Remove enable config option of trust feature

Then `enable` config option of trust feature is depreacted in
Queens. Remove it in Rocky now.

Change-Id: I186b49471cb774e161ff4c35c9879a0a4fa9538f
bp: removed-as-of-rocky.
This commit is contained in:
wangxiyuan 2018-07-06 17:24:06 +08:00
parent a44d5dc9f9
commit 59e1d211a6
6 changed files with 11 additions and 52 deletions

View File

@ -289,8 +289,6 @@ class AuthInfo(provider_api.ProviderAPIMixin, object):
domain_ref = self._lookup_domain(self.auth['scope']['domain'])
self._scope_data = (domain_ref['id'], None, None, None, None)
elif 'OS-TRUST:trust' in self.auth['scope']:
if not CONF.trust.enabled:
raise exception.Forbidden('Trusts are disabled.')
trust_ref = self._lookup_trust(
self.auth['scope']['OS-TRUST:trust'])
# TODO(ayoung): when trusts support domains, fill in domain data

View File

@ -11,24 +11,10 @@
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
enabled = cfg.BoolOpt(
'enabled',
default=True,
deprecated_for_removal=True,
deprecated_reason=utils.fmt("""
Disabling the trusts API is deprecated. This option will be removed in the
next release and trusts will always be enabled.
"""),
deprecated_since=versionutils.deprecated.QUEENS,
help=utils.fmt("""
Delegation and impersonation features using trusts can be optionally disabled.
"""))
allow_redelegation = cfg.BoolOpt(
'allow_redelegation',
default=False,
@ -59,7 +45,6 @@ unless you are providing a custom entry point.
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
enabled,
allow_redelegation,
max_redelegation_count,
driver,

View File

@ -3618,31 +3618,6 @@ class TestAuthJSONExternal(test_v3.RestfulTestCase):
auth_context)
class TestTrustOptional(test_v3.RestfulTestCase):
def setUp(self):
super(TestTrustOptional, self).setUp()
# TODO(morgan): remove this test case, trusts are not optional.
self.skipTest('Trusts are no longer optional.')
def config_overrides(self):
super(TestTrustOptional, self).config_overrides()
self.config_fixture.config(group='trust', enabled=False)
def test_trusts_returns_not_found(self):
self.get('/OS-TRUST/trusts', body={'trust': {}},
expected_status=http_client.NOT_FOUND)
self.post('/OS-TRUST/trusts', body={'trust': {}},
expected_status=http_client.NOT_FOUND)
def test_auth_with_scope_in_trust_forbidden(self):
auth_data = self.build_authentication_request(
user_id=self.user['id'],
password=self.user['password'],
trust_id=uuid.uuid4().hex)
self.v3_create_token(auth_data,
expected_status=http_client.FORBIDDEN)
class TrustAPIBehavior(test_v3.RestfulTestCase):
"""Redelegation valid and secure.
@ -3673,7 +3648,6 @@ class TrustAPIBehavior(test_v3.RestfulTestCase):
super(TrustAPIBehavior, self).config_overrides()
self.config_fixture.config(
group='trust',
enabled=True,
allow_redelegation=True,
max_redelegation_count=10
)
@ -4463,7 +4437,6 @@ class TestTrustChain(test_v3.RestfulTestCase):
super(TestTrustChain, self).config_overrides()
self.config_fixture.config(
group='trust',
enabled=True,
allow_redelegation=True,
max_redelegation_count=10
)
@ -4905,8 +4878,7 @@ class TestTrustAuthFernetTokenProvider(TrustAPIBehavior, TestTrustChain):
self.config_fixture.config(group='token',
provider='fernet',
revoke_by_id=False)
self.config_fixture.config(group='trust',
enabled=True)
self.config_fixture.config(group='trust')
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,

View File

@ -370,7 +370,7 @@ class TestCredentialTrustScoped(test_v3.RestfulTestCase):
def config_overrides(self):
super(TestCredentialTrustScoped, self).config_overrides()
self.config_fixture.config(group='trust', enabled=True)
self.config_fixture.config(group='trust')
def test_trust_scoped_ec2_credential(self):
"""Test creating trust scoped ec2 credential.

View File

@ -277,7 +277,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
return
user_ref = PROVIDERS.identity_api.get_user(user_id)
if CONF.trust.enabled and trust and 'OS-TRUST:trust' not in token_data:
if trust and 'OS-TRUST:trust' not in token_data:
trustor_user_ref = (PROVIDERS.identity_api.get_user(
trust['trustor_user_id']))
trustee_user_ref = (PROVIDERS.identity_api.get_user(
@ -343,7 +343,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
token_data['roles'] = filtered_roles
return
if CONF.trust.enabled and trust:
if trust:
# If redelegated_trust_id is set, then we must traverse the
# trust_chain in order to determine who the original trustor is. We
# need to do this because the user ID of the original trustor helps
@ -366,7 +366,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
if system or token_domain_id or token_project_id:
filtered_roles = []
if CONF.trust.enabled and trust:
if trust:
# First expand out any roles that were in the trust to include
# any implied roles, whether global or domain specific
refs = [{'role_id': role['id']} for role in trust['roles']]
@ -439,7 +439,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
# no need to repopulate service catalog
return
if CONF.trust.enabled and trust:
if trust:
user_id = trust['trustor_user_id']
# NOTE(lbragstad): The catalog API requires a project in order to
@ -565,7 +565,7 @@ class BaseProvider(provider_api.ProviderAPIMixin, base.Provider):
'The configured token provider does not support bind '
'authentication.'))
if CONF.trust.enabled and trust:
if trust:
if user_id != trust['trustee_user_id']:
raise exception.Forbidden(_('User is not a trustee.'))

View File

@ -14,3 +14,7 @@ other:
Removed support for token bind operations, which were supported by the
``uuid``, ``pki``, and ``pkiz`` token providers. Support for this
feature was deprecated in Pike.
- >
[`blueprint removed-as-of-rocky <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-rocky>`_]
The deprecated `enable` config option of the trust feature is removed.
Trusts now is always enabled.