diff --git a/doc/source/configuration/tables/manila-generic.inc b/doc/source/configuration/tables/manila-generic.inc index 3d42239179..178098f07d 100644 --- a/doc/source/configuration/tables/manila-generic.inc +++ b/doc/source/configuration/tables/manila-generic.inc @@ -102,14 +102,10 @@ - (String) Volume snapshot name template. * - **[cinder]** - - * - ``api_insecure`` = ``False`` - - (Boolean) Allow to perform insecure SSL requests to cinder. * - ``auth_section`` = ``None`` - (Unknown) Config Section from which to load plugin specific options * - ``auth_type`` = ``None`` - (Unknown) Authentication type to load - * - ``ca_certificates_file`` = ``None`` - - (String) Location of CA certificates file to use for cinder client requests. * - ``cafile`` = ``None`` - (String) PEM encoded Certificate Authority to use when verifying HTTPs connections. * - ``certfile`` = ``None`` @@ -142,16 +138,12 @@ - (Integer) Timeout value for http requests * - **[nova]** - - * - ``api_insecure`` = ``False`` - - (Boolean) Allow to perform insecure SSL requests to nova. * - ``api_microversion`` = ``2.10`` - (String) Version of Nova API to be used. * - ``auth_section`` = ``None`` - (Unknown) Config Section from which to load plugin specific options * - ``auth_type`` = ``None`` - (Unknown) Authentication type to load - * - ``ca_certificates_file`` = ``None`` - - (String) Location of CA certificates file to use for nova client requests. * - ``cafile`` = ``None`` - (String) PEM encoded Certificate Authority to use when verifying HTTPs connections. * - ``certfile`` = ``None`` diff --git a/manila/common/client_auth.py b/manila/common/client_auth.py index 76f75be947..dc9e557320 100644 --- a/manila/common/client_auth.py +++ b/manila/common/client_auth.py @@ -55,8 +55,7 @@ class AuthClientLoader(object): :param group: group name :return: list of auth default configuration """ - opts = copy.deepcopy(ks_loading.register_session_conf_options( - CONF, group)) + opts = copy.deepcopy(ks_loading.get_session_conf_options()) opts.insert(0, ks_loading.get_auth_common_conf_options()[0]) for plugin_option in ks_loading.get_auth_plugin_conf_options( diff --git a/manila/compute/nova.py b/manila/compute/nova.py index 7ea47d717c..e32766f096 100644 --- a/manila/compute/nova.py +++ b/manila/compute/nova.py @@ -82,16 +82,6 @@ nova_opts = [ deprecated_group="DEFAULT", deprecated_name="nova_api_microversion", help='Version of Nova API to be used.'), - cfg.StrOpt('ca_certificates_file', - deprecated_group="DEFAULT", - deprecated_name="nova_ca_certificates_file", - help='Location of CA certificates file to use for nova client ' - 'requests.'), - cfg.BoolOpt('api_insecure', - default=False, - deprecated_group="DEFAULT", - deprecated_name="nova_api_insecure", - help='Allow to perform insecure SSL requests to nova.'), cfg.StrOpt('endpoint_type', default='publicURL', help='Endpoint type to be used with nova client calls.'), @@ -99,11 +89,29 @@ nova_opts = [ help='Region name for connecting to nova.'), ] +# These fallback options can be removed in/after 9.0.0 (Train) +deprecated_opts = { + 'cafile': [ + cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"), + cfg.DeprecatedOpt('ca_certificates_file', group=NOVA_GROUP), + cfg.DeprecatedOpt('nova_ca_certificates_file', group="DEFAULT"), + cfg.DeprecatedOpt('nova_ca_certificates_file', group=NOVA_GROUP), + ], + 'insecure': [ + cfg.DeprecatedOpt('api_insecure', group="DEFAULT"), + cfg.DeprecatedOpt('api_insecure', group=NOVA_GROUP), + cfg.DeprecatedOpt('nova_api_insecure', group="DEFAULT"), + cfg.DeprecatedOpt('nova_api_insecure', group=NOVA_GROUP), + ], +} + CONF = cfg.CONF CONF.register_opts(nova_deprecated_opts) CONF.register_opts(core_opts) CONF.register_opts(nova_opts, NOVA_GROUP) -ks_loading.register_session_conf_options(CONF, NOVA_GROUP) +ks_loading.register_session_conf_options(CONF, + NOVA_GROUP, + deprecated_opts=deprecated_opts) ks_loading.register_auth_conf_options(CONF, NOVA_GROUP) @@ -127,8 +135,6 @@ def novaclient(context): deprecated_opts_for_v2=deprecated_opts_for_v2) return AUTH_OBJ.get_client(context, version=CONF[NOVA_GROUP].api_microversion, - insecure=CONF[NOVA_GROUP].api_insecure, - cacert=CONF[NOVA_GROUP].ca_certificates_file, endpoint_type=CONF[NOVA_GROUP].endpoint_type, region_name=CONF[NOVA_GROUP].region_name) diff --git a/manila/network/neutron/api.py b/manila/network/neutron/api.py index 25b24687aa..c9f428508a 100644 --- a/manila/network/neutron/api.py +++ b/manila/network/neutron/api.py @@ -76,22 +76,11 @@ neutron_opts = [ deprecated_group="DEFAULT", deprecated_name="neutron_url_timeout", help='Timeout value for connecting to neutron in seconds.'), - cfg.BoolOpt( - 'api_insecure', - default=False, - deprecated_group="DEFAULT", - help='If set, ignore any SSL validation issues.'), cfg.StrOpt( 'auth_strategy', default='keystone', deprecated_group="DEFAULT", help='Auth strategy for connecting to neutron in admin context.'), - cfg.StrOpt( - 'ca_certificates_file', - deprecated_for_removal=True, - deprecated_group="DEFAULT", - help='Location of CA certificates file to use for ' - 'neutron client requests.'), cfg.StrOpt( 'endpoint_type', default='publicURL', @@ -101,6 +90,19 @@ neutron_opts = [ help='Region name for connecting to neutron in admin context.'), ] +# These fallback options can be removed in/after 9.0.0 (Train) +deprecated_opts = { + 'cafile': [ + cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"), + cfg.DeprecatedOpt('ca_certificates_file', group=NEUTRON_GROUP), + ], + 'insecure': [ + cfg.DeprecatedOpt('api_insecure', group="DEFAULT"), + cfg.DeprecatedOpt('api_insecure', group=NEUTRON_GROUP), + ], +} + + CONF = cfg.CONF LOG = log.getLogger(__name__) @@ -118,7 +120,8 @@ class API(object): def __init__(self, config_group_name=None): self.config_group_name = config_group_name or 'DEFAULT' - ks_loading.register_session_conf_options(CONF, NEUTRON_GROUP) + ks_loading.register_session_conf_options( + CONF, NEUTRON_GROUP, deprecated_opts=deprecated_opts) ks_loading.register_auth_conf_options(CONF, NEUTRON_GROUP) CONF.register_opts(neutron_opts, NEUTRON_GROUP) CONF.register_opts(neutron_deprecated_opts, diff --git a/manila/tests/common/test_client_auth.py b/manila/tests/common/test_client_auth.py index 4d2a0969a5..e1b1980efc 100644 --- a/manila/tests/common/test_client_auth.py +++ b/manila/tests/common/test_client_auth.py @@ -78,12 +78,12 @@ class ClientAuthTestCase(test.TestCase): auth_result.load_from_options.assert_called_once_with(username='foo') self.assertEqual(result, 'foo_auth') - @mock.patch.object(auth, 'register_session_conf_options') + @mock.patch.object(auth, 'get_session_conf_options') @mock.patch.object(auth, 'get_auth_common_conf_options') @mock.patch.object(auth, 'get_auth_plugin_conf_options') - def test_list_opts(self, auth_conf, common_conf, register): - register.return_value = [cfg.StrOpt('username'), - cfg.StrOpt('password')] + def test_list_opts(self, auth_conf, common_conf, session_conf): + session_conf.return_value = [cfg.StrOpt('username'), + cfg.StrOpt('password')] common_conf.return_value = ([cfg.StrOpt('auth_url')]) auth_conf.return_value = [cfg.StrOpt('password')] @@ -95,12 +95,12 @@ class