Browse Source

Merge "Deprecate old keystone session config opts"

Zuul 3 months ago
parent
commit
86f71cb20d

+ 0
- 8
doc/source/configuration/tables/manila-generic.inc View File

@@ -90,14 +90,10 @@
90 90
      - (String) Volume snapshot name template.
91 91
    * - **[cinder]**
92 92
      -
93
-   * - ``api_insecure`` = ``False``
94
-     - (Boolean) Allow to perform insecure SSL requests to cinder.
95 93
    * - ``auth_section`` = ``None``
96 94
      - (Unknown) Config Section from which to load plugin specific options
97 95
    * - ``auth_type`` = ``None``
98 96
      - (Unknown) Authentication type to load
99
-   * - ``ca_certificates_file`` = ``None``
100
-     - (String) Location of CA certificates file to use for cinder client requests.
101 97
    * - ``cafile`` = ``None``
102 98
      - (String) PEM encoded Certificate Authority to use when verifying HTTPs connections.
103 99
    * - ``certfile`` = ``None``
@@ -130,16 +126,12 @@
130 126
      - (Integer) Timeout value for http requests
131 127
    * - **[nova]**
132 128
      -
133
-   * - ``api_insecure`` = ``False``
134
-     - (Boolean) Allow to perform insecure SSL requests to nova.
135 129
    * - ``api_microversion`` = ``2.10``
136 130
      - (String) Version of Nova API to be used.
137 131
    * - ``auth_section`` = ``None``
138 132
      - (Unknown) Config Section from which to load plugin specific options
139 133
    * - ``auth_type`` = ``None``
140 134
      - (Unknown) Authentication type to load
141
-   * - ``ca_certificates_file`` = ``None``
142
-     - (String) Location of CA certificates file to use for nova client requests.
143 135
    * - ``cafile`` = ``None``
144 136
      - (String) PEM encoded Certificate Authority to use when verifying HTTPs connections.
145 137
    * - ``certfile`` = ``None``

+ 1
- 2
manila/common/client_auth.py View File

@@ -50,8 +50,7 @@ class AuthClientLoader(object):
50 50
         :param group: group name
51 51
         :return: list of auth default configuration
52 52
         """
53
-        opts = copy.deepcopy(ks_loading.register_session_conf_options(
54
-                             CONF, group))
53
+        opts = copy.deepcopy(ks_loading.get_session_conf_options())
55 54
         opts.insert(0, ks_loading.get_auth_common_conf_options()[0])
56 55
 
57 56
         for plugin_option in ks_loading.get_auth_plugin_conf_options(

+ 19
- 13
manila/compute/nova.py View File

@@ -39,16 +39,6 @@ nova_opts = [
39 39
                deprecated_group="DEFAULT",
40 40
                deprecated_name="nova_api_microversion",
41 41
                help='Version of Nova API to be used.'),
42
-    cfg.StrOpt('ca_certificates_file',
43
-               deprecated_group="DEFAULT",
44
-               deprecated_name="nova_ca_certificates_file",
45
-               help='Location of CA certificates file to use for nova client '
46
-                    'requests.'),
47
-    cfg.BoolOpt('api_insecure',
48
-                default=False,
49
-                deprecated_group="DEFAULT",
50
-                deprecated_name="nova_api_insecure",
51
-                help='Allow to perform insecure SSL requests to nova.'),
52 42
     cfg.StrOpt('endpoint_type',
53 43
                default='publicURL',
54 44
                help='Endpoint type to be used with nova client calls.'),
@@ -56,10 +46,28 @@ nova_opts = [
56 46
                help='Region name for connecting to nova.'),
57 47
     ]
58 48
 
49
+# These fallback options can be removed in/after 9.0.0 (Train)
50
+deprecated_opts = {
51
+    'cafile': [
52
+        cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"),
53
+        cfg.DeprecatedOpt('ca_certificates_file', group=NOVA_GROUP),
54
+        cfg.DeprecatedOpt('nova_ca_certificates_file', group="DEFAULT"),
55
+        cfg.DeprecatedOpt('nova_ca_certificates_file', group=NOVA_GROUP),
56
+    ],
57
+    'insecure': [
58
+        cfg.DeprecatedOpt('api_insecure', group="DEFAULT"),
59
+        cfg.DeprecatedOpt('api_insecure', group=NOVA_GROUP),
60
+        cfg.DeprecatedOpt('nova_api_insecure', group="DEFAULT"),
61
+        cfg.DeprecatedOpt('nova_api_insecure', group=NOVA_GROUP),
62
+    ],
63
+}
64
+
59 65
 CONF = cfg.CONF
60 66
 CONF.register_opts(core_opts)
61 67
 CONF.register_opts(nova_opts, NOVA_GROUP)
62
-ks_loading.register_session_conf_options(CONF, NOVA_GROUP)
68
+ks_loading.register_session_conf_options(CONF,
69
+                                         NOVA_GROUP,
70
+                                         deprecated_opts=deprecated_opts)
63 71
 ks_loading.register_auth_conf_options(CONF, NOVA_GROUP)
64 72
 
