Remove LDAP Role Backend

The LDAP Role Backend has been removed without the normal deprecation notice in-code however, the Role backend was explicitly called out when the deprecation announcement occured[1] and was explicitly included as part of the deprecation of "assignment"-based LDAP. The LDAP Role backend is not very useful without the other parts of the assignment backend that were deprecated and removed. [1] http://lists.openstack.org/pipermail/openstack/2015-January/011337.html Change-Id: I1bd02d5834814959a93601fe53f115d0f9cc08a8 bp: removed-as-of-mitaka
2015-10-07 00:27:43 -07:00 · 2015-10-07 00:27:43 -07:00 · d78fcc361e
parent e6efbe62b8
commit d78fcc361e
6 changed files with 4 additions and 278 deletions
--- a/keystone/assignment/role_backends/ldap.py
+++ b/keystone/assignment/role_backends/ldap.py
@ -1,157 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from __future__ import absolute_import
-
-from oslo_config import cfg
-from oslo_log import versionutils
-
-from keystone import assignment
-from keystone.common import ldap as common_ldap
-from keystone.common import models
-from keystone import exception
-from keystone.i18n import _
-from keystone.identity.backends import ldap as ldap_identity
-
-
-CONF = cfg.CONF
-
-
-class Role(assignment.RoleDriverV9):
-    @versionutils.deprecated(
-        versionutils.deprecated.MITAKA,
-        what='ldap role',
-        in_favor_of='sql role backend')
-    def __init__(self):
-        super(Role, self).__init__()
-        self.LDAP_URL = CONF.ldap.url
-        self.LDAP_USER = CONF.ldap.user
-        self.LDAP_PASSWORD = CONF.ldap.password
-        self.suffix = CONF.ldap.suffix
-
-        # This is the only deep dependency from resource back
-        # to identity.  The assumption is that if you are using
-        # LDAP for resource, you are using it for identity as well.
-        self.user = ldap_identity.UserApi(CONF)
-        self.role = RoleApi(CONF, self.user)
-
-    def get_role(self, role_id):
-        return self.role.get(role_id)
-
-    def list_roles(self, hints):
-        return self.role.get_all()
-
-    def list_roles_from_ids(self, ids):
-        return [self.get_role(id) for id in ids]
-
-    def create_role(self, role_id, role):
-        self.role.check_allow_create()
-        try:
-            self.get_role(role_id)
-        except exception.NotFound:  # nosec
-            # The call to self.get_role() raises this exception when a role
-            # with the given ID doesn't exist. This was done to ensure that
-            # a role with the new role's ID doesn't already exist. As such this
-            # exception is expected to happen in the normal case. The abnormal
-            # case would be if the role does already exist. So this exception
-            # is expected to be ignored and there's no security issue with
-            # ignoring it.
-            pass
-        else:
-            msg = _('Duplicate ID, %s.') % role_id
-            raise exception.Conflict(type='role', details=msg)
-
-        try:
-            self.role.get_by_name(role['name'])
-        except exception.NotFound:  # nosec
-            # The call to self.role.get_by_name() raises this exception when a
-            # role with the given name doesn't exist. This was done to ensure
-            # that a role with the new role's name doesn't already exist. As
-            # such this exception is expected to happen in the normal case. The
-            # abnormal case would be if a role with the same name does already
-            # exist. So this exception is expected to be ignored and there's no
-            # security issue with ignoring it.
