Deprecate old keystone session config opts
In the past, the options ca_certificates_file, nova_ca_certificates_file, cinder_ca_certificates_file, api_insecure, nova_api_insecure, cinder_api_insecure were supplied to instantiate nova, neutron and cinder clients. These options have now been subsumed in a more generic way into the Keystone session logic as 'cafile' and 'insecure'. Deprecate the older options in Stein so that we can remove them in a future release. This deprecation began many releases ago when we switched to using keystone sessions [1]. However, we were still overriding the values of "insecure" and "cafile" if provided, forcing users to continue using deprecated parameters "api_insecure" and "ca_certificates_file". So despite this fix originating in the Stein release, it would be prudent to backport it to all maintained releases and remove support for these older options in/beyond Train release (9.0.0). [1] Ic211a11308a3295409467efd88bff413482ee58d Change-Id: I148e9079c7c1ab119f519f727d4ad97758473325 Related-Bug: #1802393 Closes-Bug: #1809318
parent
a724e3c276
commit
198bea78ac
@ -90,14 +90,10 @@
|
||||
- (String) Volume snapshot name template.
|
||||
* - **[cinder]**
|
||||
-
|
||||
* - ``api_insecure`` = ``False``
|
||||
- (Boolean) Allow to perform insecure SSL requests to cinder.
|
||||
* - ``auth_section`` = ``None``
|
||||
- (Unknown) Config Section from which to load plugin specific options
|
||||
* - ``auth_type`` = ``None``
|
||||
- (Unknown) Authentication type to load
|
||||
* - ``ca_certificates_file`` = ``None``
|
||||
- (String) Location of CA certificates file to use for cinder client requests.
|
||||
* - ``cafile`` = ``None``
|
||||
- (String) PEM encoded Certificate Authority to use when verifying HTTPs connections.
|
||||
* - ``certfile`` = ``None``
|
||||
@ -130,16 +126,12 @@
|
||||
- (Integer) Timeout value for http requests
|
||||
* - **[nova]**
|
||||
-
|
||||
* - ``api_insecure`` = ``False``
|
||||
- (Boolean) Allow to perform insecure SSL requests to nova.
|
||||
* - ``api_microversion`` = ``2.10``
|
||||
- (String) Version of Nova API to be used.
|
||||
* - ``auth_section`` = ``None``
|
||||
- (Unknown) Config Section from which to load plugin specific options
|
||||
* - ``auth_type`` = ``None``
|
||||
- (Unknown) Authentication type to load
|
||||
* - ``ca_certificates_file`` = ``None``
|
||||
- (String) Location of CA certificates file to use for nova client requests.
|
||||
* - ``cafile`` = ``None``
|
||||
- (String) PEM encoded Certificate Authority to use when verifying HTTPs connections.
|
||||
* - ``certfile`` = ``None``
|
||||
|
@ -50,8 +50,7 @@ class AuthClientLoader(object):
|
||||
:param group: group name
|
||||
:return: list of auth default configuration
|
||||
"""
|
||||
opts = copy.deepcopy(ks_loading.register_session_conf_options(
|
||||
CONF, group))
|
||||
opts = copy.deepcopy(ks_loading.get_session_conf_options())
|
||||
opts.insert(0, ks_loading.get_auth_common_conf_options()[0])
|
||||
|
||||
for plugin_option in ks_loading.get_auth_plugin_conf_options(
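Review bot: The option list is now built from `ks_loading.get_session_conf_options()` with no `deprecated_opts`, so whatever consumes it (the docstring says it returns the auth default configuration for a group) will not see the `api_insecure` / `ca_certificates_file` fallbacks that the nova, cinder and neutron modules register. If that is intended, a comment on the call would stop a later reader from re-adding registration here, e.g. `# Definitions only; registration with deprecated_opts happens in the client modules.` The enclosing function starts and ends outside this hunk, so how the list is consumed is not visible.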
|
||||
|
@ -39,16 +39,6 @@ nova_opts = [
|
||||
deprecated_group="DEFAULT",
|
||||
deprecated_name="nova_api_microversion",
|
||||
help='Version of Nova API to be used.'),
|
||||
cfg.StrOpt('ca_certificates_file',
|
||||
deprecated_group="DEFAULT",
|
||||
deprecated_name="nova_ca_certificates_file",
|
||||
help='Location of CA certificates file to use for nova client '
|
||||
'requests.'),
|
||||
cfg.BoolOpt('api_insecure',
|
||||
default=False,
|
||||
deprecated_group="DEFAULT",
|
||||
deprecated_name="nova_api_insecure",
|
||||
help='Allow to perform insecure SSL requests to nova.'),
|
||||
cfg.StrOpt('endpoint_type',
|
||||
default='publicURL',
|
||||
help='Endpoint type to be used with nova client calls.'),
|
||||
@ -56,10 +46,28 @@ nova_opts = [
|
||||
help='Region name for connecting to nova.'),
|
||||
]
|
||||
|
||||
# These fallback options can be removed in/after 9.0.0 (Train)
|
||||
deprecated_opts = {
|
||||
'cafile': [
|
||||
cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"),
|
||||
cfg.DeprecatedOpt('ca_certificates_file', group=NOVA_GROUP),
|
||||
cfg.DeprecatedOpt('nova_ca_certificates_file', group="DEFAULT"),
|
||||
cfg.DeprecatedOpt('nova_ca_certificates_file', group=NOVA_GROUP),
|
||||
],
|
||||
'insecure': [
|
||||
cfg.DeprecatedOpt('api_insecure', group="DEFAULT"),
|
||||
cfg.DeprecatedOpt('api_insecure', group=NOVA_GROUP),
|
||||
cfg.DeprecatedOpt('nova_api_insecure', group="DEFAULT"),
|
||||
cfg.DeprecatedOpt('nova_api_insecure', group=NOVA_GROUP),
|
||||
],
|
||||
}
|
||||
|
||||
CONF = cfg.CONF
|
||||
CONF.register_opts(core_opts)
|
||||
CONF.register_opts(nova_opts, NOVA_GROUP)
|
||||
ks_loading.register_session_conf_options(CONF, NOVA_GROUP)
|
||||
ks_loading.register_session_conf_options(CONF,
|
||||
NOVA_GROUP,
|
||||
deprecated_opts=deprecated_opts)
|
||||
ks_loading.register_auth_conf_options(CONF, NOVA_GROUP)
|
||||
|
||||
|
||||
@ -76,8 +84,6 @@ def novaclient(context):
|
||||
cfg_group=NOVA_GROUP)
|
||||
return AUTH_OBJ.get_client(context,
|
||||
version=CONF[NOVA_GROUP].api_microversion,
|
||||
insecure=CONF[NOVA_GROUP].api_insecure,
|
||||
cacert=CONF[NOVA_GROUP].ca_certificates_file,
|
||||
endpoint_type=CONF[NOVA_GROUP].endpoint_type,
|
||||
region_name=CONF[NOVA_GROUP].region_name)
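Review bot: The `deprecated_opts` fallbacks for `insecure` and `cafile` include the un-prefixed `api_insecure` and `ca_certificates_file` in `DEFAULT`, and the cinder and neutron sections register the same aliases. A single legacy `[DEFAULT] api_insecure = True` would therefore appear to turn off certificate verification for all three clients, whereas the removed nova and cinder options fell back only to the prefixed `nova_api_insecure` / `cinder_api_insecure` names. If that widening is not intended, drop the un-prefixed `DEFAULT` entries here and in the cinder section. If it is intended, say so next to the dict, e.g. `# NOTE: [DEFAULT] api_insecure / ca_certificates_file are shared fallbacks for nova, cinder and neutron`.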
|
||||
|
||||
|
@ -41,22 +41,11 @@ neutron_opts = [
|
||||
deprecated_group="DEFAULT",
|
||||
deprecated_name="neutron_url_timeout",
|
||||
help='Timeout value for connecting to neutron in seconds.'),
|
||||
cfg.BoolOpt(
|
||||
'api_insecure',
|
||||
default=False,
|
||||
deprecated_group="DEFAULT",
|
||||
help='If set, ignore any SSL validation issues.'),
|
||||
cfg.StrOpt(
|
||||
'auth_strategy',
|
||||
default='keystone',
|
||||
deprecated_group="DEFAULT",
|
||||
help='Auth strategy for connecting to neutron in admin context.'),
|
||||
cfg.StrOpt(
|
||||
'ca_certificates_file',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_group="DEFAULT",
|
||||
help='Location of CA certificates file to use for '
|
||||
'neutron client requests.'),
|
||||
cfg.StrOpt(
|
||||
'endpoint_type',
|
||||
default='publicURL',
|
||||
@ -66,6 +55,19 @@ neutron_opts = [
|
||||
help='Region name for connecting to neutron in admin context.'),
|
||||
]
|
||||
|
||||
# These fallback options can be removed in/after 9.0.0 (Train)
|
||||
deprecated_opts = {
|
||||
'cafile': [
|
||||
cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"),
|
||||
cfg.DeprecatedOpt('ca_certificates_file', group=NEUTRON_GROUP),
|
||||
],
|
||||
'insecure': [
|
||||
cfg.DeprecatedOpt('api_insecure', group="DEFAULT"),
|
||||
cfg.DeprecatedOpt('api_insecure', group=NEUTRON_GROUP),
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
CONF = cfg.CONF
|
||||
LOG = log.getLogger(__name__)
|
||||
|
||||
@ -83,7 +85,8 @@ class API(object):
|
||||
def __init__(self, config_group_name=None):
|
||||
self.config_group_name = config_group_name or 'DEFAULT'
|
||||
|
||||
ks_loading.register_session_conf_options(CONF, NEUTRON_GROUP)
|
||||
ks_loading.register_session_conf_options(
|
||||
CONF, NEUTRON_GROUP, deprecated_opts=deprecated_opts)
|
||||
ks_loading.register_auth_conf_options(CONF, NEUTRON_GROUP)
|
||||
CONF.register_opts(neutron_opts, NEUTRON_GROUP)
|
||||
|
||||
|
@ -63,12 +63,12 @@ class ClientAuthTestCase(test.TestCase):
|
||||
self.assertRaises(fake_client_exception_class.Unauthorized,
|
||||
self.auth._load_auth_plugin)
|
||||
|
||||
@mock.patch.object(auth, 'register_session_conf_options')
|
||||
@mock.patch.object(auth, 'get_session_conf_options')
|
||||
@mock.patch.object(auth, 'get_auth_common_conf_options')
|
||||
@mock.patch.object(auth, 'get_auth_plugin_conf_options')
|
||||
def test_list_opts(self, auth_conf, common_conf, register):
|
||||
register.return_value = [cfg.StrOpt('username'),
|
||||
cfg.StrOpt('password')]
|
||||
def test_list_opts(self, auth_conf, common_conf, session_conf):
|
||||
session_conf.return_value = [cfg.StrOpt('username'),
|
||||
cfg.StrOpt('password')]
|
||||
common_conf.return_value = ([cfg.StrOpt('auth_url')])
|
||||
auth_conf.return_value = [cfg.StrOpt('password')]
|
||||
|
||||
@ -80,12 +80,12 @@ class ClientAuthTestCase(test.TestCase):
|
||||
common_conf.assert_called_once_with()
|
||||
auth_conf.assert_called_once_with('password')
|
||||
|
||||
@mock.patch.object(auth, 'register_session_conf_options')
|
||||
@mock.patch.object(auth, 'get_session_conf_options')
|
||||
@mock.patch.object(auth, 'get_auth_common_conf_options')
|
||||
@mock.patch.object(auth, 'get_auth_plugin_conf_options')
|
||||
def test_list_opts_not_found(self, auth_conf, common_conf, register,):
|
||||
register.return_value = [cfg.StrOpt('username'),
|
||||
cfg.StrOpt('password')]
|
||||
def test_list_opts_not_found(self, auth_conf, common_conf, session_conf):
|
||||
session_conf.return_value = [cfg.StrOpt('username'),
|
||||
cfg.StrOpt('password')]
|
||||
common_conf.return_value = ([cfg.StrOpt('auth_url')])
|
||||
auth_conf.return_value = [cfg.StrOpt('tenant')]
|
||||
|
||||
|
@ -135,8 +135,6 @@ class NovaclientTestCase(test.TestCase):
|
||||
data = {
|
||||
'nova': {
|
||||
'api_microversion': 'foo_api_microversion',
|
||||
'api_insecure': True,
|
||||
'ca_certificates_file': 'foo_ca_certificates_file',
|
||||
'endpoint_type': 'foo_endpoint_type',
|
||||
'region_name': 'foo_region_name',
|
||||
}
|
||||
@ -153,8 +151,6 @@ class NovaclientTestCase(test.TestCase):
|
||||
mock_client_loader.return_value.get_client.assert_called_once_with(
|
||||
fake_context,
|
||||
version=data['nova']['api_microversion'],
|
||||
insecure=data['nova']['api_insecure'],
|
||||
cacert=data['nova']['ca_certificates_file'],
|
||||
endpoint_type=data['nova']['endpoint_type'],
|
||||
region_name=data['nova']['region_name'],
|
||||
)
|
||||
@ -165,8 +161,6 @@ class NovaclientTestCase(test.TestCase):
|
||||
data = {
|
||||
'nova': {
|
||||
'api_microversion': 'foo_api_microversion',
|
||||
'api_insecure': True,
|
||||
'ca_certificates_file': 'foo_ca_certificates_file',
|
||||
'endpoint_type': 'foo_endpoint_type',
|
||||
'region_name': 'foo_region_name',
|
||||
}
|
||||
@ -178,8 +172,6 @@ class NovaclientTestCase(test.TestCase):
|
||||
nova.AUTH_OBJ.get_client.assert_called_once_with(
|
||||
fake_context,
|
||||
version=data['nova']['api_microversion'],
|
||||
insecure=data['nova']['api_insecure'],
|
||||
cacert=data['nova']['ca_certificates_file'],
|
||||
endpoint_type=data['nova']['endpoint_type'],
|
||||
region_name=data['nova']['region_name'],
|
||||
)
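Review bot: The `api_insecure` and `ca_certificates_file` entries are dropped from the `data` dicts and the `get_client` assertions in this section, and the cinder client tests do the same, but nothing visible replaces them with a check that a legacy value still reaches the session's `insecure` / `cafile`. These options decide whether TLS certificates are verified. A test that sets only `[nova] api_insecure`, and one that sets both the old and new names, asserting the resulting session option, would pin the precedence the release note promises. Coverage may exist outside the hunks shown here.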
|
||||
|
@ -55,8 +55,6 @@ class CinderclientTestCase(test.TestCase):
|
||||
fake_context = 'fake_context'
|
||||
data = {
|
||||
'cinder': {
|
||||
'api_insecure': True,
|
||||
'ca_certificates_file': 'foo_ca_certificates_file',
|
||||
'http_retries': 3,
|
||||
'endpoint_type': 'foo_endpoint_type',
|
||||
'region_name': 'foo_region_name',
|
||||
@ -73,8 +71,6 @@ class CinderclientTestCase(test.TestCase):
|
||||
)
|
||||
mock_client_loader.return_value.get_client.assert_called_once_with(
|
||||
fake_context,
|
||||
insecure=data['cinder']['api_insecure'],
|
||||
cacert=data['cinder']['ca_certificates_file'],
|
||||
retries=data['cinder']['http_retries'],
|
||||
endpoint_type=data['cinder']['endpoint_type'],
|
||||
region_name=data['cinder']['region_name'],
|
||||
@ -85,8 +81,6 @@ class CinderclientTestCase(test.TestCase):
|
||||
fake_context = 'fake_context'
|
||||
data = {
|
||||
'cinder': {
|
||||
'api_insecure': True,
|
||||
'ca_certificates_file': 'foo_ca_certificates_file',
|
||||
'http_retries': 3,
|
||||
'endpoint_type': 'foo_endpoint_type',
|
||||
'region_name': 'foo_region_name',
|
||||
@ -98,8 +92,6 @@ class CinderclientTestCase(test.TestCase):
|
||||
|
||||
cinder.AUTH_OBJ.get_client.assert_called_once_with(
|
||||
fake_context,
|
||||
insecure=data['cinder']['api_insecure'],
|
||||
cacert=data['cinder']['ca_certificates_file'],
|
||||
retries=data['cinder']['http_retries'],
|
||||
endpoint_type=data['cinder']['endpoint_type'],
|
||||
region_name=data['cinder']['region_name'],
|
||||
|
@ -42,21 +42,11 @@ cinder_opts = [
|
||||
deprecated_name="cinder_cross_az_attach",
|
||||
help='Allow attaching between instances and volumes in '
|
||||
'different availability zones.'),
|
||||
cfg.StrOpt('ca_certificates_file',
|
||||
help='Location of CA certificates file to use for cinder '
|
||||
'client requests.',
|
||||
deprecated_group='DEFAULT',
|
||||
deprecated_name="cinder_ca_certificates_file"),
|
||||
cfg.IntOpt('http_retries',
|
||||
default=3,
|
||||
help='Number of cinderclient retries on failed HTTP calls.',
|
||||
deprecated_group='DEFAULT',
|
||||
deprecated_name="cinder_http_retries"),
|
||||
cfg.BoolOpt('api_insecure',
|
||||
default=False,
|
||||
help='Allow to perform insecure SSL requests to cinder.',
|
||||
deprecated_group='DEFAULT',
|
||||
deprecated_name="cinder_api_insecure"),
|
||||
cfg.StrOpt('endpoint_type',
|
||||
default='publicURL',
|
||||
help='Endpoint type to be used with cinder client calls.'),
|
||||
@ -64,10 +54,29 @@ cinder_opts = [
|
||||
help='Region name for connecting to cinder.'),
|
||||
]
|
||||
|
||||
# These fallback options can be removed in/after 9.0.0 (Train)
|
||||
deprecated_opts = {
|
||||
'cafile': [
|
||||
cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"),
|
||||
cfg.DeprecatedOpt('ca_certificates_file', group=CINDER_GROUP),
|
||||
cfg.DeprecatedOpt('cinder_ca_certificates_file', group="DEFAULT"),
|
||||
cfg.DeprecatedOpt('cinder_ca_certificates_file', group=CINDER_GROUP),
|
||||
],
|
||||
'insecure': [
|
||||
cfg.DeprecatedOpt('api_insecure', group="DEFAULT"),
|
||||
cfg.DeprecatedOpt('api_insecure', group=CINDER_GROUP),
|
||||
cfg.DeprecatedOpt('cinder_api_insecure', group="DEFAULT"),
|
||||
cfg.DeprecatedOpt('cinder_api_insecure', group=CINDER_GROUP),
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
CONF = cfg.CONF
|
||||
CONF.register_opts(core_opts)
|
||||
CONF.register_opts(cinder_opts, CINDER_GROUP)
|
||||
ks_loading.register_session_conf_options(CONF, CINDER_GROUP)
|
||||
ks_loading.register_session_conf_options(CONF,
|
||||
CINDER_GROUP,
|
||||
deprecated_opts=deprecated_opts)
|
||||
ks_loading.register_auth_conf_options(CONF, CINDER_GROUP)
|
||||
|
||||
|
||||
@ -83,8 +92,6 @@ def cinderclient(context):
|
||||
exception_module=cinder_exception,
|
||||
cfg_group=CINDER_GROUP)
|
||||
return AUTH_OBJ.get_client(context,
|
||||
insecure=CONF[CINDER_GROUP].api_insecure,
|
||||
cacert=CONF[CINDER_GROUP].ca_certificates_file,
|
||||
retries=CONF[CINDER_GROUP].http_retries,
|
||||
endpoint_type=CONF[CINDER_GROUP].endpoint_type,
|
||||
region_name=CONF[CINDER_GROUP].region_name)
|
||||
|
@ -0,0 +1,19 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
`Launchpad bug 1809318 <https://bugs.launchpad.net/manila/+bug/1809318>`_
|
||||
has been fixed. The deprecated options ``api_insecure`` and
|
||||
``ca_certificates_file`` from nova, cinder, neutron or DEFAULT
|
||||
configuration groups no longer override the newer ``insecure`` option if
|
||||
provided. Always use ``insecure`` and ``cafile`` to control SSL
|
||||
and validation since the deprecated options will be removed in a future
|
||||
release.
|
||||
deprecations:
|
||||
- |
|
||||
The options ``ca_certificates_file``, ``nova_ca_certificates_file``,
|
||||
``cinder_ca_certificates_file``, ``api_insecure``, ``nova_api_insecure``
|
||||
and ``cinder_api_insecure`` have been deprecated from the ``DEFAULT``
|
||||
group as well as ``nova``, ``neutron`` and ``cinder`` configuration
|
||||
groups. Use ``cafile`` to specify the CA certificates and ``insecure``
|
||||
to turn off SSL validation in these respective groups (nova, neutron and
|
||||
cinder).
|