOT_IMPLEMENTED)
+    code = int(http.client.NOT_IMPLEMENTED)
-    title = http_client.responses[http_client.NOT_IMPLEMENTED]
+    title = http.client.responses[http.client.NOT_IMPLEMENTED]
 
 
 class Gone(Error):
     message_format = _("The service you have requested is no"
                        " longer available on this server.")
-    code = int(http_client.GONE)
+    code = int(http.client.GONE)
-    title = http_client.responses[http_client.GONE]
+    title = http.client.responses[http.client.GONE]
 
 
 class ConfigFileNotFound(UnexpectedError):

keystone/federation/backends/base.py

@@ -14,13 +14,10 @@
 
 import abc
 
-import six
-
 from keystone import exception
 
 
-@six.add_metaclass(abc.ABCMeta)
+class FederationDriverBase(object, metaclass=abc.ABCMeta):
-class FederationDriverBase(object):
 
     @abc.abstractmethod
     def create_idp(self, idp_id, idp):

keystone/federation/backends/sql.py

@@ -14,7 +14,6 @@
 
 from oslo_log import log
 from oslo_serialization import jsonutils
-import six
 from sqlalchemy import orm
 
 from keystone.common import sql
@@ -169,7 +168,7 @@ class Federation(base.FederationDriverBase):
 
     def _handle_idp_conflict(self, e):
         conflict_type = 'identity_provider'
-        details = six.text_type(e)
+        details = str(e)
         LOG.debug(self._CONFLICT_LOG_MSG, {'conflict_type': conflict_type,
                                            'details': details})
         if 'remote_id' in details:

keystone/federation/utils.py

@@ -20,7 +20,6 @@ import jsonschema
 from oslo_config import cfg
 from oslo_log import log
 from oslo_utils import timeutils
-import six
 
 from keystone.common import provider_api
 import keystone.conf
@@ -437,7 +436,7 @@ def get_assertion_params_from_env():
         # These bytes may be decodable as ISO-8859-1 according to Section
         # 3.2.4 of RFC 7230. Let's assume that our web server plugins are
         # correctly encoding the data.
-        if not isinstance(v, six.text_type) and getattr(v, 'decode', False):
+        if not isinstance(v, str) and getattr(v, 'decode', False):
             v = v.decode('ISO-8859-1')
         yield (k, v)
 
@@ -526,7 +525,7 @@ class RuleProcessor(object):
         # any multiple values are stored in the arrays.
         LOG.debug('assertion data: %s', assertion_data)
         assertion = {n: v.split(';') for n, v in assertion_data.items()
-                     if isinstance(v, six.string_types)}
+                     if isinstance(v, str)}
         LOG.debug('assertion: %s', assertion)
         identity_values = []
 

keystone/identity/backends/base.py

@@ -14,8 +14,6 @@
 
 import abc
 
-import six
-
 import keystone.conf
 from keystone import exception
 
@@ -48,8 +46,7 @@ def filter_user(user_ref):
     return user_ref
 
 
-@six.add_metaclass(abc.ABCMeta)
+class IdentityDriverBase(object, metaclass=abc.ABCMeta):
-class IdentityDriverBase(object):
     """Interface description for an Identity driver.
 
     The schema for users and groups is different depending on whether the

keystone/identity/backends/ldap/common.py

@@ -25,9 +25,6 @@ import ldap.filter
 import ldappool
 from oslo_log import log
 from oslo_utils import reflection
-import six
-from six.moves import zip
-from six import PY2
 
 from keystone.common import driver_hints
 from keystone import exception
@@ -70,9 +67,9 @@ def utf8_encode(value):
     :returns: UTF-8 encoded version of value
     :raises TypeError: If value is not basestring
     """
-    if isinstance(value, six.text_type):
+    if isinstance(value, str):
         return _utf8_encoder(value)[0]
-    elif isinstance(value, six.binary_type):
+    elif isinstance(value, bytes):
         return value
     else:
         value_cls_name = reflection.get_class_name(
@@ -94,9 +91,9 @@ def utf8_decode(value):
     :returns: value as unicode
     :raises UnicodeDecodeError: for invalid UTF-8 encoding
     """
-    if isinstance(value, six.binary_type):
+    if isinstance(value, bytes):
         return _utf8_decoder(value)[0]
-    return six.text_type(value)
+    return str(value)
 
 
 def py2ldap(val):
@@ -113,7 +110,7 @@ def py2ldap(val):
     if isinstance(val, bool):
         return u'TRUE' if val else u'FALSE'
     else:
-        return six.text_type(val)
+        return str(val)
 
 
 def enabled2py(val):
@@ -332,8 +329,7 @@ def dn_startswith(descendant_dn, dn):
     return is_dn_equal(descendant_dn[-len(dn):], dn)
 
 
-@six.add_metaclass(abc.ABCMeta)
+class LDAPHandler(object, metaclass=abc.ABCMeta):
-class LDAPHandler(object):
     """Abstract class which defines methods for a LDAP API provider.
 
     Native Keystone values cannot be passed directly into and from the
@@ -516,14 +512,7 @@ class PythonLDAPHandler(LDAPHandler):
                                     debug_level=debug_level,
                                     timeout=conn_timeout)
 
-        if PY2:
+        self.conn = ldap.initialize(url)
-            # NOTE: Once https://github.com/python-ldap/python-ldap/issues/249
-            # is released, we can pass bytes_strictness='warn' as a parameter
-            # to ldap.initialize instead of setting it after ldap.initialize.
-            self.conn = ldap.initialize(url, bytes_mode=False)
-            self.conn.bytes_strictness = 'warn'
-        else:
-            self.conn = ldap.initialize(url)
         self.conn.protocol_version = ldap.VERSION3
 
         if alias_dereferencing is not None:
@@ -1272,7 +1261,7 @@ class BaseLdap(object):
     def _id_to_dn_string(self, object_id):
         return u'%s=%s,%s' % (self.id_attr,
                               ldap.dn.escape_dn_chars(
-                                  six.text_type(object_id)),
+                                  str(object_id)),
                               self.tree_dn)
 
     def _id_to_dn(self, object_id):
@@ -1284,7 +1273,7 @@ class BaseLdap(object):
                 u'(&(%(id_attr)s=%(id)s)(objectclass=%(objclass)s))' %
                 {'id_attr': self.id_attr,
                  'id': ldap.filter.escape_filter_chars(
-                     six.text_type(object_id)),
+                     str(object_id)),
                  'objclass': self.object_class},
                 attrlist=DN_ONLY)
         if search_result:
@@ -1478,7 +1467,7 @@ class BaseLdap(object):
                  u'(objectClass=%(object_class)s))'
                  % {'id_attr': self.id_attr,
                     'id': ldap.filter.escape_filter_chars(
-                        six.text_type(object_id)),
+                        str(object_id)),
                     'filter': (ldap_filter or self.ldap_filter or ''),
                     'object_class': self.object_class})
         with self.get_connection() as conn:
@@ -1579,7 +1568,7 @@ class BaseLdap(object):
     def get_by_name(self, name, ldap_filter=None):
         query = (u'(%s=%s)' % (self.attribute_mapping['name'],
                                ldap.filter.escape_filter_chars(
-                                   six.text_type(name))))
+                                   str(name))))
         res = self.get_all(query)
         try:
             return res[0]

keystone/identity/backends/ldap/core.py

@@ -17,7 +17,6 @@ import uuid
 import ldap.filter
 from oslo_log import log
 from oslo_log import versionutils
-import six
 
 import keystone.conf
 from keystone import exception
@@ -267,7 +266,7 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
             # This could be a bool or a string.  If it's a string,
             # we need to convert it so we can invert it properly.
             enabled = obj.get('enabled', self.enabled_default)
-            if isinstance(enabled, six.string_types):
+            if isinstance(enabled, str):
                 if enabled.lower() == 'true':
                     enabled = True
                 else:

keystone/identity/backends/resource_options.py

@@ -10,8 +10,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import six
-
 from keystone.common import resource_options
 from keystone.common.validation import parameter_types
 from keystone.i18n import _
@@ -47,7 +45,7 @@ def _mfa_rules_validator_list_of_lists_of_strings_no_duplicates(value):
         # Add the sublist to the tracker
         sublists.append(sublist)
         for element in sublist:
-            if not isinstance(element, six.string_types):
+            if not isinstance(element, str):
                 # Element of sublist is not a string, TypeError
                 raise TypeError(msg)
             if element in string_set:

keystone/identity/generator.py

@@ -16,8 +16,6 @@
 
 import abc
 
-import six
-
 from keystone.common import manager
 import keystone.conf
 from keystone import exception
@@ -36,8 +34,7 @@ class Manager(manager.Manager):
         super(Manager, self).__init__(CONF.identity_mapping.generator)
 
 
-@six.add_metaclass(abc.ABCMeta)
+class IDGenerator(object, metaclass=abc.ABCMeta):
-class IDGenerator(object):
     """Interface description for an ID Generator provider."""
 
     @abc.abstractmethod

keystone/identity/mapping_backends/base.py

@@ -14,14 +14,12 @@
 
 import abc
 
-import six
-
 from keystone.common import provider_api
 from keystone import exception
 
 
-@six.add_metaclass(abc.ABCMeta)
+class MappingDriverBase(provider_api.ProviderAPIMixin, object,
-class MappingDriverBase(provider_api.ProviderAPIMixin, object):
+                        metaclass=abc.ABCMeta):
     """Interface description for an ID Mapping driver."""
 
     @abc.abstractmethod

keystone/identity/shadow_backends/base.py

@@ -14,13 +14,10 @@
 
 import abc
 
-import six
-
 from keystone import exception
 
 
-@six.add_metaclass(abc.ABCMeta)
+class ShadowUsersDriverBase(object, metaclass=abc.ABCMeta):
-class ShadowUsersDriverBase(object):
     """Interface description for an Shadow Users driver."""
 
     @abc.abstractmethod

keystone/limit/backends/base.py

@@ -15,8 +15,6 @@
 
 import abc
 
-import six
-
 import keystone.conf
 from keystone import exception
 
@@ -24,8 +22,7 @@ from keystone import exception
 CONF = keystone.conf.CONF
 
 
-@six.add_metaclass(abc.ABCMeta)
+class UnifiedLimitDriverBase(object, metaclass=abc.ABCMeta):
-class UnifiedLimitDriverBase(object):
 
     def _get_list_limit(self):
         return CONF.unified_limit.list_limit or CONF.list_limit

keystone/limit/models/base.py

@@ -11,7 +11,6 @@
 # under the License.
 import abc
 
-import six
 import stevedore
 
 import keystone.conf
@@ -33,8 +32,7 @@ def load_driver(driver_name, *args):
         raise ImportError(msg % {'name': driver_name, 'namespace': namespace})
 
 
-@six.add_metaclass(abc.ABCMeta)
+class ModelBase(object, metaclass=abc.ABCMeta):
-class ModelBase(object):
     """Interface for a limit model driver."""
 
     NAME = None

keystone/models/receipt_model.py

@@ -15,7 +15,6 @@
 from oslo_log import log
 from oslo_serialization import msgpackutils
 from oslo_utils import reflection
-import six
 
 from keystone.auth import core
 from keystone.common import cache
@@ -57,7 +56,7 @@ class ReceiptModel(object):
 
     @expires_at.setter
     def expires_at(self, value):
-        if not isinstance(value, six.string_types):
+        if not isinstance(value, str):
             raise ValueError('expires_at must be a string.')
         self.__expires_at = value
 
@@ -67,7 +66,7 @@ class ReceiptModel(object):
 
     @issued_at.setter
     def issued_at(self, value):
-        if not isinstance(value, six.string_types):
+        if not isinstance(value, str):
             raise ValueError('issued_at must be a string.')
         self.__issued_at = value
 

keystone/models/token_model.py

@@ -15,7 +15,6 @@
 from oslo_log import log
 from oslo_serialization import msgpackutils
 from oslo_utils import reflection
-import six
 
 from keystone.common import cache
 from keystone.common import provider_api
@@ -101,7 +100,7 @@ class TokenModel(object):
 
     @expires_at.setter
     def expires_at(self, value):
-        if not isinstance(value, six.string_types):
+        if not isinstance(value, str):
             raise ValueError('expires_at must be a string.')
         self.__expires_at = value
 
@@ -111,7 +110,7 @@ class TokenModel(object):
 
     @issued_at.setter
     def issued_at(self, value):
-        if not isinstance(value, six.string_types):
+        if not isinstance(value, str):
             raise ValueError('issued_at must be a string.')
         self.__issued_at = value
 

keystone/oauth1/backends/base.py

@@ -15,8 +15,6 @@
 import abc
 import string
 
-import six
-
 from keystone import exception
 
 
@@ -55,8 +53,7 @@ def filter_consumer(consumer_ref):
     return consumer_ref
 
 
-@six.add_metaclass(abc.ABCMeta)
+class Oauth1DriverBase(object, metaclass=abc.ABCMeta):
-class Oauth1DriverBase(object):
     """Interface description for an OAuth1 driver."""
 
