Remove rolling_upgrade_password_hash_compat

The config option ``rolling_upgrade_password_hash_compat`` is only used for rolling-upgrade from Ocata release to Pike release. It should be removed now. Change-Id: Ic9bb5809b40a120f92c801b8c0d37608a7976105 bp: removed-as-of-queens
2017-12-07 11:47:34 +08:00
parent 23d14f5562
commit 4783d1f194
4 changed files with 3 additions and 63 deletions
--- a/keystone/conf/identity.py
+++ b/keystone/conf/identity.py
@@ -11,7 +11,6 @@
 # under the License.

 from oslo_config import cfg
-from oslo_log import versionutils
 import passlib.utils

 from keystone.conf import utils
@@ -167,24 +166,6 @@ This option is only used when the `password_hash_algorithm` option is set
 to `scrypt`. Defaults to 1.
 """))

-# TODO(notmorgan): remove this option in Q release.
-rolling_upgrade_password_hash_compat = cfg.BoolOpt(
-    'rolling_upgrade_password_hash_compat',
-    default=False,
-    deprecated_since=versionutils.deprecated.PIKE,
-    deprecated_reason='Only used for rolling-upgrade between Ocata and Pike',
-    help=utils.fmt("""
-This option tells keystone to continue to hash passwords with the sha512_crypt
-algorithm for supporting rolling upgrades. sha512_crypt is typically more
-insecure than bcrypt, pbkdf2, and scrypt. This option should be set to
-`False` except in the case of performing a rolling upgrade where some
-Keystone servers may not know how to verify non-sha512_crypt based password
-hashes.
-
-This option will be removed in the Queens release and is only to support
-rolling upgrades from Ocata release to Pike release.
-"""))
-
 GROUP_NAME = __name__.split('.')[-1]
 ALL_OPTS = [
    default_domain_id,
@@ -201,7 +182,6 @@ ALL_OPTS = [
    scrypt_block_size,
    scrypt_paralellism,
    salt_bytesize,
-    rolling_upgrade_password_hash_compat,
 ]


--- a/keystone/identity/backends/sql_model.py
+++ b/keystone/identity/backends/sql_model.py
@@ -159,10 +159,6 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
            # different systems) to unauthorized parties.
            hashed_passwd = password_hashing.hash_password(value)

-            # TODO(notmorgan): Remove this compat code in Q release.
-            if CONF.identity.rolling_upgrade_password_hash_compat:
-                hashed_compat = password_hashing.hash_password_compat(value)
-
        new_password_ref.password_hash = hashed_passwd
        new_password_ref.password = hashed_compat
        new_password_ref.created_at = now
--- a/keystone/tests/unit/identity/test_backend_sql.py
+++ b/keystone/tests/unit/identity/test_backend_sql.py
@@ -78,45 +78,6 @@ class UserPasswordHashingTestsNoCompat(test_backend_sql.SqlTests):
            password_hashing._get_hasher_from_ident(user_ref.password))


-class UserPasswordHashingTestsWithCompat(test_backend_sql.SqlTests):
-    def config_overrides(self):
-        super(UserPasswordHashingTestsWithCompat, self).config_overrides()
-        self.config_fixture.config(
-            group='identity',
-            rolling_upgrade_password_hash_compat=True)
-
-    def test_compat_password_hashing(self):
-        with sql.session_for_read() as session:
-            user_ref = self.identity_api._get_user(session,
-                                                   self.user_foo['id'])
-        self.assertIsNotNone(user_ref.password_ref.password)
-        self.assertIsNotNone(user_ref.password_ref.password_hash)
-        self.assertEqual(user_ref.password,
-                         user_ref.password_ref.password_hash)
-        self.assertNotEqual(user_ref.password,
-                            user_ref.password_ref.password)
-        self.assertTrue(password_hashing.check_password(
-            self.user_foo['password'], user_ref.password))
-        self.assertTrue(password_hashing.check_password(
-            self.user_foo['password'], user_ref.password_ref.password))
-
-    def test_user_with_compat_password_hash_only(self):
-        with sql.session_for_write() as session:
-            user_ref = self.identity_api._get_user(session,
-                                                   self.user_foo['id'])
-            user_ref.password_ref.password_hash = None
-
-        with sql.session_for_read() as session:
-            user_ref = self.identity_api._get_user(session,
-                                                   self.user_foo['id'])
-
-        self.assertIsNone(user_ref.password_ref.password_hash)
-        self.assertIsNotNone(user_ref.password)
-        self.assertEqual(user_ref.password, user_ref.password_ref.password)
-        self.assertTrue(password_hashing.check_password(
-            self.user_foo['password'], user_ref.password))
-
-
 class UserResourceOptionTests(test_backend_sql.SqlTests):
    def setUp(self):
        super(UserResourceOptionTests, self).setUp()
--- a/releasenotes/notes/removed-as-of-queens-94c04e88c08f89aa.yaml
+++ b/releasenotes/notes/removed-as-of-queens-94c04e88c08f89aa.yaml
@@ -6,3 +6,6 @@ other:
    and will no longer create a default member role. Please create any
    additional roles you need after running ``bootstrap`` by using the
    ``openstack role create`` command.
+  - >
+    The config option ``rolling_upgrade_password_hash_compat`` is removed. It
+    is only used for rolling-upgrade from Ocata release to Pike release.