Remove enable config option of trust feature
The `enable` config option of the trust feature was deprecated in Queens. Remove it in Rocky now. Change-Id: I186b49471cb774e161ff4c35c9879a0a4fa9538f bp: removed-as-of-rocky.
parent
a44d5dc9f9
commit
59e1d211a6
@ -289,8 +289,6 @@ class AuthInfo(provider_api.ProviderAPIMixin, object):
|
|||||||
domain_ref = self._lookup_domain(self.auth['scope']['domain'])
|
domain_ref = self._lookup_domain(self.auth['scope']['domain'])
|
||||||
self._scope_data = (domain_ref['id'], None, None, None, None)
|
self._scope_data = (domain_ref['id'], None, None, None, None)
|
||||||
elif 'OS-TRUST:trust' in self.auth['scope']:
|
elif 'OS-TRUST:trust' in self.auth['scope']:
|
||||||
if not CONF.trust.enabled:
|
|
||||||
raise exception.Forbidden('Trusts are disabled.')
|
|
||||||
trust_ref = self._lookup_trust(
|
trust_ref = self._lookup_trust(
|
||||||
self.auth['scope']['OS-TRUST:trust'])
|
self.auth['scope']['OS-TRUST:trust'])
|
||||||
# TODO(ayoung): when trusts support domains, fill in domain data
|
# TODO(ayoung): when trusts support domains, fill in domain data
|
||||||
|
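Review bot: Dropping the `if not CONF.trust.enabled:` guard in the `elif 'OS-TRUST:trust' in self.auth['scope']:` branch is only safe if no other code still reads that option, because once it is unregistered in the trust conf module of this change any remaining `CONF.trust.enabled` access raises `cfg.NoSuchOptError` at runtime instead of evaluating to True. The removed `TestTrustOptional.test_trusts_returns_not_found` suggests some controller or router path once answered NOT_FOUND on `/OS-TRUST/trusts` when trusts were disabled; that path is not touched by this diff, so it is worth confirming before merge that it no longer exists or no longer consults the option. The `elif` branch now goes straight to `self._lookup_trust(...)`, which becomes the only check on the requested trust visible in this hunk; the method continues outside the hunk.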
@ -11,24 +11,10 @@
|
|||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import versionutils
|
|
||||||
|
|
||||||
from keystone.conf import utils
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
enabled = cfg.BoolOpt(
|
|
||||||
'enabled',
|
|
||||||
default=True,
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=utils.fmt("""
|
|
||||||
Disabling the trusts API is deprecated. This option will be removed in the
|
|
||||||
next release and trusts will always be enabled.
|
|
||||||
"""),
|
|
||||||
deprecated_since=versionutils.deprecated.QUEENS,
|
|
||||||
help=utils.fmt("""
|
|
||||||
Delegation and impersonation features using trusts can be optionally disabled.
|
|
||||||
"""))
|
|
||||||
|
|
||||||
allow_redelegation = cfg.BoolOpt(
|
allow_redelegation = cfg.BoolOpt(
|
||||||
'allow_redelegation',
|
'allow_redelegation',
|
||||||
default=False,
|
default=False,
|
||||||
@ -59,7 +45,6 @@ unless you are providing a custom entry point.
|
|||||||
|
|
||||||
GROUP_NAME = __name__.split('.')[-1]
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
ALL_OPTS = [
|
ALL_OPTS = [
|
||||||
enabled,
|
|
||||||
allow_redelegation,
|
allow_redelegation,
|
||||||
max_redelegation_count,
|
max_redelegation_count,
|
||||||
driver,
|
driver,
|
||||||
|
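Review bot: The option removed here is named `enabled` (the `'enabled',` literal in the deleted `cfg.BoolOpt`), but the commit title and description and the release note added at the end of this change call it `enable`; the release note line should name the option as operators will find it in their config, i.e. "The deprecated ``enabled`` config option of the trust feature is removed." and "Trusts are now always enabled." The deleted `deprecated_reason` promised removal in the release after Queens, so the Rocky removal matches the announced schedule. Dropping `from oslo_log import versionutils` is consistent with the hunk, where `deprecated_since=versionutils.deprecated.QUEENS` was its only visible use, and the matching removal of `enabled,` from `ALL_OPTS` in the second hunk keeps the option list in sync.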
@ -3618,31 +3618,6 @@ class TestAuthJSONExternal(test_v3.RestfulTestCase):
|
|||||||
auth_context)
|
auth_context)
|
||||||
|
|
||||||
|
|
||||||
class TestTrustOptional(test_v3.RestfulTestCase):
|
|
||||||
def setUp(self):
|
|
||||||
super(TestTrustOptional, self).setUp()
|
|
||||||
# TODO(morgan): remove this test case, trusts are not optional.
|
|
||||||
self.skipTest('Trusts are no longer optional.')
|
|
||||||
|
|
||||||
def config_overrides(self):
|
|
||||||
super(TestTrustOptional, self).config_overrides()
|
|
||||||
self.config_fixture.config(group='trust', enabled=False)
|
|
||||||
|
|
||||||
def test_trusts_returns_not_found(self):
|
|
||||||
self.get('/OS-TRUST/trusts', body={'trust': {}},
|
|
||||||
expected_status=http_client.NOT_FOUND)
|
|
||||||
self.post('/OS-TRUST/trusts', body={'trust': {}},
|
|
||||||
expected_status=http_client.NOT_FOUND)
|
|
||||||
|
|
||||||
def test_auth_with_scope_in_trust_forbidden(self):
|
|
||||||
auth_data = self.build_authentication_request(
|
|
||||||
user_id=self.user['id'],
|
|
||||||
password=self.user['password'],
|
|
||||||
trust_id=uuid.uuid4().hex)
|
|
||||||
self.v3_create_token(auth_data,
|
|
||||||
expected_status=http_client.FORBIDDEN)
|
|
||||||
|
|
||||||
|
|
||||||
class TrustAPIBehavior(test_v3.RestfulTestCase):
|
class TrustAPIBehavior(test_v3.RestfulTestCase):
|
||||||
"""Redelegation valid and secure.
|
"""Redelegation valid and secure.
|
||||||
|
|
||||||
@ -3673,7 +3648,6 @@ class TrustAPIBehavior(test_v3.RestfulTestCase):
|
|||||||
super(TrustAPIBehavior, self).config_overrides()
|
super(TrustAPIBehavior, self).config_overrides()
|
||||||
self.config_fixture.config(
|
self.config_fixture.config(
|
||||||
group='trust',
|
group='trust',
|
||||||
enabled=True,
|
|
||||||
allow_redelegation=True,
|
allow_redelegation=True,
|
||||||
max_redelegation_count=10
|
max_redelegation_count=10
|
||||||
)
|
)
|
||||||
@ -4463,7 +4437,6 @@ class TestTrustChain(test_v3.RestfulTestCase):
|
|||||||
super(TestTrustChain, self).config_overrides()
|
super(TestTrustChain, self).config_overrides()
|
||||||
self.config_fixture.config(
|
self.config_fixture.config(
|
||||||
group='trust',
|
group='trust',
|
||||||
enabled=True,
|
|
||||||
allow_redelegation=True,
|
allow_redelegation=True,
|
||||||
max_redelegation_count=10
|
max_redelegation_count=10
|
||||||
)
|
)
|
||||||
@ -4905,8 +4878,7 @@ class TestTrustAuthFernetTokenProvider(TrustAPIBehavior, TestTrustChain):
|
|||||||
self.config_fixture.config(group='token',
|
self.config_fixture.config(group='token',
|
||||||
provider='fernet',
|
provider='fernet',
|
||||||
revoke_by_id=False)
|
revoke_by_id=False)
|
||||||
self.config_fixture.config(group='trust',
|
self.config_fixture.config(group='trust')
|
||||||
enabled=True)
|
|
||||||
self.useFixture(
|
self.useFixture(
|
||||||
ksfixtures.KeyRepository(
|
ksfixtures.KeyRepository(
|
||||||
self.config_fixture,
|
self.config_fixture,
|
||||||
|
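Review bot: On the new side of the last hunk (`TestTrustAuthFernetTokenProvider`) the call `self.config_fixture.config(group='trust')` now sets no option at all and is a dead statement left over from deleting `enabled=True`; drop the line rather than keep a group-only override. The same dangling `self.config_fixture.config(group='trust')` is left in `TestCredentialTrustScoped.config_overrides` in the test_v3_credential hunk of this change, where the override then does nothing beyond `super(TestCredentialTrustScoped, self).config_overrides()` and the whole method can be deleted. Removing `TestTrustOptional` outright is correct, since its `setUp` already called `self.skipTest(...)` on every test, and the remaining `config_overrides` in `TrustAPIBehavior` and `TestTrustChain` still set the options that survive.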
@ -370,7 +370,7 @@ class TestCredentialTrustScoped(test_v3.RestfulTestCase):
|
|||||||
|
|
||||||
def config_overrides(self):
|
def config_overrides(self):
|
||||||
super(TestCredentialTrustScoped, self).config_overrides()
|
super(TestCredentialTrustScoped, self).config_overrides()
|
||||||
self.config_fixture.config(group='trust', enabled=True)
|
self.config_fixture.config(group='trust')
|
||||||
|
|
||||||
def test_trust_scoped_ec2_credential(self):
|
def test_trust_scoped_ec2_credential(self):
|
||||||
"""Test creating trust scoped ec2 credential.
|
"""Test creating trust scoped ec2 credential.
|
||||||
|
@ -277,7 +277,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
|
|||||||
return
|
return
|
||||||
|
|
||||||
user_ref = PROVIDERS.identity_api.get_user(user_id)
|
user_ref = PROVIDERS.identity_api.get_user(user_id)
|
||||||
if CONF.trust.enabled and trust and 'OS-TRUST:trust' not in token_data:
|
if trust and 'OS-TRUST:trust' not in token_data:
|
||||||
trustor_user_ref = (PROVIDERS.identity_api.get_user(
|
trustor_user_ref = (PROVIDERS.identity_api.get_user(
|
||||||
trust['trustor_user_id']))
|
trust['trustor_user_id']))
|
||||||
trustee_user_ref = (PROVIDERS.identity_api.get_user(
|
trustee_user_ref = (PROVIDERS.identity_api.get_user(
|
||||||
@ -343,7 +343,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
|
|||||||
token_data['roles'] = filtered_roles
|
token_data['roles'] = filtered_roles
|
||||||
return
|
return
|
||||||
|
|
||||||
if CONF.trust.enabled and trust:
|
if trust:
|
||||||
# If redelegated_trust_id is set, then we must traverse the
|
# If redelegated_trust_id is set, then we must traverse the
|
||||||
# trust_chain in order to determine who the original trustor is. We
|
# trust_chain in order to determine who the original trustor is. We
|
||||||
# need to do this because the user ID of the original trustor helps
|
# need to do this because the user ID of the original trustor helps
|
||||||
@ -366,7 +366,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
|
|||||||
|
|
||||||
if system or token_domain_id or token_project_id:
|
if system or token_domain_id or token_project_id:
|
||||||
filtered_roles = []
|
filtered_roles = []
|
||||||
if CONF.trust.enabled and trust:
|
if trust:
|
||||||
# First expand out any roles that were in the trust to include
|
# First expand out any roles that were in the trust to include
|
||||||
# any implied roles, whether global or domain specific
|
# any implied roles, whether global or domain specific
|
||||||
refs = [{'role_id': role['id']} for role in trust['roles']]
|
refs = [{'role_id': role['id']} for role in trust['roles']]
|
||||||
@ -439,7 +439,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
|
|||||||
# no need to repopulate service catalog
|
# no need to repopulate service catalog
|
||||||
return
|
return
|
||||||
|
|
||||||
if CONF.trust.enabled and trust:
|
if trust:
|
||||||
user_id = trust['trustor_user_id']
|
user_id = trust['trustor_user_id']
|
||||||
|
|
||||||
# NOTE(lbragstad): The catalog API requires a project in order to
|
# NOTE(lbragstad): The catalog API requires a project in order to
|
||||||
@ -565,7 +565,7 @@ class BaseProvider(provider_api.ProviderAPIMixin, base.Provider):
|
|||||||
'The configured token provider does not support bind '
|
'The configured token provider does not support bind '
|
||||||
'authentication.'))
|
'authentication.'))
|
||||||
|
|
||||||
if CONF.trust.enabled and trust:
|
if trust:
|
||||||
if user_id != trust['trustee_user_id']:
|
if user_id != trust['trustee_user_id']:
|
||||||
raise exception.Forbidden(_('User is not a trustee.'))
|
raise exception.Forbidden(_('User is not a trustee.'))
|
||||||
|
|
||||||
|
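Review bot: In the `BaseProvider` hunk the trustee check (`if trust:` followed by `if user_id != trust['trustee_user_id']:` and `raise exception.Forbidden(_('User is not a trustee.'))`) is now the only guard on a trust-scoped token that is visible in this hunk, and nothing in the code says so; a one-line comment such as `# A trust-scoped token may only be issued to the trust's trustee.` above the inner `if` would make that intent explicit for the next reader. The `if trust:` simplifications in the `V3TokenDataHelper` hunks are plain drops of the flag with no behavioural change once trusts are always enabled; if `CONF` was referenced only in these conditions, the module-level import may now be unused, which cannot be confirmed from this diff. The enclosing methods start and end outside the hunks.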
@ -14,3 +14,7 @@ other:
|
|||||||
Removed support for token bind operations, which were supported by the
|
Removed support for token bind operations, which were supported by the
|
||||||
``uuid``, ``pki``, and ``pkiz`` token providers. Support for this
|
``uuid``, ``pki``, and ``pkiz`` token providers. Support for this
|
||||||
feature was deprecated in Pike.
|
feature was deprecated in Pike.
|
||||||
|
- >
|
||||||
|
[`blueprint removed-as-of-rocky <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-rocky>`_]
|
||||||
|
The deprecated `enable` config option of the trust feature is removed.
|
||||||
|
Trusts now is always enabled.
|
||||||
|