     @abc.abstractmethod

keystone/oauth1/validator.py

@@ -14,8 +14,6 @@
 
 """oAuthlib request validator."""
 
-import six
-
 from keystone.common import provider_api
 from keystone import exception
 from keystone.oauth1.backends import base
@@ -178,7 +176,7 @@ class OAuthValidator(provider_api.ProviderAPIMixin, oauth1.RequestValidator):
 
     def verify_request_token(self, token, request):
         # there aren't strong expectations on the request token format
-        return isinstance(token, six.string_types)
+        return isinstance(token, str)
 
     def verify_realms(self, token, realms, request):
         return True

keystone/policy/backends/base.py

@@ -11,7 +11,6 @@
 # under the License.
 
 import abc
-import six
 
 import keystone.conf
 from keystone import exception
@@ -20,8 +19,7 @@ from keystone import exception
 CONF = keystone.conf.CONF
 
 
-@six.add_metaclass(abc.ABCMeta)
+class PolicyDriverBase(object, metaclass=abc.ABCMeta):
-class PolicyDriverBase(object):
 
     def _get_list_limit(self):
         return CONF.policy.list_limit or CONF.list_limit

keystone/receipt/handlers.py

@@ -13,8 +13,8 @@
 # under the License.
 
 import flask
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common import authorization
 from keystone.common import provider_api
@@ -68,7 +68,7 @@ def build_receipt(mfa_error):
         issue_receipt(mfa_error.user_id, mfa_error.methods)
     resp_data = _render_receipt_response_from_model(receipt)
     resp_body = jsonutils.dumps(resp_data)
-    response = flask.make_response(resp_body, http_client.UNAUTHORIZED)
+    response = flask.make_response(resp_body, http.client.UNAUTHORIZED)
     response.headers[authorization.AUTH_RECEIPT_HEADER] = receipt.id
     response.headers['Content-Type'] = 'application/json'
     return response

keystone/receipt/provider.py

@@ -18,7 +18,6 @@ import datetime
 
 from oslo_log import log
 from oslo_utils import timeutils
-import six
 
 from keystone.common import cache
 from keystone.common import manager
@@ -159,7 +158,7 @@ class Manager(manager.Manager):
 
         if isinstance(expires_at, datetime.datetime):
             receipt.expires_at = utils.isotime(expires_at, subsecond=True)
-        if isinstance(expires_at, six.string_types):
+        if isinstance(expires_at, str):
             receipt.expires_at = expires_at
         elif not expires_at:
             receipt.expires_at = utils.isotime(

keystone/receipt/providers/base.py

@@ -14,13 +14,10 @@
 
 import abc
 
-import six
-
 from keystone import exception
 
 
-@six.add_metaclass(abc.ABCMeta)
+class Provider(object, metaclass=abc.ABCMeta):
-class Provider(object):
     """Interface description for a Receipt provider."""
 
     @abc.abstractmethod

keystone/receipt/receipt_formatters.py

@@ -71,8 +71,8 @@ class ReceiptFormatter(object):
     def pack(self, payload):
         """Pack a payload for transport as a receipt.
 
-        :type payload: six.binary_type
+        :type payload: bytes
-        :rtype: six.text_type
+        :rtype: str
 
         """
         # base64 padding (if any) is not URL-safe
@@ -81,8 +81,8 @@ class ReceiptFormatter(object):
     def unpack(self, receipt):
         """Unpack a receipt, and validate the payload.
 
-        :type receipt: six.text_type
+        :type receipt: str
-        :rtype: six.binary_type
+        :rtype: bytes
 
         """
         receipt = ReceiptFormatter.restore_padding(receipt)
@@ -98,7 +98,7 @@ class ReceiptFormatter(object):
         """Restore padding based on receipt size.
 
         :param receipt: receipt to restore padding on
-        :type receipt: six.text_type
+        :type receipt: str
         :returns: receipt with correct padding
 
         """
@@ -113,14 +113,14 @@ class ReceiptFormatter(object):
     def creation_time(cls, fernet_receipt):
         """Return the creation time of a valid Fernet receipt.
 
-        :type fernet_receipt: six.text_type
+        :type fernet_receipt: str
 
         """
         fernet_receipt = ReceiptFormatter.restore_padding(fernet_receipt)
-        # fernet_receipt is six.text_type
+        # fernet_receipt is str
 
         # Fernet receipts are base64 encoded, so we need to unpack them first
-        # urlsafe_b64decode() requires six.binary_type
+        # urlsafe_b64decode() requires bytes
         receipt_bytes = base64.urlsafe_b64decode(
             fernet_receipt.encode('utf-8'))
 
@@ -159,7 +159,7 @@ class ReceiptFormatter(object):
     def validate_receipt(self, receipt):
         """Validate a Fernet receipt and returns the payload attributes.
 
-        :type receipt: six.text_type
+        :type receipt: str
 
         """
         serialized_payload = self.unpack(receipt)
@@ -280,20 +280,20 @@ class ReceiptPayload(object):
     def base64_encode(cls, s):
         """Encode a URL-safe string.
 
-        :type s: six.text_type
+        :type s: str
-        :rtype: six.text_type
+        :rtype: str
 
         """
-        # urlsafe_b64encode() returns six.binary_type so need to convert to
+        # urlsafe_b64encode() returns bytes so need to convert to
-        # six.text_type, might as well do it before stripping.
+        # str, might as well do it before stripping.
         return base64.urlsafe_b64encode(s).decode('utf-8').rstrip('=')
 
     @classmethod
     def random_urlsafe_str_to_bytes(cls, s):
-        """Convert string from :func:`random_urlsafe_str()` to six.binary_type.
+        """Convert string from :func:`random_urlsafe_str()` to bytes.
 
-        :type s: six.text_type
+        :type s: str
-        :rtype: six.binary_type
+        :rtype: bytes
 
         """
         # urlsafe_b64decode() requires str, unicode isn't accepted.

keystone/resource/backends/base.py

@@ -14,8 +14,6 @@
 
 import abc
 
-import six
-
 import keystone.conf
 from keystone import exception
 
@@ -39,8 +37,7 @@ def get_project_from_domain(domain_ref):
 NULL_DOMAIN_ID = '<<keystone.domain.root>>'
 
 
-@six.add_metaclass(abc.ABCMeta)
+class ResourceDriverBase(object, metaclass=abc.ABCMeta):
-class ResourceDriverBase(object):
 
     def _get_list_limit(self):
         return CONF.resource.list_limit or CONF.list_limit

keystone/resource/backends/sql_model.py

@@ -10,7 +10,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from six import text_type
 from sqlalchemy import orm
 from sqlalchemy.orm import collections
 
@@ -102,7 +101,7 @@ class Project(sql.ModelBase, sql.ModelDictMixinWithExtras):
         for tag in values:
             tag_ref = ProjectTag()
             tag_ref.project_id = self.id
-            tag_ref.name = text_type(tag)
+            tag_ref.name = str(tag)
             new_tags.append(tag_ref)
         self._tags = new_tags
 

keystone/resource/config_backends/base.py

@@ -14,13 +14,10 @@
 
 import abc
 
-import six
-
 from keystone import exception
 
 
-@six.add_metaclass(abc.ABCMeta)
+class DomainConfigDriverBase(object, metaclass=abc.ABCMeta):
-class DomainConfigDriverBase(object):
     """Interface description for a Domain Config driver."""
 
     @abc.abstractmethod

keystone/resource/core.py

@@ -13,7 +13,6 @@
 """Main entry point into the Resource service."""
 
 from oslo_log import log
-import six
 
 from keystone import assignment
 from keystone.common import cache
@@ -1476,7 +1475,7 @@ class DomainConfigManager(manager.Manager):
         sensitive_dict = {s['option']: s['value'] for s in sensitive}
 
         for each_whitelisted in whitelisted:
-            if not isinstance(each_whitelisted['value'], six.string_types):
+            if not isinstance(each_whitelisted['value'], str):
                 # We only support substitutions into string types, if its an
                 # integer, list etc. then just continue onto the next one
                 continue

keystone/revoke/backends/base.py

@@ -16,7 +16,6 @@ import abc
 import datetime
 
 from oslo_utils import timeutils
-import six
 
 import keystone.conf
 from keystone import exception
@@ -32,8 +31,7 @@ def revoked_before_cutoff_time():
     return oldest
 
 
-@six.add_metaclass(abc.ABCMeta)
+class RevokeDriverBase(object, metaclass=abc.ABCMeta):
-class RevokeDriverBase(object):
     """Interface for recording and reporting revocation events."""
 
     @abc.abstractmethod

keystone/server/flask/application.py

@@ -19,7 +19,6 @@ import flask
 import oslo_i18n
 from oslo_log import log
 from oslo_middleware import healthcheck
-import six
 
 try:
     # werkzeug 0.15.x
@@ -85,9 +84,9 @@ def _handle_keystone_exception(error):
             "Authorization failed. %(exception)s from %(remote_addr)s",
             {'exception': error, 'remote_addr': flask.request.remote_addr})
     elif isinstance(error, exception.UnexpectedError):
-        LOG.exception(six.text_type(error))
+        LOG.exception(str(error))
     else:
-        LOG.warning(six.text_type(error))
+        LOG.warning(str(error))
 
     # Render the exception to something user "friendly"
     error_message = error.args[0]
@@ -95,7 +94,7 @@ def _handle_keystone_exception(error):
     if message is error_message:
         # translate() didn't do anything because it wasn't a Message,
         # convert to a string.
-        message = six.text_type(message)
+        message = str(message)
 
     body = dict(
         error={

keystone/server/flask/common.py

@@ -22,11 +22,10 @@ import flask
 from flask import blueprints
 import flask_restful
 import flask_restful.utils
+import http.client
 from oslo_log import log
 from oslo_log import versionutils
 from oslo_serialization import jsonutils
-import six
-from six.moves import http_client
 
 from keystone.common import authorization
 from keystone.common import context
@@ -156,13 +155,12 @@ def _assert_rbac_enforcement_called(resp):
 
 def _remove_content_type_on_204(resp):
     # Remove content-type if the resp is 204.
-    if resp.status_code == http_client.NO_CONTENT:
+    if resp.status_code == http.client.NO_CONTENT:
         resp.headers.pop('content-type', None)
     return resp
 
 
-@six.add_metaclass(abc.ABCMeta)
+class APIBase(object, metaclass=abc.ABCMeta):
-class APIBase(object):
 
     @property
     @abc.abstractmethod
@@ -807,7 +805,7 @@ class ResourceBase(flask_restful.Resource):
         val = False
         if filter_name in flask.request.args:
             filter_value = flask.request.args.get(filter_name)
-            if (isinstance(filter_value, six.string_types) and
+            if (isinstance(filter_value, str) and
                     filter_value == '0'):
                 val = False
             else:

keystone/server/flask/request_processing/middleware/auth_context.py

@@ -16,12 +16,11 @@ import itertools
 import re
 import wsgiref.util
 
+import http.client
 from keystonemiddleware import auth_token
 import oslo_i18n
 from oslo_log import log
 from oslo_serialization import jsonutils
-import six
-from six.moves import http_client
 import webob.dec
 import webob.exc
 
@@ -103,16 +102,16 @@ def middleware_exceptions(method):
         try:
             return method(self, request)
         except exception.Error as e:
-            LOG.warning(six.text_type(e))
+            LOG.warning(e)
             return render_exception(e, request=request,
                                     user_locale=best_match_language(request))
         except TypeError as e:
-            LOG.exception(six.text_type(e))
+            LOG.exception(e)
             return render_exception(exception.ValidationError(e),
                                     request=request,
                                     user_locale=best_match_language(request))
         except Exception as e:
-            LOG.exception(six.text_type(e))
+            LOG.exception(e)
             return render_exception(exception.UnexpectedError(exception=e),
                                     request=request,
                                     user_locale=best_match_language(request))
@@ -130,8 +129,8 @@ def render_response(body=None, status=None, headers=None, method=None):
 
     if body is None:
         body = b''
-        status = status or (http_client.NO_CONTENT,
+        status = status or (http.client.NO_CONTENT,
-                            http_client.responses[http_client.NO_CONTENT])
+                            http.client.responses[http.client.NO_CONTENT])
     else:
         content_types = [v for h, v in headers if h == 'Content-Type']
         if content_types:
@@ -143,8 +142,8 @@ def render_response(body=None, status=None, headers=None, method=None):
             body = jsonutils.dump_as_bytes(body, cls=utils.SmarterEncoder)
             if content_type is None:
                 headers.append(('Content-Type', 'application/json'))
-        status = status or (http_client.OK,
+        status = status or (http.client.OK,
-                            http_client.responses[http_client.OK])
+                            http.client.responses[http.client.OK])
 
