Deprecate scheduler trusted filter

Due to being marked experimental since it has existed on May 28, 2012
with no real activity of development since, this filter is being
deprecated.

mailing list discussion:
http://lists.openstack.org/pipermail/openstack-operators/2017-May/013371.html

Change-Id: If6e53feeb97e6050c1eb7962110ed89504c952fc

doc/source/filter_scheduler.rst

@@ -154,8 +154,14 @@ There are many standard filter classes which may be used
   a set of instances.
 * |RetryFilter| - filters hosts that have been attempted for scheduling.
   Only passes hosts that have not been previously attempted.
-* |TrustedFilter| (EXPERIMENTAL) - filters hosts based on their trust.  Only passes hosts
-  that meet the trust requirements specified in the instance properties.
+* |TrustedFilter| (EXPERIMENTAL) - filters hosts based on their trust.  Only
+  passes hosts that meet the trust requirements specified in the instance
+  properties.
+
+  .. warning:: TrustedFilter is deprecated for removal in the 17.0.0 Queens
+     release. There is no replacement planned for this filter. It has been
+     marked experimental since its inception. It is incomplete and not tested.
+
 * |TypeAffinityFilter| - Only passes hosts that are not already running an
   instance of the requested type.
 * |AggregateTypeAffinityFilter| - limits instance_type by aggregate.

nova/conf/scheduler.py

@@ -590,6 +590,9 @@ Configuration options for enabling Trusted Platform Module.
 
 trusted_opts = [
     cfg.HostAddressOpt("attestation_server",
+                       deprecated_for_removal=True,
+                       deprecated_reason="Incomplete filter",
+                       deprecated_since="Pike",
                        help="""
 The host to use as the attestation server.
 
@@ -618,6 +621,9 @@ Related options:
 * attestation_insecure_ssl
 """),
     cfg.StrOpt("attestation_server_ca_file",
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             help="""
 The absolute path to the certificate to use for authentication when connecting
 to the attestation server. See the `attestation_server` help text for more
@@ -643,6 +649,9 @@ Related options:
 """),
     cfg.PortOpt("attestation_port",
             default=8443,
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             help="""
 The port to use when connecting to the attestation server. See the
 `attestation_server` help text for more information about host verification.
@@ -662,6 +671,9 @@ Related options:
 """),
     cfg.StrOpt("attestation_api_url",
             default="/OpenAttestationWebServices/V1.0",
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             help="""
 The URL on the attestation server to use. See the `attestation_server` help
 text for more information about host verification.
@@ -688,6 +700,9 @@ Related options:
 """),
     cfg.StrOpt("attestation_auth_blob",
             secret=True,
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             help="""
 Attestation servers require a specific blob that is used to authenticate. The
 content and format of the blob are determined by the particular attestation
@@ -715,6 +730,9 @@ Related options:
 """),
     cfg.IntOpt("attestation_auth_timeout",
             default=60,
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             min=0,
             help="""
 This value controls how long a successful attestation is cached. Once this
@@ -742,6 +760,9 @@ Related options:
 """),
     cfg.BoolOpt("attestation_insecure_ssl",
             default=False,
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             help="""
 When set to True, the SSL certificate verification is skipped for the
 attestation service. See the `attestation_server` help text for more

nova/scheduler/filters/trusted_filter.py

@@ -44,6 +44,7 @@ the Open Attestation project at:
 """
 
 from oslo_log import log as logging
+from oslo_log import versionutils
 from oslo_serialization import jsonutils
 from oslo_utils import timeutils
 import requests
@@ -231,12 +232,10 @@ class TrustedFilter(filters.BaseHostFilter):
 
     def __init__(self):
         self.compute_attestation = ComputeAttestation()
-        LOG.warning(_LW('The TrustedFilter is considered experimental '
-                        'by the OpenStack project because it receives much '
-                        'less testing than the rest of Nova. This may change '
-                        'in the future, but current deployers should be aware '
-                        'that the use of it in production right now may be '
-                        'risky.'))
+        msg = _LW('The TrustedFilter is deprecated as it has been marked '
+                  'experimental for some time with no tests. It will be '
+                  'removed in the 17.0.0 Queens release.')
+        versionutils.report_deprecated_feature(LOG, msg)
 
     # The hosts the instances are running on doesn't change within a request
     run_filter_once_per_request = True

releasenotes/notes/deprecate_trustedfilter-d733a4b482967b00.yaml

@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    The ``TrustedFilter`` scheduler filter has been experimental since its existence on
+    May 18, 2012. Due to the lack of tests and activity with it, it's now
+    deprecated and set for removal in the 17.0.0 Queens release.