Merge "Fix the loss of access to barbican secrets"

2019-02-25 06:22:43 +00:00 · 2019-02-25 06:22:43 +00:00 · 6008859476
commit 6008859476
parent 68b86f85f5 72b382b46d
2 changed files with 6 additions and 39 deletions
--- a/octavia/api/v2/controllers/listener.py
+++ b/octavia/api/v2/controllers/listener.py
@ -396,45 +396,6 @@ class ListenersController(base.BaseController):
            driver_utils.call_provider(driver.name, driver.listener_delete,
                                       provider_listener)

-        # Revoke access of octavia service user to certificates
-        tls_refs = []
-
-        for sni in db_listener.sni_containers:
-            filters = {'tls_container_id': sni.tls_container_id}
-            snis = self.repositories.sni.get_all(context.session, **filters)[0]
-
-            if len(snis) == 1:
-                # referred only once, enqueue for access revoking
-                tls_refs.append(sni.tls_container_id)
-            else:
-                blocking_listeners = [s.listener_id for s in snis if
-                                      s.listener_id != id]
-                LOG.debug("Listeners %s using TLS ref %s. Access to TLS ref "
-                          "will not be revoked.", blocking_listeners,
-                          sni.tls_container_id)
-
-        if db_listener.tls_certificate_id:
-            filters = {'tls_certificate_id': db_listener.tls_certificate_id}
-            # Note get_all returns the list and links. We only want the list.
-            listeners = self.repositories.listener.get_all(
-                context.session, show_deleted=False, **filters)[0]
-
-            if len(listeners) == 1:
-                # referred only once, enqueue for access revoking
-                tls_refs.append(db_listener.tls_certificate_id)
-            else:
-                blocking_listeners = [l.id for l in listeners if l.id != id]
-                LOG.debug("Listeners %s using TLS ref %s. Access to TLS ref "
-                          "will not be revoked.", blocking_listeners,
-                          db_listener.tls_certificate_id)
-
-        for ref in tls_refs:
-            try:
-                self.cert_manager.unset_acls(context, ref)
-            except Exception:
-                # certificate may have been removed already
-                pass
-
    @pecan.expose()
    def _lookup(self, id, *remainder):
        """Overridden pecan _lookup method for custom routing.
--- a/releasenotes/notes/remove-bbq-unset-acl-e680020de6a9ad3d.yaml
+++ b/releasenotes/notes/remove-bbq-unset-acl-e680020de6a9ad3d.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Octavia will no longer automatically revoke access to secrets whenever
+    load balancing resources no longer require access to them. This may be
+    added in the future.