     # NOTE(davechen): `mod_wsgi` follows the standards from pep-3333 and
     # requires the value in response header to be binary type(str) on python2,
@@ -205,7 +204,7 @@ def render_exception(error, context=None, request=None, user_locale=None):
     if message is error_message:
         # translate() didn't do anything because it wasn't a Message,
         # convert to a string.
-        message = six.text_type(message)
+        message = str(message)
 
     body = {'error': {
         'code': error.code,

keystone/tests/hacking/checks.py

@@ -26,8 +26,6 @@ please see pycodestyle.py.
 import ast
 import re
 
-import six
-
 
 class BaseASTChecker(ast.NodeVisitor):
     """Provides a simple framework for writing AST-based checks.
@@ -183,7 +181,7 @@ class CheckForTranslationIssues(BaseASTChecker):
             if obj_name is None:
                 return None
             return obj_name + '.' + method_name
-        elif isinstance(node, six.string_types):
+        elif isinstance(node, str):
             return node
         else:  # could be Subscript, Call or many more
             return None

keystone/tests/protection/v3/test_access_rules.py

@@ -12,7 +12,7 @@
 
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -133,7 +133,7 @@ class _ProjectUsersTests(object):
                 user['id'], access_rule_id)
             c.get(
                 path, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_own_non_existent_access_rule_not_found(self):
@@ -142,7 +142,7 @@ class _ProjectUsersTests(object):
                 '/v3/users/%s/access_rules/%s' % (
                     self.user_id, uuid.uuid4().hex),
                 headers=self.headers,
-                expected_status_code=http_client.NOT_FOUND
+                expected_status_code=http.client.NOT_FOUND
             )
 
     def test_cannot_get_non_existent_access_rule_other_user_forbidden(self):
@@ -153,7 +153,7 @@ class _ProjectUsersTests(object):
                 '/v3/users/%s/access_rules/%s' % (
                     user['id'], uuid.uuid4().hex),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_access_rules_for_other_users(self):
@@ -186,7 +186,7 @@ class _ProjectUsersTests(object):
         with self.test_client() as c:
             path = '/v3/users/%s/access_rules' % user['id']
             c.get(path, headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_delete_access_rules_for_others(self):
         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
@@ -222,7 +222,7 @@ class _ProjectUsersTests(object):
                 user['id'], access_rule_id)
             c.delete(
                 path, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_delete_non_existent_access_rule_other_user_forbidden(self):
@@ -233,7 +233,7 @@ class _ProjectUsersTests(object):
                 '/v3/users/%s/access_rules/%s' % (
                     user['id'], uuid.uuid4().hex),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -281,7 +281,7 @@ class _SystemUserAccessRuleTests(object):
                 '/v3/users/%s/access_rules/%s' % (
                     user['id'], uuid.uuid4().hex),
                 headers=self.headers,
-                expected_status_code=http_client.NOT_FOUND
+                expected_status_code=http.client.NOT_FOUND
             )
 
 
@@ -352,7 +352,7 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
                 user['id'], access_rule_id)
             c.delete(
                 path, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_non_existent_access_rule_forbidden(self):
@@ -363,7 +363,7 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
                 '/v3/users/%s/access_rules/%s' % (
                     user['id'], uuid.uuid4().hex),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -434,7 +434,7 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
                 user['id'], access_rule_id)
             c.delete(
                 path, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
         with self.test_client() as c:
@@ -442,7 +442,7 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
                 user['id'], access_rule_id)
             c.delete(
                 path, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_non_existent_access_rule_forbidden(self):
@@ -453,7 +453,7 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
                 '/v3/users/%s/access_rules/%s' % (
                     user['id'], uuid.uuid4().hex),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -526,7 +526,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                 '/v3/users/%s/access_rules/%s' % (
                     user['id'], uuid.uuid4().hex),
                 headers=self.headers,
-                expected_status_code=http_client.NOT_FOUND
+                expected_status_code=http.client.NOT_FOUND
             )
 
 

keystone/tests/protection/v3/test_application_credential.py

@@ -13,8 +13,8 @@
 import datetime
 import uuid
 
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common.policies import base as base_policy
 from keystone.common import provider_api
@@ -127,7 +127,7 @@ class _DomainAndProjectUserTests(object):
         with self.test_client() as c:
             c.get('/v3/users/%s/application_credentials' % (
                   self.app_cred_user_id),
-                  expected_status_code=http_client.FORBIDDEN,
+                  expected_status_code=http.client.FORBIDDEN,
                   headers=self.headers)
 
     def test_user_cannot_get_application_credential(self):
@@ -137,7 +137,7 @@ class _DomainAndProjectUserTests(object):
             c.get('/v3/users/%s/application_credentials/%s' % (
                   self.app_cred_user_id,
                   app_cred['id']),
-                  expected_status_code=http_client.FORBIDDEN,
+                  expected_status_code=http.client.FORBIDDEN,
                   headers=self.headers)
 
     def test_user_cannot_lookup_application_credential(self):
@@ -147,7 +147,7 @@ class _DomainAndProjectUserTests(object):
             c.get('/v3/users/%s/application_credentials?name=%s' % (
                   self.app_cred_user_id,
                   app_cred['name']),
-                  expected_status_code=http_client.FORBIDDEN,
+                  expected_status_code=http.client.FORBIDDEN,
                   headers=self.headers)
 
     def test_user_cannot_delete_application_credential(self):
@@ -158,7 +158,7 @@ class _DomainAndProjectUserTests(object):
                 '/v3/users/%s/application_credentials/%s' % (
                     self.app_cred_user_id,
                     app_cred['id']),
-                expected_status_code=http_client.FORBIDDEN,
+                expected_status_code=http.client.FORBIDDEN,
                 headers=self.headers)
 
     def test_user_cannot_lookup_non_existent_application_credential(self):
@@ -166,7 +166,7 @@ class _DomainAndProjectUserTests(object):
             c.get('/v3/users/%s/application_credentials?name=%s' % (
                   self.app_cred_user_id,
                   uuid.uuid4().hex),
-                  expected_status_code=http_client.FORBIDDEN,
+                  expected_status_code=http.client.FORBIDDEN,
                   headers=self.headers)
 
     def test_user_cannot_create_app_credential_for_another_user(self):
@@ -187,7 +187,7 @@ class _DomainAndProjectUserTests(object):
             c.post(
                 '/v3/users/%s/application_credentials' % another_user_id,
                 json=app_cred_body,
-                expected_status_code=http_client.FORBIDDEN,
+                expected_status_code=http.client.FORBIDDEN,
                 headers=self.headers)
 
 
@@ -233,7 +233,7 @@ class _SystemUserAndOwnerTests(object):
 
     def _test_delete_application_credential(
             self,
-            expected_status_code=http_client.NO_CONTENT):
+            expected_status_code=http.client.NO_CONTENT):
         app_cred = self._create_application_credential()
 
         with self.test_client() as c:
@@ -262,7 +262,7 @@ class _SystemUserAndOwnerTests(object):
             c.post(
                 '/v3/users/%s/application_credentials' % another_user_id,
                 json=app_cred_body,
-                expected_status_code=http_client.FORBIDDEN,
+                expected_status_code=http.client.FORBIDDEN,
                 headers=self.headers)
 
 
@@ -300,7 +300,7 @@ class SystemReaderTests(_TestAppCredBase,
 
     def test_system_reader_cannot_delete_application_credential_for_user(self):
         self._test_delete_application_credential(
-            expected_status_code=http_client.FORBIDDEN)
+            expected_status_code=http.client.FORBIDDEN)
 
 
 class SystemMemberTests(_TestAppCredBase,
@@ -337,7 +337,7 @@ class SystemMemberTests(_TestAppCredBase,
 
     def test_system_reader_cannot_delete_application_credential_for_user(self):
         self._test_delete_application_credential(
-            expected_status_code=http_client.FORBIDDEN)
+            expected_status_code=http.client.FORBIDDEN)
 
 
 class SystemAdminTests(_TestAppCredBase,
@@ -412,7 +412,7 @@ class OwnerTests(_TestAppCredBase,
             c.post(
                 '/v3/users/%s/application_credentials' % self.user_id,
                 json=app_cred_body,
-                expected_status_code=http_client.CREATED,
+                expected_status_code=http.client.CREATED,
                 headers=self.headers)
 
     def test_owner_can_delete_application_credential(self):

keystone/tests/protection/v3/test_assignment.py

@@ -11,7 +11,7 @@
 #    under the License.
 
 import copy
-from six.moves import http_client
+import http.client
 import uuid
 
 from oslo_serialization import jsonutils
@@ -1021,7 +1021,7 @@ class _DomainUserTests(object):
                 ('/v3/role_assignments?scope.project.id=%s&include_subtree' %
                  assignments['project_id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -1031,7 +1031,7 @@ class _ProjectUserTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/role_assignments', headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_filter_role_assignments_by_user_of_project(self):
@@ -1042,7 +1042,7 @@ class _ProjectUserTests(object):
             c.get(
                 '/v3/role_assignments?user.id=%s' % user_id,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_filter_role_assignments_by_group_of_project(self):
@@ -1053,7 +1053,7 @@ class _ProjectUserTests(object):
             c.get(
                 '/v3/role_assignments?group.id=%s' % group_id,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_filter_role_assignments_by_system(self):
@@ -1061,7 +1061,7 @@ class _ProjectUserTests(object):
             c.get(
                 '/v3/role_assignments?scope.system=all',
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_filter_role_assignments_by_domain(self):
@@ -1070,7 +1070,7 @@ class _ProjectUserTests(object):
                 '/v3/role_assignments?scope.domain.id=%s'
                 % self.domain_id,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_filter_role_assignments_by_other_project(self):
@@ -1084,7 +1084,7 @@ class _ProjectUserTests(object):
                 '/v3/role_assignments?scope.project.id=%s'
                 % project1,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_filter_role_assignments_by_other_project_user(self):
@@ -1099,7 +1099,7 @@ class _ProjectUserTests(object):
             c.get(
                 '/v3/role_assignments?user.id=%s' % user_id,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_filter_role_assignments_by_other_project_group(self):
@@ -1114,7 +1114,7 @@ class _ProjectUserTests(object):
             c.get(
                 '/v3/role_assignments?group.id=%s' % group_id,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -1138,7 +1138,7 @@ class _ProjectReaderMemberTests(object):
                 ('/v3/role_assignments?scope.project.id=%s&include_subtree' %
                  self.project_id),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -1628,5 +1628,5 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
                 ('/v3/role_assignments?scope.project.id=%s&include_subtree' %
                  project['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )

keystone/tests/protection/v3/test_consumer.py

@@ -12,7 +12,7 @@
 
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -49,7 +49,7 @@ class _SystemReaderAndMemberOauth1ConsumerTests(object):
         with self.test_client() as c:
             c.post('/v3/OS-OAUTH1/consumers',
                    json={'consumer': {}},
-                   expected_status_code=http_client.FORBIDDEN,
+                   expected_status_code=http.client.FORBIDDEN,
                    headers=self.headers)
 
     def test_user_cannot_update_consumer(self):
@@ -58,7 +58,7 @@ class _SystemReaderAndMemberOauth1ConsumerTests(object):
         with self.test_client() as c:
             c.patch('/v3/OS-OAUTH1/consumers/%s' % ref['id'],
                     json={'consumer': {'description': uuid.uuid4().hex}},
-                    expected_status_code=http_client.FORBIDDEN,
+                    expected_status_code=http.client.FORBIDDEN,
                     headers=self.headers)
 
     def test_user_cannot_delete_consumer(self):
@@ -66,7 +66,7 @@ class _SystemReaderAndMemberOauth1ConsumerTests(object):
             {'id': uuid.uuid4().hex})
         with self.test_client() as c:
             c.delete('/v3/OS-OAUTH1/consumers/%s' % ref['id'],
-                     expected_status_code=http_client.FORBIDDEN,
+                     expected_status_code=http.client.FORBIDDEN,
                      headers=self.headers)
 
