diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini
index 8bde418be4a0..2aaa7bf808c0 100644
--- a/etc/nova/api-paste.ini
+++ b/etc/nova/api-paste.ini
@@ -28,13 +28,17 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
 
 [composite:openstack_compute_api_v21]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21
 keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext osapi_compute_app_v21
+# DEPRECATED: The [api]auth_strategy conf option is deprecated and will be
+# removed in a subsequent release, whereupon this pipeline will be unreachable.
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21
 
 [composite:openstack_compute_api_v21_legacy_v2_compatible]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21
 keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+# DEPRECATED: The [api]auth_strategy conf option is deprecated and will be
+# removed in a subsequent release, whereupon this pipeline will be unreachable.
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21
 
 [filter:request_log]
 paste.filter_factory = nova.api.openstack.requestlog:RequestLog.factory
@@ -45,6 +49,8 @@ paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory
 [filter:faultwrap]
 paste.filter_factory = nova.api.openstack:FaultWrapper.factory
 
+# DEPRECATED: NoAuthMiddleware will be removed in a subsequent release,
+# whereupon this filter will cease to function.
 [filter:noauth2]
 paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
 
diff --git a/nova/api/auth.py b/nova/api/auth.py
index 4663d6444a99..e93e83f1af98 100644
--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@@ -53,7 +53,16 @@ def pipeline_factory(loader, global_conf, **local_conf):
 
 def pipeline_factory_v21(loader, global_conf, **local_conf):
     """A paste pipeline replica that keys off of auth_strategy."""
-    return _load_pipeline(loader, local_conf[CONF.api.auth_strategy].split())
+    auth_strategy = CONF.api.auth_strategy
+    if auth_strategy == 'noauth2':
+        versionutils.report_deprecated_feature(
+            LOG,
+            "'[api]auth_strategy=noauth2' is deprecated as of the 21.0.0 "
+            "Ussuri release and will be removed in a future release. Please "
+            "remove any 'noauth2' entries from api-paste.ini; only the "
+            "'keystone' pipeline is supported."
+        )
+    return _load_pipeline(loader, local_conf[auth_strategy].split())
 
 
 class InjectContext(wsgi.Middleware):
diff --git a/nova/conf/api.py b/nova/conf/api.py
index eeba12894c16..e5dea5a24171 100644
--- a/nova/conf/api.py
+++ b/nova/conf/api.py
@@ -30,7 +30,13 @@ auth_opts = [
              "credential checking. 'noauth2' provides administrative "
              "credentials only if 'admin' is specified as the username."),
         ],
-        deprecated_group="DEFAULT",
+        deprecated_for_removal=True,
+        deprecated_since='21.0.0',
+        deprecated_reason="""
+The only non-default choice, ``noauth2``, is for internal development and
+testing purposes only and should not be used in deployments. This option and
+its middleware, NoAuthMiddleware[V2_18], will be removed in a future release.
+""",
         help="""
 Determine the strategy to use for authentication.
 """),
diff --git a/nova/tests/unit/api/test_auth.py b/nova/tests/unit/api/test_auth.py
index 9b207a6f945f..3be245b90e25 100644
--- a/nova/tests/unit/api/test_auth.py
+++ b/nova/tests/unit/api/test_auth.py
@@ -140,12 +140,23 @@ class TestPipeLineFactory(test.NoDBTestCase):
         self.assertEqual(app.name, pipeline.split()[-1])
         self.assertIsInstance(app, TestPipeLineFactory.FakeApp)
 
+    @mock.patch('oslo_log.versionutils.report_deprecated_feature',
+                new=mock.NonCallableMock())
     def test_pipeline_factory_v21(self):
+        fake_pipeline = 'test1 test2 test3'
+        CONF.set_override('auth_strategy', 'keystone', group='api')
+        app = nova.api.auth.pipeline_factory_v21(
+            TestPipeLineFactory.FakeLoader(), None, keystone=fake_pipeline)
+        self._test_pipeline(fake_pipeline, app)
+
+    @mock.patch('oslo_log.versionutils.report_deprecated_feature')
+    def test_pipeline_factory_v21_noauth2(self, mock_report_deprecated):
         fake_pipeline = 'test1 test2 test3'
         CONF.set_override('auth_strategy', 'noauth2', group='api')
         app = nova.api.auth.pipeline_factory_v21(
             TestPipeLineFactory.FakeLoader(), None, noauth2=fake_pipeline)
         self._test_pipeline(fake_pipeline, app)
+        self.assertTrue(mock_report_deprecated.called)
 
     @mock.patch('oslo_log.versionutils.report_deprecated_feature')
     def test_pipeline_factory_legacy_v2_deprecated(self,
diff --git a/releasenotes/notes/deprecate-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml b/releasenotes/notes/deprecate-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml
new file mode 100644
index 000000000000..3dcdc79862d2
--- /dev/null
+++ b/releasenotes/notes/deprecate-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml
@@ -0,0 +1,7 @@
+---
+deprecations:
+  - |
+    The ``[api]auth_strategy`` conf option and the corresponding test-only
+    ``noauth2`` pipeline in ``api-paste.ini`` are deprecated and will be
+    removed in a future release. The only supported ``auth_strategy`` is
+    ``keystone``, the default.