Remove deprecrated [rbac] config group

This PS removes the deprecated [rbac] config group. It was replaced
last release cycle with the [patrole] config group, which has
the exact same options. This is because [patrole] is more user-friendly
and congruent with the project name.

Change-Id: Id1a7af0445bd50f44ddcc4277f952391968726b8

devstack/plugin.sh

@@ -18,8 +18,8 @@ function install_patrole_tempest_plugin() {
             RBAC_TEST_ROLE="Member"
         fi
 
-        iniset $TEMPEST_CONFIG rbac enable_rbac True
-        iniset $TEMPEST_CONFIG rbac rbac_test_role $RBAC_TEST_ROLE
+        iniset $TEMPEST_CONFIG patrole enable_rbac True
+        iniset $TEMPEST_CONFIG patrole rbac_test_role $RBAC_TEST_ROLE
     fi
 }
 

doc/source/usage.rst

@@ -4,8 +4,8 @@
 Usage
 ========
 
-RBAC (API) Tests
-================
+Patrole (API) Tests
+===================
 
 If Patrole is installed correctly, then the RBAC tests can be executed
 from inside the tempest root directory as follows::
@@ -28,7 +28,7 @@ To execute patrole tests for a specific module, run::
 ..
 
 To change the role that the patrole tests are being run as, edit
-``rbac_test_role`` in the ``rbac`` section of tempest.conf: ::
+``rbac_test_role`` in the ``patrole`` section of tempest.conf: ::
 
     [patrole]
     rbac_test_role = Member

etc/patrole.conf.sample

@@ -14,11 +14,17 @@
 # Enables RBAC tests. (boolean value)
 #enable_rbac = true
 
-# If true, throws RbacParsingException for policies which
+# DEPRECATED: If true, throws RbacParsingException for policies which
 # don't exist or are not included in the service's policy file. If
 # false, throws
 # skipException. (boolean value)
-#strict_policy_check = false
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This option allows for the possibility
+# of false positives. As a testing framework, Patrole should fail any
+# test that
+# passes in an invalid policy.
+#strict_policy_check = true
 
 # List of the paths to search for policy files. Each
 # policy path assumes that the service name is included in the path
@@ -32,46 +38,6 @@
 #  (list value)
 #custom_policy_files = /etc/%s/policy.json
 
-# DEPRECATED: Location of the Cinder policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#cinder_policy_file = /etc/cinder/policy.json
-
-# DEPRECATED: Location of the Glance policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#glance_policy_file = /etc/glance/policy.json
-
-# DEPRECATED: Location of the custom Keystone policy file. Assumed to
-# be on the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#keystone_policy_file = /etc/keystone/policy.json
-
-# DEPRECATED: Location of the Neutron policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#neutron_policy_file = /etc/neutron/policy.json
-
-# DEPRECATED: Location of the custom Nova policy file. Assumed to be
-# on the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#nova_policy_file = /etc/nova/policy.json
-
 #
 # This option determines whether Patrole should run against a
 # `custom_requirements_file` which defines RBAC requirements. The
@@ -146,131 +112,3 @@
 # is logged. This is combined withreport_log_name to generate the full
 # path. (string value)
 #report_log_path = .
-
-
-[rbac]
-# This group is deprecated and will be removed in the next release.
-# Use the [patrole] group instead.
-
-#
-# From patrole.config
-#
-
-# The current RBAC role against which to run Patrole
-# tests. (string value)
-#rbac_test_role = admin
-
-# Enables RBAC tests. (boolean value)
-#enable_rbac = true
-
-# If true, throws RbacParsingException for policies which
-# don't exist or are not included in the service's policy file. If
-# false, throws
-# skipException. (boolean value)
-#strict_policy_check = false
-
-# List of the paths to search for policy files. Each
-# policy path assumes that the service name is included in the path
-# once. Also
-# assumes Patrole is on the same host as the policy files. The paths
-# should be
-# ordered by precedence, with high-priority paths before low-priority
-# paths. The
-# first path that is found to contain the service's policy file will
-# be used.
-#  (list value)
-#custom_policy_files = /etc/%s/policy.json
-
-# DEPRECATED: Location of the Cinder policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#cinder_policy_file = /etc/cinder/policy.json
-
-# DEPRECATED: Location of the Glance policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#glance_policy_file = /etc/glance/policy.json
-
-# DEPRECATED: Location of the custom Keystone policy file. Assumed to
-# be on the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#keystone_policy_file = /etc/keystone/policy.json
-
-# DEPRECATED: Location of the Neutron policy file. Assumed to be on
-# the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#neutron_policy_file = /etc/neutron/policy.json
-
-# DEPRECATED: Location of the custom Nova policy file. Assumed to be
-# on the same host as Patrole. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-# Reason: It is better to use `custom_policy_files` which supports any
-# OpenStack service.
-#nova_policy_file = /etc/nova/policy.json
-
-#
-# This option determines whether Patrole should run against a
-# `custom_requirements_file` which defines RBAC requirements. The
-# purpose of setting this flag to True is to verify that RBAC policy
-# is in accordance to requirements. The idea is that the
-# `custom_requirements_file` perfectly defines what the RBAC
-# requirements are.
-#
-# Here are the possible outcomes when running the Patrole tests
-# against
-# a `custom_requirements_file`:
-#
-# YAML definition: allowed
-# test run: allowed
-# test result: pass
-#
-# YAML definition: allowed
-# test run: not allowed
-# test result: fail (under-permission)
-#
-# YAML definition: not allowed
-# test run: allowed
-# test result: fail (over-permission)
-#  (boolean value)
-#test_custom_requirements = false
-
-#
-# File path of the yaml file that defines your RBAC requirements. This
-# file must be located on the same host that Patrole runs on. The yaml
-# file should be written as follows:
-#
-# ```
-# <service>:
-#   <api_action>:
-#     - <allowed_role>
-#     - <allowed_role>
-#     - <allowed_role>
-#   <api_action>:
-#     - <allowed_role>
-#     - <allowed_role>
-# <service>
-#   <api_action>:
-#     - <allowed_role>
-# ```
-# Where:
-# service = the service that is being tested (cinder, nova, etc)
-# api_action = the policy action that is being tested. Examples:
-#              - volume:create
-#              - os_compute_api:servers:start
-#              - add_image
-# allowed_role = the Keystone role that is allowed to perform the API
-#  (string value)
-#custom_requirements_file = <None>