65 73
 
@@ -76,8 +84,6 @@ def novaclient(context):
76 84
             cfg_group=NOVA_GROUP)
77 85
     return AUTH_OBJ.get_client(context,
78 86
                                version=CONF[NOVA_GROUP].api_microversion,
79
-                               insecure=CONF[NOVA_GROUP].api_insecure,
80
-                               cacert=CONF[NOVA_GROUP].ca_certificates_file,
81 87
                                endpoint_type=CONF[NOVA_GROUP].endpoint_type,
82 88
                                region_name=CONF[NOVA_GROUP].region_name)
83 89
 

+ 15
- 12
manila/network/neutron/api.py View File

@@ -41,22 +41,11 @@ neutron_opts = [
41 41
         deprecated_group="DEFAULT",
42 42
         deprecated_name="neutron_url_timeout",
43 43
         help='Timeout value for connecting to neutron in seconds.'),
44
-    cfg.BoolOpt(
45
-        'api_insecure',
46
-        default=False,
47
-        deprecated_group="DEFAULT",
48
-        help='If set, ignore any SSL validation issues.'),
49 44
     cfg.StrOpt(
50 45
         'auth_strategy',
51 46
         default='keystone',
52 47
         deprecated_group="DEFAULT",
53 48
         help='Auth strategy for connecting to neutron in admin context.'),
54
-    cfg.StrOpt(
55
-        'ca_certificates_file',
56
-        deprecated_for_removal=True,
57
-        deprecated_group="DEFAULT",
58
-        help='Location of CA certificates file to use for '
59
-             'neutron client requests.'),
60 49
     cfg.StrOpt(
61 50
         'endpoint_type',
62 51
         default='publicURL',
@@ -66,6 +55,19 @@ neutron_opts = [
66 55
         help='Region name for connecting to neutron in admin context.'),
67 56
 ]
68 57
 
58
+# These fallback options can be removed in/after 9.0.0 (Train)
59
+deprecated_opts = {
60
+    'cafile': [
61
+        cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"),
62
+        cfg.DeprecatedOpt('ca_certificates_file', group=NEUTRON_GROUP),
63
+    ],
64
+    'insecure': [
65
+        cfg.DeprecatedOpt('api_insecure', group="DEFAULT"),
66
+        cfg.DeprecatedOpt('api_insecure', group=NEUTRON_GROUP),
67
+    ],
68
+}
69
+
70
+
69 71
 CONF = cfg.CONF
70 72
 LOG = log.getLogger(__name__)
71 73
 
@@ -83,7 +85,8 @@ class API(object):
83 85
     def __init__(self, config_group_name=None):
84 86
         self.config_group_name = config_group_name or 'DEFAULT'
85 87
 
86
-        ks_loading.register_session_conf_options(CONF, NEUTRON_GROUP)
88
+        ks_loading.register_session_conf_options(
89
+            CONF, NEUTRON_GROUP, deprecated_opts=deprecated_opts)
87 90
         ks_loading.register_auth_conf_options(CONF, NEUTRON_GROUP)
88 91
         CONF.register_opts(neutron_opts, NEUTRON_GROUP)
89 92
 

+ 8
- 8
manila/tests/common/test_client_auth.py View File

@@ -63,12 +63,12 @@ class ClientAuthTestCase(test.TestCase):
63 63
         self.assertRaises(fake_client_exception_class.Unauthorized,
64 64
                           self.auth._load_auth_plugin)
65 65
 
66
-    @mock.patch.object(auth, 'register_session_conf_options')
66
+    @mock.patch.object(auth, 'get_session_conf_options')
67 67
     @mock.patch.object(auth, 'get_auth_common_conf_options')
68 68
     @mock.patch.object(auth, 'get_auth_plugin_conf_options')
69
-    def test_list_opts(self, auth_conf, common_conf, register):
70
-        register.return_value = [cfg.StrOpt('username'),
71
-                                 cfg.StrOpt('password')]
69
+    def test_list_opts(self, auth_conf, common_conf, session_conf):
70
+        session_conf.return_value = [cfg.StrOpt('username'),
71
+                                     cfg.StrOpt('password')]
72 72
         common_conf.return_value = ([cfg.StrOpt('auth_url')])
73 73
         auth_conf.return_value = [cfg.StrOpt('password')]
74 74
 
@@ -80,12 +80,12 @@ class ClientAuthTestCase(test.TestCase):
80 80
         common_conf.assert_called_once_with()
81 81
         auth_conf.assert_called_once_with('password')
82 82
 
