From 59e1d211a6092176836b2463f27278e0ff832381 Mon Sep 17 00:00:00 2001 From: wangxiyuan Date: Fri, 6 Jul 2018 17:24:06 +0800 Subject: [PATCH] Remove enable config option of trust feature Then `enable` config option of trust feature is depreacted in Queens. Remove it in Rocky now. Change-Id: I186b49471cb774e161ff4c35c9879a0a4fa9538f bp: removed-as-of-rocky. --- keystone/auth/core.py | 2 -- keystone/conf/trust.py | 15 ---------- keystone/tests/unit/test_v3_auth.py | 30 +------------------ keystone/tests/unit/test_v3_credential.py | 2 +- keystone/token/providers/common.py | 10 +++---- .../removed-as-of-rocky-f44c3ba7c3e73d01.yaml | 4 +++ 6 files changed, 11 insertions(+), 52 deletions(-) diff --git a/keystone/auth/core.py b/keystone/auth/core.py index 4c456f679c..40df56f021 100644 --- a/keystone/auth/core.py +++ b/keystone/auth/core.py @@ -289,8 +289,6 @@ class AuthInfo(provider_api.ProviderAPIMixin, object): domain_ref = self._lookup_domain(self.auth['scope']['domain']) self._scope_data = (domain_ref['id'], None, None, None, None) elif 'OS-TRUST:trust' in self.auth['scope']: - if not CONF.trust.enabled: - raise exception.Forbidden('Trusts are disabled.') trust_ref = self._lookup_trust( self.auth['scope']['OS-TRUST:trust']) # TODO(ayoung): when trusts support domains, fill in domain data diff --git a/keystone/conf/trust.py b/keystone/conf/trust.py index 17f59ce637..a382a49212 100644 --- a/keystone/conf/trust.py +++ b/keystone/conf/trust.py 
@@ -11,24 +11,10 @@ # under the License. from oslo_config import cfg -from oslo_log import versionutils from keystone.conf import utils -enabled = cfg.BoolOpt( - 'enabled', - default=True, - deprecated_for_removal=True, - deprecated_reason=utils.fmt(""" -Disabling the trusts API is deprecated. This option will be removed in the -next release and trusts will always be enabled. -"""), - deprecated_since=versionutils.deprecated.QUEENS, - help=utils.fmt(""" -Delegation and impersonation features using trusts can be optionally disabled. -""")) - allow_redelegation = cfg.BoolOpt( 'allow_redelegation', default=False, @@ -59,7 +45,6 @@ unless you are providing a custom entry point. GROUP_NAME = __name__.split('.')[-1] ALL_OPTS = [ - enabled, allow_redelegation, max_redelegation_count, driver, diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index fa8de81eb1..e591ee7d18 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py 
@@ -3618,31 +3618,6 @@ class TestAuthJSONExternal(test_v3.RestfulTestCase): auth_context) -class TestTrustOptional(test_v3.RestfulTestCase): - def setUp(self): - super(TestTrustOptional, self).setUp() - # TODO(morgan): remove this test case, trusts are not optional. - self.skipTest('Trusts are no longer optional.') - - def config_overrides(self): - super(TestTrustOptional, self).config_overrides() - self.config_fixture.config(group='trust', enabled=False) - - def test_trusts_returns_not_found(self): - self.get('/OS-TRUST/trusts', body={'trust': {}}, - expected_status=http_client.NOT_FOUND) - self.post('/OS-TRUST/trusts', body={'trust': {}}, - expected_status=http_client.NOT_FOUND) - - def test_auth_with_scope_in_trust_forbidden(self): - auth_data = self.build_authentication_request( - user_id=self.user['id'], - password=self.user['password'], - trust_id=uuid.uuid4().hex) - self.v3_create_token(auth_data, - expected_status=http_client.FORBIDDEN) - - class TrustAPIBehavior(test_v3.RestfulTestCase): """Redelegation valid and secure. @@ -3673,7 +3648,6 @@ class TrustAPIBehavior(test_v3.RestfulTestCase): super(TrustAPIBehavior, self).config_overrides() self.config_fixture.config( group='trust', - enabled=True, allow_redelegation=True, max_redelegation_count=10 ) @@ -4463,7 +4437,6 @@ class TestTrustChain(test_v3.RestfulTestCase): super(TestTrustChain, self).config_overrides() self.config_fixture.config( group='trust', - enabled=True, allow_redelegation=True, max_redelegation_count=10 ) @@ -4905,8 +4878,7 @@ class TestTrustAuthFernetTokenProvider(TrustAPIBehavior, TestTrustChain): self.config_fixture.config(group='token', provider='fernet', revoke_by_id=False) - self.config_fixture.config(group='trust', - enabled=True) + self.config_fixture.config(group='trust') self.useFixture( ksfixtures.KeyRepository( self.config_fixture, diff --git a/keystone/tests/unit/test_v3_credential.py b/keystone/tests/unit/test_v3_credential.py index 809c65c42a..b0b5187fee 100644 
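Review bot: The rewritten line `self.config_fixture.config(group='trust')` in the last hunk (TestTrustAuthFernetTokenProvider.config_overrides) passes no option at all, so with `enabled` gone it appears to be a no-op; remove the statement instead of keeping an empty override, and do the same for the identical call left in TestCredentialTrustScoped.config_overrides in keystone/tests/unit/test_v3_credential.py. An empty `config(group='trust')` suggests to a reader that the trust group still has something to configure there, which the commit's own conf/trust.py change says it no longer does. Both enclosing config_overrides methods continue outside their hunks, so check that nothing else in them depends on the call.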
--- a/keystone/tests/unit/test_v3_credential.py +++ b/keystone/tests/unit/test_v3_credential.py @@ -370,7 +370,7 @@ class TestCredentialTrustScoped(test_v3.RestfulTestCase): def config_overrides(self): super(TestCredentialTrustScoped, self).config_overrides() - self.config_fixture.config(group='trust', enabled=True) + self.config_fixture.config(group='trust') def test_trust_scoped_ec2_credential(self): """Test creating trust scoped ec2 credential. diff --git a/keystone/token/providers/common.py b/keystone/token/providers/common.py index 126cf27755..bb465da6c7 100644 --- a/keystone/token/providers/common.py +++ b/keystone/token/providers/common.py @@ -277,7 +277,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object): return user_ref = PROVIDERS.identity_api.get_user(user_id) - if CONF.trust.enabled and trust and 'OS-TRUST:trust' not in token_data: + if trust and 'OS-TRUST:trust' not in token_data: trustor_user_ref = (PROVIDERS.identity_api.get_user( trust['trustor_user_id'])) trustee_user_ref = (PROVIDERS.identity_api.get_user( @@ -343,7 +343,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object): token_data['roles'] = filtered_roles return - if CONF.trust.enabled and trust: + if trust: # If redelegated_trust_id is set, then we must traverse the # trust_chain in order to determine who the original trustor is. We # need to do this because the user ID of the original trustor helps @@ -366,7 +366,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object): if system or token_domain_id or token_project_id: filtered_roles = [] - if CONF.trust.enabled and trust: + if trust: # First expand out any roles that were in the trust to include # any implied roles, whether global or domain specific refs = [{'role_id': role['id']} for role in trust['roles']] 
@@ -439,7 +439,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object): # no need to repopulate service catalog return - if CONF.trust.enabled and trust: + if trust: user_id = trust['trustor_user_id'] # NOTE(lbragstad): The catalog API requires a project in order to @@ -565,7 +565,7 @@ class BaseProvider(provider_api.ProviderAPIMixin, base.Provider): 'The configured token provider does not support bind ' 'authentication.')) - if CONF.trust.enabled and trust: + if trust: if user_id != trust['trustee_user_id']: raise exception.Forbidden(_('User is not a trustee.')) diff --git a/releasenotes/notes/removed-as-of-rocky-f44c3ba7c3e73d01.yaml b/releasenotes/notes/removed-as-of-rocky-f44c3ba7c3e73d01.yaml index d2a2d11e8a..a83d3a5aed 100644 --- a/releasenotes/notes/removed-as-of-rocky-f44c3ba7c3e73d01.yaml +++ b/releasenotes/notes/removed-as-of-rocky-f44c3ba7c3e73d01.yaml @@ -14,3 +14,7 @@ other: Removed support for token bind operations, which were supported by the ``uuid``, ``pki``, and ``pkiz`` token providers. Support for this feature was deprecated in Pike. + - > + [`blueprint removed-as-of-rocky `_] + The deprecated `enable` config option of the trust feature is removed. + Trusts now is always enabled.