From 18de63deaab792a490e987663d96b6025309b862 Mon Sep 17 00:00:00 2001
From: Eric Fried
Date: Tue, 8 Oct 2019 13:02:29 -0500
Subject: [PATCH] Deprecate [api]auth_strategy and noauth2
[api]auth_strategy defaults to `keystone`. The only other choice is `noauth2`, which activates noauth paste pipelines, which go through NoAuthMiddleware, which is crusty and bogus. It is used in our functional tests to avoid having to fixture out keystone, but should not be used in real deployments, ever. Deprecate the option for removal, and add a deprecation warning in the paste pipeline if it is used. When we remove the option, we could just hardcode to `keystone`. At that time, we also need to move the middleware under the nova.tests package -- or find a way to get rid of it entirely by instead stubbing out keystone in tests if that's relatively easy.
Change-Id: I9e2be5423cc0821a628db7a68ad52bbd91264acd
---
 etc/nova/api-paste.ini | 10 ++++++++--
 nova/api/auth.py | 11 ++++++++++-
 nova/conf/api.py | 8 +++++++-
 nova/tests/unit/api/test_auth.py | 11 +++++++++++
 ...te-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml | 7 +++++++
 5 files changed, 43 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/deprecate-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml
diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini
index 8bde418be4a0..2aaa7bf808c0 100644
--- a/etc/nova/api-paste.ini
+++ b/etc/nova/api-paste.ini
@@ -28,13 +28,17 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
 [composite:openstack_compute_api_v21]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21
 keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext osapi_compute_app_v21
+# DEPRECATED: The [api]auth_strategy conf option is deprecated and will be
+# removed in a subsequent release, whereupon this pipeline will be unreachable.
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21
 [composite:openstack_compute_api_v21_legacy_v2_compatible]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21
 keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+# DEPRECATED: The [api]auth_strategy conf option is deprecated and will be
+# removed in a subsequent release, whereupon this pipeline will be unreachable.
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21
 [filter:request_log]
 paste.filter_factory = nova.api.openstack.requestlog:RequestLog.factory
@@ -45,6 +49,8 @@ paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory
 [filter:faultwrap]
 paste.filter_factory = nova.api.openstack:FaultWrapper.factory
+# DEPRECATED: NoAuthMiddleware will be removed in a subsequent release,
+# whereupon this filter will cease to function.
 [filter:noauth2]
 paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
diff --git a/nova/api/auth.py b/nova/api/auth.py
index 4663d6444a99..e93e83f1af98 100644
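Review bot: The new comments above the two `noauth2 =` pipelines and above `[filter:noauth2]` say only that the entries are deprecated, not why an operator should stop using them before they are removed. The commit message and the option's new `deprecated_reason` both state that this pipeline is for development and testing and should not be used in deployments, and that is what a reader of api-paste.ini most needs to see. I would add a line such as `# For internal development and testing only; do not enable in a deployment.` to each of the three comments.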
--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@@ -53,7 +53,16 @@ def pipeline_factory(loader, global_conf, **local_conf):
 def pipeline_factory_v21(loader, global_conf, **local_conf):
 """A paste pipeline replica that keys off of auth_strategy."""
- return _load_pipeline(loader, local_conf[CONF.api.auth_strategy].split())
+ auth_strategy = CONF.api.auth_strategy
+ if auth_strategy == 'noauth2':
+ versionutils.report_deprecated_feature(
+ LOG,
+ "'[api]auth_strategy=noauth2' is deprecated as of the 21.0.0 "
+ "Ussuri release and will be removed in a future release. Please "
+ "remove any 'noauth2' entries from api-paste.ini; only the "
+ "'keystone' pipeline is supported."
+ )
+ return _load_pipeline(loader, local_conf[auth_strategy].split())
 class InjectContext(wsgi.Middleware):
diff --git a/nova/conf/api.py b/nova/conf/api.py
index eeba12894c16..e5dea5a24171 100644
--- a/nova/conf/api.py
+++ b/nova/conf/api.py
@@ -30,7 +30,13 @@ auth_opts = [
 "credential checking. 'noauth2' provides administrative "
 "credentials only if 'admin' is specified as the username."),
 ],
- deprecated_group="DEFAULT",
+ deprecated_for_removal=True,
+ deprecated_since='21.0.0',
+ deprecated_reason="""
+The only non-default choice, ``noauth2``, is for internal development and
+testing purposes only and should not be used in deployments. This option and
+its middleware, NoAuthMiddleware[V2_18], will be removed in a future release.
+""",
 help="""
 Determine the strategy to use for authentication.
 """),
diff --git a/nova/tests/unit/api/test_auth.py b/nova/tests/unit/api/test_auth.py
index 9b207a6f945f..3be245b90e25 100644
--- a/nova/tests/unit/api/test_auth.py
+++ b/nova/tests/unit/api/test_auth.py
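Review bot: The warning text in `pipeline_factory_v21` tells operators to remove the `noauth2` entries from api-paste.ini but never tells them to change `[api]auth_strategy` itself. An operator who follows it literally while the option is still `noauth2` would hit a `KeyError` at `local_conf[auth_strategy]` on the next start, which stops the API from loading but gives no hint of the cause. I would reword the last two sentences as `"Set '[api]auth_strategy' to 'keystone' (the default) and remove any 'noauth2' entries from api-paste.ini; only the 'keystone' pipeline is supported."`. The module's imports are outside the hunk, so `versionutils` and `LOG` being in scope is assumed here.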
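Review bot: Removing `deprecated_group="DEFAULT",` from the `auth_strategy` option is a behaviour change of its own that neither the commit message nor the release note mentions. As far as the hunk shows, a config file that still sets `auth_strategy` under `[DEFAULT]` would stop being honoured and the option would fall back to its default, `keystone`; that is the safe direction, but the operator sees the auth pipeline change on upgrade with no explanation. Either keep `deprecated_group="DEFAULT",` next to the new `deprecated_for_removal=True,` until the option is actually removed, or add an `upgrade:` entry to the release note saying the `[DEFAULT]` fallback is gone. The option definition begins and ends outside the hunk.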
@@ -140,12 +140,23 @@ class TestPipeLineFactory(test.NoDBTestCase):
 self.assertEqual(app.name, pipeline.split()[-1])
 self.assertIsInstance(app, TestPipeLineFactory.FakeApp)
+ @mock.patch('oslo_log.versionutils.report_deprecated_feature',
+ new=mock.NonCallableMock())
 def test_pipeline_factory_v21(self):
+ fake_pipeline = 'test1 test2 test3'
+ CONF.set_override('auth_strategy', 'keystone', group='api')
+ app = nova.api.auth.pipeline_factory_v21(
+ TestPipeLineFactory.FakeLoader(), None, keystone=fake_pipeline)
+ self._test_pipeline(fake_pipeline, app)
+
+ @mock.patch('oslo_log.versionutils.report_deprecated_feature')
+ def test_pipeline_factory_v21_noauth2(self, mock_report_deprecated):
 fake_pipeline = 'test1 test2 test3'
 CONF.set_override('auth_strategy', 'noauth2', group='api')
 app = nova.api.auth.pipeline_factory_v21(
 TestPipeLineFactory.FakeLoader(), None, noauth2=fake_pipeline)
 self._test_pipeline(fake_pipeline, app)
+ self.assertTrue(mock_report_deprecated.called)
 @mock.patch('oslo_log.versionutils.report_deprecated_feature')
 def test_pipeline_factory_legacy_v2_deprecated(self,
diff --git a/releasenotes/notes/deprecate-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml b/releasenotes/notes/deprecate-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml
new file mode 100644
index 000000000000..3dcdc79862d2
--- /dev/null
+++ b/releasenotes/notes/deprecate-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml
@@ -0,0 +1,7 @@
+---
+deprecations:
+ - |
+ The ``[api]auth_strategy`` conf option and the corresponding test-only
+ ``noauth2`` pipeline in ``api-paste.ini`` are deprecated and will be
+ removed in a future release. The only supported ``auth_strategy`` is
+ ``keystone``, the default.
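Review bot: The `new=mock.NonCallableMock()` on `test_pipeline_factory_v21` carries the whole negative assertion of that test, since any deprecation report on the keystone path would raise `TypeError`, yet nothing in the test says so and it reads like an unusual stub. A one-line comment above the decorator would make the intent survive later edits: `# NonCallableMock: the keystone path must never report a deprecation.` In `test_pipeline_factory_v21_noauth2`, `self.assertTrue(mock_report_deprecated.called)` also passes if the warning is reported more than once; `mock_report_deprecated.assert_called_once()` is tighter. The test class and the following legacy-v2 test continue outside the hunk.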