Remove paste

Removes all the deprecated resources for paste
support in keystone which we notified about in Stein.

Keystone doesn't use paste so it doesn't work in Stein
either so we remove it for Train.

Depends-On: https://review.opendev.org/#/c/658546/
Change-Id: Id7dfdf2f5cb9453044d39812b7cbd216b7f3eb50
This commit is contained in:
Tobias Urdin 2019-05-10 16:42:04 +02:00
parent a4ff243d8a
commit 553b03a132
10 changed files with 8 additions and 206 deletions

View File

@ -1,28 +0,0 @@
# TODO(tobias-urdin): This is deprecated and should be removed in T release.
Puppet::Type.type(:keystone_paste_ini).provide(
:ini_setting,
:parent => Puppet::Type.type(:ini_setting).provider(:ruby)
) do
def section
resource[:name].split('/', 2).first
end
def setting
resource[:name].split('/', 2).last
end
def separator
'='
end
def self.file_path
'/etc/keystone/keystone-paste.ini'
end
# this needs to be removed. This has been replaced with the class method
def file_path
self.class.file_path
end
end

View File

@ -1,50 +0,0 @@
# TODO(tobias-urdin): This is deprecated and should be removed in T release.
Puppet::Type.newtype(:keystone_paste_ini) do
ensurable
newparam(:name, :namevar => true) do
desc 'Section/setting name to manage from keystone/keystone-paste.ini'
newvalues(/\S+\/\S+/)
end
newproperty(:value) do
desc 'The value of the setting to be defined.'
munge do |value|
Puppet.deprecation_warning('keystone_paste_ini is deprecated, has no effect and will be removed in a later release')
value = value.to_s.strip
value.capitalize! if value =~ /^(true|false)$/i
value
end
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end
end
newparam(:secret, :boolean => true) do
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
newvalues(:true, :false)
defaultto false
end
autorequire(:package) do
'keystone'
end
end

View File

@ -20,15 +20,8 @@
# NOTE: The configuration MUST NOT be already handled by this module
# or Puppet catalog compilation will fail with duplicate resources.
#
#### DEPRECATED PARAMS
#
# [*keystone_paste_ini*]
# (optional) Allow configuration of /etc/keystone/keystone-paste.ini options.
#
class keystone::config (
$keystone_config = {},
# DEPRECATED PARAMS
$keystone_paste_ini = undef,
$keystone_config = {},
) {
include ::keystone::deps
@ -36,8 +29,4 @@ class keystone::config (
validate_legacy(Hash, 'validate_hash', $keystone_config)
create_resources('keystone_config', $keystone_config)
if $keystone_paste_ini {
warning('keystone_paste_ini is deprecated, has no effect and will be removed in a later release')
}
}

View File

@ -32,12 +32,6 @@ class keystone::deps {
# before dbsync starts
Oslo::Db<||> -> Anchor['keystone::dbsync::begin']
# TODO(tobias-urdin): Remove this when keystone_paste_ini is removed.
# paste-api.ini config should occur in the config block also.
Anchor['keystone::config::begin']
-> Keystone_paste_ini<||>
~> Anchor['keystone::config::end']
# policy config should occur in the config block also.
Anchor['keystone::config::begin']
-> Openstacklib::Policy::Base<||>

View File

@ -1,18 +0,0 @@
#
# Class to manage and secure the keystone-paste.ini pipeline configuration.
#
# DEPRECATED!
#
# The keystone module uses the admin_token parameter in keystone.conf to
# bootstrap the basic setup of an admin user, project, and domain. However, the
# admin_token provides an easy vector of attack for production keystone
# installations. Including this class will remove the admin_token_auth
# from the paste pipeline to improve security. After this class is run,
# future puppet runs must have an openrc file with valid keystone v3
# admin credentials in /root/openrc available, or else must be run with
# valid keystone v3 credentials set as environment variables.
#
class keystone::disable_admin_token_auth {
warning('keystone::disable_admin_token_auth is deprecated, has no effect and will be removed in a later release')
}

