Remove member_role_id/name

Remove depepated ``member_role_id`` and ``member_role_name``
config options.

Change-Id: I4a29d52da8a7b97baa0cbc52b011b3225fe6ab54
bp: removed-as-of-stein

keystone/api/roles.py

@@ -112,13 +112,7 @@ class RoleResource(ks_flask.ResourceBase):
         else:
             ENFORCER.enforce_call(action='identity:create_role')
         validation.lazy_validate(schema.role_create, role)
-        if role['name'] == CONF.member_role_name:
-            # Use the configured member role ID when creating the configured
-            # member role name. This avoids the potential of creating
-            # a "member" role with an unexpected ID.
-            role['id'] = CONF.member_role_id
-        else:
-            role = self._assign_unique_id(role)
+        role = self._assign_unique_id(role)
         role = self._normalize_dict(role)
         ref = PROVIDERS.role_api.create_role(
             role['id'], role, initiator=self.audit_initiator)

keystone/assignment/core.py

@@ -165,22 +165,6 @@ class Manager(manager.Manager):
         role_ids = list(set([x['role_id'] for x in assignment_list]))
         return PROVIDERS.role_api.list_roles_from_ids(role_ids)
 
-    def ensure_default_role(self):
-        try:
-            PROVIDERS.role_api.get_role(CONF.member_role_id)
-        except exception.RoleNotFound:
-            LOG.info("Creating the default role %s "
-                     "because it does not exist.",
-                     CONF.member_role_id)
-            role = {'id': CONF.member_role_id,
-                    'name': CONF.member_role_name}
-            try:
-                PROVIDERS.role_api.create_role(CONF.member_role_id, role)
-            except exception.Conflict:
-                LOG.info("Creating the default role %s failed because it "
-                         "was already created",
-                         CONF.member_role_id)
-
     @notifications.role_assignment('created')
     def _add_role_to_user_and_project_adapter(self, role_id, user_id=None,
                                               group_id=None, domain_id=None,

keystone/conf/default.py

@@ -21,16 +21,6 @@ This option has been deprecated in the N release and will be removed in the P
 release. Use oslo.middleware.http_proxy_to_wsgi configuration instead.
 """)
 
-
-_DEPRECATE_MEMBER_ID_AND_NAME = utils.fmt("""
-This option was used to create a default member role for keystone v2 role
-assignments, but with the removal of the v2 API it is no longer necessary to
-create this default role. This option is deprecated and will be removed in the
-S release. If you are depending on having a predictable role name and ID for
-this member role you will need to update your tooling.
-""")
-
-
 admin_token = cfg.StrOpt(
     'admin_token',
     secret=True,
@@ -101,34 +91,6 @@ values. With Fernet tokens, this can be set as low as 255. With UUID tokens,
 this should be set to 32).
 """))
 
-member_role_id = cfg.StrOpt(
-    'member_role_id',
-    default='9fe2ff9ee4384b1894a90878d3e92bab',
-    deprecated_for_removal=True,
-    deprecated_reason=_DEPRECATE_MEMBER_ID_AND_NAME,
-    deprecated_since=versionutils.deprecated.QUEENS,
-    help=utils.fmt("""
-Similar to the `[DEFAULT] member_role_name` option, this represents the default
-role ID used to associate users with their default projects in the v2 API. This
-will be used as the explicit role where one is not specified by the v2 API. You
-do not need to set this value unless you want keystone to use an existing role
-with a different ID, other than the arbitrarily defined `_member_` role (in
-which case, you should set `[DEFAULT] member_role_name` as well).
-"""))
-
-member_role_name = cfg.StrOpt(
-    'member_role_name',
-    default='_member_',
-    deprecated_for_removal=True,
-    deprecated_reason=_DEPRECATE_MEMBER_ID_AND_NAME,
-    deprecated_since=versionutils.deprecated.QUEENS,
-    help=utils.fmt("""
-This is the role name used in combination with the `[DEFAULT] member_role_id`
-option; see that option for more detail. You do not need to set this option
-unless you want keystone to use an existing role (in which case, you should set
-`[DEFAULT] member_role_id` as well).
-"""))
-
 # NOTE(lbragstad/morganfainberg): This value of 10k was measured as having an
 # approximate 30% clock-time savings over the old default of 40k.  The passlib
 # default is not static and grows over time to constantly approximate ~300ms of
@@ -245,8 +207,6 @@ ALL_OPTS = [
     max_project_tree_depth,
     max_param_size,
     max_token_size,
-    member_role_id,
-    member_role_name,
     crypt_strength,
     list_limit,
     strict_password_check,

keystone/tests/unit/test_v3_assignment.py

@@ -119,18 +119,6 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
         self.delete('/roles/%(role_id)s' % {
             'role_id': self.role_id})
 
-    def test_create_member_role(self):
-        """Call ``POST /roles``."""
-        # specify only the name on creation
-        ref = unit.new_role_ref(name=CONF.member_role_name)
-        r = self.post(
-            '/roles',
-            body={'role': ref})
-        self.assertValidRoleResponse(r, ref)
-
-        # but the ID should be set as defined in CONF
-        self.assertEqual(CONF.member_role_id, r.json['role']['id'])
-
     # Role Grants tests
 
     def test_crud_user_project_role_grants(self):

releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml

@@ -0,0 +1,6 @@
+---
+other:
+  - |
+    [`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
+    The options ``member_role_id`` and ``member_role_name`` which were
+    deprecated in Queens and only used for V2 are removed now.