83
-    @mock.patch.object(auth, 'register_session_conf_options')
83
+    @mock.patch.object(auth, 'get_session_conf_options')
84 84
     @mock.patch.object(auth, 'get_auth_common_conf_options')
85 85
     @mock.patch.object(auth, 'get_auth_plugin_conf_options')
86
-    def test_list_opts_not_found(self, auth_conf, common_conf, register,):
87
-        register.return_value = [cfg.StrOpt('username'),
88
-                                 cfg.StrOpt('password')]
86
+    def test_list_opts_not_found(self, auth_conf, common_conf, session_conf):
87
+        session_conf.return_value = [cfg.StrOpt('username'),
88
+                                     cfg.StrOpt('password')]
89 89
         common_conf.return_value = ([cfg.StrOpt('auth_url')])
90 90
         auth_conf.return_value = [cfg.StrOpt('tenant')]
91 91
 

+ 0
- 8
manila/tests/compute/test_nova.py View File

@@ -135,8 +135,6 @@ class NovaclientTestCase(test.TestCase):
135 135
         data = {
136 136
             'nova': {
137 137
                 'api_microversion': 'foo_api_microversion',
138
-                'api_insecure': True,
139
-                'ca_certificates_file': 'foo_ca_certificates_file',
140 138
                 'endpoint_type': 'foo_endpoint_type',
141 139
                 'region_name': 'foo_region_name',
142 140
             }
@@ -153,8 +151,6 @@ class NovaclientTestCase(test.TestCase):
153 151
         mock_client_loader.return_value.get_client.assert_called_once_with(
154 152
             fake_context,
155 153
             version=data['nova']['api_microversion'],
156
-            insecure=data['nova']['api_insecure'],
157
-            cacert=data['nova']['ca_certificates_file'],
158 154
             endpoint_type=data['nova']['endpoint_type'],
159 155
             region_name=data['nova']['region_name'],
160 156
         )
@@ -165,8 +161,6 @@ class NovaclientTestCase(test.TestCase):
165 161
         data = {
166 162
             'nova': {
167 163
                 'api_microversion': 'foo_api_microversion',
168
-                'api_insecure': True,
169
-                'ca_certificates_file': 'foo_ca_certificates_file',
170 164
                 'endpoint_type': 'foo_endpoint_type',
171 165
                 'region_name': 'foo_region_name',
172 166
             }
@@ -178,8 +172,6 @@ class NovaclientTestCase(test.TestCase):
178 172
         nova.AUTH_OBJ.get_client.assert_called_once_with(
179 173
             fake_context,
180 174
             version=data['nova']['api_microversion'],
181
-            insecure=data['nova']['api_insecure'],
182
-            cacert=data['nova']['ca_certificates_file'],
183 175
             endpoint_type=data['nova']['endpoint_type'],
184 176
             region_name=data['nova']['region_name'],
185 177
         )

+ 0
- 8
manila/tests/volume/test_cinder.py View File

@@ -55,8 +55,6 @@ class CinderclientTestCase(test.TestCase):
55 55
         fake_context = 'fake_context'
56 56
         data = {
57 57
             'cinder': {
58
-                'api_insecure': True,
59
-                'ca_certificates_file': 'foo_ca_certificates_file',
60 58
                 'http_retries': 3,
61 59
                 'endpoint_type': 'foo_endpoint_type',
62 60
                 'region_name': 'foo_region_name',
@@ -73,8 +71,6 @@ class CinderclientTestCase(test.TestCase):
73 71
         )
74 72
         mock_client_loader.return_value.get_client.assert_called_once_with(
75 73
             fake_context,
76
-            insecure=data['cinder']['api_insecure'],
77
-            cacert=data['cinder']['ca_certificates_file'],
78 74
             retries=data['cinder']['http_retries'],
79 75
             endpoint_type=data['cinder']['endpoint_type'],
80 76
             region_name=data['cinder']['region_name'],
@@ -85,8 +81,6 @@ class CinderclientTestCase(test.TestCase):
85 81
         fake_context = 'fake_context'
86 82
         data = {
87 83
             'cinder': {
88
-                'api_insecure': True,
89
-                'ca_certificates_file': 'foo_ca_certificates_file',
90 84
                 'http_retries': 3,
91 85
                 'endpoint_type': 'foo_endpoint_type',
92 86
                 'region_name': 'foo_region_name',
@@ -98,8 +92,6 @@ class CinderclientTestCase(test.TestCase):
98 92
 
99 93
         cinder.AUTH_OBJ.get_client.assert_called_once_with(
100 94
             fake_context,
101
-            insecure=data['cinder']['api_insecure'],
102
-            cacert=data['cinder']['ca_certificates_file'],
103 95
             retries=data['cinder']['http_retries'],
104 96
             endpoint_type=data['cinder']['endpoint_type'],
105 97
             region_name=data['cinder']['region_name'],