 

keystone/tests/protection/v3/test_credentials.py

@@ -12,8 +12,8 @@
 
 import uuid
 
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common.policies import base as bp
 from keystone.common import provider_api
@@ -192,14 +192,14 @@ class _ProjectUsersTests(object):
             path = '/v3/credentials/%s' % credential_id
             c.get(
                 path, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_non_existant_credential_forbidden(self):
         with self.test_client() as c:
             c.get(
                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_credentials_for_other_users(self):
@@ -351,7 +351,7 @@ class _ProjectUsersTests(object):
             path = '/v3/credentials/%s' % credential_id
             c.patch(
                 path, json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_non_existant_credential_forbidden(self):
@@ -361,7 +361,7 @@ class _ProjectUsersTests(object):
             c.patch(
                 '/v3/credentials/%s' % uuid.uuid4().hex, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_credentials_for_other_users(self):
@@ -379,7 +379,7 @@ class _ProjectUsersTests(object):
             }
             c.post(
                 '/v3/credentials', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_credentials_for_others(self):
@@ -418,14 +418,14 @@ class _ProjectUsersTests(object):
             path = '/v3/credentials/%s' % credential_id
             c.delete(
                 path, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_non_existant_credential_forbidden(self):
         with self.test_client() as c:
             c.delete(
                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -474,7 +474,7 @@ class _SystemUserCredentialTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.NOT_FOUND
+                expected_status_code=http.client.NOT_FOUND
             )
 
     def test_user_can_filter_credentials_by_type_for_others(self):
@@ -617,7 +617,7 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
             }
             c.post(
                 '/v3/credentials', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_credentials_for_others(self):
@@ -657,7 +657,7 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
             path = '/v3/credentials/%s' % credential_id
             c.patch(
                 path, json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_non_existant_credential_forbidden(self):
@@ -667,7 +667,7 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/credentials/%s' % uuid.uuid4().hex, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_credentials_for_others(self):
@@ -706,14 +706,14 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
             path = '/v3/credentials/%s' % credential_id
             c.delete(
                 path, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_non_existant_credential_forbidden(self):
         with self.test_client() as c:
             c.delete(
                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -765,7 +765,7 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
             }
             c.post(
                 '/v3/credentials', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_credentials_for_others(self):
@@ -805,7 +805,7 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
             path = '/v3/credentials/%s' % credential_id
             c.patch(
                 path, json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_non_existant_credential_forbidden(self):
@@ -815,7 +815,7 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/credentials/%s' % uuid.uuid4().hex, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_credentials_for_others(self):
@@ -854,14 +854,14 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
             path = '/v3/credentials/%s' % credential_id
             c.delete(
                 path, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_non_existant_credential_forbidden(self):
         with self.test_client() as c:
             c.delete(
                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -954,7 +954,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/credentials/%s' % uuid.uuid4().hex, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.NOT_FOUND
+                expected_status_code=http.client.NOT_FOUND
             )
 
     def test_user_can_delete_credentials_for_others(self):
@@ -997,7 +997,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.delete(
                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.NOT_FOUND
+                expected_status_code=http.client.NOT_FOUND
             )
 
 

keystone/tests/protection/v3/test_domain_config.py

@@ -12,7 +12,7 @@
 
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -122,7 +122,7 @@ class _SystemUserDomainConfigTests(object):
         with self.test_client() as c:
             c.get('/v3/domains/%s/config/ldap'
                   % invalid_domain_id, headers=self.headers,
-                  expected_status_code=http_client.NOT_FOUND)
+                  expected_status_code=http.client.NOT_FOUND)
 
     def test_user_can_get_non_existent_config(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -130,7 +130,7 @@ class _SystemUserDomainConfigTests(object):
         )
         with self.test_client() as c:
             c.get('/v3/domains/%s/config' % domain['id'], headers=self.headers,
-                  expected_status_code=http_client.NOT_FOUND)
+                  expected_status_code=http.client.NOT_FOUND)
 
     def test_user_can_get_non_existent_config_group_invalid_domain(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -142,7 +142,7 @@ class _SystemUserDomainConfigTests(object):
         with self.test_client() as c:
             c.get('/v3/domains/%s/config/ldap'
                   % invalid_domain_id, headers=self.headers,
-                  expected_status_code=http_client.NOT_FOUND)
+                  expected_status_code=http.client.NOT_FOUND)
 
     def test_user_can_get_domain_config_option(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -163,7 +163,7 @@ class _SystemUserDomainConfigTests(object):
         with self.test_client() as c:
             c.get('/v3/domains/%s/config/ldap/user_tree_dn'
                   % domain['id'], headers=self.headers,
-                  expected_status_code=http_client.NOT_FOUND)
+                  expected_status_code=http.client.NOT_FOUND)
 
     def test_user_can_get_non_existent_config_option_invalid_domain(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -175,7 +175,7 @@ class _SystemUserDomainConfigTests(object):
         with self.test_client() as c:
             c.get('/v3/domains/%s/config/ldap/user_tree_dn'
                   % invalid_domain_id, headers=self.headers,
-                  expected_status_code=http_client.NOT_FOUND)
+                  expected_status_code=http.client.NOT_FOUND)
 
     def test_user_can_get_security_compliance_domain_config(self):
         # Set the security compliance configuration options
@@ -247,7 +247,7 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
                   % domain['id'],
                   json={'config': unit.new_domain_config_ref()},
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_update_domain_config(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -261,7 +261,7 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
             c.patch('/v3/domains/%s/config'
                     % domain['id'], json={'config': new_config},
                     headers=self.headers,
-                    expected_status_code=http_client.FORBIDDEN)
+                    expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_update_domain_group_config(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -275,7 +275,7 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
             c.patch('/v3/domains/%s/config/ldap'
                     % domain['id'], json={'config': new_config},
                     headers=self.headers,
-                    expected_status_code=http_client.FORBIDDEN)
+                    expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_update_domain_config_option(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -289,7 +289,7 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
                     % domain['id'],
                     json={'config': new_config},
                     headers=self.headers,
-                    expected_status_code=http_client.FORBIDDEN)
+                    expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_delete_domain_config(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -300,7 +300,7 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
         with self.test_client() as c:
             c.delete('/v3/domains/%s/config' % domain['id'],
                      headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN)
+                     expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_delete_domain_group_config(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -311,7 +311,7 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
         with self.test_client() as c:
             c.delete('/v3/domains/%s/config/ldap'
                      % domain['id'], headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN)
+                     expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_delete_domain_config_option(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -322,7 +322,7 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
         with self.test_client() as c:
             c.delete('/v3/domains/%s/config/ldap/url'
                      % domain['id'], headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN)
+                     expected_status_code=http.client.FORBIDDEN)
 
 
 class _DomainAndProjectUserDomainConfigTests(object):
@@ -336,7 +336,7 @@ class _DomainAndProjectUserDomainConfigTests(object):
         with self.test_client() as c:
             c.get('/v3/domains/%s/config'
                   % domain['id'], headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_domain_group_config(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -347,7 +347,7 @@ class _DomainAndProjectUserDomainConfigTests(object):
         with self.test_client() as c:
             c.get('/v3/domains/%s/config/ldap'
                   % domain['id'], headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_non_existant_config(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -355,7 +355,7 @@ class _DomainAndProjectUserDomainConfigTests(object):
         )
         with self.test_client() as c:
             c.get('/v3/domains/%s/config' % domain['id'], headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_domain_config_option(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -366,22 +366,22 @@ class _DomainAndProjectUserDomainConfigTests(object):
         with self.test_client() as c:
             c.get('/v3/domains/%s/config/ldap/url'
                   % domain['id'], headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_domain_config_default(self):
         with self.test_client() as c:
             c.get('/v3/domains/config/default', headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_domain_group_config_default(self):
         with self.test_client() as c:
             c.get('/v3/domains/config/ldap/default', headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_domain_config_option_default(self):
         with self.test_client() as c:
             c.get('/v3/domains/config/ldap/url/default', headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
 
 class SystemReaderTests(
@@ -492,7 +492,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                   % domain['id'],
                   json={'config': unit.new_domain_config_ref()},
                   headers=self.headers,
-                  expected_status_code=http_client.CREATED)
+                  expected_status_code=http.client.CREATED)
 
     def test_user_cannot_create_invalid_domain_config(self):
         invalid_domain_id = uuid.uuid4().hex
@@ -501,7 +501,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                   % invalid_domain_id,
                   json={'config': unit.new_domain_config_ref()},
                   headers=self.headers,
-                  expected_status_code=http_client.NOT_FOUND)
+                  expected_status_code=http.client.NOT_FOUND)
 
     def test_user_can_update_domain_config(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -581,7 +581,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.delete('/v3/domains/%s/config' % invalid_domain_id,
                      headers=self.headers,
-                     expected_status_code=http_client.NOT_FOUND)
+                     expected_status_code=http.client.NOT_FOUND)
 
 
 class DomainUserTests(

keystone/tests/protection/v3/test_domain_roles.py

@@ -12,7 +12,7 @@
 
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -60,7 +60,7 @@ class _SystemReaderAndMemberDomainRoleTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/roles', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_domain_roles(self):
@@ -74,7 +74,7 @@ class _SystemReaderAndMemberDomainRoleTests(object):
         with self.test_client() as c:
             c.patch(
                 '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_domain_roles(self):
@@ -86,7 +86,7 @@ class _SystemReaderAndMemberDomainRoleTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/roles/%s' % role['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -101,7 +101,7 @@ class _DomainAndProjectUserDomainRoleTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/roles', headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_a_domain_role(self):
@@ -113,7 +113,7 @@ class _DomainAndProjectUserDomainRoleTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/roles/%s' % role['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_domain_roles(self):
@@ -123,7 +123,7 @@ class _DomainAndProjectUserDomainRoleTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/roles', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_domain_roles(self):
@@ -137,7 +137,7 @@ class _DomainAndProjectUserDomainRoleTests(object):
         with self.test_client() as c:
             c.patch(
                 '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_domain_roles(self):
@@ -149,7 +149,7 @@ class _DomainAndProjectUserDomainRoleTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/roles/%s' % role['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 

keystone/tests/protection/v3/test_domains.py

@@ -12,8 +12,8 @@
 
 import uuid
 
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common.policies import domain as dp
 from keystone.common import provider_api
@@ -100,7 +100,7 @@ class _SystemMemberAndReaderDomainTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/domains', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_a_domain(self):
@@ -113,7 +113,7 @@ class _SystemMemberAndReaderDomainTests(object):
             c.patch(
                 '/v3/domains/%s' % domain['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_a_domain(self):
@@ -124,7 +124,7 @@ class _SystemMemberAndReaderDomainTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/domains/%s' % domain['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -143,14 +143,14 @@ class _DomainAndProjectUserDomainTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/domains/%s' % domain['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_domains(self):
         with self.test_client() as c:
             c.get(
                 '/v3/domains', headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_filter_domains_by_name(self):
@@ -166,18 +166,18 @@ class _DomainAndProjectUserDomainTests(object):
             c.get(
                 '/v3/domains?name=%s' % domain_name,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_filter_domains_by_enabled(self):
         with self.test_client() as c:
             c.get(
                 '/v3/domains?enabled=true', headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
             c.get(
                 '/v3/domains?enabled=false', headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_a_domain(self):
@@ -190,7 +190,7 @@ class _DomainAndProjectUserDomainTests(object):
             c.patch(
                 '/v3/domains/%s' % domain['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_a_domain(self):
@@ -199,7 +199,7 @@ class _DomainAndProjectUserDomainTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/domains', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_a_domain(self):
@@ -212,11 +212,11 @@ class _DomainAndProjectUserDomainTests(object):
             path = '/v3/domains/%s' % domain['id']
             c.patch(
                 path, json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
             c.delete(
                 path, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_non_existant_domain_forbidden(self):
@@ -225,7 +225,7 @@ class _DomainAndProjectUserDomainTests(object):
             c.get(
                 '/v3/domains/%s' % uuid.uuid4().hex,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 

keystone/tests/protection/v3/test_ec2_credential.py

@@ -10,8 +10,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common.policies import base as bp
 from keystone.common import provider_api
@@ -85,7 +85,7 @@ class _UserEC2CredentialTests(object):
         with self.test_client() as c:
             c.post('/v3/users/%s/credentials/OS-EC2' % self.user_id,
                    json={'tenant_id': project['id']}, headers=self.headers,
-                   expected_status_code=http_client.CREATED)
+                   expected_status_code=http.client.CREATED)
 
     def test_user_delete_their_ec2_credentials(self):
         project = unit.new_project_ref(
@@ -122,7 +122,7 @@ class _UserEC2CredentialTests(object):
         with self.test_client() as c:
             c.post('/v3/users/%s/credentials/OS-EC2' % user['id'],
                    json={'tenant_id': project['id']}, headers=self.headers,
-                   expected_status_code=http_client.FORBIDDEN)
+                   expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_delete_ec2_credentials_for_others(self):
         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
@@ -152,7 +152,7 @@ class _UserEC2CredentialTests(object):
             c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (
                      self.user_id, credential_id),
                      headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN)
+                     expected_status_code=http.client.FORBIDDEN)
 
 
 class _SystemUserTests(object):
@@ -185,7 +185,7 @@ class _SystemUserTests(object):
             path = '/v3/users/%s/credentials/OS-EC2/%s' % (
                 self.user_id, credential_id)
             c.get(path, headers=self.headers,
-                  expected_status_code=http_client.OK)
+                  expected_status_code=http.client.OK)
 
 
 class _SystemReaderAndMemberTests(object):

keystone/tests/protection/v3/test_endpoint_group.py

@@ -12,7 +12,7 @@
 
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -153,7 +153,7 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
             c.post(
                 '/v3/OS-EP-FILTER/endpoint_groups', json=create,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_endpoint_groups(self):
@@ -170,7 +170,7 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
                 '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
                 json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_endpoint_groups(self):
@@ -184,7 +184,7 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
             c.delete(
                 '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_add_endpoint_group_to_project(self):
@@ -202,7 +202,7 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
             c.put('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
                   % (endpoint_group['id'], project['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN
+                  expected_status_code=http.client.FORBIDDEN
                   )
 
     def test_cannot_remove_endpoint_group_from_project(self):
@@ -220,7 +220,7 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
             c.delete('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
                      % (endpoint_group['id'], project['id']),
                      headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN
+                     expected_status_code=http.client.FORBIDDEN
                      )
 
