Merge "Remove member_role_id/name"

Zuul 2018-09-07 22:48:03 +00:00 committed by Gerrit Code Review
commit b8b52a3355
5 changed files with 7 additions and 75 deletions


@ -112,13 +112,7 @@ class RoleResource(ks_flask.ResourceBase):
else:
ENFORCER.enforce_call(action='identity:create_role')
validation.lazy_validate(schema.role_create, role)
if role['name'] == CONF.member_role_name:
# Use the configured member role ID when creating the configured
# member role name. This avoids the potential of creating
# a "member" role with an unexpected ID.
role['id'] = CONF.member_role_id
else:
role = self._assign_unique_id(role)
role = self._assign_unique_id(role)
role = self._normalize_dict(role)
ref = PROVIDERS.role_api.create_role(
role['id'], role, initiator=self.audit_initiator)
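Review bot: The now-unconditional `role = self._assign_unique_id(role)` gives a role created under the formerly configured member role name a generated ID like any other role, and nothing at this call site says that the ID is no longer predictable. Policy files or provisioning scripts that reference the old default ID would presumably stop matching newly created roles without raising any error. A one-line comment such as `# Role IDs are always generated; no role name maps to a fixed ID.` would record this. Since this changes operator-visible behaviour, the release note may fit better under `upgrade` than `other`. The enclosing method begins outside the hunk (the leading `else:` pairs with an `if` that is not shown), so how a client-supplied `id` in the request body is handled cannot be confirmed from here.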


@ -165,22 +165,6 @@ class Manager(manager.Manager):
role_ids = list(set([x['role_id'] for x in assignment_list]))
return PROVIDERS.role_api.list_roles_from_ids(role_ids)
def ensure_default_role(self):
try:
PROVIDERS.role_api.get_role(CONF.member_role_id)
except exception.RoleNotFound:
LOG.info("Creating the default role %s "
"because it does not exist.",
CONF.member_role_id)
role = {'id': CONF.member_role_id,
'name': CONF.member_role_name}
try:
PROVIDERS.role_api.create_role(CONF.member_role_id, role)
except exception.Conflict:
LOG.info("Creating the default role %s failed because it "
"was already created",
CONF.member_role_id)
@notifications.role_assignment('created')
def _add_role_to_user_and_project_adapter(self, role_id, user_id=None,
group_id=None, domain_id=None,


@ -21,16 +21,6 @@ This option has been deprecated in the N release and will be removed in the P
release. Use oslo.middleware.http_proxy_to_wsgi configuration instead.
""")
_DEPRECATE_MEMBER_ID_AND_NAME = utils.fmt("""
This option was used to create a default member role for keystone v2 role
assignments, but with the removal of the v2 API it is no longer necessary to
create this default role. This option is deprecated and will be removed in the
S release. If you are depending on having a predictable role name and ID for
this member role you will need to update your tooling.
""")
admin_token = cfg.StrOpt(
'admin_token',
secret=True,
@ -101,34 +91,6 @@ values. With Fernet tokens, this can be set as low as 255. With UUID tokens,
this should be set to 32).
"""))
member_role_id = cfg.StrOpt(
'member_role_id',
default='9fe2ff9ee4384b1894a90878d3e92bab',
deprecated_for_removal=True,
deprecated_reason=_DEPRECATE_MEMBER_ID_AND_NAME,
deprecated_since=versionutils.deprecated.QUEENS,
help=utils.fmt("""
Similar to the `[DEFAULT] member_role_name` option, this represents the default
role ID used to associate users with their default projects in the v2 API. This
will be used as the explicit role where one is not specified by the v2 API. You
do not need to set this value unless you want keystone to use an existing role
with a different ID, other than the arbitrarily defined `_member_` role (in
which case, you should set `[DEFAULT] member_role_name` as well).
"""))
member_role_name = cfg.StrOpt(
'member_role_name',
default='_member_',
deprecated_for_removal=True,
deprecated_reason=_DEPRECATE_MEMBER_ID_AND_NAME,
deprecated_since=versionutils.deprecated.QUEENS,
help=utils.fmt("""
This is the role name used in combination with the `[DEFAULT] member_role_id`
option; see that option for more detail. You do not need to set this option
unless you want keystone to use an existing role (in which case, you should set
`[DEFAULT] member_role_id` as well).
"""))
# NOTE(lbragstad/morganfainberg): This value of 10k was measured as having an
# approximate 30% clock-time savings over the old default of 40k. The passlib
# default is not static and grows over time to constantly approximate ~300ms of
@ -245,8 +207,6 @@ ALL_OPTS = [
max_project_tree_depth,
max_param_size,
max_token_size,
member_role_id,
member_role_name,
crypt_strength,
list_limit,
strict_password_check,


@ -119,18 +119,6 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.delete('/roles/%(role_id)s' % {
'role_id': self.role_id})
def test_create_member_role(self):
"""Call ``POST /roles``."""
# specify only the name on creation
ref = unit.new_role_ref(name=CONF.member_role_name)
r = self.post(
'/roles',
body={'role': ref})
self.assertValidRoleResponse(r, ref)
# but the ID should be set as defined in CONF
self.assertEqual(CONF.member_role_id, r.json['role']['id'])
# Role Grants tests
def test_crud_user_project_role_grants(self):


@ -0,0 +1,6 @@
---
other:
- |
[`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
The options ``member_role_id`` and ``member_role_name`` which were
deprecated in Queens and only used for V2 are removed now.