+ 20
- 13
manila/volume/cinder.py View File

@@ -42,21 +42,11 @@ cinder_opts = [
42 42
                 deprecated_name="cinder_cross_az_attach",
43 43
                 help='Allow attaching between instances and volumes in '
44 44
                      'different availability zones.'),
45
-    cfg.StrOpt('ca_certificates_file',
46
-               help='Location of CA certificates file to use for cinder '
47
-                    'client requests.',
48
-               deprecated_group='DEFAULT',
49
-               deprecated_name="cinder_ca_certificates_file"),
50 45
     cfg.IntOpt('http_retries',
51 46
                default=3,
52 47
                help='Number of cinderclient retries on failed HTTP calls.',
53 48
                deprecated_group='DEFAULT',
54 49
                deprecated_name="cinder_http_retries"),
55
-    cfg.BoolOpt('api_insecure',
56
-                default=False,
57
-                help='Allow to perform insecure SSL requests to cinder.',
58
-                deprecated_group='DEFAULT',
59
-                deprecated_name="cinder_api_insecure"),
60 50
     cfg.StrOpt('endpoint_type',
61 51
                default='publicURL',
62 52
                help='Endpoint type to be used with cinder client calls.'),
@@ -64,10 +54,29 @@ cinder_opts = [
64 54
                help='Region name for connecting to cinder.'),
65 55
     ]
66 56
 
57
+# These fallback options can be removed in/after 9.0.0 (Train)
58
+deprecated_opts = {
59
+    'cafile': [
60
+        cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"),
61
+        cfg.DeprecatedOpt('ca_certificates_file', group=CINDER_GROUP),
62
+        cfg.DeprecatedOpt('cinder_ca_certificates_file', group="DEFAULT"),
63
+        cfg.DeprecatedOpt('cinder_ca_certificates_file', group=CINDER_GROUP),
64
+    ],
65
+    'insecure': [
66
+        cfg.DeprecatedOpt('api_insecure', group="DEFAULT"),
67
+        cfg.DeprecatedOpt('api_insecure', group=CINDER_GROUP),
68
+        cfg.DeprecatedOpt('cinder_api_insecure', group="DEFAULT"),
69
+        cfg.DeprecatedOpt('cinder_api_insecure', group=CINDER_GROUP),
70
+    ],
71
+}
72
+
73
+
67 74
 CONF = cfg.CONF
68 75
 CONF.register_opts(core_opts)
69 76
 CONF.register_opts(cinder_opts, CINDER_GROUP)
70
-ks_loading.register_session_conf_options(CONF, CINDER_GROUP)
77
+ks_loading.register_session_conf_options(CONF,
78
+                                         CINDER_GROUP,
79
+                                         deprecated_opts=deprecated_opts)
71 80
 ks_loading.register_auth_conf_options(CONF, CINDER_GROUP)
72 81
 
73 82
 
@@ -83,8 +92,6 @@ def cinderclient(context):
83 92
             exception_module=cinder_exception,
84 93
             cfg_group=CINDER_GROUP)
85 94
     return AUTH_OBJ.get_client(context,
86
-                               insecure=CONF[CINDER_GROUP].api_insecure,
87
-                               cacert=CONF[CINDER_GROUP].ca_certificates_file,
88 95
                                retries=CONF[CINDER_GROUP].http_retries,
89 96
                                endpoint_type=CONF[CINDER_GROUP].endpoint_type,
90 97
                                region_name=CONF[CINDER_GROUP].region_name)

+ 19
- 0
releasenotes/notes/deprecate-old-ks-opts-in-nova-neutron-cinder-groups-e395015088d93fdc.yaml View File

@@ -0,0 +1,19 @@
1
+---
2
+fixes:
3
+  - |
4
+    `Launchpad bug 1809318 <https://bugs.launchpad.net/manila/+bug/1809318>`_
5
+    has been fixed. The deprecated options ``api_insecure`` and
6
+    ``ca_certificates_file`` from nova, cinder, neutron or DEFAULT
7
+    configuration groups no longer override the newer ``insecure`` option if
8
+    provided. Always use ``insecure`` and ``cafile`` to control SSL
9
+    and validation since the deprecated options will be removed in a future
10
+    release.
11
+deprecations:
12
+  - |
13
+    The options ``ca_certificates_file``, ``nova_ca_certificates_file``,
14
+    ``cinder_ca_certificates_file``, ``api_insecure``, ``nova_api_insecure``
15
+    and ``cinder_api_insecure`` have been deprecated from the ``DEFAULT``
16
+    group as well as ``nova``, ``neutron`` and ``cinder`` configuration
17
+    groups. Use ``cafile`` to specify the CA certificates and ``insecure``
18
+    to turn off SSL validation in these respective groups (nova, neutron and
19
+    cinder).

Loading…
Cancel
Save