 
@@ -235,7 +235,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
 
         with self.test_client() as c:
             c.get('/v3/OS-EP-FILTER/endpoint_groups', headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_an_endpoint_group(self):
         endpoint_group = unit.new_endpoint_group_ref(
@@ -246,7 +246,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
         with self.test_client() as c:
             c.get('/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_list_projects_associated_with_endpoint_groups(self):
         project = PROVIDERS.resource_api.create_project(
@@ -265,7 +265,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
             c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects'
                   % endpoint_group['id'],
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_list_endpoints_associated_with_endpoint_groups(self):
         service = PROVIDERS.catalog_api.create_service(
@@ -284,7 +284,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
             c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/endpoints'
                   % endpoint_group['id'],
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_endpoints_associated_with_endpoint_groups(self):
         project = PROVIDERS.resource_api.create_project(
@@ -303,7 +303,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
             c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
                   % (endpoint_group['id'], project['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_list_endpoint_groups_with_their_projects(self):
         project = PROVIDERS.resource_api.create_project(
@@ -322,7 +322,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
             c.get('/v3/OS-EP-FILTER/projects/%s/endpoint_groups'
                   % project['id'],
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_create_endpoint_groups(self):
         create = {
@@ -338,7 +338,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
             c.post(
                 '/v3/OS-EP-FILTER/endpoint_groups', json=create,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_endpoint_groups(self):
@@ -355,7 +355,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
                 '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
                 json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_endpoint_groups(self):
@@ -369,7 +369,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
             c.delete(
                 '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_add_endpoint_group_to_project(self):
@@ -387,7 +387,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
             c.put('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
                   % (endpoint_group['id'], project['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN
+                  expected_status_code=http.client.FORBIDDEN
                   )
 
     def test_cannot_remove_endpoint_group_from_project(self):
@@ -405,7 +405,7 @@ class _DomainAndProjectUserEndpointGroupTests(object):
             c.delete('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
                      % (endpoint_group['id'], project['id']),
                      headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN
+                     expected_status_code=http.client.FORBIDDEN
                      )
 
 

keystone/tests/protection/v3/test_endpoints.py

@@ -12,7 +12,7 @@
 
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -74,7 +74,7 @@ class _SystemReaderAndMemberUserEndpointTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/endpoints', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_endpoints(self):
@@ -92,7 +92,7 @@ class _SystemReaderAndMemberUserEndpointTests(object):
             c.patch(
                 '/v3/endpoints/%s' % endpoint['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_endpoints(self):
@@ -107,7 +107,7 @@ class _SystemReaderAndMemberUserEndpointTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/endpoints/%s' % endpoint['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -125,7 +125,7 @@ class _DomainAndProjectUserEndpointTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/endpoints', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_endpoints(self):
@@ -143,7 +143,7 @@ class _DomainAndProjectUserEndpointTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/endpoints', headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_an_endpoint(self):
@@ -158,7 +158,7 @@ class _DomainAndProjectUserEndpointTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/endpoints/%s' % endpoint['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_endpoints(self):
@@ -176,7 +176,7 @@ class _DomainAndProjectUserEndpointTests(object):
             c.patch(
                 '/v3/endpoints/%s' % endpoint['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_endpoints(self):
@@ -191,7 +191,7 @@ class _DomainAndProjectUserEndpointTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/endpoints/%s' % endpoint['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 

keystone/tests/protection/v3/test_grants.py

@@ -12,8 +12,8 @@
 
 import uuid
 
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common.policies import grant as gp
 from keystone.common import provider_api
@@ -141,7 +141,7 @@ class _SystemUserGrantTests(object):
                     project['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_can_check_grant_for_user_on_domain(self):
@@ -164,7 +164,7 @@ class _SystemUserGrantTests(object):
                     domain['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_can_check_grant_for_group_on_project(self):
@@ -191,7 +191,7 @@ class _SystemUserGrantTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_can_check_grant_for_group_on_domain(self):
@@ -214,7 +214,7 @@ class _SystemUserGrantTests(object):
                     domain['id'], group['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
 
@@ -237,7 +237,7 @@ class _SystemMemberAndReaderGrantTests(object):
                     project['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_user_on_domain(self):
@@ -255,7 +255,7 @@ class _SystemMemberAndReaderGrantTests(object):
                     domain['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_group_on_project(self):
@@ -277,7 +277,7 @@ class _SystemMemberAndReaderGrantTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_group_on_domain(self):
@@ -295,7 +295,7 @@ class _SystemMemberAndReaderGrantTests(object):
                     domain['id'], group['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_user_on_project(self):
@@ -320,7 +320,7 @@ class _SystemMemberAndReaderGrantTests(object):
                     project['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_user_on_domain(self):
@@ -343,7 +343,7 @@ class _SystemMemberAndReaderGrantTests(object):
                     domain['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_group_on_project(self):
@@ -370,7 +370,7 @@ class _SystemMemberAndReaderGrantTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_group_on_domain(self):
@@ -393,7 +393,7 @@ class _SystemMemberAndReaderGrantTests(object):
                     domain['id'], group['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -499,7 +499,7 @@ class _DomainUserTests(object):
                     project['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_can_check_grant_for_user_on_domain(self):
@@ -519,7 +519,7 @@ class _DomainUserTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_can_check_grant_for_group_on_project(self):
@@ -544,7 +544,7 @@ class _DomainUserTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_can_check_grant_for_group_on_domain(self):
@@ -564,7 +564,7 @@ class _DomainUserTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_cannot_list_grants_for_user_other_domain_on_project_own_domain(self):  # noqa: E501
@@ -588,7 +588,7 @@ class _DomainUserTests(object):
             c.get(
                 '/v3/projects/%s/users/%s/roles' % (project['id'], user['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_list_grants_for_user_own_domain_on_project_other_domain(self):  # noqa: E501
@@ -613,7 +613,7 @@ class _DomainUserTests(object):
             c.get(
                 '/v3/projects/%s/users/%s/roles' % (project['id'], user['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_list_grants_for_user_own_domain_on_other_domain(self):
@@ -633,7 +633,7 @@ class _DomainUserTests(object):
             c.get(
                 '/v3/domains/%s/users/%s/roles' % (domain_id, user['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_list_grants_for_user_other_domain_on_own_domain(self):
@@ -653,7 +653,7 @@ class _DomainUserTests(object):
             c.get(
                 '/v3/domains/%s/users/%s/roles' % (domain_id, user['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_list_grants_for_group_other_domain_on_project_own_domain(self):  # noqa: E501
@@ -678,7 +678,7 @@ class _DomainUserTests(object):
                 '/v3/projects/%s/groups/%s/roles' % (
                     project['id'], group['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_list_grants_for_group_own_domain_on_project_other_domain(self):  # noqa: E501
@@ -704,7 +704,7 @@ class _DomainUserTests(object):
                 '/v3/projects/%s/groups/%s/roles' % (
                     project['id'], group['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_list_grants_for_group_own_domain_on_other_domain(self):
@@ -725,7 +725,7 @@ class _DomainUserTests(object):
                 '/v3/domains/%s/groups/%s/roles' % (
                     domain_id, group['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_list_grants_for_group_other_domain_on_own_domain(self):
@@ -746,7 +746,7 @@ class _DomainUserTests(object):
                 '/v3/domains/%s/groups/%s/roles' % (
                     domain_id, group['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_user_other_domain_on_project_own_domain(self):  # noqa: E501
@@ -772,7 +772,7 @@ class _DomainUserTests(object):
                     project['id'], user['id'],
                     self.bootstrapper.reader_role_id),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_user_own_domain_on_project_other_domain(self):  # noqa: E501
@@ -799,7 +799,7 @@ class _DomainUserTests(object):
                     project['id'], user['id'],
                     self.bootstrapper.reader_role_id),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
@@ -830,7 +830,7 @@ class _DomainUserTests(object):
                     project['id'], user['id'],
                     role['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_user_own_domain_on_other_domain(self):
@@ -853,7 +853,7 @@ class _DomainUserTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_user_other_domain_on_own_domain(self):
@@ -876,7 +876,7 @@ class _DomainUserTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
@@ -904,7 +904,7 @@ class _DomainUserTests(object):
                     role['id']
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_group_other_domain_on_project_own_domain(self):  # noqa: E501
@@ -930,7 +930,7 @@ class _DomainUserTests(object):
                     project['id'], group['id'],
                     self.bootstrapper.reader_role_id),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_group_own_domain_on_project_other_domain(self):  # noqa: E501
@@ -956,7 +956,7 @@ class _DomainUserTests(object):
                     project['id'], group['id'],
                     self.bootstrapper.reader_role_id),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
@@ -987,7 +987,7 @@ class _DomainUserTests(object):
                     project['id'], group['id'],
                     role['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_group_own_domain_on_other_domain(self):
@@ -1009,7 +1009,7 @@ class _DomainUserTests(object):
                     domain_id, group['id'],
                     self.bootstrapper.reader_role_id),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_group_other_domain_on_own_domain(self):
@@ -1031,7 +1031,7 @@ class _DomainUserTests(object):
                     domain_id, group['id'],
                     self.bootstrapper.reader_role_id),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_check_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
@@ -1057,7 +1057,7 @@ class _DomainUserTests(object):
                     domain_id, group['id'],
                     role['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_user_other_domain_on_project_own_domain(self):  # noqa: E501
@@ -1080,7 +1080,7 @@ class _DomainUserTests(object):
                     project['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_user_own_domain_on_project_other_domain(self):  # noqa: E501
@@ -1103,7 +1103,7 @@ class _DomainUserTests(object):
                     project['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
@@ -1129,7 +1129,7 @@ class _DomainUserTests(object):
                     project['id'], user['id'], role['id']
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_user_other_domain_on_own_domain(self):
@@ -1146,7 +1146,7 @@ class _DomainUserTests(object):
                     domain_id, user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_user_own_domain_on_other_domain(self):
@@ -1163,7 +1163,7 @@ class _DomainUserTests(object):
                     domain_id, user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
@@ -1184,7 +1184,7 @@ class _DomainUserTests(object):
                     domain_id, user['id'], role['id']
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_group_other_domain_on_project_own_domain(self):  # noqa: E501
@@ -1209,7 +1209,7 @@ class _DomainUserTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_group_own_domain_on_project_other_domain(self):  # noqa: E501
@@ -1234,7 +1234,7 @@ class _DomainUserTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
@@ -1263,7 +1263,7 @@ class _DomainUserTests(object):
                     role['id']
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_group_other_domain_on_own_domain(self):
@@ -1280,7 +1280,7 @@ class _DomainUserTests(object):
                     domain_id, group['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_group_own_domain_on_other_domain(self):
@@ -1297,7 +1297,7 @@ class _DomainUserTests(object):
                     domain_id, group['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
@@ -1318,7 +1318,7 @@ class _DomainUserTests(object):
                     domain_id, group['id'], role['id']
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_user_other_domain_on_project_own_domain(self):  # noqa: E501
@@ -1346,7 +1346,7 @@ class _DomainUserTests(object):
                     project['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_user_own_domain_on_project_other_domain(self):  # noqa: E501
@@ -1374,7 +1374,7 @@ class _DomainUserTests(object):
                     project['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_user_other_domain_on_own_domain(self):
@@ -1396,7 +1396,7 @@ class _DomainUserTests(object):
                     domain_id, user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_user_own_domain_on_other_domain(self):
@@ -1418,7 +1418,7 @@ class _DomainUserTests(object):
                     domain_id, user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_user_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
@@ -1444,7 +1444,7 @@ class _DomainUserTests(object):
                     domain_id, user['id'], role['id']
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_group_other_domain_on_project_own_domain(self):  # noqa: E501
@@ -1474,7 +1474,7 @@ class _DomainUserTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_group_own_domain_on_project_other_domain(self):  # noqa: E501
@@ -1504,7 +1504,7 @@ class _DomainUserTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_group_other_domain_on_own_domain(self):
@@ -1526,7 +1526,7 @@ class _DomainUserTests(object):
                     domain_id, group['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_group_own_domain_on_other_domain(self):
@@ -1548,7 +1548,7 @@ class _DomainUserTests(object):
                     domain_id, group['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_group_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
@@ -1575,7 +1575,7 @@ class _DomainUserTests(object):
                     domain_id, group['id'], role['id']
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -1859,7 +1859,7 @@ class _DomainMemberAndReaderTests(object):
                     project['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_user_on_domain(self):
@@ -1877,7 +1877,7 @@ class _DomainMemberAndReaderTests(object):
                     domain['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_group_on_project(self):
@@ -1897,7 +1897,7 @@ class _DomainMemberAndReaderTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_create_grant_for_group_on_domain(self):
@@ -1915,7 +1915,7 @@ class _DomainMemberAndReaderTests(object):
                     domain['id'], group['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_user_on_project(self):
@@ -1938,7 +1938,7 @@ class _DomainMemberAndReaderTests(object):
                     project['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_user_on_domain(self):
@@ -1961,7 +1961,7 @@ class _DomainMemberAndReaderTests(object):
                     domain['id'], user['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_group_on_project(self):
@@ -1988,7 +1988,7 @@ class _DomainMemberAndReaderTests(object):
                     self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_cannot_revoke_grant_from_group_on_domain(self):
@@ -2011,7 +2011,7 @@ class _DomainMemberAndReaderTests(object):
                     domain['id'], group['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -2245,5 +2245,5 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
                     domain['id'], group['id'], self.bootstrapper.reader_role_id
                 ),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )

keystone/tests/protection/v3/test_groups.py

@@ -12,8 +12,8 @@
 
 import uuid
 
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common.policies import group as gp
 from keystone.common import provider_api
@@ -113,14 +113,14 @@ class _SystemUserGroupTests(object):
             c.get(
                 '/v3/groups/%s/users/%s' % (group['id'], user['id']),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_user_cannot_get_non_existent_group_not_found(self):
         with self.test_client() as c:
             c.get(
                 '/v3/groups/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.NOT_FOUND
+                expected_status_code=http.client.NOT_FOUND
             )
 
 
@@ -142,7 +142,7 @@ class _SystemAndDomainMemberAndReaderGroupTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/groups', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_group(self):
@@ -159,7 +159,7 @@ class _SystemAndDomainMemberAndReaderGroupTests(object):
             c.patch(
                 '/v3/groups/%s' % group['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_group(self):
@@ -173,7 +173,7 @@ class _SystemAndDomainMemberAndReaderGroupTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/groups/%s' % group['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_add_users_to_group(self):
@@ -191,7 +191,7 @@ class _SystemAndDomainMemberAndReaderGroupTests(object):
             c.put(
                 '/v3/groups/%s/users/%s' % (group['id'], user['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_remove_users_from_group(self):
@@ -211,7 +211,7 @@ class _SystemAndDomainMemberAndReaderGroupTests(object):
             c.delete(
                 '/v3/groups/%s/users/%s' % (group['id'], user['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -442,13 +442,13 @@ class _DomainUserGroupTests(object):
         with self.test_client() as c:
             c.get('/v3/groups/%s' % group['id'],
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_non_existent_group_forbidden(self):
         with self.test_client() as c:
             c.get(
                 '/v3/groups/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_can_list_groups_in_domain_for_user_in_domain(self):
@@ -479,13 +479,13 @@ class _DomainUserGroupTests(object):
         with self.test_client() as c:
             c.get('/v3/users/%s/groups' % user['id'],
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_list_groups_for_non_existent_user_forbidden(self):
         with self.test_client() as c:
             c.get('/v3/users/%s/groups' % uuid.uuid4().hex,
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_list_groups_in_other_domain_user_in_own_domain(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -563,13 +563,13 @@ class _DomainUserGroupTests(object):
         with self.test_client() as c:
             c.get('/v3/groups/%s/users' % group['id'],
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_list_users_in_non_existent_group_forbidden(self):
         with self.test_client() as c:
             c.get('/v3/groups/%s/users' % uuid.uuid4().hex,
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_can_check_user_in_own_domain_group_in_own_domain(self):
         user = PROVIDERS.identity_api.create_user(
@@ -583,11 +583,11 @@ class _DomainUserGroupTests(object):
             c.head('/v3/groups/%(group)s/users/%(user)s' % {
                    'group': group['id'], 'user': user['id']},
                    headers=self.headers,
-                   expected_status_code=http_client.NO_CONTENT)
+                   expected_status_code=http.client.NO_CONTENT)
             c.get('/v3/groups/%(group)s/users/%(user)s' % {
                   'group': group['id'], 'user': user['id']},
                   headers=self.headers,
-                  expected_status_code=http_client.NO_CONTENT)
+                  expected_status_code=http.client.NO_CONTENT)
 
     def test_user_cannot_check_user_in_other_domain_group_in_own_domain(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -604,11 +604,11 @@ class _DomainUserGroupTests(object):
             c.head('/v3/groups/%(group)s/users/%(user)s' % {
                    'group': group['id'], 'user': user['id']},
                    headers=self.headers,
-                   expected_status_code=http_client.FORBIDDEN)
+                   expected_status_code=http.client.FORBIDDEN)
             c.get('/v3/groups/%(group)s/users/%(user)s' % {
                   'group': group['id'], 'user': user['id']},
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
 
 class DomainReaderTests(base_classes.TestCaseWithBootstrap,
@@ -836,7 +836,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
 
         with self.test_client() as c:
             c.post('/v3/groups', json=create, headers=self.headers,
-                   expected_status_code=http_client.FORBIDDEN)
+                   expected_status_code=http.client.FORBIDDEN)
 
     def test_user_can_update_group_in_own_domain(self):
         group = PROVIDERS.identity_api.create_group(
@@ -862,7 +862,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/groups/%s' % group['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_can_delete_group_in_own_domain(self):
@@ -886,7 +886,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.delete(
                 '/v3/groups/%s' % group['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_can_remove_user_in_own_domain_from_group_in_own_domain(self):
@@ -917,7 +917,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.delete('/v3/groups/%(group)s/users/%(user)s' % {
                      'group': group['id'], 'user': user['id']},
                      headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN)
+                     expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_remove_user_own_domain_from_group_other_domain(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -934,7 +934,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.delete('/v3/groups/%(group)s/users/%(user)s' % {
                      'group': group['id'], 'user': user['id']},
                      headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN)
+                     expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_remove_non_existent_user_from_group_forbidden(self):
         group = PROVIDERS.identity_api.create_group(
@@ -944,7 +944,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.delete('/v3/groups/%(group)s/users/%(user)s' % {
                      'group': group['id'], 'user': uuid.uuid4().hex},
                      headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN)
+                     expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_remove_user_from_non_existent_group_forbidden(self):
         user = PROVIDERS.identity_api.create_user(
@@ -954,7 +954,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.delete('/v3/groups/%(group)s/users/%(user)s' % {
                      'group': uuid.uuid4().hex, 'user': user['id']},
                      headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN)
+                     expected_status_code=http.client.FORBIDDEN)
 
     def test_user_can_add_user_in_own_domain_to_group_in_own_domain(self):
         group = PROVIDERS.identity_api.create_group(
@@ -982,7 +982,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.put('/v3/groups/%(group)s/users/%(user)s' % {
                   'group': group['id'], 'user': user['id']},
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_add_user_own_domain_to_group_other_domain(self):
         domain = PROVIDERS.resource_api.create_domain(
@@ -998,7 +998,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.put('/v3/groups/%(group)s/users/%(user)s' % {
                   'group': group['id'], 'user': user['id']},
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_add_non_existent_user_to_group_forbidden(self):
         group = PROVIDERS.identity_api.create_group(
@@ -1008,7 +1008,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.put('/v3/groups/%(group)s/users/%(user)s' % {
                   'group': group['id'], 'user': uuid.uuid4().hex},
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_add_user_from_non_existent_group_forbidden(self):
         user = PROVIDERS.identity_api.create_user(
@@ -1018,7 +1018,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.put('/v3/groups/%(group)s/users/%(user)s' % {
                   'group': uuid.uuid4().hex, 'user': user['id']},
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
 
 class ProjectUserTests(base_classes.TestCaseWithBootstrap,
@@ -1089,7 +1089,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/users/%s/groups' % user['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_groups(self):
@@ -1103,7 +1103,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/groups', headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_a_group(self):
@@ -1117,7 +1117,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/groups/%s' % group['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_group_members(self):
@@ -1136,7 +1136,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/groups/%s/users' % group['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_check_if_user_in_group(self):
@@ -1156,12 +1156,12 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
             c.get(
                 '/v3/groups/%s/users/%s' % (group['id'], user['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_non_existent_group_forbidden(self):
         with self.test_client() as c:
             c.get(
                 '/v3/groups/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )

keystone/tests/protection/v3/test_identity_providers.py

@@ -12,7 +12,7 @@
 
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -65,7 +65,7 @@ class _SystemReaderAndMemberIdentityProviderTests(object):
             c.put(
                 '/v3/OS-FEDERATION/identity_providers/%s' % uuid.uuid4().hex,
                 json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_identity_providers(self):
@@ -79,7 +79,7 @@ class _SystemReaderAndMemberIdentityProviderTests(object):
             c.patch(
                 '/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
                 json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_identity_providers(self):
@@ -91,7 +91,7 @@ class _SystemReaderAndMemberIdentityProviderTests(object):
             c.delete(
                 '/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -105,7 +105,7 @@ class _DomainAndProjectUserIdentityProviderTests(object):
             c.put(
                 '/v3/OS-FEDERATION/identity_providers/%s' % uuid.uuid4().hex,
                 json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_identity_providers(self):
@@ -119,7 +119,7 @@ class _DomainAndProjectUserIdentityProviderTests(object):
             c.patch(
                 '/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
                 json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_identity_providers(self):
@@ -130,7 +130,7 @@ class _DomainAndProjectUserIdentityProviderTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/OS-FEDERATION/identity_providers', headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_an_identity_provider(self):
@@ -142,7 +142,7 @@ class _DomainAndProjectUserIdentityProviderTests(object):
             c.get(
                 '/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_identity_providers(self):
@@ -154,7 +154,7 @@ class _DomainAndProjectUserIdentityProviderTests(object):
             c.delete(
                 '/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -259,7 +259,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
             c.put(
                 '/v3/OS-FEDERATION/identity_providers/%s' % uuid.uuid4().hex,
                 json=create, headers=self.headers,
-                expected_status_code=http_client.CREATED
+                expected_status_code=http.client.CREATED
             )
 
     def test_user_can_update_identity_providers(self):

keystone/tests/protection/v3/test_implied_roles.py

@@ -10,7 +10,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -58,7 +58,7 @@ class _SystemUserImpliedRoleTests(object):
                 '/v3/roles/%s/implies/%s' % (
                     self.prior_role_id, self.implied_role_id),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT)
+                expected_status_code=http.client.NO_CONTENT)
 
