Browse Source

Remove [token]/ infer_roles

infer_roles in [token] is deprecated. This patch
removes the same.

Partial-Bug: #1829453
Change-Id: If77d73eeac6db215d7710b33c6dba926c14ae2b2
changes/00/659500/8
Vishakha Agarwal 2 years ago
parent
commit
be36a939cf
4 changed files with 16 additions and 31 deletions
  1. +0
    -2
      keystone/assignment/core.py
  2. +0
    -18
      keystone/conf/token.py
  3. +11
    -11
      keystone/tests/unit/test_v3_auth.py
  4. +5
    -0
      releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml

+ 0
- 2
keystone/assignment/core.py View File

@ -646,8 +646,6 @@ class Manager(manager.Manager):
indirect['role_id'] = prior_ref['role_id']
return implied_ref
if not CONF.token.infer_roles:
return role_refs
try:
implied_roles_cache = {}
role_refs_to_check = list(role_refs)


+ 0
- 18
keystone/conf/token.py View File

@ -89,23 +89,6 @@ for tokens with a more specific scope) or to provide their credentials in every
request for a scoped token to avoid re-scoping altogether.
"""))
infer_roles = cfg.BoolOpt(
'infer_roles',
default=True,
deprecated_since=versionutils.deprecated.ROCKY,
deprecated_reason=utils.fmt("""
Default roles depend on a chain of implied role assignments. Ex: an admin user
will also have the reader and member role. By ensuring that all these roles
will always appear on the token validation response, we can improve the
simplicity and readability of policy files.
"""),
deprecated_for_removal=True,
help=utils.fmt("""
This controls whether roles should be included with tokens that are not
directly assigned to the token's scope, but are instead linked implicitly to
other role assignments.
"""))
cache_on_issue = cfg.BoolOpt(
'cache_on_issue',
default=True,
@ -144,7 +127,6 @@ ALL_OPTS = [
cache_time,
revoke_by_id,
allow_rescope_scoped_token,
infer_roles,
cache_on_issue,
allow_expired_window,
]


+ 11
- 11
keystone/tests/unit/test_v3_auth.py View File

@ -2061,11 +2061,11 @@ class TokenAPITests(object):
def test_create_implied_role_shows_in_v3_project_token(self):
# regardless of the default chosen, this should always
# test with the option set.
self.config_fixture.config(group='token', infer_roles=True)
self.config_fixture.config(group='token')
self._create_implied_role_shows_in_v3_token(False)
def test_create_implied_role_shows_in_v3_domain_token(self):
self.config_fixture.config(group='token', infer_roles=True)
self.config_fixture.config(group='token')
PROVIDERS.assignment_api.create_grant(
self.role['id'], user_id=self.user['id'],
domain_id=self.domain['id']
@ -2074,7 +2074,7 @@ class TokenAPITests(object):
self._create_implied_role_shows_in_v3_token(True)
def test_create_implied_role_shows_in_v3_system_token(self):
self.config_fixture.config(group='token', infer_roles=True)
self.config_fixture.config(group='token')
PROVIDERS.assignment_api.create_system_grant_for_user(
self.user['id'], self.role['id']
)
@ -2091,7 +2091,7 @@ class TokenAPITests(object):
self.assertEqual(2, len(token_roles))
def test_group_assigned_implied_role_shows_in_v3_token(self):
self.config_fixture.config(group='token', infer_roles=True)
self.config_fixture.config(group='token')
is_domain = False
token_roles = self._get_scoped_token_roles(is_domain)
self.assertEqual(1, len(token_roles))
@ -2130,7 +2130,7 @@ class TokenAPITests(object):
self.assertIn(implied2['id'], token_role_ids)
def test_multiple_implied_roles_show_in_v3_token(self):
self.config_fixture.config(group='token', infer_roles=True)
self.config_fixture.config(group='token')
token_roles = self._get_scoped_token_roles()
self.assertEqual(1, len(token_roles))
@ -2149,7 +2149,7 @@ class TokenAPITests(object):
self.assertIn(implied3['id'], token_role_ids)
def test_chained_implied_role_shows_in_v3_token(self):
self.config_fixture.config(group='token', infer_roles=True)
self.config_fixture.config(group='token')
token_roles = self._get_scoped_token_roles()
self.assertEqual(1, len(token_roles))
@ -2169,7 +2169,7 @@ class TokenAPITests(object):
self.assertIn(implied3['id'], token_role_ids)
def test_implied_role_disabled_by_config(self):
self.config_fixture.config(group='token', infer_roles=False)
self.config_fixture.config(group='token')
token_roles = self._get_scoped_token_roles()
self.assertEqual(1, len(token_roles))
@ -2179,12 +2179,12 @@ class TokenAPITests(object):
self._create_implied_role(implied2['id'])
token_roles = self._get_scoped_token_roles()
self.assertEqual(1, len(token_roles))
self.assertEqual(4, len(token_roles))
token_role_ids = [role['id'] for role in token_roles]
self.assertIn(prior, token_role_ids)
def test_delete_implied_role_do_not_show_in_v3_token(self):
self.config_fixture.config(group='token', infer_roles=True)
self.config_fixture.config(group='token')
token_roles = self._get_scoped_token_roles()
prior = token_roles[0]['id']
implied = self._create_implied_role(prior)
@ -2197,7 +2197,7 @@ class TokenAPITests(object):
self.assertEqual(1, len(token_roles))
def test_unrelated_implied_roles_do_not_change_v3_token(self):
self.config_fixture.config(group='token', infer_roles=True)
self.config_fixture.config(group='token')
token_roles = self._get_scoped_token_roles()
prior = token_roles[0]['id']
implied = self._create_implied_role(prior)
@ -2217,7 +2217,7 @@ class TokenAPITests(object):
self.assertEqual(2, len(token_roles))
def test_domain_specific_roles_do_not_show_v3_token(self):
self.config_fixture.config(group='token', infer_roles=True)
self.config_fixture.config(group='token')
initial_token_roles = self._get_scoped_token_roles()
new_role = self._create_role(domain_id=self.domain_id)


+ 5
- 0
releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml View File

@ -0,0 +1,5 @@
---
other:
- |
[`bug 1829453 <https://bugs.launchpad.net/keystone/+bug/1829453>`_]
The deprecated config option `infer_roles` is removed now.

Loading…
Cancel
Save