Merge "Deprecate [api]auth_strategy and noauth2"

2019-10-14 20:56:08 +00:00 · 2019-10-14 20:56:08 +00:00 · 3387811743
parent d14ae3a126 18de63deaa
commit 3387811743
5 changed files with 43 additions and 4 deletions
--- a/etc/nova/api-paste.ini
+++ b/etc/nova/api-paste.ini
@ -28,13 +28,17 @@ use = call:nova.api.openstack.urlmap:urlmap_factory

 [composite:openstack_compute_api_v21]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21
 keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext osapi_compute_app_v21
+# DEPRECATED: The [api]auth_strategy conf option is deprecated and will be
+# removed in a subsequent release, whereupon this pipeline will be unreachable.
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21

 [composite:openstack_compute_api_v21_legacy_v2_compatible]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21
 keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+# DEPRECATED: The [api]auth_strategy conf option is deprecated and will be
+# removed in a subsequent release, whereupon this pipeline will be unreachable.
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21

 [filter:request_log]
 paste.filter_factory = nova.api.openstack.requestlog:RequestLog.factory
@ -45,6 +49,8 @@ paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory
 [filter:faultwrap]
 paste.filter_factory = nova.api.openstack:FaultWrapper.factory

+# DEPRECATED: NoAuthMiddleware will be removed in a subsequent release,
+# whereupon this filter will cease to function.
 [filter:noauth2]
 paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory

--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@ -53,7 +53,16 @@ def pipeline_factory(loader, global_conf, **local_conf):

 def pipeline_factory_v21(loader, global_conf, **local_conf):
    """A paste pipeline replica that keys off of auth_strategy."""
-    return _load_pipeline(loader, local_conf[CONF.api.auth_strategy].split())
+    auth_strategy = CONF.api.auth_strategy
+    if auth_strategy == 'noauth2':
+        versionutils.report_deprecated_feature(
+            LOG,
+            "'[api]auth_strategy=noauth2' is deprecated as of the 21.0.0 "
+            "Ussuri release and will be removed in a future release. Please "
+            "remove any 'noauth2' entries from api-paste.ini; only the "
+            "'keystone' pipeline is supported."
+        )
+    return _load_pipeline(loader, local_conf[auth_strategy].split())


 class InjectContext(wsgi.Middleware):
--- a/nova/conf/api.py
+++ b/nova/conf/api.py
@ -30,7 +30,13 @@ auth_opts = [
             "credential checking. 'noauth2' provides administrative "
             "credentials only if 'admin' is specified as the username."),
        ],
-        deprecated_group="DEFAULT",
+        deprecated_for_removal=True,
+        deprecated_since='21.0.0',
+        deprecated_reason="""
+The only non-default choice, ``noauth2``, is for internal development and
+testing purposes only and should not be used in deployments. This option and
+its middleware, NoAuthMiddleware[V2_18], will be removed in a future release.
+""",
        help="""
 Determine the strategy to use for authentication.
 """),
--- a/nova/tests/unit/api/test_auth.py
+++ b/nova/tests/unit/api/test_auth.py
@ -140,12 +140,23 @@ class TestPipeLineFactory(test.NoDBTestCase):
        self.assertEqual(app.name, pipeline.split()[-1])
        self.assertIsInstance(app, TestPipeLineFactory.FakeApp)

+    @mock.patch('oslo_log.versionutils.report_deprecated_feature',
+                new=mock.NonCallableMock())
    def test_pipeline_factory_v21(self):
+        fake_pipeline = 'test1 test2 test3'
+        CONF.set_override('auth_strategy', 'keystone', group='api')
+        app = nova.api.auth.pipeline_factory_v21(
+            TestPipeLineFactory.FakeLoader(), None, keystone=fake_pipeline)
+        self._test_pipeline(fake_pipeline, app)
+
+    @mock.patch('oslo_log.versionutils.report_deprecated_feature')
+    def test_pipeline_factory_v21_noauth2(self, mock_report_deprecated):
        fake_pipeline = 'test1 test2 test3'
        CONF.set_override('auth_strategy', 'noauth2', group='api')
        app = nova.api.auth.pipeline_factory_v21(
            TestPipeLineFactory.FakeLoader(), None, noauth2=fake_pipeline)
        self._test_pipeline(fake_pipeline, app)
+        self.assertTrue(mock_report_deprecated.called)

    @mock.patch('oslo_log.versionutils.report_deprecated_feature')
    def test_pipeline_factory_legacy_v2_deprecated(self,
--- a/releasenotes/notes/deprecate-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml
+++ b/releasenotes/notes/deprecate-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml
@ -0,0 +1,7 @@
+---
+deprecations:
+  - |
+    The ``[api]auth_strategy`` conf option and the corresponding test-only
+    ``noauth2`` pipeline in ``api-paste.ini`` are deprecated and will be
+    removed in a future release. The only supported ``auth_strategy`` is
+    ``keystone``, the default.