-            pass
-        else:
-            msg = _('Duplicate name, %s.') % role['name']
-            raise exception.Conflict(type='role', details=msg)
-
-        return self.role.create(role)
-
-    def delete_role(self, role_id):
-        self.role.check_allow_delete()
-        return self.role.delete(role_id)
-
-    def update_role(self, role_id, role):
-        self.role.check_allow_update()
-        self.get_role(role_id)
-        return self.role.update(role_id, role)
-
-    def create_implied_role(self, prior_role_id, implied_role_id):
-        raise exception.NotImplemented()  # pragma: no cover
-
-    def delete_implied_role(self, prior_role_id, implied_role_id):
-        raise exception.NotImplemented()  # pragma: no cover
-
-    def list_implied_roles(self, prior_role_id):
-        raise exception.NotImplemented()  # pragma: no cover
-
-    def list_role_inference_rules(self):
-        raise exception.NotImplemented()  # pragma: no cover
-
-    def get_implied_role(self, prior_role_id, implied_role_id):
-        raise exception.NotImplemented()  # pragma: no cover
-
-
-# NOTE(henry-nash): A mixin class to enable the sharing of the LDAP structure
-# between here and the assignment LDAP.
-class RoleLdapStructureMixin(object):
-    DEFAULT_OU = 'ou=Roles'
-    DEFAULT_STRUCTURAL_CLASSES = []
-    DEFAULT_OBJECTCLASS = 'organizationalRole'
-    DEFAULT_MEMBER_ATTRIBUTE = 'roleOccupant'
-    NotFound = exception.RoleNotFound
-    options_name = 'role'
-    attribute_options_names = {'name': 'name'}
-    immutable_attrs = ['id']
-    model = models.Role
-
-
-# TODO(termie): turn this into a data object and move logic to driver
-class RoleApi(RoleLdapStructureMixin, common_ldap.BaseLdap):
-
-    def __init__(self, conf, user_api):
-        super(RoleApi, self).__init__(conf)
-        self._user_api = user_api
-
-    def get(self, role_id, role_filter=None):
-        model = super(RoleApi, self).get(role_id, role_filter)
-        return model
-
-    def create(self, values):
-        return super(RoleApi, self).create(values)
-
-    def update(self, role_id, role):
-        new_name = role.get('name')
-        if new_name is not None:
-            try:
-                old_role = self.get_by_name(new_name)
-                if old_role['id'] != role_id:
-                    raise exception.Conflict(
-                        _('Cannot duplicate name %s') % old_role)
-            except exception.NotFound:  # nosec
-                # Another role with the same name doesn't exist, good.
-                pass
-        return super(RoleApi, self).update(role_id, role)
-
-    def delete(self, role_id):
-        super(RoleApi, self).delete(role_id)
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@ -646,47 +646,6 @@ FILE_OPTIONS = {
                         'mapping format is <ldap_attr>:<user_attr>, where '
                         'ldap_attr is the attribute in the LDAP entry and '
                         'user_attr is the Identity API attribute.'),
-
-        cfg.StrOpt('role_tree_dn',
-                   deprecated_for_removal=True,
-                   help='Search base for roles. '
-                        'Defaults to the suffix value.'),
-        cfg.StrOpt('role_filter',
-                   deprecated_for_removal=True,
-                   help='LDAP search filter for roles.'),
-        cfg.StrOpt('role_objectclass', default='organizationalRole',
-                   deprecated_for_removal=True,
-                   help='LDAP objectclass for roles.'),
-        cfg.StrOpt('role_id_attribute', default='cn',
-                   deprecated_for_removal=True,
-                   help='LDAP attribute mapped to role id.'),
-        cfg.StrOpt('role_name_attribute', default='ou',
-                   deprecated_for_removal=True,
-                   help='LDAP attribute mapped to role name.'),
-        cfg.StrOpt('role_member_attribute', default='roleOccupant',
-                   deprecated_for_removal=True,
-                   help='LDAP attribute mapped to role membership.'),
-        cfg.ListOpt('role_attribute_ignore', default=[],
-                    deprecated_for_removal=True,
-                    help='List of attributes stripped off the role on '
-                         'update.'),
-        cfg.BoolOpt('role_allow_create', default=True,