     def test_user_can_list_role_inference_rules(self):
         PROVIDERS.role_api.create_implied_role(self.prior_role_id,
@@ -81,7 +81,7 @@ class _SystemReaderAndMemberImpliedRoleTests(object):
                 '/v3/roles/%s/implies/%s' % (
                     self.prior_role_id, self.implied_role_id),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_implied_roles(self):
@@ -93,7 +93,7 @@ class _SystemReaderAndMemberImpliedRoleTests(object):
                 '/v3/roles/%s/implies/%s' % (
                     self.prior_role_id, self.implied_role_id),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -206,7 +206,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                 '/v3/roles/%s/implies/%s' % (
                     self.prior_role_id, self.implied_role_id),
                 headers=self.headers,
-                expected_status_code=http_client.CREATED
+                expected_status_code=http.client.CREATED
             )
 
     def test_user_can_delete_implied_roles(self):

keystone/tests/protection/v3/test_limits.py

@@ -12,7 +12,7 @@
 
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -134,7 +134,7 @@ class _UserLimitTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/limits', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_limits(self):
@@ -146,7 +146,7 @@ class _UserLimitTests(object):
             c.patch(
                 '/v3/limits/%s' % limit_id, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_limits(self):
@@ -156,7 +156,7 @@ class _UserLimitTests(object):
             c.delete(
                 '/v3/limits/%s' % limit_id,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -377,7 +377,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/limits/%s' % project_limit_id, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_domain_limits_for_other_domain(self):
@@ -386,7 +386,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/limits/%s' % domain_limit_id, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_can_list_limits_within_domain(self):
@@ -439,7 +439,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.post(
                 '/v3/limits', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_limits_for_other_domain(self):
@@ -471,7 +471,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.post(
                 '/v3/limits', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_limits_for_projects_in_domain(self):
@@ -507,7 +507,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.post(
                 '/v3/limits', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_limits_for_projects_outside_domain(self):
@@ -544,7 +544,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.post(
                 '/v3/limits', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_limits_for_domain(self):
@@ -558,7 +558,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/limits/%s' % domain_limit_id, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_limits_for_other_domain(self):
@@ -570,7 +570,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/limits/%s' % domain_limit_id, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_limits_for_projects_in_domain(self):
@@ -583,7 +583,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.patch(
                 '/v3/limits/%s' % project_limit_id, headers=self.headers,
-                json=update, expected_status_code=http_client.FORBIDDEN
+                json=update, expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_limits_for_projects_outside_domain(self):
@@ -594,7 +594,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.patch(
                 '/v3/limits/%s' % project_limit_id, headers=self.headers,
-                json=update, expected_status_code=http_client.FORBIDDEN
+                json=update, expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_limits_for_domain(self):
@@ -605,7 +605,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.delete(
                 '/v3/limits/%s' % domain_limit_id, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_limits_for_other_domain(self):
@@ -614,7 +614,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.delete(
                 '/v3/limits/%s' % domain_limit_id, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_limits_for_projects_in_domain(self):
@@ -625,7 +625,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.delete(
                 '/v3/limits/%s' % project_limit_id, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_limits_for_projects_outside_domain(self):
@@ -634,7 +634,7 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.delete(
                 '/v3/limits/%s' % project_limit_id, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -693,7 +693,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/limits/%s' % project_limit_id, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_domain_limit(self):
@@ -702,7 +702,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/limits/%s' % domain_limit_id, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_can_list_limits(self):
@@ -775,7 +775,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.post(
                 '/v3/limits', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_limits(self):
@@ -787,7 +787,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/limits/%s' % limit_id, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_limits(self):
@@ -797,7 +797,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
             c.delete(
                 '/v3/limits/%s' % limit_id,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 

keystone/tests/protection/v3/test_mappings.py

@@ -12,7 +12,7 @@
 
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -71,7 +71,7 @@ class _SystemReaderAndMemberUserMappingTests(object):
             c.put(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping_id, json=create,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_mappings(self):
@@ -93,7 +93,7 @@ class _SystemReaderAndMemberUserMappingTests(object):
             c.patch(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
                 json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_mappings(self):
@@ -106,7 +106,7 @@ class _SystemReaderAndMemberUserMappingTests(object):
             c.delete(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -128,7 +128,7 @@ class _DomainAndProjectUserMappingTests(object):
             c.put(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping_id, json=create,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_mappings(self):
@@ -140,7 +140,7 @@ class _DomainAndProjectUserMappingTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/OS-FEDERATION/mappings', headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_a_mapping(self):
@@ -153,7 +153,7 @@ class _DomainAndProjectUserMappingTests(object):
             c.get(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_mappings(self):
@@ -175,7 +175,7 @@ class _DomainAndProjectUserMappingTests(object):
             c.patch(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
                 json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_mappings(self):
@@ -188,7 +188,7 @@ class _DomainAndProjectUserMappingTests(object):
             c.delete(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -241,7 +241,7 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
             c.put(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping_id, json=create,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_mappings(self):
@@ -263,7 +263,7 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
                 json=update, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_mappings(self):
@@ -276,7 +276,7 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
             c.delete(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -355,7 +355,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.put(
                 '/v3/OS-FEDERATION/mappings/%s' % mapping_id, json=create,
-                headers=self.headers, expected_status_code=http_client.CREATED
+                headers=self.headers, expected_status_code=http.client.CREATED
             )
 
     def test_user_can_update_mappings(self):

keystone/tests/protection/v3/test_policy.py

@@ -13,7 +13,7 @@
 import json
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -66,7 +66,7 @@ class _SystemReaderAndMemberPoliciesTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/policies', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_policy(self):
@@ -79,7 +79,7 @@ class _SystemReaderAndMemberPoliciesTests(object):
             c.patch(
                 '/v3/policies/%s' % policy['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_policy(self):
@@ -89,7 +89,7 @@ class _SystemReaderAndMemberPoliciesTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/policies/%s' % policy['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -101,7 +101,7 @@ class _DomainAndProjectUserPolicyTests(object):
 
         with self.test_client() as c:
             c.get('/v3/policies', headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_policy(self):
         policy = unit.new_policy_ref()
@@ -109,7 +109,7 @@ class _DomainAndProjectUserPolicyTests(object):
 
         with self.test_client() as c:
             c.get('/v3/policies/%s' % policy['id'], headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_create_policy(self):
         create = {
@@ -124,7 +124,7 @@ class _DomainAndProjectUserPolicyTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/policies', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_policy(self):
@@ -137,7 +137,7 @@ class _DomainAndProjectUserPolicyTests(object):
             c.patch(
                 '/v3/policies/%s' % policy['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_policy(self):
@@ -147,7 +147,7 @@ class _DomainAndProjectUserPolicyTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/policies/%s' % policy['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 

keystone/tests/protection/v3/test_policy_association.py

@@ -12,7 +12,7 @@
 
 import uuid
 
-from six.moves import http_client
+import http.client
 
 from keystone.common import provider_api
 import keystone.conf
@@ -47,7 +47,7 @@ class _SystemUserPoliciesAssociationTests(object):
             c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
                   % (policy['id'], endpoint['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.NO_CONTENT)
+                  expected_status_code=http.client.NO_CONTENT)
 
     def test_user_can_check_policy_association_for_service(self):
         policy = unit.new_policy_ref()
@@ -64,7 +64,7 @@ class _SystemUserPoliciesAssociationTests(object):
             c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
                   % (policy['id'], service['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.NO_CONTENT)
+                  expected_status_code=http.client.NO_CONTENT)
 
     def test_user_can_check_policy_association_for_region_and_service(self):
         policy = unit.new_policy_ref()
@@ -84,7 +84,7 @@ class _SystemUserPoliciesAssociationTests(object):
             c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
                   % (policy['id'], service['id'], region['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.NO_CONTENT)
+                  expected_status_code=http.client.NO_CONTENT)
 
     def test_user_can_get_policy_for_endpoint(self):
         policy = unit.new_policy_ref()
@@ -143,7 +143,7 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
                 % (policy['id'], endpoint['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_policy_association_for_endpoint(self):
@@ -162,7 +162,7 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
                 % (policy['id'], endpoint['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_policy_association_for_service(self):
@@ -176,7 +176,7 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
                 % (policy['id'], service['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_policy_association_for_service(self):
@@ -191,7 +191,7 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
                 % (policy['id'], service['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_policy_assoc_for_region_and_service(self):
@@ -207,7 +207,7 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
                 % (policy['id'], service['id'], region['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_policy_assoc_for_region_and_service(self):
@@ -223,7 +223,7 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
                 % (policy['id'], service['id'], region['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -248,7 +248,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
             c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
                   % (policy['id'], endpoint['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_check_policy_association_for_service(self):
         policy = unit.new_policy_ref()
@@ -265,7 +265,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
             c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
                   % (policy['id'], service['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_check_policy_association_for_region_and_service(self):
         policy = unit.new_policy_ref()
@@ -285,7 +285,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
             c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
                   % (policy['id'], service['id'], region['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_get_policy_for_endpoint(self):
         policy = unit.new_policy_ref()
@@ -304,7 +304,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
             c.get('/v3/endpoints/%s/OS-ENDPOINT-POLICY/policy'
                   % (endpoint['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_list_endpoints_for_policy(self):
         policy = unit.new_policy_ref()
@@ -322,7 +322,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
         with self.test_client() as c:
             c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints'
                   % (policy['id']), headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN
+                  expected_status_code=http.client.FORBIDDEN
                   )
 
     def test_user_cannot_create_policy_association_for_endpoint(self):
@@ -341,7 +341,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
                 % (policy['id'], endpoint['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_policy_association_for_endpoint(self):
@@ -360,7 +360,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
                 % (policy['id'], endpoint['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_policy_association_for_service(self):
@@ -374,7 +374,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
                 % (policy['id'], service['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_policy_association_for_service(self):
@@ -389,7 +389,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
                 % (policy['id'], service['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_policy_assoc_for_region_and_service(self):
@@ -405,7 +405,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
                 % (policy['id'], service['id'], region['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_policy_assoc_for_region_and_service(self):
@@ -421,7 +421,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
                 % (policy['id'], service['id'], region['id']),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -535,7 +535,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
                 % (policy['id'], endpoint['id']),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_user_can_delete_policy_association_for_endpoint(self):
@@ -554,7 +554,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
                 % (policy['id'], endpoint['id']),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_user_can_create_policy_association_for_service(self):
@@ -568,7 +568,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
                 % (policy['id'], service['id']),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_user_can_delete_policy_association_for_service(self):
@@ -583,7 +583,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
                 % (policy['id'], service['id']),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_user_can_create_policy_association_for_region_and_service(self):
@@ -599,7 +599,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
                 % (policy['id'], service['id'], region['id']),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_user_can_delete_policy_association_for_region_and_service(self):
@@ -615,7 +615,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                 '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
                 % (policy['id'], service['id'], region['id']),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
 

keystone/tests/protection/v3/test_project_endpoint.py

@@ -12,8 +12,8 @@
 
 import uuid
 
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common.policies import base as bp
 from keystone.common import provider_api
@@ -74,7 +74,7 @@ class _SystemUserProjectEndpointTests(object):
             c.get('/v3/OS-EP-FILTER/projects/%s/endpoints/%s'
                   % (project['id'], endpoint['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.NO_CONTENT)
+                  expected_status_code=http.client.NO_CONTENT)
 
     def test_user_can_list_endpoints_for_project(self):
         project = PROVIDERS.resource_api.create_project(
@@ -118,7 +118,7 @@ class _SystemReaderAndMemberProjectEndpointTests(object):
             c.put('/v3/OS-EP-FILTER/projects/%s/endpoints/%s'
                   % (project['id'], endpoint['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_remove_endpoint_from_project(self):
         project = PROVIDERS.resource_api.create_project(
@@ -137,7 +137,7 @@ class _SystemReaderAndMemberProjectEndpointTests(object):
             c.delete('/v3/OS-EP-FILTER/projects/%s/endpoints/%s'
                      % (project['id'], endpoint['id']),
                      headers=self.headers,
-                     expected_status_code=http_client.FORBIDDEN)
+                     expected_status_code=http.client.FORBIDDEN)
 
 
 class _DomainAndProjectUserProjectEndpointTests(object):
@@ -161,7 +161,7 @@ class _DomainAndProjectUserProjectEndpointTests(object):
         with self.test_client() as c:
             c.get('/v3/OS-EP-FILTER/endpoints/%s/projects' % endpoint['id'],
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_check_endpoint_in_project(self):
         project = PROVIDERS.resource_api.create_project(
@@ -183,7 +183,7 @@ class _DomainAndProjectUserProjectEndpointTests(object):
             c.get('/v3/OS-EP-FILTER/projects/%s/endpoints/%s'
                   % (project['id'], endpoint['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
     def test_user_cannot_list_endpoints_for_project(self):
         project = PROVIDERS.resource_api.create_project(
@@ -204,7 +204,7 @@ class _DomainAndProjectUserProjectEndpointTests(object):
         with self.test_client() as c:
             c.get('/v3/OS-EP-FILTER/projects/%s/endpoints' % project['id'],
                   headers=self.headers,
-                  expected_status_code=http_client.FORBIDDEN)
+                  expected_status_code=http.client.FORBIDDEN)
 
