Stop handling cells v1 for console authentication
There were a lot of workarounds here to ensure we didn't switch to the new model (vs. the old 'nova-consoleauth' service) if users were on cells v1. These can go now, along with the old 'nova-consoleauth' service (though that's a later, separate change). Part of blueprint remove-cells-v1 Change-Id: I1b8f411b050d34e4e77e9a4f1e613135eb5f74b7 Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
parent
7954b2714e
commit
6ac15734b9
|
@ -389,11 +389,9 @@ class UpgradeCommands(upgradecheck.UpgradeCommands):
|
|||
telling the user to set [workarounds]enable_consoleauth = True if they
|
||||
are performing a rolling upgrade.
|
||||
"""
|
||||
# If we're using cells v1, we don't need to check if the workaround
|
||||
# needs to be used because cells v1 always uses nova-consoleauth.
|
||||
# If the operator has already enabled the workaround, we don't need
|
||||
# to check anything.
|
||||
if CONF.cells.enable or CONF.workarounds.enable_consoleauth:
|
||||
if CONF.workarounds.enable_consoleauth:
|
||||
return upgradecheck.Result(upgradecheck.Code.SUCCESS)
|
||||
|
||||
# We need to check cell0 for nova-consoleauth service records because
|
||||
|
|
|
@ -2031,10 +2031,7 @@ class API(base.Base):
|
|||
instance.progress = 0
|
||||
instance.save()
|
||||
|
||||
# NOTE(dtp): cells.enable = False means "use cells v2".
|
||||
# Run everywhere except v1 compute cells.
|
||||
if (not CONF.cells.enable and CONF.workarounds.enable_consoleauth
|
||||
) or self.cell_type == 'api':
|
||||
if CONF.workarounds.enable_consoleauth:
|
||||
# TODO(melwitt): Remove the conditions for running this line
|
||||
# with cells v2, when consoleauth is no longer being used by
|
||||
# cells v2, in Stein.
|
||||
|
@ -4551,7 +4548,7 @@ class API(base.Base):
|
|||
# we convert to using the database. Remove the condition for running
|
||||
# this line with cells v2, when consoleauth is no longer being used by
|
||||
# cells v2, in Stein.
|
||||
if CONF.cells.enable or CONF.workarounds.enable_consoleauth:
|
||||
if CONF.workarounds.enable_consoleauth:
|
||||
self.consoleauth_rpcapi.delete_tokens_for_instance(
|
||||
context, instance.uuid)
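Review bot: The two comments kept in this file (the `TODO(melwitt)` under the first new `if CONF.workarounds.enable_consoleauth:` and the one above `delete_tokens_for_instance`) still speak of "the conditions for running this line with cells v2", although the only condition left is the workaround flag. The consequence worth documenting is that tokens held by nova-consoleauth are deleted on these paths only when that flag is set; the removed `self.cell_type == 'api'` and `CONF.cells.enable` arms used to force the deletion for cells v1 regardless of the flag. If a cells v1 deployment can still run at this commit, console tokens for the affected instance would presumably remain usable until they expire. Suggested comment: `# Tokens in the legacy nova-consoleauth store are only deleted here when [workarounds]enable_consoleauth is set; otherwise they lapse at their TTL.` The statement guarded by the first new `if` lies outside the hunk.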
|
||||
|
||||
|
|
|
@ -6927,8 +6927,8 @@ class ComputeManager(manager.Manager):
|
|||
def _clean_instance_console_tokens(self, ctxt, instance):
|
||||
"""Clean console tokens stored for an instance."""
|
||||
# If the database backend isn't in use, don't bother trying to clean
|
||||
# tokens. The database backend is not supported for cells v1.
|
||||
if not CONF.cells.enable and self._consoles_enabled():
|
||||
# tokens.
|
||||
if self._consoles_enabled():
|
||||
objects.ConsoleAuthToken.\
|
||||
clean_console_auths_for_instance(ctxt, instance.uuid)
|
||||
|
||||
|
@ -8530,8 +8530,5 @@ class ComputeManager(manager.Manager):
|
|||
instance. After a time they expire. We periodically remove any expired
|
||||
tokens from the database.
|
||||
"""
|
||||
# If the database backend isn't in use, don't bother looking for
|
||||
# expired tokens. The database backend is not supported for cells v1.
|
||||
if not CONF.cells.enable:
|
||||
objects.ConsoleAuthToken.\
|
||||
clean_expired_console_auths_for_host(context, self.host)
|
||||
objects.ConsoleAuthToken.clean_expired_console_auths_for_host(
|
||||
context, self.host)
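Review bot: The rewritten comment in `_clean_instance_console_tokens` ("If the database backend isn't in use, don't bother trying to clean tokens.") no longer matches its guard, which is now just `self._consoles_enabled()`. With the cells v1 clause gone, the check appears to ask whether any console type is enabled on this host rather than which token backend is in use; `_consoles_enabled` is defined outside the hunk, so confirm before rewording. Something like `# No console type is enabled on this host, so there are no database tokens to clean.` would describe the guard more directly.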
|
||||
|
|
|
@ -181,12 +181,6 @@ this flag should be disabled. For example, if a deployment has configured a
|
|||
token TTL of one hour, the operator may disable the flag, one hour after
|
||||
deploying the new code during an upgrade.
|
||||
|
||||
.. note:: Cells v1 was not converted to use the database backend for
|
||||
console token authorizations. Cells v1 console token authorizations will
|
||||
continue to be supported by the ``nova-consoleauth`` service and use of
|
||||
the ``[workarounds]/enable_consoleauth`` option does not apply to
|
||||
Cells v1 users.
|
||||
|
||||
Related options:
|
||||
|
||||
* ``[consoleauth]/token_ttl``
|
||||
|
|
|
@ -150,26 +150,19 @@ class NovaProxyRequestHandlerBase(object):
|
|||
def _get_connect_info(self, ctxt, token):
|
||||
"""Validate the token and get the connect info."""
|
||||
connect_info = None
|
||||
# NOTE(PaulMurray) if we are using cells v1, we use the old consoleauth
|
||||
# way of doing things. The database backend is not supported for cells
|
||||
# v1.
|
||||
if CONF.cells.enable:
|
||||
|
||||
# NOTE(melwitt): If consoleauth is enabled to aid in transitioning
|
||||
# to the database backend, check it first before falling back to
|
||||
# the database. Tokens that existed pre-database-backend will
|
||||
# reside in the consoleauth service storage.
|
||||
if CONF.workarounds.enable_consoleauth:
|
||||
connect_info = self._get_connect_info_consoleauth(ctxt, token)
|
||||
if not connect_info:
|
||||
raise exception.InvalidToken(token='***')
|
||||
else:
|
||||
# NOTE(melwitt): If consoleauth is enabled to aid in transitioning
|
||||
# to the database backend, check it first before falling back to
|
||||
# the database. Tokens that existed pre-database-backend will
|
||||
# reside in the consoleauth service storage.
|
||||
if CONF.workarounds.enable_consoleauth:
|
||||
connect_info = self._get_connect_info_consoleauth(ctxt, token)
|
||||
# If consoleauth is enabled to aid in transitioning to the database
|
||||
# backend and we didn't find a token in the consoleauth service
|
||||
# storage, check the database for a token because it's probably a
|
||||
# post-database-backend token, which are stored in the database.
|
||||
if not connect_info:
|
||||
connect_info = self._get_connect_info_database(ctxt, token)
|
||||
# If consoleauth is enabled to aid in transitioning to the database
|
||||
# backend and we didn't find a token in the consoleauth service
|
||||
# storage, check the database for a token because it's probably a
|
||||
# post-database-backend token, which are stored in the database.
|
||||
if not connect_info:
|
||||
connect_info = self._get_connect_info_database(ctxt, token)
|
||||
|
||||
return connect_info
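Review bot: `_get_connect_info` no longer has a rejection path of its own: the only `raise exception.InvalidToken(token='***')` lived in the removed cells v1 branch, so an unknown or expired token is now refused only if `_get_connect_info_database` raises. That helper is outside the hunk and presumably does, but the docstring "Validate the token and get the connect info." should say so, for example by adding `Raises InvalidToken if neither backend recognises the token.` If a falsy return from the database helper is possible, end the function with `if not connect_info: raise exception.InvalidToken(token='***')` before `return connect_info`, keeping the masked `'***'` value the removed branch used.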
|
||||
|
||||
|
|
|
@ -23,7 +23,6 @@ import oslo_messaging as messaging
|
|||
from oslo_serialization import jsonutils
|
||||
|
||||
from nova import cache_utils
|
||||
from nova.cells import rpcapi as cells_rpcapi
|
||||
from nova.compute import rpcapi as compute_rpcapi
|
||||
import nova.conf
|
||||
from nova import context as nova_context
|
||||
|
@ -47,7 +46,6 @@ class ConsoleAuthManager(manager.Manager):
|
|||
self._mc = None
|
||||
self._mc_instance = None
|
||||
self.compute_rpcapi = compute_rpcapi.ComputeAPI()
|
||||
self.cells_rpcapi = cells_rpcapi.CellsAPI()
|
||||
|
||||
@property
|
||||
def mc(self):
|
||||
|
@ -109,13 +107,6 @@ class ConsoleAuthManager(manager.Manager):
|
|||
if instance_uuid is None:
|
||||
return False
|
||||
|
||||
# NOTE(comstud): consoleauth was meant to run in API cells. So,
|
||||
# if cells is enabled, we must call down to the child cell for
|
||||
# the instance.
|
||||
if CONF.cells.enable:
|
||||
return self.cells_rpcapi.validate_console_port(context,
|
||||
instance_uuid, token['port'], token['console_type'])
|
||||
|
||||
mapping = objects.InstanceMapping.get_by_instance_uuid(context,
|
||||
instance_uuid)
|
||||
with nova_context.target_cell(context, mapping.cell_mapping) as cctxt:
|
||||
|
|
|
@ -662,14 +662,6 @@ class TestUpgradeCheckConsoles(test.NoDBTestCase):
|
|||
|
||||
return service
|
||||
|
||||
def test_check_cells_v1_enabled(self):
|
||||
"""This is a 'success' case since the console auths check is
|
||||
ignored when running cells v1.
|
||||
"""
|
||||
self.flags(enable=True, group='cells')
|
||||
result = self.cmd._check_console_auths()
|
||||
self.assertEqual(upgradecheck.Code.SUCCESS, result.code)
|
||||
|
||||
def test_check_workaround_enabled(self):
|
||||
"""This is a 'success' case since the console auths check is
|
||||
ignored when the workaround is already enabled.
|
||||
|
|
|
@ -10178,7 +10178,7 @@ class ComputeAPITestCase(BaseTestCase):
|
|||
mock_get.assert_called_once_with(
|
||||
self.context, instance=fake_instance,
|
||||
console_type=fake_console_type)
|
||||
if enable_consoleauth or CONF.cells.enable:
|
||||
if enable_consoleauth:
|
||||
mock_auth.assert_called_once_with(
|
||||
self.context, 'fake_token', fake_console_type,
|
||||
'fake_console_host', 'fake_console_port', 'fake_access_path',
|
||||
|
@ -10222,7 +10222,7 @@ class ComputeAPITestCase(BaseTestCase):
|
|||
mock_spice.assert_called_once_with(self.context,
|
||||
instance=fake_instance,
|
||||
console_type=fake_console_type)
|
||||
if enable_consoleauth or CONF.cells.enable:
|
||||
if enable_consoleauth:
|
||||
mock_auth.assert_called_once_with(
|
||||
self.context, 'fake_token', fake_console_type,
|
||||
'fake_console_host', 'fake_console_port', 'fake_access_path',
|
||||
|
@ -10283,7 +10283,7 @@ class ComputeAPITestCase(BaseTestCase):
|
|||
self.assertEqual(console, {'url': 'fake_console_url'})
|
||||
mock_rdp.assert_called_once_with(self.context, instance=fake_instance,
|
||||
console_type=fake_console_type)
|
||||
if enable_consoleauth or CONF.cells.enable:
|
||||
if enable_consoleauth:
|
||||
mock_auth.assert_called_once_with(
|
||||
self.context, 'fake_token', fake_console_type,
|
||||
'fake_console_host', 'fake_console_port', 'fake_access_path',
|
||||
|
@ -11416,7 +11416,7 @@ class ComputeAPITestCase(BaseTestCase):
|
|||
disk_over_commit=True,
|
||||
request_spec=fake_spec, async_=False)
|
||||
|
||||
if CONF.workarounds.enable_consoleauth or CONF.cells.enable:
|
||||
if CONF.workarounds.enable_consoleauth:
|
||||
delete_tokens_for_instance.assert_called_once_with(
|
||||
self.context, instance.uuid)
|
||||
else:
|
||||
|
|
|
@ -1202,8 +1202,7 @@ class _ComputeAPIUnitTestMixIn(object):
|
|||
mock_terminate.assert_called_once_with(
|
||||
self.context, inst, [], delete_type=delete_type)
|
||||
|
||||
if ((self.cell_type is None and CONF.workarounds.enable_consoleauth)
|
||||
or self.cell_type == 'api'):
|
||||
if CONF.workarounds.enable_consoleauth:
|
||||
mock_del_token.assert_called_once_with(self.context, instance_uuid)
|
||||
else:
|
||||
mock_del_token.assert_not_called()
|
||||
|
|
|
@ -19,6 +19,7 @@ import copy
|
|||
import functools
|
||||
import inspect
|
||||
|
||||
import ddt
|
||||
import mock
|
||||
from oslo_utils.fixture import uuidsentinel as uuids
|
||||
from oslo_utils import timeutils
|
||||
|
@ -110,6 +111,7 @@ def deploy_stubs(stubs, api, original_instance=None):
|
|||
stubs.Set(api, '_cast_to_cells', cast)
|
||||
|
||||
|
||||
@ddt.ddt
|
||||
class CellsComputeAPITestCase(test_compute.ComputeAPITestCase):
|
||||
def setUp(self):
|
||||
self.flags(use_neutron=False)
|
||||
|
@ -520,6 +522,18 @@ class CellsComputeAPITestCase(test_compute.ComputeAPITestCase):
|
|||
super(CellsComputeAPITestCase,
|
||||
self).test_multi_instance_display_name(cells_enabled=True)
|
||||
|
||||
@ddt.data(True, False)
|
||||
def test_rdp_console(self, enabled_consoleauth):
|
||||
self.skipTest("Removing cells v1")
|
||||
|
||||
@ddt.data(True, False)
|
||||
def test_spice_console(self, enabled_consoleauth):
|
||||
self.skipTest("Removing cells v1")
|
||||
|
||||
@ddt.data(True, False)
|
||||
def test_vnc_console(self, enabled_consoleauth):
|
||||
self.skipTest("Removing cells v1")
|
||||
|
||||
|
||||
class CellsShelveComputeAPITestCase(test_shelve.ShelveComputeAPITestCase):
|
||||
def setUp(self):
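Review bot: The three overrides `test_rdp_console`, `test_spice_console` and `test_vnc_console` skip unconditionally, so the console token authorization path of the cells API class loses its coverage while that class is, as far as this page shows, still present. Give the skip a reason that can be acted on, for example `self.skipTest("cells v1 console auth is going away, see blueprint remove-cells-v1")`, so the overrides are deleted together with the class rather than left behind. The parameter is spelled `enabled_consoleauth` here, whereas the `ComputeAPITestCase` hunks on this page use `enable_consoleauth`; ddt passes the value positionally, so this is cosmetic, but matching the name avoids confusion.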
|
||||
|
|
|
@ -4605,8 +4605,6 @@ class ComputeManagerUnitTestCase(test.NoDBTestCase,
|
|||
'clean_console_auths_for_instance')
|
||||
def test_clean_instance_console_tokens(self, g1, g2, g3, g4, g5,
|
||||
mock_clean):
|
||||
# Make sure cells v1 is disabled
|
||||
self.flags(enable=False, group='cells')
|
||||
# Enable one of each of the console types and disable the rest
|
||||
self.flags(enabled=True, group=g1)
|
||||
for g in [g2, g3, g4, g5]:
|
||||
|
@ -4625,30 +4623,12 @@ class ComputeManagerUnitTestCase(test.NoDBTestCase,
|
|||
self.compute._clean_instance_console_tokens(self.context, instance)
|
||||
mock_clean.assert_not_called()
|
||||
|
||||
@mock.patch('nova.objects.ConsoleAuthToken.'
|
||||
'clean_console_auths_for_instance')
|
||||
def test_clean_instance_console_tokens_cells_v1_enabled(self, mock_clean):
|
||||
# Enable cells v1
|
||||
self.flags(enable=True, group='cells')
|
||||
self.flags(enabled=True, group='vnc')
|
||||
instance = objects.Instance(uuid=uuids.instance)
|
||||
self.compute._clean_instance_console_tokens(self.context, instance)
|
||||
mock_clean.assert_not_called()
|
||||
|
||||
@mock.patch('nova.objects.ConsoleAuthToken.'
|
||||
'clean_expired_console_auths_for_host')
|
||||
def test_cleanup_expired_console_auth_tokens(self, mock_clean):
|
||||
# Make sure cells v1 is disabled
|
||||
self.flags(enable=False, group='cells')
|
||||
self.compute._cleanup_expired_console_auth_tokens(self.context)
|
||||
mock_clean.assert_called_once_with(self.context, self.compute.host)
|
||||
|
||||
# Enable cells v1
|
||||
mock_clean.reset_mock()
|
||||
self.flags(enable=True, group='cells')
|
||||
self.compute._cleanup_expired_console_auth_tokens(self.context)
|
||||
mock_clean.assert_not_called()
|
||||
|
||||
@mock.patch.object(nova.context.RequestContext, 'elevated')
|
||||
@mock.patch.object(nova.objects.InstanceList, 'get_by_host')
|
||||
@mock.patch.object(nova.scheduler.client.query.SchedulerQueryClient,
|
||||
|
|
|
@ -197,26 +197,6 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
|
|||
'Host': 'example.net:6080',
|
||||
}
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_with_server_with_cells(self, check_token):
|
||||
# this test cells enabled, so consoleauth should be used
|
||||
CONF.set_override('enable', True, group='cells')
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'console_type': 'novnc',
|
||||
'access_url': 'https://example.net:6080'
|
||||
}
|
||||
self.wh.socket.return_value = '<socket>'
|
||||
self.wh.path = "http://127.0.0.1/?token=123-456-789"
|
||||
self.wh.headers = self.fake_header
|
||||
|
||||
self.wh.new_websocket_client()
|
||||
|
||||
check_token.assert_called_with(mock.ANY, token="123-456-789")
|
||||
self.wh.socket.assert_called_with('node1', 10000, connect=True)
|
||||
self.wh.do_proxy.assert_called_with('<socket>')
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_enable_consoleauth(self, check_token):
|
||||
self.flags(enable_consoleauth=True, group='workarounds')
|
||||
|
|
|
@ -238,14 +238,3 @@ class ControlauthMemcacheEncodingTestCase(test.NoDBTestCase):
|
|||
mock_instance_get.assert_has_calls([mock.call(b'instance')])
|
||||
mock_instance_delete.assert_has_calls([mock.call(b'instance')])
|
||||
mock_delete_multi.assert_has_calls([mock.call([b'token'])])
|
||||
|
||||
|
||||
class CellsConsoleauthTestCase(ConsoleauthTestCase):
|
||||
"""Test Case for consoleauth w/ cells enabled."""
|
||||
|
||||
rpcapi = 'nova.cells.rpcapi.CellsAPI.'
|
||||
|
||||
def setUp(self):
|
||||
super(CellsConsoleauthTestCase, self).setUp()
|
||||
self.flags(enable=True, group='cells')
|
||||
self.is_cells = True
|
||||
|
|