-                    deprecated_for_removal=True,
-                    help='Allow role creation in LDAP backend.'),
-        cfg.BoolOpt('role_allow_update', default=True,
-                    deprecated_for_removal=True,
-                    help='Allow role update in LDAP backend.'),
-        cfg.BoolOpt('role_allow_delete', default=True,
-                    deprecated_for_removal=True,
-                    help='Allow role deletion in LDAP backend.'),
-        cfg.ListOpt('role_additional_attribute_mapping',
-                    deprecated_for_removal=True,
-                    default=[],
-                    help='Additional attribute mappings for roles. Attribute '
-                         'mapping format is <ldap_attr>:<user_attr>, where '
-                         'ldap_attr is the attribute in the LDAP entry and '
-                         'user_attr is the Identity API attribute.'),
-
        cfg.StrOpt('group_tree_dn',
                   help='Search base for groups. '
                        'Defaults to the suffix value.'),
--- a/keystone/tests/unit/backend/role/test_ldap.py
+++ b/keystone/tests/unit/backend/role/test_ldap.py
@ -1,72 +0,0 @@
-# -*- coding: utf-8 -*-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_config import cfg
-
-from keystone.tests import unit
-from keystone.tests.unit.backend import core_ldap
-from keystone.tests.unit.backend.role import core as core_role
-
-
-CONF = cfg.CONF
-
-
-class LdapRoleCommon(core_ldap.BaseBackendLdapCommon, core_role.RoleTests):
-    """Tests that should be run in every LDAP configuration.
-
-    Include additional tests that are unique to LDAP (or need to be overridden)
-    which should be run for all the various LDAP configurations we test.
-
-    """
-
-    pass
-
-
-class LdapRole(LdapRoleCommon, core_ldap.BaseBackendLdap, unit.TestCase):
-    """Test in an all-LDAP configuration.
-
-    Include additional tests that are unique to LDAP (or need to be overridden)
-    which only need to be run in a basic LDAP configurations.
-
-    """
-
-    def test_configurable_allowed_role_actions(self):
-        self.skipTest("An all-LDAP configuration is no longer supported")
-
-    def test_configurable_forbidden_role_actions(self):
-        self.skipTest("An all-LDAP configuration is no longer supported")
-
-    def test_role_filter(self):
-        self.skipTest("An all-LDAP configuration is no longer supported")
-
-    def test_role_attribute_mapping(self):
-        self.skipTest("An all-LDAP configuration is no longer supported")
-
-    def test_role_attribute_ignore(self):
-        self.skipTest("An all-LDAP configuration is no longer supported")
-
-
-class LdapIdentitySqlEverythingElseRole(
-    core_ldap.BaseBackendLdapIdentitySqlEverythingElse, LdapRoleCommon,
-        unit.TestCase):
-    """Test Identity in LDAP, Everything else in SQL."""
-
-    pass
-
-
-class LdapIdentitySqlEverythingElseWithMappingRole(
-    LdapIdentitySqlEverythingElseRole,
-        core_ldap.BaseBackendLdapIdentitySqlEverythingElseWithMapping):
-    """Test ID mapping of default LDAP backend."""
-
-    pass
--- a/releasenotes/notes/deprecate-ldap-role-ad28dce16863bbb1.yaml
+++ b/releasenotes/notes/deprecate-ldap-role-ad28dce16863bbb1.yaml
@ -1,7 +0,0 @@
---
-deprecations:
-  - >
-    [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
-    Deprecated the LDAP backend for the *role* driver. The keystone team
-    suggests using the SQL backend instead. The LDAP role backend will be
-    removed in the 'O' release.
--- a/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml
+++ b/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml
@ -34,3 +34,7 @@ other:
    [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
    The LDAP backend for Resource has been removed. This was deprecated in
    the Kilo release.
+  - >
+    [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+    The LDAP backend for Role has been removed. This was deprecated in the
+    Kilo release.
--- a/setup.cfg
+++ b/setup.cfg
@ -133,7 +133,6 @@ keystone.resource.domain_config =
    sql = keystone.resource.config_backends.sql:DomainConfig

 keystone.role =
-    ldap = keystone.assignment.role_backends.ldap:Role
    sql = keystone.assignment.role_backends.sql:Role

 keystone.token.persistence =