 
 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
@@ -318,7 +318,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
             c.put('/v3/OS-EP-FILTER/projects/%s/endpoints/%s'
                   % (project['id'], endpoint['id']),
                   headers=self.headers,
-                  expected_status_code=http_client.NO_CONTENT)
+                  expected_status_code=http.client.NO_CONTENT)
 
     def test_user_can_remove_endpoint_from_project(self):
         project = PROVIDERS.resource_api.create_project(
@@ -339,7 +339,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
             c.delete('/v3/OS-EP-FILTER/projects/%s/endpoints/%s'
                      % (project['id'], endpoint['id']),
                      headers=self.headers,
-                     expected_status_code=http_client.NO_CONTENT)
+                     expected_status_code=http.client.NO_CONTENT)
 
 
 class DomainUserTests(base_classes.TestCaseWithBootstrap,

keystone/tests/protection/v3/test_project_tags.py

@@ -12,8 +12,8 @@
 
 import uuid
 
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common.policies import project as pp
 from keystone.common import provider_api
@@ -75,7 +75,7 @@ class _SystemUserTests(object):
             c.get(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_user_can_list_project_tags(self):
@@ -109,7 +109,7 @@ class _SystemMemberAndReaderTagTests(object):
             c.put(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_project_tag(self):
@@ -126,7 +126,7 @@ class _SystemMemberAndReaderTagTests(object):
         with self.test_client() as c:
             c.put(
                 '/v3/projects/%s/tags' % project['id'], headers=self.headers,
-                json=update, expected_status_code=http_client.FORBIDDEN
+                json=update, expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_project_tag(self):
@@ -142,7 +142,7 @@ class _SystemMemberAndReaderTagTests(object):
             c.delete(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -160,7 +160,7 @@ class _DomainAndProjectUserTagTests(object):
             c.put(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_project_tag(self):
@@ -177,7 +177,7 @@ class _DomainAndProjectUserTagTests(object):
         with self.test_client() as c:
             c.put(
                 '/v3/projects/%s/tags' % project['id'], headers=self.headers,
-                json=update, expected_status_code=http_client.FORBIDDEN
+                json=update, expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_project_tag(self):
@@ -193,7 +193,7 @@ class _DomainAndProjectUserTagTests(object):
             c.delete(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -301,7 +301,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
             c.put(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.CREATED
+                expected_status_code=http.client.CREATED
             )
 
     def test_user_can_update_project_tag(self):
@@ -319,7 +319,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
             c.put(
                 '/v3/projects/%s/tags' % project['id'], headers=self.headers,
                 json=update,
-                expected_status_code=http_client.OK
+                expected_status_code=http.client.OK
             )
 
     def test_user_can_delete_project_tag(self):
@@ -352,7 +352,7 @@ class _DomainUserTagTests(object):
             c.get(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_user_can_list_tags_for_project_in_domain(self):
@@ -382,7 +382,7 @@ class _DomainUserTagTests(object):
             c.put(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_project_tag_outside_domain(self):
@@ -400,7 +400,7 @@ class _DomainUserTagTests(object):
         with self.test_client() as c:
             c.put(
                 '/v3/projects/%s/tags' % project['id'], headers=self.headers,
-                json=update, expected_status_code=http_client.FORBIDDEN
+                json=update, expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_project_tag_outside_domain(self):
@@ -416,7 +416,7 @@ class _DomainUserTagTests(object):
             c.delete(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_tag_for_project_outside_domain(self):
@@ -432,7 +432,7 @@ class _DomainUserTagTests(object):
             c.get(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_tags_for_project_outside_domain(self):
@@ -448,7 +448,7 @@ class _DomainUserTagTests(object):
             c.get(
                 '/v3/projects/%s/tags' % project['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -465,7 +465,7 @@ class _DomainMemberAndReaderTagTests(object):
             c.put(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_project_tag_in_domain(self):
@@ -482,7 +482,7 @@ class _DomainMemberAndReaderTagTests(object):
         with self.test_client() as c:
             c.put(
                 '/v3/projects/%s/tags' % project['id'], headers=self.headers,
-                json=update, expected_status_code=http_client.FORBIDDEN
+                json=update, expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_project_tag_in_domain(self):
@@ -497,7 +497,7 @@ class _DomainMemberAndReaderTagTests(object):
             c.delete(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -553,7 +553,7 @@ class DomainAdminUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.put(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
-                headers=self.headers, expected_status_code=http_client.CREATED
+                headers=self.headers, expected_status_code=http.client.CREATED
             )
 
     def test_user_can_update_project_tag_in_domain(self):
@@ -570,7 +570,7 @@ class DomainAdminUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             r = c.put(
                 '/v3/projects/%s/tags' % project['id'], headers=self.headers,
-                json=update, expected_status_code=http_client.OK
+                json=update, expected_status_code=http.client.OK
             )
             self.assertTrue(len(r.json['tags']) == 1)
             self.assertEqual(new_tag, r.json['tags'][0])
@@ -688,7 +688,7 @@ class _ProjectUserTagTests(object):
             c.get(
                 '/v3/projects/%s/tags/%s' % (self.project_id, tag),
                 headers=self.headers,
-                expected_status_code=http_client.NO_CONTENT
+                expected_status_code=http.client.NO_CONTENT
             )
 
     def test_user_can_list_tags_for_project(self):
@@ -714,7 +714,7 @@ class _ProjectUserTagTests(object):
             c.put(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_tag_for_other_project(self):
@@ -731,7 +731,7 @@ class _ProjectUserTagTests(object):
         with self.test_client() as c:
             c.put(
                 '/v3/projects/%s/tags' % project['id'], headers=self.headers,
-                json=update, expected_status_code=http_client.FORBIDDEN
+                json=update, expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_tag_for_other_project(self):
@@ -747,7 +747,7 @@ class _ProjectUserTagTests(object):
             c.delete(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_get_tag_for_other_project(self):
@@ -763,7 +763,7 @@ class _ProjectUserTagTests(object):
             c.get(
                 '/v3/projects/%s/tags/%s' % (project['id'], tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_tags_for_other_project(self):
@@ -779,7 +779,7 @@ class _ProjectUserTagTests(object):
             c.get(
                 '/v3/projects/%s/tags' % project['id'],
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -791,7 +791,7 @@ class _ProjectMemberAndReaderTagTests(object):
             c.put(
                 '/v3/projects/%s/tags/%s' % (self.project_id, tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_project_tag(self):
@@ -803,7 +803,7 @@ class _ProjectMemberAndReaderTagTests(object):
         with self.test_client() as c:
             c.put(
                 '/v3/projects/%s/tags' % self.project_id, headers=self.headers,
-                json=update, expected_status_code=http_client.FORBIDDEN
+                json=update, expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_project_tag(self):
@@ -814,7 +814,7 @@ class _ProjectMemberAndReaderTagTests(object):
             c.delete(
                 '/v3/projects/%s/tags/%s' % (self.project_id, tag),
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -860,7 +860,7 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.put(
                 '/v3/projects/%s/tags/%s' % (self.project_id, tag),
-                headers=self.headers, expected_status_code=http_client.CREATED
+                headers=self.headers, expected_status_code=http.client.CREATED
             )
 
     def test_user_can_update_project_tag(self):
@@ -872,7 +872,7 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.put(
                 '/v3/projects/%s/tags' % self.project_id, headers=self.headers,
-                json=update, expected_status_code=http_client.OK
+                json=update, expected_status_code=http.client.OK
             )
 
     def test_user_can_delete_project_tag(self):

keystone/tests/protection/v3/test_projects.py

@@ -12,8 +12,8 @@
 
 import uuid
 
+import http.client
 from oslo_serialization import jsonutils
-from six.moves import http_client
 
 from keystone.common.policies import project as pp
 from keystone.common import provider_api
@@ -80,7 +80,7 @@ class _SystemUserTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/projects/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.NOT_FOUND
+                expected_status_code=http.client.NOT_FOUND
             )
 
 
@@ -97,7 +97,7 @@ class _SystemMemberAndReaderProjectTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/projects', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_projects(self):
@@ -112,7 +112,7 @@ class _SystemMemberAndReaderProjectTests(object):
             c.patch(
                 '/v3/projects/%s' % project['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_non_existent_project_forbidden(self):
@@ -122,7 +122,7 @@ class _SystemMemberAndReaderProjectTests(object):
             c.patch(
                 '/v3/projects/%s' % uuid.uuid4().hex, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_projects(self):
@@ -134,14 +134,14 @@ class _SystemMemberAndReaderProjectTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/projects/%s' % project['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_non_existent_project_forbidden(self):
         with self.test_client() as c:
             c.delete(
                 '/v3/projects/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -188,7 +188,7 @@ class _DomainUsersTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/projects/%s' % project['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_can_list_projects_for_user_in_domain(self):
@@ -237,7 +237,7 @@ class _DomainUsersTests(object):
         with self.test_client() as c:
             c.get(
                 '/v3/users/%s/projects' % user['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -250,7 +250,7 @@ class _DomainMemberAndReaderProjectTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/projects', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_projects_in_other_domains(self):
@@ -263,7 +263,7 @@ class _DomainMemberAndReaderProjectTests(object):
         with self.test_client() as c:
             c.post(
                 '/v3/projects', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_projects_within_domain(self):
@@ -278,7 +278,7 @@ class _DomainMemberAndReaderProjectTests(object):
             c.patch(
                 '/v3/projects/%s' % project['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_projects_in_other_domain(self):
@@ -293,7 +293,7 @@ class _DomainMemberAndReaderProjectTests(object):
             c.patch(
                 '/v3/projects/%s' % project['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_non_existent_project_forbidden(self):
@@ -303,7 +303,7 @@ class _DomainMemberAndReaderProjectTests(object):
             c.patch(
                 '/v3/projects/%s' % uuid.uuid4().hex, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_projects_within_domain(self):
@@ -315,7 +315,7 @@ class _DomainMemberAndReaderProjectTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/projects/%s' % project['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_projects_in_other_domain(self):
@@ -327,14 +327,14 @@ class _DomainMemberAndReaderProjectTests(object):
         with self.test_client() as c:
             c.delete(
                 '/v3/projects/%s' % project['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_non_existent_projects_forbidden(self):
         with self.test_client() as c:
             c.delete(
                 '/v3/projects/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -461,7 +461,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/projects/%s' % uuid.uuid4().hex, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.NOT_FOUND
+                expected_status_code=http.client.NOT_FOUND
             )
 
     def test_user_can_delete_projects(self):
@@ -477,7 +477,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.delete(
                 '/v3/projects/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.NOT_FOUND
+                expected_status_code=http.client.NOT_FOUND
             )
 
     def test_user_can_list_their_projects(self):
@@ -661,7 +661,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.post(
                 '/v3/projects', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_can_update_projects_within_domain(self):
@@ -690,7 +690,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/projects/%s' % project['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_non_existent_project_forbidden(self):
@@ -706,7 +706,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/projects/%s' % uuid.uuid4().hex, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_can_delete_projects_within_domain(self):
@@ -727,7 +727,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.delete(
                 '/v3/projects/%s' % project['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_non_existent_projects_forbidden(self):
@@ -740,7 +740,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.delete(
                 '/v3/projects/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
 
@@ -809,7 +809,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/projects', headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_list_projects_for_others(self):
@@ -833,7 +833,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/users/%s/projects' % user['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_can_list_their_projects(self):
@@ -860,7 +860,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.get(
                 '/v3/projects/%s' % project['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_create_projects(self):
@@ -873,7 +873,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.post(
                 '/v3/projects', json=create, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_projects(self):
@@ -888,7 +888,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/projects/%s' % project['id'], json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_update_non_existent_project_forbidden(self):
@@ -898,7 +898,7 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
             c.patch(
                 '/v3/projects/%s' % uuid.uuid4().hex, json=update,
                 headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_projects(self):
@@ -910,12 +910,12 @@ class ProjectUserTests(base_classes.TestCaseWithBootstrap,
         with self.test_client() as c:
             c.delete(
                 '/v3/projects/%s' % project['id'], headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )
 
     def test_user_cannot_delete_non_existent_project_forbidden(self):
         with self.test_client() as c:
             c.delete(
                 '/v3/projects/%s' % uuid.uuid4().hex, headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                expected_status_code=http.client.FORBIDDEN
             )