From 2ecc1f76019b169619a9a0eebe5c51987a5b94f9 Mon Sep 17 00:00:00 2001
From: Kevin Carter <kevin.carter@rackspace.com>
Date: Mon, 16 Nov 2015 14:29:03 -0600
Subject: [PATCH] Update Master SHAs - 17 Jan 2016

This patch does the following:
- updates the Master SHAs for new development work.
- includes updates to policy, paste and rootwrap files as required
- moves the Aodh repository to openstack_services as it now has
  implemented a stable branch
- Updated the keystone-wsgi file as it was still running the code from
  liberty
- add 2 package requirements to keystone which must be present for the
  new wsgi file.
- updates tempest.conf.j2 to replace ssh_auth_method with auth_method,
  and change auth_method to 'keypair' (configured is no longer an
  a valid option)

Change-Id: I933c24c03518865d9d40519dafb2ba46769a5453
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
---
 defaults/main.yml               |  2 ++
 templates/keystone-paste.ini.j2 | 20 ++++----------------
 templates/keystone-wsgi.py.j2   | 20 +++++++++++++++++++-
 templates/policy.json.j2        |  4 +++-
 4 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 204b9ae9..6737ab07 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -356,11 +356,13 @@ keystone_requires_pip_packages:
 
 # Common pip packages
 keystone_pip_packages:
+  - argparse
   - keystone
   - keystonemiddleware
   - ldappool
   - lxml
   - PyMySQL
+  - oslo.log
   - oslo.middleware
   - pbr
   - pycrypto
diff --git a/templates/keystone-paste.ini.j2 b/templates/keystone-paste.ini.j2
index 70db3823..0d731d0a 100644
--- a/templates/keystone-paste.ini.j2
+++ b/templates/keystone-paste.ini.j2
@@ -1,10 +1,10 @@
 # Keystone PasteDeploy configuration file.
 
 [filter:debug]
-use = egg:keystone#debug
+use = egg:oslo.middleware#debug
 
 [filter:request_id]
-use = egg:keystone#request_id
+use = egg:oslo.middleware#request_id
 
 [filter:build_auth_context]
 use = egg:keystone#build_auth_context
@@ -30,29 +30,17 @@ use = egg:keystone#ec2_extension
 [filter:ec2_extension_v3]
 use = egg:keystone#ec2_extension_v3
 
-[filter:federation_extension]
-use = egg:keystone#federation_extension
-
-[filter:oauth1_extension]
-use = egg:keystone#oauth1_extension
-
 [filter:s3_extension]
 use = egg:keystone#s3_extension
 
-[filter:endpoint_filter_extension]
-use = egg:keystone#endpoint_filter_extension
-
 [filter:simple_cert_extension]
 use = egg:keystone#simple_cert_extension
 
-[filter:revoke_extension]
-use = egg:keystone#revoke_extension
-
 [filter:url_normalize]
 use = egg:keystone#url_normalize
 
 [filter:sizelimit]
-use = egg:keystone#sizelimit
+use = egg:oslo.middleware#sizelimit
 
 [app:public_service]
 use = egg:keystone#public_service
@@ -76,7 +64,7 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
 
 [app:public_version_service]
 use = egg:keystone#public_version_service
diff --git a/templates/keystone-wsgi.py.j2 b/templates/keystone-wsgi.py.j2
index 7c39db6e..400ee7f8 100644
--- a/templates/keystone-wsgi.py.j2
+++ b/templates/keystone-wsgi.py.j2
@@ -19,12 +19,30 @@ activate_this = os.path.expanduser("{{ keystone_venv_bin }}/activate_this.py")
 execfile(activate_this, dict(__file__=activate_this))
 {% endif %}
 
+import os
+
+from oslo_log import log
+from oslo_log import versionutils
+
+from keystone.i18n import _LW
 from keystone.server import wsgi as wsgi_server
 
 
 name = os.path.basename(__file__)
+LOG = log.getLogger(__name__)
+
+
+def deprecation_warning():
+    versionutils.report_deprecated_feature(
+        LOG,
+        _LW('httpd/keystone.py is deprecated as of Mitaka'
+            ' in favor of keystone-wsgi-admin and keystone-wsgi-public'
+            ' and may be removed in O.')
+    )
 
 # NOTE(ldbragst): 'application' is required in this context by WSGI spec.
 # The following is a reference to Python Paste Deploy documentation
 # http://pythonpaste.org/deploy/
-application = wsgi_server.initialize_application(name)
+application = wsgi_server.initialize_application(
+    name,
+    post_log_configured_function=deprecation_warning)
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
index ebb94b02..47aa9efd 100644
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@@ -82,6 +82,7 @@
     "identity:revoke_grant": "rule:admin_required",
 
     "identity:list_role_assignments": "rule:admin_required",
+    "identity:list_role_assignments_for_tree": "rule:admin_required",
 
     "identity:get_policy": "rule:admin_required",
     "identity:list_policies": "rule:admin_required",
@@ -180,5 +181,6 @@
     "identity:create_domain_config": "rule:admin_required",
     "identity:get_domain_config": "rule:admin_required",
     "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required"
+    "identity:delete_domain_config": "rule:admin_required",
+    "identity:get_domain_config_default": "rule:admin_required"
 }