Revert "Resource backend is SQL only now"

This reverts commit 3d46c8a5d93529b4050bab635486cfa6b05c9a85.

In the last commit, the foreign key constraints between the project
table and other tables were dropped, which allows us to restore the
configurability of the resource driver.

Change-Id: Iba4951e2d3965be5acec705385967d312456f1c7

keystone/conf/resource.py

@@ -11,7 +11,6 @@
 # under the License.
 
 from oslo_config import cfg
-from oslo_log import versionutils
 
 from keystone.conf import utils
 
@@ -19,13 +18,6 @@ from keystone.conf import utils
 driver = cfg.StrOpt(
     'driver',
     default='sql',
-    deprecated_for_removal=True,
-    deprecated_reason='Non-SQL resource cannot be used with SQL Identity and '
-                      'has been unable to be used since Ocata. SQL Resource '
-                      'backend is a requirement as of Pike. Setting this '
-                      'option no longer has an effect on how Keystone '
-                      'operates.',
-    deprecated_since=versionutils.deprecated.PIKE,
     help=utils.fmt("""
 Entry point for the resource driver in the `keystone.resource` namespace. Only
 a `sql` driver is supplied by keystone. Unless you are writing proprietary

keystone/resource/backends/sql.py

@@ -26,8 +26,6 @@ LOG = log.getLogger(__name__)
 
 
 class Resource(base.ResourceDriverBase):
-    # TODO(morgan): Merge all of this code into the manager, Resource backend
-    # is only SQL. There is no configurable driver.
 
     def _encode_domain_id(self, ref):
         if 'domain_id' in ref and ref['domain_id'] is None:

keystone/resource/core.py

@@ -27,7 +27,6 @@ from keystone import exception
 from keystone.i18n import _
 from keystone import notifications
 from keystone.resource.backends import base
-from keystone.resource.backends import sql as resource_sql
 from keystone.token import provider as token_provider
 
 CONF = keystone.conf.CONF
@@ -55,14 +54,8 @@ class Manager(manager.Manager):
     _PROJECT_TAG = 'project tag'
 
     def __init__(self):
-        # NOTE(morgan): The resource driver must be SQL. This is because there
-        # is a FK between identity and resource. Almost every deployment uses
-        # SQL Identity in some form. Even if SQL Identity is not used, there
-        # is almost no reason to have non-SQL Resource. Keystone requires
-        # SQL in a number of ways, this simply codifies it plainly for resource
-        # the driver_name = None simply implies we don't need to load a driver.
-        self.driver = resource_sql.Resource()
-        super(Manager, self).__init__(driver_name=None)
+        resource_driver = CONF.resource.driver
+        super(Manager, self).__init__(resource_driver)
 
     def _get_hierarchy_depth(self, parents_list):
         return len(parents_list) + 1

keystone/tests/unit/test_backend_ldap.py

@@ -1124,7 +1124,8 @@ class LDAPIdentity(BaseLDAPIdentity):
     def assert_backends(self):
         _assert_backends(self,
                          assignment='sql',
-                         identity='ldap')
+                         identity='ldap',
+                         resource='sql')
 
     def test_list_domains(self):
         domains = PROVIDERS.resource_api.list_domains()
@@ -1988,7 +1989,8 @@ class LDAPLimitTests(unit.TestCase, identity_tests.LimitTests):
         identity_tests.LimitTests.setUp(self)
         _assert_backends(self,
                          assignment='sql',
-                         identity='ldap')
+                         identity='ldap',
+                         resource='sql')
 
     def config_overrides(self):
         super(LDAPLimitTests, self).config_overrides()
@@ -2493,7 +2495,8 @@ class MultiLDAPandSQLIdentity(BaseLDAPIdentity, unit.SQLDriverOverrides,
                              self.domain_default['id']: 'ldap',
                              self.domains['domain1']['id']: 'ldap',
                              self.domains['domain2']['id']: 'ldap',
-                         })
+                         },
+                         resource='sql')
 
     def config_overrides(self):
         super(MultiLDAPandSQLIdentity, self).config_overrides()
@@ -2816,7 +2819,8 @@ class MultiLDAPandSQLIdentityDomainConfigsInSQL(MultiLDAPandSQLIdentity):
                              self.domain_default['id']: 'ldap',
                              self.domains['domain1']['id']: 'ldap',
                              self.domains['domain2']['id']: 'ldap',
-                         })
+                         },
+                         resource='sql')
 
     def enable_multi_domain(self):
         # The values below are the same as in the domain_configs_multi_ldap
@@ -3062,7 +3066,8 @@ class DomainSpecificLDAPandSQLIdentity(
                 None: 'ldap',
                 'default': 'ldap',
                 self.domains['domain1']['id']: 'sql',
-            })
+            },
+            resource='sql')
 
     def config_overrides(self):
         super(DomainSpecificLDAPandSQLIdentity, self).config_overrides()
@@ -3236,7 +3241,8 @@ class DomainSpecificSQLIdentity(DomainSpecificLDAPandSQLIdentity):
     def assert_backends(self):
         _assert_backends(self,
                          assignment='sql',
-                         identity='ldap')
+                         identity='ldap',
+                         resource='sql')
 
     def config_overrides(self):
         super(DomainSpecificSQLIdentity, self).config_overrides()

releasenotes/notes/resource-driver-33793dd5080ee4d2.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Restores the configurability of the resource driver, so it is now possible
+    to create a custom resource driver if the built-in sql driver does not meet
+    business requirements.

setup.cfg

@@ -137,6 +137,9 @@ keystone.policy =
     rules = keystone.policy.backends.rules:Policy
     sql = keystone.policy.backends.sql:Policy
 
+keystone.resource =
+    sql = keystone.resource.backends.sql:Resource
+
 keystone.resource.domain_config =
     sql = keystone.resource.config_backends.sql:DomainConfig