openstack/nova
Code Issues Proposed changes

Merge "Remove deprecated keymgr code"

Browse Source
This commit is contained in:
Jenkins 2017-09-14 17:51:13 +00:00 committed by Gerrit Code Review
commit 91addc87c6
6 changed files with 23 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nova/compute/api.py
View File

@ -26,6 +26,7 @@ import functools
import re import re
import string import string
from castellan import key_manager
from oslo_log import log as logging from oslo_log import log as logging
from oslo_messaging import exceptions as oslo_exceptions from oslo_messaging import exceptions as oslo_exceptions
from oslo_serialization import base64 as base64utils from oslo_serialization import base64 as base64utils
@ -59,7 +60,6 @@ from nova import exception_wrapper
from nova import hooks from nova import hooks
from nova.i18n import _ from nova.i18n import _
from nova import image from nova import image
from nova import keymgr
from nova import network from nova import network
from nova.network import model as network_model from nova.network import model as network_model
from nova.network.security_group import openstack_driver from nova.network.security_group import openstack_driver
@ -256,7 +256,7 @@ class API(base.Base):
self.servicegroup_api = servicegroup.API() self.servicegroup_api = servicegroup.API()
self.notifier = rpc.get_notifier('compute', CONF.host) self.notifier = rpc.get_notifier('compute', CONF.host)
if CONF.ephemeral_storage_encryption.enabled: if CONF.ephemeral_storage_encryption.enabled:
self.key_manager = keymgr.API() self.key_manager = key_manager.API()
super(API, self).__init__(**kwargs) super(API, self).__init__(**kwargs)

2
nova/conf/key_manager.py
View File

@ -22,6 +22,8 @@ key_manager_group = cfg.OptGroup(
key_manager_opts = [ key_manager_opts = [
# TODO(raj_singh): Deprecate or move this option to The Castellan library # TODO(raj_singh): Deprecate or move this option to The Castellan library
# NOTE(kfarr): The ability to use fixed_key should be deprecated and
# removed and Barbican should be tested in the gate instead
cfg.StrOpt( cfg.StrOpt(
'fixed_key', 'fixed_key',
deprecated_group='keymgr', deprecated_group='keymgr',

69
nova/keymgr/__init__.py
View File

@ -1,69 +0,0 @@
# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import log as logging
from oslo_utils import importutils
import nova.conf
LOG = logging.getLogger(__name__)
CONF = nova.conf.CONF
# NOTE(kfarr): For backwards compatibility, everything below this comment
# is deprecated for removal
api_class = None
try:
api_class = CONF.key_manager.api_class
except cfg.NoSuchOptError:
LOG.warning("key_manager.api_class is not set, will use deprecated "
"option keymgr.api_class if set")
try:
api_class = CONF.keymgr.api_class
except cfg.NoSuchOptError:
LOG.warning("keymgr.api_class is not set")
deprecated_barbican = 'nova.keymgr.barbican.BarbicanKeyManager'
barbican = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
deprecated_mock = 'nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager'
castellan_mock = ('castellan.tests.unit.key_manager.mock_key_manager.'
'MockKeyManager')
def log_deprecated_warning(deprecated, castellan):
LOG.warning("key manager api_class set to use deprecated option "
"%(deprecated)s, using %(castellan)s instead",
{'deprecated': deprecated, 'castellan': castellan})
if api_class == deprecated_barbican:
log_deprecated_warning(deprecated_barbican, barbican)
api_class = barbican
elif api_class == deprecated_mock:
log_deprecated_warning(deprecated_mock, castellan_mock)
api_class = castellan_mock
elif api_class is None:
# TODO(kfarr): key_manager.api_class should be set in DevStack, and this
# block can be removed
LOG.warning("key manager not set, using insecure default %s",
castellan_mock)
api_class = castellan_mock
CONF.set_override('api_class', api_class, 'key_manager')
def API(conf=CONF):
cls = importutils.import_class(CONF.key_manager.api_class)
return cls(conf)

5
nova/virt/libvirt/driver.py
View File

@ -41,6 +41,7 @@ import tempfile
import time import time
import uuid import uuid
from castellan import key_manager
import eventlet import eventlet
from eventlet import greenthread from eventlet import greenthread
from eventlet import tpool from eventlet import tpool
@ -74,7 +75,6 @@ from nova import context as nova_context
from nova import exception from nova import exception
from nova.i18n import _ from nova.i18n import _
from nova import image from nova import image
from nova import keymgr
from nova.network import model as network_model from nova.network import model as network_model
from nova import objects from nova import objects
from nova.objects import diagnostics as diagnostics_obj from nova.objects import diagnostics as diagnostics_obj
@ -1184,9 +1184,8 @@ class LibvirtDriver(driver.ComputeDriver):
def _get_volume_encryptor(self, connection_info, encryption): def _get_volume_encryptor(self, connection_info, encryption):
root_helper = utils.get_root_helper() root_helper = utils.get_root_helper()
key_manager = keymgr.API(CONF)
return encryptors.get_volume_encryptor(root_helper=root_helper, return encryptors.get_volume_encryptor(root_helper=root_helper,
keymgr=key_manager, keymgr=key_manager.API(CONF),
connection_info=connection_info, connection_info=connection_info,
**encryption) **encryption)

4
nova/virt/libvirt/imagebackend.py
View File

@ -20,6 +20,7 @@ import functools
import os import os
import shutil import shutil
from castellan import key_manager
from oslo_log import log as logging from oslo_log import log as logging
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from oslo_utils import excutils from oslo_utils import excutils
@ -32,7 +33,6 @@ import nova.conf
from nova import exception from nova import exception
from nova.i18n import _ from nova.i18n import _
from nova import image from nova import image
from nova import keymgr
from nova.privsep import dac_admin from nova.privsep import dac_admin
from nova import utils from nova import utils
from nova.virt.disk import api as disk from nova.virt.disk import api as disk
@ -657,7 +657,7 @@ class Lvm(Image):
self.ephemeral_key_uuid = instance.get('ephemeral_key_uuid') self.ephemeral_key_uuid = instance.get('ephemeral_key_uuid')
if self.ephemeral_key_uuid is not None: if self.ephemeral_key_uuid is not None:
self.key_manager = keymgr.API(CONF) self.key_manager = key_manager.API(CONF)
else: else:
self.key_manager = None self.key_manager = None

15
releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml Normal file
View File

@ -0,0 +1,15 @@
---
upgrade:
- |
The old deprecated ``keymgr`` options have been removed.
Configuration options using the ``[keymgr]`` group will not be
applied anymore. Use the ``[key_manager]`` group from Castellan instead.
The Castellan ``api_class`` options should also be used instead, as most
of the options that lived in Nova have migrated to Castellan.
- Instead of ``api_class`` option ``nova.keymgr.barbican.BarbicanKeyManager``,
use ``castellan.key_manager.barbican_key_manager.BarbicanKeyManager``
- Instead of ``api_class`` option ``nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager``,
use ``castellan.tests.unit.key_manager.mock_key_manager.MockKeyManager``
- ``nova.keymgr.conf_key_mgr.ConfKeyManager`` still remains, but the ``fixed_key``
configuration options should be moved to the ``[key_manager]`` section