Remove deprecated keymgr code
Now that enough time has passed, the keymgr code that was deprecated for removal can be removed. Barbican is the default option for Castellan, but Barbican is not part of default DevStack yet. Until Barbican is used by default in the dsvm gates, ConfKeyManager (the fixed_key key manager) should be set in DevStack, which was added with I733279864ee1a4aaffc9c8eed81b5e12f8d8821b. Change-Id: I82ee74f3d2629281dc8116af55f6a7b5398fc473
parent
d83e9c0b17
commit
f65d436c11
nova
releasenotes/notes
@ -26,6 +26,7 @@ import functools
|
||||
import re
|
||||
import string
|
||||
|
||||
from castellan import key_manager
|
||||
from oslo_log import log as logging
|
||||
from oslo_messaging import exceptions as oslo_exceptions
|
||||
from oslo_serialization import base64 as base64utils
|
||||
@ -59,7 +60,6 @@ from nova import exception_wrapper
|
||||
from nova import hooks
|
||||
from nova.i18n import _
|
||||
from nova import image
|
||||
from nova import keymgr
|
||||
from nova import network
|
||||
from nova.network import model as network_model
|
||||
from nova.network.security_group import openstack_driver
|
||||
@ -256,7 +256,7 @@ class API(base.Base):
|
||||
self.servicegroup_api = servicegroup.API()
|
||||
self.notifier = rpc.get_notifier('compute', CONF.host)
|
||||
if CONF.ephemeral_storage_encryption.enabled:
|
||||
self.key_manager = keymgr.API()
|
||||
self.key_manager = key_manager.API()
|
||||
|
||||
super(API, self).__init__(**kwargs)
|
||||
|
||||
|
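Review bot: The new call `self.key_manager = key_manager.API()` in `API.__init__` passes no configuration object, while the other call sites this commit converts (`_get_volume_encryptor` and `Lvm.__init__`) use `key_manager.API(CONF)`. Castellan presumably falls back to the global oslo.config object when none is given, so this likely resolves to the same options. The difference is still easy to misread when auditing which `[key_manager]` settings guard ephemeral storage encryption. I would write `self.key_manager = key_manager.API(CONF)` here for consistency. `__init__` starts outside the hunk.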
@ -22,6 +22,8 @@ key_manager_group = cfg.OptGroup(
|
||||
|
||||
key_manager_opts = [
|
||||
# TODO(raj_singh): Deprecate or move this option to The Castellan library
|
||||
# NOTE(kfarr): The ability to use fixed_key should be deprecated and
|
||||
# removed and Barbican should be tested in the gate instead
|
||||
cfg.StrOpt(
|
||||
'fixed_key',
|
||||
deprecated_group='keymgr',
|
||||
|
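Review bot: The added NOTE says `fixed_key` should go away, but a source comment never reaches the operator who sets the option. Since ConfKeyManager stays in use for now, the option's help string (outside this hunk, so unverified) should state that one configured key protects every encrypted volume and that it is meant for test setups only. It is also worth confirming that the `cfg.StrOpt` call carries `secret=True` so the key is masked when the configuration is logged. The `cfg.StrOpt(` call continues past the end of the hunk.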
@ -1,69 +0,0 @@
|
||||
# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
from oslo_utils import importutils
|
||||
|
||||
import nova.conf
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
CONF = nova.conf.CONF
|
||||
|
||||
# NOTE(kfarr): For backwards compatibility, everything below this comment
|
||||
# is deprecated for removal
|
||||
api_class = None
|
||||
try:
|
||||
api_class = CONF.key_manager.api_class
|
||||
except cfg.NoSuchOptError:
|
||||
LOG.warning("key_manager.api_class is not set, will use deprecated "
|
||||
"option keymgr.api_class if set")
|
||||
try:
|
||||
api_class = CONF.keymgr.api_class
|
||||
except cfg.NoSuchOptError:
|
||||
LOG.warning("keymgr.api_class is not set")
|
||||
|
||||
deprecated_barbican = 'nova.keymgr.barbican.BarbicanKeyManager'
|
||||
barbican = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
|
||||
deprecated_mock = 'nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager'
|
||||
castellan_mock = ('castellan.tests.unit.key_manager.mock_key_manager.'
|
||||
'MockKeyManager')
|
||||
|
||||
|
||||
def log_deprecated_warning(deprecated, castellan):
|
||||
LOG.warning("key manager api_class set to use deprecated option "
|
||||
"%(deprecated)s, using %(castellan)s instead",
|
||||
{'deprecated': deprecated, 'castellan': castellan})
|
||||
|
||||
if api_class == deprecated_barbican:
|
||||
log_deprecated_warning(deprecated_barbican, barbican)
|
||||
api_class = barbican
|
||||
elif api_class == deprecated_mock:
|
||||
log_deprecated_warning(deprecated_mock, castellan_mock)
|
||||
api_class = castellan_mock
|
||||
elif api_class is None:
|
||||
# TODO(kfarr): key_manager.api_class should be set in DevStack, and this
|
||||
# block can be removed
|
||||
LOG.warning("key manager not set, using insecure default %s",
|
||||
castellan_mock)
|
||||
api_class = castellan_mock
|
||||
|
||||
CONF.set_override('api_class', api_class, 'key_manager')
|
||||
|
||||
|
||||
def API(conf=CONF):
|
||||
cls = importutils.import_class(CONF.key_manager.api_class)
|
||||
return cls(conf)
|
@ -41,6 +41,7 @@ import tempfile
|
||||
import time
|
||||
import uuid
|
||||
|
||||
from castellan import key_manager
|
||||
import eventlet
|
||||
from eventlet import greenthread
|
||||
from eventlet import tpool
|
||||
@ -74,7 +75,6 @@ from nova import context as nova_context
|
||||
from nova import exception
|
||||
from nova.i18n import _
|
||||
from nova import image
|
||||
from nova import keymgr
|
||||
from nova.network import model as network_model
|
||||
from nova import objects
|
||||
from nova.objects import diagnostics as diagnostics_obj
|
||||
@ -1184,9 +1184,8 @@ class LibvirtDriver(driver.ComputeDriver):
|
||||
|
||||
def _get_volume_encryptor(self, connection_info, encryption):
|
||||
root_helper = utils.get_root_helper()
|
||||
key_manager = keymgr.API(CONF)
|
||||
return encryptors.get_volume_encryptor(root_helper=root_helper,
|
||||
keymgr=key_manager,
|
||||
keymgr=key_manager.API(CONF),
|
||||
connection_info=connection_info,
|
||||
**encryption)
|
||||
|
||||
|
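Review bot: With the `nova.keymgr` shim gone, `key_manager.API(CONF)` in `_get_volume_encryptor` no longer translates the deprecated `nova.keymgr.barbican.BarbicanKeyManager` class path, and an unset `api_class` no longer falls back to the mock key manager. The same applies to `Lvm.__init__` in the image backend and to `API.__init__` in the compute API. A deployment that still carries the old setting would presumably only find out when an encrypted volume is attached, because the backend is resolved on each call rather than at service start. A comment at this call site would help, for example `# NOTE: backend comes from [key_manager] api_class via Castellan; deprecated nova.keymgr.* paths are no longer mapped`. The upgrade note could also say what happens when `api_class` is left unset.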
@ -20,6 +20,7 @@ import functools
|
||||
import os
|
||||
import shutil
|
||||
|
||||
from castellan import key_manager
|
||||
from oslo_log import log as logging
|
||||
from oslo_serialization import jsonutils
|
||||
from oslo_utils import excutils
|
||||
@ -32,7 +33,6 @@ import nova.conf
|
||||
from nova import exception
|
||||
from nova.i18n import _
|
||||
from nova import image
|
||||
from nova import keymgr
|
||||
from nova.privsep import dac_admin
|
||||
from nova import utils
|
||||
from nova.virt.disk import api as disk
|
||||
@ -657,7 +657,7 @@ class Lvm(Image):
|
||||
self.ephemeral_key_uuid = instance.get('ephemeral_key_uuid')
|
||||
|
||||
if self.ephemeral_key_uuid is not None:
|
||||
self.key_manager = keymgr.API(CONF)
|
||||
self.key_manager = key_manager.API(CONF)
|
||||
else:
|
||||
self.key_manager = None
|
||||
|
||||
|
@ -0,0 +1,15 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
The old deprecated ``keymgr`` options have been removed.
|
||||
Configuration options using the ``[keymgr]`` group will not be
|
||||
applied anymore. Use the ``[key_manager]`` group from Castellan instead.
|
||||
The Castellan ``api_class`` options should also be used instead, as most
|
||||
of the options that lived in Nova have migrated to Castellan.
|
||||
|
||||
- Instead of ``api_class`` option ``nova.keymgr.barbican.BarbicanKeyManager``,
|
||||
use ``castellan.key_manager.barbican_key_manager.BarbicanKeyManager``
|
||||
- Instead of ``api_class`` option ``nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager``,
|
||||
use ``castellan.tests.unit.key_manager.mock_key_manager.MockKeyManager``
|
||||
- ``nova.keymgr.conf_key_mgr.ConfKeyManager`` still remains, but the ``fixed_key``
|
||||
configuration options should be moved to the ``[key_manager]`` section
|