patrole_tempest_plugin/config.py

@@ -22,16 +22,13 @@ patrole_group = cfg.OptGroup(name='patrole', title='Patrole Testing Options')
 PatroleGroup = [
     cfg.StrOpt('rbac_test_role',
                default='admin',
-               deprecated_group='rbac',
                help="""The current RBAC role against which to run Patrole
 tests."""),
     cfg.BoolOpt('enable_rbac',
                 default=True,
-                deprecated_group='rbac',
                 help="Enables RBAC tests."),
     cfg.BoolOpt('strict_policy_check',
                 default=True,
-                deprecated_group='rbac',
                 deprecated_for_removal=True,
                 deprecated_reason="""This option allows for the possibility
 of false positives. As a testing framework, Patrole should fail any test that
@@ -43,7 +40,6 @@ skipException."""),
     # other hosts. It may be possible to leverage the v3 identity policy API.
     cfg.ListOpt('custom_policy_files',
                 default=['/etc/%s/policy.json'],
-                deprecated_group='rbac',
                 help="""List of the paths to search for policy files. Each
 policy path assumes that the service name is included in the path once. Also
 assumes Patrole is on the same host as the policy files. The paths should be
@@ -52,7 +48,6 @@ first path that is found to contain the service's policy file will be used.
 """),
     cfg.BoolOpt('test_custom_requirements',
                 default=False,
-                deprecated_group='rbac',
                 help="""
 This option determines whether Patrole should run against a
 `custom_requirements_file` which defines RBAC requirements. The
@@ -76,7 +71,6 @@ test run: allowed
 test result: fail (over-permission)
 """),
     cfg.StrOpt('custom_requirements_file',
-               deprecated_group='rbac',
                help="""
 File path of the yaml file that defines your RBAC requirements. This
 file must be located on the same host that Patrole runs on. The yaml
@@ -106,12 +100,6 @@ allowed_role = the Keystone role that is allowed to perform the API
 ]
 
 
-rbac_group = cfg.OptGroup(name='rbac',
-                          title='RBAC testing options',
-                          help="This group is deprecated and will be removed "
-                               "in the next release. Use the [patrole] group "
-                               "instead.")
-
 patrole_log_group = cfg.OptGroup(
     name='patrole_log', title='Patrole Logging Options')
 
@@ -141,8 +129,7 @@ def list_opts():
     """
     opt_list = [
         (patrole_group, PatroleGroup),
-        (patrole_log_group, PatroleLogGroup),
-        (rbac_group, PatroleGroup)
+        (patrole_log_group, PatroleLogGroup)
     ]
 
     return opt_list

patrole_tempest_plugin/plugin.py

@@ -62,12 +62,6 @@ class PatroleTempestPlugin(plugins.TempestPlugin):
         RBACLOG.addHandler(rbac_report_handler)
 
     def register_opts(self, conf):
-        # TODO(fmontei): Remove ``rbac_group`` in a future release as it is
-        # currently deprecated.
-        config.register_opt_group(
-            conf,
-            project_config.rbac_group,
-            project_config.PatroleGroup)
         config.register_opt_group(
             conf,
             project_config.patrole_group,

patrole_tempest_plugin/rbac_utils.py

@@ -107,7 +107,7 @@ class RbacUtils(object):
             # passing the second boundary before attempting to authenticate.
             # Only sleep if a token revocation occurred as a result of role
             # switching. This will optimize test runtime in the case where
-            # ``[identity] admin_role`` == ``[rbac] rbac_test_role``.
+            # ``[identity] admin_role`` == ``[patrole] rbac_test_role``.
             if not role_already_present:
                 time.sleep(1)
             test_obj.os_primary.auth_provider.set_auth()

patrole_tempest_plugin/tests/unit/test_patrole.py

@@ -1,36 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""
-Tests for `patrole` module.
-"""
-
-from tempest import config
-
-from patrole_tempest_plugin.tests.unit import base
-
-CONF = config.CONF
-
-
-class TestPatrole(base.TestCase):
-
-    def test_rbac_group_backwards_compatability(self):
-        """Validate that the deprecated group [rbac] is available and has the
-        same options and option values as [patrole] group, which is current.
-        """
-        self.assertTrue(hasattr(CONF, 'patrole'))
-        self.assertTrue(hasattr(CONF, 'rbac'))
-        # Validate that both groups are identical.
-        self.assertEqual(CONF.patrole.items(), CONF.rbac.items())

releasenotes/notes/remove-rbac-config-group-097c200f3db99fad.yaml

@@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    The ``[rbac]`` config group has been removed. Use the ``[patrole]`` group
+    instead which contains the exact same options.