From be36a939cff21b12fe0e65f08a6cdf39ade6f292 Mon Sep 17 00:00:00 2001 From: Vishakha Agarwal Date: Thu, 16 May 2019 14:24:24 +0530 Subject: [PATCH] Remove [token]/ infer_roles infer_roles in [token] is deprecated. This patch removes the same. Partial-Bug: #1829453 Change-Id: If77d73eeac6db215d7710b33c6dba926c14ae2b2 --- keystone/assignment/core.py | 2 -- keystone/conf/token.py | 18 --------------- keystone/tests/unit/test_v3_auth.py | 22 +++++++++---------- .../removed-as-of-train-92b2942a680eb859.yaml | 5 +++++ 4 files changed, 16 insertions(+), 31 deletions(-) create mode 100644 releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py index 4e21efdbf5..cfa2fb4ef3 100644 --- a/keystone/assignment/core.py +++ b/keystone/assignment/core.py @@ -646,8 +646,6 @@ class Manager(manager.Manager): indirect['role_id'] = prior_ref['role_id'] return implied_ref - if not CONF.token.infer_roles: - return role_refs try: implied_roles_cache = {} role_refs_to_check = list(role_refs) diff --git a/keystone/conf/token.py b/keystone/conf/token.py index 2676d00e6f..5cf9d717b6 100644 --- a/keystone/conf/token.py +++ b/keystone/conf/token.py 
@@ -89,23 +89,6 @@ for tokens with a more specific scope) or to provide their credentials in every request for a scoped token to avoid re-scoping altogether. """)) -infer_roles = cfg.BoolOpt( - 'infer_roles', - default=True, - deprecated_since=versionutils.deprecated.ROCKY, - deprecated_reason=utils.fmt(""" -Default roles depend on a chain of implied role assignments. Ex: an admin user -will also have the reader and member role. By ensuring that all these roles -will always appear on the token validation response, we can improve the -simplicity and readability of policy files. -"""), - deprecated_for_removal=True, - help=utils.fmt(""" -This controls whether roles should be included with tokens that are not -directly assigned to the token's scope, but are instead linked implicitly to -other role assignments. -""")) - cache_on_issue = cfg.BoolOpt( 'cache_on_issue', default=True, @@ -144,7 +127,6 @@ ALL_OPTS = [ cache_time, revoke_by_id, allow_rescope_scoped_token, - infer_roles, cache_on_issue, allow_expired_window, ] diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index 87e9cadb65..7e6c9b58af 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py @@ -2061,11 +2061,11 @@ class TokenAPITests(object): def test_create_implied_role_shows_in_v3_project_token(self): # regardless of the default chosen, this should always # test with the option set. - self.config_fixture.config(group='token', infer_roles=True) + self.config_fixture.config(group='token') self._create_implied_role_shows_in_v3_token(False) def test_create_implied_role_shows_in_v3_domain_token(self): - self.config_fixture.config(group='token', infer_roles=True) + self.config_fixture.config(group='token') PROVIDERS.assignment_api.create_grant( self.role['id'], user_id=self.user['id'], domain_id=self.domain['id'] 
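Review bot: `self.config_fixture.config(group='token')` in test_create_implied_role_shows_in_v3_project_token and test_create_implied_role_shows_in_v3_domain_token no longer passes any option, so it appears to override nothing and only hides what the test depends on. Delete the call rather than leaving it as a stub. The comment above the first one, `# regardless of the default chosen, this should always test with the option set.`, describes an option this patch removes and should go with it. The same leftover call is repeated in the later hunks of this file (the system-token, group-assigned, multiple, chained, delete, unrelated and domain-specific role tests). The TokenAPITests class body starts and ends outside the hunk.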
@@ -2074,7 +2074,7 @@ class TokenAPITests(object): self._create_implied_role_shows_in_v3_token(True) def test_create_implied_role_shows_in_v3_system_token(self): - self.config_fixture.config(group='token', infer_roles=True) + self.config_fixture.config(group='token') PROVIDERS.assignment_api.create_system_grant_for_user( self.user['id'], self.role['id'] ) @@ -2091,7 +2091,7 @@ class TokenAPITests(object): self.assertEqual(2, len(token_roles)) def test_group_assigned_implied_role_shows_in_v3_token(self): - self.config_fixture.config(group='token', infer_roles=True) + self.config_fixture.config(group='token') is_domain = False token_roles = self._get_scoped_token_roles(is_domain) self.assertEqual(1, len(token_roles)) @@ -2130,7 +2130,7 @@ class TokenAPITests(object): self.assertIn(implied2['id'], token_role_ids) def test_multiple_implied_roles_show_in_v3_token(self): - self.config_fixture.config(group='token', infer_roles=True) + self.config_fixture.config(group='token') token_roles = self._get_scoped_token_roles() self.assertEqual(1, len(token_roles)) @@ -2149,7 +2149,7 @@ class TokenAPITests(object): self.assertIn(implied3['id'], token_role_ids) def test_chained_implied_role_shows_in_v3_token(self): - self.config_fixture.config(group='token', infer_roles=True) + self.config_fixture.config(group='token') token_roles = self._get_scoped_token_roles() self.assertEqual(1, len(token_roles)) @@ -2169,7 +2169,7 @@ class TokenAPITests(object): self.assertIn(implied3['id'], token_role_ids) def test_implied_role_disabled_by_config(self): - self.config_fixture.config(group='token', infer_roles=False) + self.config_fixture.config(group='token') token_roles = self._get_scoped_token_roles() self.assertEqual(1, len(token_roles)) 
@@ -2179,12 +2179,12 @@ class TokenAPITests(object): self._create_implied_role(implied2['id']) token_roles = self._get_scoped_token_roles() - self.assertEqual(1, len(token_roles)) + self.assertEqual(4, len(token_roles)) token_role_ids = [role['id'] for role in token_roles] self.assertIn(prior, token_role_ids) def test_delete_implied_role_do_not_show_in_v3_token(self): - self.config_fixture.config(group='token', infer_roles=True) + self.config_fixture.config(group='token') token_roles = self._get_scoped_token_roles() prior = token_roles[0]['id'] implied = self._create_implied_role(prior) @@ -2197,7 +2197,7 @@ class TokenAPITests(object): self.assertEqual(1, len(token_roles)) def test_unrelated_implied_roles_do_not_change_v3_token(self): - self.config_fixture.config(group='token', infer_roles=True) + self.config_fixture.config(group='token') token_roles = self._get_scoped_token_roles() prior = token_roles[0]['id'] implied = self._create_implied_role(prior) @@ -2217,7 +2217,7 @@ class TokenAPITests(object): self.assertEqual(2, len(token_roles)) def test_domain_specific_roles_do_not_show_v3_token(self): - self.config_fixture.config(group='token', infer_roles=True) + self.config_fixture.config(group='token') initial_token_roles = self._get_scoped_token_roles() new_role = self._create_role(domain_id=self.domain_id) diff --git a/releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml b/releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml new file mode 100644 index 0000000000..2db0cc9a70 --- /dev/null +++ b/releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml @@ -0,0 +1,5 @@ +--- +other: + - | + [`bug 1829453 `_] + The deprecated config option `infer_roles` is removed now.
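Review bot: test_implied_role_disabled_by_config now ends in `self.assertEqual(4, len(token_roles))`, the opposite of what its name promises, and it still checks only `prior` among the returned ids. Either drop it as a duplicate of test_multiple_implied_roles_show_in_v3_token, or rename it (for example `test_implied_roles_always_expanded_in_v3_token`) and assert that the implied role ids are present as well. The test starts in the previous hunk. The change from 1 to 4 also marks a behaviour change worth recording: with the `if not CONF.token.infer_roles:` guard removed from keystone/assignment/core.py, a deployment that ran with `infer_roles=False` will issue tokens carrying every implied role after upgrade, which can widen what existing policy rules grant. The release note files the removal under `other:` and does not mention that effect, so an `upgrade:` entry saying so would let operators review their implied-role chains before upgrading.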