ClientAuthTestCase(test.TestCase): common_conf.assert_called_once_with() auth_conf.assert_called_once_with('password') - @mock.patch.object(auth, 'register_session_conf_options') + @mock.patch.object(auth, 'get_session_conf_options') @mock.patch.object(auth, 'get_auth_common_conf_options') @mock.patch.object(auth, 'get_auth_plugin_conf_options') - def test_list_opts_not_found(self, auth_conf, common_conf, register,): - register.return_value = [cfg.StrOpt('username'), - cfg.StrOpt('password')] + def test_list_opts_not_found(self, auth_conf, common_conf, session_conf): + session_conf.return_value = [cfg.StrOpt('username'), + cfg.StrOpt('password')] common_conf.return_value = ([cfg.StrOpt('auth_url')]) auth_conf.return_value = [cfg.StrOpt('tenant')] diff --git a/manila/tests/compute/test_nova.py b/manila/tests/compute/test_nova.py index f65436ea90..796356b4cf 100644 --- a/manila/tests/compute/test_nova.py +++ b/manila/tests/compute/test_nova.py @@ -141,8 +141,6 @@ class NovaclientTestCase(test.TestCase): }, 'nova': { 'api_microversion': 'foo_api_microversion', - 'api_insecure': True, - 'ca_certificates_file': 'foo_ca_certificates_file', 'endpoint_type': 'foo_endpoint_type', 'region_name': 'foo_region_name', } @@ -165,8 +163,6 @@ class NovaclientTestCase(test.TestCase): mock_client_loader.return_value.get_client.assert_called_once_with( fake_context, version=data['nova']['api_microversion'], - insecure=data['nova']['api_insecure'], - cacert=data['nova']['ca_certificates_file'], endpoint_type=data['nova']['endpoint_type'], region_name=data['nova']['region_name'], ) @@ -177,8 +173,6 @@ class NovaclientTestCase(test.TestCase): data = { 'nova': { 'api_microversion': 'foo_api_microversion', - 'api_insecure': True, - 'ca_certificates_file': 'foo_ca_certificates_file', 'endpoint_type': 'foo_endpoint_type', 'region_name': 'foo_region_name', } @@ -190,8 +184,6 @@ class NovaclientTestCase(test.TestCase): nova.AUTH_OBJ.get_client.assert_called_once_with( fake_context, version=data['nova']['api_microversion'], - insecure=data['nova']['api_insecure'], - cacert=data['nova']['ca_certificates_file'], endpoint_type=data['nova']['endpoint_type'], region_name=data['nova']['region_name'], ) diff --git a/manila/tests/volume/test_cinder.py b/manila/tests/volume/test_cinder.py index c89416dc19..f4de6fe17e 100644 --- a/manila/tests/volume/test_cinder.py +++ b/manila/tests/volume/test_cinder.py @@ -55,8 +55,6 @@ class CinderclientTestCase(test.TestCase): fake_context = 'fake_context' data = { 'cinder': { - 'api_insecure': True, - 'ca_certificates_file': 'foo_ca_certificates_file', 'http_retries': 3, 'endpoint_type': 'foo_endpoint_type', 'region_name': 'foo_region_name', @@ -73,8 +71,6 @@ class CinderclientTestCase(test.TestCase): ) mock_client_loader.return_value.get_client.assert_called_once_with( fake_context, - insecure=data['cinder']['api_insecure'], - cacert=data['cinder']['ca_certificates_file'], retries=data['cinder']['http_retries'], endpoint_type=data['cinder']['endpoint_type'], region_name=data['cinder']['region_name'], @@ -85,8 +81,6 @@ class CinderclientTestCase(test.TestCase): fake_context = 'fake_context' data = { 'cinder': { - 'api_insecure': True, - 'ca_certificates_file': 'foo_ca_certificates_file', 'http_retries': 3, 'endpoint_type': 'foo_endpoint_type', 'region_name': 'foo_region_name', @@ -98,8 +92,6 @@ class CinderclientTestCase(test.TestCase): cinder.AUTH_OBJ.get_client.assert_called_once_with( fake_context, - insecure=data['cinder']['api_insecure'], - cacert=data['cinder']['ca_certificates_file'], retries=data['cinder']['http_retries'], endpoint_type=data['cinder']['endpoint_type'], region_name=data['cinder']['region_name'], diff --git a/manila/volume/cinder.py b/manila/volume/cinder.py index 747c67b07e..4424317c5c 100644 --- a/manila/volume/cinder.py +++ b/manila/volume/cinder.py @@ -42,21 +42,11 @@ cinder_opts = [ deprecated_name="cinder_cross_az_attach", help='Allow attaching between instances and volumes in ' 'different availability zones.'), - cfg.StrOpt('ca_certificates_file', - help='Location of CA certificates file to use for cinder ' - 'client requests.', - deprecated_group='DEFAULT', - deprecated_name="cinder_ca_certificates_file"), cfg.IntOpt('http_retries', default=3, help='Number of cinderclient retries on failed HTTP calls.', deprecated_group='DEFAULT', deprecated_name="cinder_http_retries"), - cfg.BoolOpt('api_insecure', - default=False, - help='Allow to perform insecure SSL requests to cinder.', - deprecated_group='DEFAULT', - deprecated_name="cinder_api_insecure"), cfg.StrOpt('endpoint_type', default='publicURL', help='Endpoint type to be used with cinder client calls.'), @@ -64,10 +54,29 @@ cinder_opts = [ help='Region name for connecting to cinder.'), ] +# These fallback options can be removed in/after 9.0.0 (Train) +deprecated_opts = { + 'cafile': [ + cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"), + cfg.DeprecatedOpt('ca_certificates_file', group=CINDER_GROUP), + cfg.DeprecatedOpt('cinder_ca_certificates_file', group="DEFAULT"), + cfg.DeprecatedOpt('cinder_ca_certificates_file', group=CINDER_GROUP), + ], + 'insecure': [ + cfg.DeprecatedOpt('api_insecure', group="DEFAULT"), + cfg.DeprecatedOpt('api_insecure', group=CINDER_GROUP), + cfg.DeprecatedOpt('cinder_api_insecure', group="DEFAULT"), + cfg.DeprecatedOpt('cinder_api_insecure', group=CINDER_GROUP), + ], +} + + CONF = cfg.CONF CONF.register_opts(core_opts) CONF.register_opts(cinder_opts, CINDER_GROUP) -ks_loading.register_session_conf_options(CONF, CINDER_GROUP) +ks_loading.register_session_conf_options(CONF, + CINDER_GROUP, + deprecated_opts=deprecated_opts) ks_loading.register_auth_conf_options(CONF, CINDER_GROUP) @@ -83,8 +92,6 @@ def cinderclient(context): exception_module=cinder_exception, cfg_group=CINDER_GROUP) return AUTH_OBJ.get_client(context, - insecure=CONF[CINDER_GROUP].api_insecure, - cacert=CONF[CINDER_GROUP].ca_certificates_file, retries=CONF[CINDER_GROUP].http_retries, endpoint_type=CONF[CINDER_GROUP].endpoint_type, region_name=CONF[CINDER_GROUP].region_name) diff --git a/releasenotes/notes/deprecate-old-ks-opts-in-nova-neutron-cinder-groups-e395015088d93fdc.yaml b/releasenotes/notes/deprecate-old-ks-opts-in-nova-neutron-cinder-groups-e395015088d93fdc.yaml new file mode 100644 index 0000000000..6c3ddfa02a --- /dev/null +++ b/releasenotes/notes/deprecate-old-ks-opts-in-nova-neutron-cinder-groups-e395015088d93fdc.yaml @@ -0,0 +1,19 @@ +--- +fixes: + - | + `Launchpad bug 1809318 `_ + has been fixed. The deprecated options ``api_insecure`` and + ``ca_certificates_file`` from nova, cinder, neutron or DEFAULT + configuration groups no longer override the newer ``insecure`` option if + provided. Always use ``insecure`` and ``cafile`` to control SSL + and validation since the deprecated options will be removed in a future + release. +deprecations: + - | + The options ``ca_certificates_file``, ``nova_ca_certificates_file``, + ``cinder_ca_certificates_file``, ``api_insecure``, ``nova_api_insecure`` + and ``cinder_api_insecure`` have been deprecated from the ``DEFAULT`` + group as well as ``nova``, ``neutron`` and ``cinder`` configuration + groups. Use ``cafile`` to specify the CA certificates and ``insecure`` + to turn off SSL validation in these respective groups (nova, neutron and + cinder).