Merge "Remove deprecated keymgr code"

2017-09-14 17:51:13 +00:00 · 2017-09-14 17:51:13 +00:00 · 91addc87c6
commit 91addc87c6
parent 65129e41e9 f65d436c11
6 changed files with 23 additions and 76 deletions
--- a/nova/compute/api.py
+++ b/nova/compute/api.py
@ -26,6 +26,7 @@ import functools
 import re
 import string

+from castellan import key_manager
 from oslo_log import log as logging
 from oslo_messaging import exceptions as oslo_exceptions
 from oslo_serialization import base64 as base64utils
@ -59,7 +60,6 @@ from nova import exception_wrapper
 from nova import hooks
 from nova.i18n import _
 from nova import image
-from nova import keymgr
 from nova import network
 from nova.network import model as network_model
 from nova.network.security_group import openstack_driver
@ -256,7 +256,7 @@ class API(base.Base):
        self.servicegroup_api = servicegroup.API()
        self.notifier = rpc.get_notifier('compute', CONF.host)
        if CONF.ephemeral_storage_encryption.enabled:
-            self.key_manager = keymgr.API()
+            self.key_manager = key_manager.API()

        super(API, self).__init__(**kwargs)

--- a/nova/conf/key_manager.py
+++ b/nova/conf/key_manager.py
@ -22,6 +22,8 @@ key_manager_group = cfg.OptGroup(

 key_manager_opts = [
    # TODO(raj_singh): Deprecate or move this option to The Castellan library
+    # NOTE(kfarr): The ability to use fixed_key should be deprecated and
+    # removed and Barbican should be tested in the gate instead
    cfg.StrOpt(
        'fixed_key',
        deprecated_group='keymgr',
--- a/nova/keymgr/init.py
+++ b/nova/keymgr/init.py
@ -1,69 +0,0 @@
-# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
-# All Rights Reserved.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-
-from oslo_config import cfg
-from oslo_log import log as logging
-from oslo_utils import importutils
-
-import nova.conf
-
-LOG = logging.getLogger(__name__)
-CONF = nova.conf.CONF
-
-# NOTE(kfarr): For backwards compatibility, everything below this comment
-# is deprecated for removal
-api_class = None
-try:
-    api_class = CONF.key_manager.api_class
-except cfg.NoSuchOptError:
-    LOG.warning("key_manager.api_class is not set, will use deprecated "
-                "option keymgr.api_class if set")
-    try:
-        api_class = CONF.keymgr.api_class
-    except cfg.NoSuchOptError:
-        LOG.warning("keymgr.api_class is not set")
-
-deprecated_barbican = 'nova.keymgr.barbican.BarbicanKeyManager'
-barbican = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
-deprecated_mock = 'nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager'
-castellan_mock = ('castellan.tests.unit.key_manager.mock_key_manager.'
-                  'MockKeyManager')
-
-
-def log_deprecated_warning(deprecated, castellan):
-    LOG.warning("key manager api_class set to use deprecated option "
-                "%(deprecated)s, using %(castellan)s instead",
-                {'deprecated': deprecated, 'castellan': castellan})
-
-if api_class == deprecated_barbican:
-    log_deprecated_warning(deprecated_barbican, barbican)
-    api_class = barbican
-elif api_class == deprecated_mock:
-    log_deprecated_warning(deprecated_mock, castellan_mock)
-    api_class = castellan_mock
-elif api_class is None:
-    # TODO(kfarr): key_manager.api_class should be set in DevStack, and this
-    # block can be removed
-    LOG.warning("key manager not set, using insecure default %s",
-                castellan_mock)
-    api_class = castellan_mock
-
-CONF.set_override('api_class', api_class, 'key_manager')
-
-
-def API(conf=CONF):
-    cls = importutils.import_class(CONF.key_manager.api_class)
-    return cls(conf)
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@ -41,6 +41,7 @@ import tempfile
 import time
 import uuid

+from castellan import key_manager
 import eventlet
 from eventlet import greenthread
 from eventlet import tpool
@ -74,7 +75,6 @@ from nova import context as nova_context
 from nova import exception
 from nova.i18n import _
 from nova import image
-from nova import keymgr
 from nova.network import model as network_model
 from nova import objects
 from nova.objects import diagnostics as diagnostics_obj
@ -1184,9 +1184,8 @@ class LibvirtDriver(driver.ComputeDriver):

    def _get_volume_encryptor(self, connection_info, encryption):
        root_helper = utils.get_root_helper()
-        key_manager = keymgr.API(CONF)
        return encryptors.get_volume_encryptor(root_helper=root_helper,
-                                               keymgr=key_manager,
+                                               keymgr=key_manager.API(CONF),
                                               connection_info=connection_info,
                                               **encryption)

--- a/nova/virt/libvirt/imagebackend.py
+++ b/nova/virt/libvirt/imagebackend.py
@ -20,6 +20,7 @@ import functools
 import os
 import shutil

+from castellan import key_manager
 from oslo_log import log as logging
 from oslo_serialization import jsonutils
 from oslo_utils import excutils
@ -32,7 +33,6 @@ import nova.conf
 from nova import exception
 from nova.i18n import _
 from nova import image
-from nova import keymgr
 from nova.privsep import dac_admin
 from nova import utils
 from nova.virt.disk import api as disk
@ -657,7 +657,7 @@ class Lvm(Image):
        self.ephemeral_key_uuid = instance.get('ephemeral_key_uuid')

        if self.ephemeral_key_uuid is not None:
-            self.key_manager = keymgr.API(CONF)
+            self.key_manager = key_manager.API(CONF)
        else:
            self.key_manager = None

--- a/releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml
+++ b/releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml
@ -0,0 +1,15 @@
+---
+upgrade:
+  - |
+    The old deprecated ``keymgr`` options have been removed.
+    Configuration options using the ``[keymgr]`` group will not be
+    applied anymore. Use the ``[key_manager]`` group from Castellan instead.
+    The Castellan ``api_class`` options should also be used instead, as most
+    of the options that lived in Nova have migrated to Castellan.
+
+    - Instead of ``api_class`` option ``nova.keymgr.barbican.BarbicanKeyManager``,
+      use ``castellan.key_manager.barbican_key_manager.BarbicanKeyManager``
+    - Instead of ``api_class`` option ``nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager``,
+      use ``castellan.tests.unit.key_manager.mock_key_manager.MockKeyManager``
+    - ``nova.keymgr.conf_key_mgr.ConfKeyManager`` still remains, but the ``fixed_key``
+      configuration options should be moved to the ``[key_manager]`` section