Stop handling cells v1 for console authentication

There were a lot of workarounds here to ensure we didn't switch to the
new model (vs. the old 'nova-consoleauth' service) if users were on
cells v1. These can go now, along with the old 'nova-consoleauth'
service (though that's a later, separate change).

Part of blueprint remove-cells-v1

Change-Id: I1b8f411b050d34e4e77e9a4f1e613135eb5f74b7
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Stephen Finucane 2019-04-04 14:08:56 +01:00
parent 7954b2714e
commit 6ac15734b9
13 changed files with 38 additions and 114 deletions


@ -389,11 +389,9 @@ class UpgradeCommands(upgradecheck.UpgradeCommands):
telling the user to set [workarounds]enable_consoleauth = True if they
are performing a rolling upgrade.
"""
# If we're using cells v1, we don't need to check if the workaround
# needs to be used because cells v1 always uses nova-consoleauth.
# If the operator has already enabled the workaround, we don't need
# to check anything.
if CONF.cells.enable or CONF.workarounds.enable_consoleauth:
if CONF.workarounds.enable_consoleauth:
return upgradecheck.Result(upgradecheck.Code.SUCCESS)
# We need to check cell0 for nova-consoleauth service records because


@ -2031,10 +2031,7 @@ class API(base.Base):
instance.progress = 0
instance.save()
# NOTE(dtp): cells.enable = False means "use cells v2".
# Run everywhere except v1 compute cells.
if (not CONF.cells.enable and CONF.workarounds.enable_consoleauth
) or self.cell_type == 'api':
if CONF.workarounds.enable_consoleauth:
# TODO(melwitt): Remove the conditions for running this line
# with cells v2, when consoleauth is no longer being used by
# cells v2, in Stein.
@ -4551,7 +4548,7 @@ class API(base.Base):
# we convert to using the database. Remove the condition for running
# this line with cells v2, when consoleauth is no longer being used by
# cells v2, in Stein.
if CONF.cells.enable or CONF.workarounds.enable_consoleauth:
if CONF.workarounds.enable_consoleauth:
self.consoleauth_rpcapi.delete_tokens_for_instance(
context, instance.uuid)
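Review bot: The TODO comments kept above both rewritten conditions still talk about removing "the conditions for running this line with cells v2 ... in Stein", which no longer describes a guard that tests only `CONF.workarounds.enable_consoleauth`. The guarded call visible in the second hunk is `delete_tokens_for_instance`, i.e. the revocation of an instance's console tokens held by nova-consoleauth, so the comment should state plainly when that revocation is skipped. Something like `# TODO: drop this guard and the consoleauth RPC call once [workarounds]enable_consoleauth is removed.` would fit both places. Both enclosing methods start and end outside the hunks shown.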


@ -6927,8 +6927,8 @@ class ComputeManager(manager.Manager):
def _clean_instance_console_tokens(self, ctxt, instance):
"""Clean console tokens stored for an instance."""
# If the database backend isn't in use, don't bother trying to clean
# tokens. The database backend is not supported for cells v1.
if not CONF.cells.enable and self._consoles_enabled():
# tokens.
if self._consoles_enabled():
objects.ConsoleAuthToken.\
clean_console_auths_for_instance(ctxt, instance.uuid)
@ -8530,8 +8530,5 @@ class ComputeManager(manager.Manager):
instance. After a time they expire. We periodically remove any expired
tokens from the database.
"""
# If the database backend isn't in use, don't bother looking for
# expired tokens. The database backend is not supported for cells v1.
if not CONF.cells.enable:
objects.ConsoleAuthToken.\
clean_expired_console_auths_for_host(context, self.host)
objects.ConsoleAuthToken.clean_expired_console_auths_for_host(
context, self.host)
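Review bot: The shortened comment in `_clean_instance_console_tokens` says cleanup is skipped when "the database backend isn't in use", but the only condition left is `self._consoles_enabled()`, so the comment and the guard describe different things. A comment such as `# Skip per-instance token cleanup when no console type is enabled on this host.` would match the code, assuming that is what `_consoles_enabled` tests (it is defined outside the hunk). The periodic task in the second hunk now calls `clean_expired_console_auths_for_host` with no guard at all, so the two cleanup paths differ when consoles are disabled. If purging expired tokens regardless is intended, a one-line comment saying so would save the next reader the question.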


@ -181,12 +181,6 @@ this flag should be disabled. For example, if a deployment has configured a
token TTL of one hour, the operator may disable the flag, one hour after
deploying the new code during an upgrade.
.. note:: Cells v1 was not converted to use the database backend for
console token authorizations. Cells v1 console token authorizations will
continue to be supported by the ``nova-consoleauth`` service and use of
the ``[workarounds]/enable_consoleauth`` option does not apply to
Cells v1 users.
Related options:
* ``[consoleauth]/token_ttl``


@ -150,26 +150,19 @@ class NovaProxyRequestHandlerBase(object):
def _get_connect_info(self, ctxt, token):
"""Validate the token and get the connect info."""
connect_info = None
# NOTE(PaulMurray) if we are using cells v1, we use the old consoleauth
# way of doing things. The database backend is not supported for cells
# v1.
if CONF.cells.enable:
# NOTE(melwitt): If consoleauth is enabled to aid in transitioning
# to the database backend, check it first before falling back to
# the database. Tokens that existed pre-database-backend will
# reside in the consoleauth service storage.
if CONF.workarounds.enable_consoleauth:
connect_info = self._get_connect_info_consoleauth(ctxt, token)
if not connect_info:
raise exception.InvalidToken(token='***')
else:
# NOTE(melwitt): If consoleauth is enabled to aid in transitioning
# to the database backend, check it first before falling back to
# the database. Tokens that existed pre-database-backend will
# reside in the consoleauth service storage.
if CONF.workarounds.enable_consoleauth:
connect_info = self._get_connect_info_consoleauth(ctxt, token)
# If consoleauth is enabled to aid in transitioning to the database
# backend and we didn't find a token in the consoleauth service
# storage, check the database for a token because it's probably a
# post-database-backend token, which are stored in the database.
if not connect_info:
connect_info = self._get_connect_info_database(ctxt, token)
# If consoleauth is enabled to aid in transitioning to the database
# backend and we didn't find a token in the consoleauth service
# storage, check the database for a token because it's probably a
# post-database-backend token, which are stored in the database.
if not connect_info:
connect_info = self._get_connect_info_database(ctxt, token)
return connect_info
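Review bot: With the cells v1 branch gone, `_get_connect_info` no longer contains an explicit `raise exception.InvalidToken(token='***')`, so rejecting an unknown token now rests entirely on `_get_connect_info_database`, which is not visible in this hunk. If that helper could ever return an empty value instead of raising, this function would hand `None` back to the proxy handler. The contract is worth confirming and recording in the docstring, e.g. `"""Validate the token and get the connect info; raises InvalidToken if neither backend knows the token."""`. A unit test for the path where consoleauth returns nothing and the database lookup rejects the token would pin that behaviour. The comment before `if not connect_info:` also reads as if the database is consulted only during the transition, while it is now the default path.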


@ -23,7 +23,6 @@ import oslo_messaging as messaging
from oslo_serialization import jsonutils
from nova import cache_utils
from nova.cells import rpcapi as cells_rpcapi
from nova.compute import rpcapi as compute_rpcapi
import nova.conf
from nova import context as nova_context
@ -47,7 +46,6 @@ class ConsoleAuthManager(manager.Manager):
self._mc = None
self._mc_instance = None
self.compute_rpcapi = compute_rpcapi.ComputeAPI()
self.cells_rpcapi = cells_rpcapi.CellsAPI()
@property
def mc(self):
@ -109,13 +107,6 @@ class ConsoleAuthManager(manager.Manager):
if instance_uuid is None:
return False
# NOTE(comstud): consoleauth was meant to run in API cells. So,
# if cells is enabled, we must call down to the child cell for
# the instance.
if CONF.cells.enable:
return self.cells_rpcapi.validate_console_port(context,
instance_uuid, token['port'], token['console_type'])
mapping = objects.InstanceMapping.get_by_instance_uuid(context,
instance_uuid)
with nova_context.target_cell(context, mapping.cell_mapping) as cctxt:


@ -662,14 +662,6 @@ class TestUpgradeCheckConsoles(test.NoDBTestCase):
return service
def test_check_cells_v1_enabled(self):
"""This is a 'success' case since the console auths check is
ignored when running cells v1.
"""
self.flags(enable=True, group='cells')
result = self.cmd._check_console_auths()
self.assertEqual(upgradecheck.Code.SUCCESS, result.code)
def test_check_workaround_enabled(self):
"""This is a 'success' case since the console auths check is
ignored when the workaround is already enabled.


@ -10178,7 +10178,7 @@ class ComputeAPITestCase(BaseTestCase):
mock_get.assert_called_once_with(
self.context, instance=fake_instance,
console_type=fake_console_type)
if enable_consoleauth or CONF.cells.enable:
if enable_consoleauth:
mock_auth.assert_called_once_with(
self.context, 'fake_token', fake_console_type,
'fake_console_host', 'fake_console_port', 'fake_access_path',
@ -10222,7 +10222,7 @@ class ComputeAPITestCase(BaseTestCase):
mock_spice.assert_called_once_with(self.context,
instance=fake_instance,
console_type=fake_console_type)
if enable_consoleauth or CONF.cells.enable:
if enable_consoleauth:
mock_auth.assert_called_once_with(
self.context, 'fake_token', fake_console_type,
'fake_console_host', 'fake_console_port', 'fake_access_path',
@ -10283,7 +10283,7 @@ class ComputeAPITestCase(BaseTestCase):
self.assertEqual(console, {'url': 'fake_console_url'})
mock_rdp.assert_called_once_with(self.context, instance=fake_instance,
console_type=fake_console_type)
if enable_consoleauth or CONF.cells.enable:
if enable_consoleauth:
mock_auth.assert_called_once_with(
self.context, 'fake_token', fake_console_type,
'fake_console_host', 'fake_console_port', 'fake_access_path',
@ -11416,7 +11416,7 @@ class ComputeAPITestCase(BaseTestCase):
disk_over_commit=True,
request_spec=fake_spec, async_=False)
if CONF.workarounds.enable_consoleauth or CONF.cells.enable:
if CONF.workarounds.enable_consoleauth:
delete_tokens_for_instance.assert_called_once_with(
self.context, instance.uuid)
else:


@ -1202,8 +1202,7 @@ class _ComputeAPIUnitTestMixIn(object):
mock_terminate.assert_called_once_with(
self.context, inst, [], delete_type=delete_type)
if ((self.cell_type is None and CONF.workarounds.enable_consoleauth)
or self.cell_type == 'api'):
if CONF.workarounds.enable_consoleauth:
mock_del_token.assert_called_once_with(self.context, instance_uuid)
else:
mock_del_token.assert_not_called()


@ -19,6 +19,7 @@ import copy
import functools
import inspect
import ddt
import mock
from oslo_utils.fixture import uuidsentinel as uuids
from oslo_utils import timeutils
@ -110,6 +111,7 @@ def deploy_stubs(stubs, api, original_instance=None):
stubs.Set(api, '_cast_to_cells', cast)
@ddt.ddt
class CellsComputeAPITestCase(test_compute.ComputeAPITestCase):
def setUp(self):
self.flags(use_neutron=False)
@ -520,6 +522,18 @@ class CellsComputeAPITestCase(test_compute.ComputeAPITestCase):
super(CellsComputeAPITestCase,
self).test_multi_instance_display_name(cells_enabled=True)
@ddt.data(True, False)
def test_rdp_console(self, enabled_consoleauth):
self.skipTest("Removing cells v1")
@ddt.data(True, False)
def test_spice_console(self, enabled_consoleauth):
self.skipTest("Removing cells v1")
@ddt.data(True, False)
def test_vnc_console(self, enabled_consoleauth):
self.skipTest("Removing cells v1")
class CellsShelveComputeAPITestCase(test_shelve.ShelveComputeAPITestCase):
def setUp(self):
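Review bot: The three skip stubs take a parameter named `enabled_consoleauth`, while the test bodies in the `ComputeAPITestCase` hunks of this commit refer to `enable_consoleauth`. The argument is unused here, but matching the overridden name keeps it obvious that these are overrides (the parent signatures are outside the lines shown, so this should be confirmed). The skip reason `"Removing cells v1"` also does not say why the console tests cannot run under this class. A short comment above the stubs, for example `# Console auth no longer special-cases cells v1, so the inherited assertions do not apply here.`, would explain the skips until the class itself is deleted.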


@ -4605,8 +4605,6 @@ class ComputeManagerUnitTestCase(test.NoDBTestCase,
'clean_console_auths_for_instance')
def test_clean_instance_console_tokens(self, g1, g2, g3, g4, g5,
mock_clean):
# Make sure cells v1 is disabled
self.flags(enable=False, group='cells')
# Enable one of each of the console types and disable the rest
self.flags(enabled=True, group=g1)
for g in [g2, g3, g4, g5]:
@ -4625,30 +4623,12 @@ class ComputeManagerUnitTestCase(test.NoDBTestCase,
self.compute._clean_instance_console_tokens(self.context, instance)
mock_clean.assert_not_called()
@mock.patch('nova.objects.ConsoleAuthToken.'
'clean_console_auths_for_instance')
def test_clean_instance_console_tokens_cells_v1_enabled(self, mock_clean):
# Enable cells v1
self.flags(enable=True, group='cells')
self.flags(enabled=True, group='vnc')
instance = objects.Instance(uuid=uuids.instance)
self.compute._clean_instance_console_tokens(self.context, instance)
mock_clean.assert_not_called()
@mock.patch('nova.objects.ConsoleAuthToken.'
'clean_expired_console_auths_for_host')
def test_cleanup_expired_console_auth_tokens(self, mock_clean):
# Make sure cells v1 is disabled
self.flags(enable=False, group='cells')
self.compute._cleanup_expired_console_auth_tokens(self.context)
mock_clean.assert_called_once_with(self.context, self.compute.host)
# Enable cells v1
mock_clean.reset_mock()
self.flags(enable=True, group='cells')
self.compute._cleanup_expired_console_auth_tokens(self.context)
mock_clean.assert_not_called()
@mock.patch.object(nova.context.RequestContext, 'elevated')
@mock.patch.object(nova.objects.InstanceList, 'get_by_host')
@mock.patch.object(nova.scheduler.client.query.SchedulerQueryClient,


@ -197,26 +197,6 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
'Host': 'example.net:6080',
}
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
def test_new_websocket_client_with_server_with_cells(self, check_token):
# this test cells enabled, so consoleauth should be used
CONF.set_override('enable', True, group='cells')
check_token.return_value = {
'host': 'node1',
'port': '10000',
'console_type': 'novnc',
'access_url': 'https://example.net:6080'
}
self.wh.socket.return_value = '<socket>'
self.wh.path = "http://127.0.0.1/?token=123-456-789"
self.wh.headers = self.fake_header
self.wh.new_websocket_client()
check_token.assert_called_with(mock.ANY, token="123-456-789")
self.wh.socket.assert_called_with('node1', 10000, connect=True)
self.wh.do_proxy.assert_called_with('<socket>')
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
def test_new_websocket_client_enable_consoleauth(self, check_token):
self.flags(enable_consoleauth=True, group='workarounds')


@ -238,14 +238,3 @@ class ControlauthMemcacheEncodingTestCase(test.NoDBTestCase):
mock_instance_get.assert_has_calls([mock.call(b'instance')])
mock_instance_delete.assert_has_calls([mock.call(b'instance')])
mock_delete_multi.assert_has_calls([mock.call([b'token'])])
class CellsConsoleauthTestCase(ConsoleauthTestCase):
"""Test Case for consoleauth w/ cells enabled."""
rpcapi = 'nova.cells.rpcapi.CellsAPI.'
def setUp(self):
super(CellsConsoleauthTestCase, self).setUp()
self.flags(enable=True, group='cells')
self.is_cells = True