Remove deprecated keymgr code

Now that enough time has passed, the keymgr code that was deprecated for removal can be removed. Barbican is the default option for Castellan, but Barbican is not part of default DevStack yet. Until Barbican is used by default in the dsvm gates, ConfKeyManager (the fixed_key key manager) should be set in DevStack, which was added with I733279864ee1a4aaffc9c8eed81b5e12f8d8821b. Change-Id: I82ee74f3d2629281dc8116af55f6a7b5398fc473
2017-03-01 15:15:29 -05:00 · 2017-03-01 15:15:29 -05:00 · f65d436c11
parent d83e9c0b17
commit f65d436c11
6 changed files with 23 additions and 76 deletions
--- a/nova/compute/api.py
+++ b/nova/compute/api.py
@ -26,6 +26,7 @@ import functools
 import re
 import string

+from castellan import key_manager
 from oslo_log import log as logging
 from oslo_messaging import exceptions as oslo_exceptions
 from oslo_serialization import base64 as base64utils
@ -59,7 +60,6 @@ from nova import exception_wrapper
 from nova import hooks
 from nova.i18n import _
 from nova import image
-from nova import keymgr
 from nova import network
 from nova.network import model as network_model
 from nova.network.security_group import openstack_driver
@ -256,7 +256,7 @@ class API(base.Base):
        self.servicegroup_api = servicegroup.API()
        self.notifier = rpc.get_notifier('compute', CONF.host)
        if CONF.ephemeral_storage_encryption.enabled:
-            self.key_manager = keymgr.API()
+            self.key_manager = key_manager.API()

        super(API, self).__init__(**kwargs)

--- a/nova/conf/key_manager.py
+++ b/nova/conf/key_manager.py
@ -22,6 +22,8 @@ key_manager_group = cfg.OptGroup(

 key_manager_opts = [
    # TODO(raj_singh): Deprecate or move this option to The Castellan library
+    # NOTE(kfarr): The ability to use fixed_key should be deprecated and
+    # removed and Barbican should be tested in the gate instead
    cfg.StrOpt(
        'fixed_key',
        deprecated_group='keymgr',
--- a/nova/keymgr/init.py
+++ b/nova/keymgr/init.py
@ -1,69 +0,0 @@
-# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
-# All Rights Reserved.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-
-from oslo_config import cfg
-from oslo_log import log as logging
-from oslo_utils import importutils
-
-import nova.conf
-
-LOG = logging.getLogger(__name__)
-CONF = nova.conf.CONF
-
-# NOTE(kfarr): For backwards compatibility, everything below this comment
-# is deprecated for removal
-api_class = None
-try:
-    api_class = CONF.key_manager.api_class
-except cfg.NoSuchOptError:
-    LOG.warning("key_manager.api_class is not set, will use deprecated "
-                "option keymgr.api_class if set")
-    try:
-        api_class = CONF.keymgr.api_class
-    except cfg.NoSuchOptError:
-        LOG.warning("keymgr.api_class is not set")
-
-deprecated_barbican = 'nova.keymgr.barbican.BarbicanKeyManager'
-barbican = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
-deprecated_mock = 'nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager'
-castellan_mock = ('castellan.tests.unit.key_manager.mock_key_manager.'
-                  'MockKeyManager')
-
-
-def log_deprecated_warning(deprecated, castellan):
-    LOG.warning("key manager api_class set to use deprecated option "
-                "%(deprecated)s, using %(castellan)s instead",
-                {'deprecated': deprecated, 'castellan': castellan})
-
-if api_class == deprecated_barbican:
-    log_deprecated_warning(deprecated_barbican, barbican)
-    api_class = barbican
-elif api_class == deprecated_mock:
-    log_deprecated_warning(deprecated_mock, castellan_mock)
-    api_class = castellan_mock
-elif api_class is None:
-    # TODO(kfarr): key_manager.api_class should be set in DevStack, and this
-    # block can be removed
-    LOG.warning("key manager not set, using insecure default %s",
-                castellan_mock)
-    api_class = castellan_mock
-
-CONF.set_override('api_class', api_class, 'key_manager')
-
-
-def API(conf=CONF):
-    cls = importutils.import_class(CONF.key_manager.api_class)
-    return cls(conf)
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@ -41,6 +41,7 @@ import tempfile
 import time
 import uuid

+from castellan import key_manager
 import eventlet
 from eventlet import greenthread
 from eventlet import tpool
@ -74,7 +75,6 @@ from nova import context as nova_context
 from nova import exception
 from nova.i18n import _
 from nova import image
-from nova import keymgr
 from nova.network import model as network_model
 from nova import objects
 from nova.objects import diagnostics as diagnostics_obj
@ -1184,9 +1184,8 @@ class LibvirtDriver(driver.ComputeDriver):

    def _get_volume_encryptor(self, connection_info, encryption):
        root_helper = utils.get_root_helper()
-        key_manager = keymgr.API(CONF)
        return encryptors.get_volume_encryptor(root_helper=root_helper,
-                                               keymgr=key_manager,
+                                               keymgr=key_manager.API(CONF),
                                               connection_info=connection_info,
                                               **encryption)

--- a/nova/virt/libvirt/imagebackend.py
+++ b/nova/virt/libvirt/imagebackend.py
@ -20,6 +20,7 @@ import functools
 import os
 import shutil

+from castellan import key_manager
 from oslo_log import log as logging
 from oslo_serialization import jsonutils
 from oslo_utils import excutils
@ -32,7 +33,6 @@ import nova.conf
 from nova import exception
 from nova.i18n import _
 from nova import image
-from nova import keymgr
 from nova.privsep import dac_admin
 from nova import utils
 from nova.virt.disk import api as disk
@ -657,7 +657,7 @@ class Lvm(Image):
        self.ephemeral_key_uuid = instance.get('ephemeral_key_uuid')

        if self.ephemeral_key_uuid is not None:
-            self.key_manager = keymgr.API(CONF)
+            self.key_manager = key_manager.API(CONF)
        else:
            self.key_manager = None

--- a/releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml
+++ b/releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml
@ -0,0 +1,15 @@
+---
+upgrade:
+  - |
+    The old deprecated ``keymgr`` options have been removed.
+    Configuration options using the ``[keymgr]`` group will not be
+    applied anymore. Use the ``[key_manager]`` group from Castellan instead.
+    The Castellan ``api_class`` options should also be used instead, as most
+    of the options that lived in Nova have migrated to Castellan.
+
+    - Instead of ``api_class`` option ``nova.keymgr.barbican.BarbicanKeyManager``,
+      use ``castellan.key_manager.barbican_key_manager.BarbicanKeyManager``
+    - Instead of ``api_class`` option ``nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager``,
+      use ``castellan.tests.unit.key_manager.mock_key_manager.MockKeyManager``
+    - ``nova.keymgr.conf_key_mgr.ConfKeyManager`` still remains, but the ``fixed_key``
+      configuration options should be moved to the ``[key_manager]`` section