View File

@ -1,15 +0,0 @@
# Class to disable the Keystone v2.0 API via keystone-paste.ini.
#
# DEPRECATED!
#
# This class removes the /v2.0 entries for Keystone, ensuring that the
# only supported API's are v3. After this class is executed, the
# standard overcloudrc file will no longer work, the user needs to
# utilise the overcloudrc.v3 openrc file, or alternatively the clients
# must be using valid keystone v3 credentials set as environment variables.
#
class keystone::disable_v2_api {
warning('keystone::disable_v2_api has been deprecated, has no effect and will be removed in a later release')
}

View File

@ -528,8 +528,7 @@
# Defaults to false
#
# [*enable_proxy_headers_parsing*]
# (Optional) Enable paste middleware to handle SSL requests through
# HTTPProxyToWSGI middleware.
# (Optional) Enable oslo middleware to parse proxy headers.
# Defaults to $::os_service_default.
#
# [*purge_config*]
@ -543,11 +542,6 @@
#
# === DEPRECATED PARAMETERS
#
# [*paste_config*]
# (Optional) Name of the paste configuration file that defines the
# available pipelines. (string value)
# Defaults to undef
#
# [*cache_dir*]
# (Optional) Directory created when token_provider is pki. This folder is not
# created unless enable_pki_setup is set to True.
@ -686,7 +680,6 @@ class keystone(
# DEPRECATED PARAMETERS
$admin_workers = $::os_workers,
$public_workers = $::os_workers,
$paste_config = undef,
$cache_dir = undef,
$token_driver = undef,
) inherits keystone::params {
@ -695,11 +688,6 @@ class keystone(
include ::keystone::logging
include ::keystone::policy
# TODO(tobias-urdin): Remove when paste_config is removed.
if $paste_config {
warning('keystone::paste_config is deprecated, has no effect and will be removed in a later release')
}
if $cache_dir {
warning('keystone::cache_dir is deprecated, has no effect and will be removed in a later release')
}

View File

@ -0,0 +1,6 @@
---
upgrade:
- |
The deprecated resources keystone_paste_ini, keystone::config::keystone_paste_config,
keystone::disable_admin_token_auth, keystone::disable_v2_api and keystone::paste_config
is removed.

View File

@ -1,29 +0,0 @@
#
# these tests are a little concerning b/c they are hacking around the
# modulepath, so these tests will not catch issues that may eventually arise
# related to loading these plugins.
# I could not, for the life of me, figure out how to programatcally set the modulepath
$LOAD_PATH.push(
File.join(
File.dirname(__FILE__),
'..',
'..',
'..',
'fixtures',
'modules',
'inifile',
'lib')
)
require 'spec_helper'
provider_class = Puppet::Type.type(:keystone_paste_ini).provider(:ini_setting)
describe provider_class do
it 'should allow setting to be set explicitly' do
resource = Puppet::Type::Keystone_paste_ini.new(
{:name => 'dude/foo', :value => 'bar'}
)
provider = provider_class.new(resource)
expect(provider.section).to eq('dude')
expect(provider.setting).to eq('foo')
end
end

View File

@ -1,35 +0,0 @@
# TODO(tobias-urdin): This is deprecated and should be removed in T release.
require 'spec_helper'
# this hack is required for now to ensure that the path is set up correctly
# to retrieve the parent provider
$LOAD_PATH.push(
File.join(
File.dirname(__FILE__),
'..',
'..',
'fixtures',
'modules',
'inifile',
'lib')
)
require 'puppet/type/keystone_paste_ini'
describe 'Puppet::Type.type(:keystone_paste_ini)' do
before :each do
@keystone_paste_ini = Puppet::Type.type(:keystone_paste_ini).new(:name => 'DEFAULT/foo', :value => 'bar')
end
it 'should accept a valid value' do
@keystone_paste_ini[:value] = 'bar'
expect(@keystone_paste_ini[:value]).to eq('bar')
end
it 'should autorequire the package that install the file' do
catalog = Puppet::Resource::Catalog.new
package = Puppet::Type.type(:package).new(:name => 'keystone')
catalog.add_resource package, @keystone_paste_ini
dependency = @keystone_paste_ini.autorequire
expect(dependency.size).to eq(1)
expect(dependency[0].target).to eq(@keystone_paste_ini)
expect(dependency[0].source).to eq(package)
end
end