From 553b03a13278fd8fbdecf1915cf8f57fc6f23cc6 Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Fri, 10 May 2019 16:42:04 +0200 Subject: [PATCH] Remove paste Removes all the deprecated resources for paste support in keystone which we notified about in Stein. Keystone doesn't use paste so it doesn't work in Stein either so we remove it for Train. Depends-On: https://review.opendev.org/#/c/658546/ Change-Id: Id7dfdf2f5cb9453044d39812b7cbd216b7f3eb50 --- .../keystone_paste_ini/ini_setting.rb | 28 ----------- lib/puppet/type/keystone_paste_ini.rb | 50 ------------------- manifests/config.pp | 13 +---- manifests/deps.pp | 6 --- manifests/disable_admin_token_auth.pp | 18 ------- manifests/disable_v2_api.pp | 15 ------ manifests/init.pp | 14 +----- .../notes/remove-paste-9b4a67cbe869e2bf.yaml | 6 +++ .../keystone_paste_ini/ini_setting_spec.rb | 29 ----------- spec/unit/type/keystone_paste_ini_spec.rb | 35 ------------- 10 files changed, 8 insertions(+), 206 deletions(-) delete mode 100644 lib/puppet/provider/keystone_paste_ini/ini_setting.rb delete mode 100644 lib/puppet/type/keystone_paste_ini.rb delete mode 100644 manifests/disable_admin_token_auth.pp delete mode 100644 manifests/disable_v2_api.pp create mode 100644 releasenotes/notes/remove-paste-9b4a67cbe869e2bf.yaml delete mode 100644 spec/unit/provider/keystone_paste_ini/ini_setting_spec.rb delete mode 100644 spec/unit/type/keystone_paste_ini_spec.rb diff --git a/lib/puppet/provider/keystone_paste_ini/ini_setting.rb b/lib/puppet/provider/keystone_paste_ini/ini_setting.rb deleted file mode 100644 index 77e5e694b..000000000 --- a/lib/puppet/provider/keystone_paste_ini/ini_setting.rb +++ /dev/null @@ -1,28 +0,0 @@ -# TODO(tobias-urdin): This is deprecated and should be removed in T release. -Puppet::Type.type(:keystone_paste_ini).provide( - :ini_setting, - :parent => Puppet::Type.type(:ini_setting).provider(:ruby) -) do - - def section - resource[:name].split('/', 2).first - end - - def setting - resource[:name].split('/', 2).last - end - - def separator - '=' - end - - def self.file_path - '/etc/keystone/keystone-paste.ini' - end - - # this needs to be removed. This has been replaced with the class method - def file_path - self.class.file_path - end - -end diff --git a/lib/puppet/type/keystone_paste_ini.rb b/lib/puppet/type/keystone_paste_ini.rb deleted file mode 100644 index 59b0c834e..000000000 --- a/lib/puppet/type/keystone_paste_ini.rb +++ /dev/null @@ -1,50 +0,0 @@ -# TODO(tobias-urdin): This is deprecated and should be removed in T release. -Puppet::Type.newtype(:keystone_paste_ini) do - - ensurable - - newparam(:name, :namevar => true) do - desc 'Section/setting name to manage from keystone/keystone-paste.ini' - newvalues(/\S+\/\S+/) - end - - newproperty(:value) do - desc 'The value of the setting to be defined.' - munge do |value| - Puppet.deprecation_warning('keystone_paste_ini is deprecated, has no effect and will be removed in a later release') - - value = value.to_s.strip - value.capitalize! if value =~ /^(true|false)$/i - value - end - - def is_to_s( currentvalue ) - if resource.secret? - return '[old secret redacted]' - else - return currentvalue - end - end - - def should_to_s( newvalue ) - if resource.secret? - return '[new secret redacted]' - else - return newvalue - end - end - end - - newparam(:secret, :boolean => true) do - desc 'Whether to hide the value from Puppet logs. Defaults to `false`.' - - newvalues(:true, :false) - - defaultto false - end - - autorequire(:package) do - 'keystone' - end - -end diff --git a/manifests/config.pp b/manifests/config.pp index 589f03a10..44d7974bd 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -20,15 +20,8 @@ # NOTE: The configuration MUST NOT be already handled by this module # or Puppet catalog compilation will fail with duplicate resources. # -#### DEPRECATED PARAMS -# -# [*keystone_paste_ini*] -# (optional) Allow configuration of /etc/keystone/keystone-paste.ini options. -# class keystone::config ( - $keystone_config = {}, - # DEPRECATED PARAMS - $keystone_paste_ini = undef, + $keystone_config = {}, ) { include ::keystone::deps @@ -36,8 +29,4 @@ class keystone::config ( validate_legacy(Hash, 'validate_hash', $keystone_config) create_resources('keystone_config', $keystone_config) - - if $keystone_paste_ini { - warning('keystone_paste_ini is deprecated, has no effect and will be removed in a later release') - } } diff --git a/manifests/deps.pp b/manifests/deps.pp index 56ff57ccd..1b88a46e4 100644 --- a/manifests/deps.pp +++ b/manifests/deps.pp @@ -32,12 +32,6 @@ class keystone::deps { # before dbsync starts Oslo::Db<||> -> Anchor['keystone::dbsync::begin'] - # TODO(tobias-urdin): Remove this when keystone_paste_ini is removed. - # paste-api.ini config should occur in the config block also. - Anchor['keystone::config::begin'] - -> Keystone_paste_ini<||> - ~> Anchor['keystone::config::end'] - # policy config should occur in the config block also. Anchor['keystone::config::begin'] -> Openstacklib::Policy::Base<||> diff --git a/manifests/disable_admin_token_auth.pp b/manifests/disable_admin_token_auth.pp deleted file mode 100644 index d3b00db58..000000000 --- a/manifests/disable_admin_token_auth.pp +++ /dev/null @@ -1,18 +0,0 @@ -# -# Class to manage and secure the keystone-paste.ini pipeline configuration. -# -# DEPRECATED! -# -# The keystone module uses the admin_token parameter in keystone.conf to -# bootstrap the basic setup of an admin user, project, and domain. However, the -# admin_token provides an easy vector of attack for production keystone -# installations. Including this class will remove the admin_token_auth -# from the paste pipeline to improve security. After this class is run, -# future puppet runs must have an openrc file with valid keystone v3 -# admin credentials in /root/openrc available, or else must be run with -# valid keystone v3 credentials set as environment variables. -# -class keystone::disable_admin_token_auth { - - warning('keystone::disable_admin_token_auth is deprecated, has no effect and will be removed in a later release') -} diff --git a/manifests/disable_v2_api.pp b/manifests/disable_v2_api.pp deleted file mode 100644 index 82b654376..000000000 --- a/manifests/disable_v2_api.pp +++ /dev/null @@ -1,15 +0,0 @@ -# Class to disable the Keystone v2.0 API via keystone-paste.ini. -# -# DEPRECATED! -# -# This class removes the /v2.0 entries for Keystone, ensuring that the -# only supported API's are v3. After this class is executed, the -# standard overcloudrc file will no longer work, the user needs to -# utilise the overcloudrc.v3 openrc file, or alternatively the clients -# must be using valid keystone v3 credentials set as environment variables. -# - -class keystone::disable_v2_api { - - warning('keystone::disable_v2_api has been deprecated, has no effect and will be removed in a later release') -} diff --git a/manifests/init.pp b/manifests/init.pp index 188568054..ab26e70a8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -528,8 +528,7 @@ # Defaults to false # # [*enable_proxy_headers_parsing*] -# (Optional) Enable paste middleware to handle SSL requests through -# HTTPProxyToWSGI middleware. +# (Optional) Enable oslo middleware to parse proxy headers. # Defaults to $::os_service_default. # # [*purge_config*] @@ -543,11 +542,6 @@ # # === DEPRECATED PARAMETERS # -# [*paste_config*] -# (Optional) Name of the paste configuration file that defines the -# available pipelines. (string value) -# Defaults to undef -# # [*cache_dir*] # (Optional) Directory created when token_provider is pki. This folder is not # created unless enable_pki_setup is set to True. @@ -686,7 +680,6 @@ class keystone( # DEPRECATED PARAMETERS $admin_workers = $::os_workers, $public_workers = $::os_workers, - $paste_config = undef, $cache_dir = undef, $token_driver = undef, ) inherits keystone::params { @@ -695,11 +688,6 @@ class keystone( include ::keystone::logging include ::keystone::policy - # TODO(tobias-urdin): Remove when paste_config is removed. - if $paste_config { - warning('keystone::paste_config is deprecated, has no effect and will be removed in a later release') - } - if $cache_dir { warning('keystone::cache_dir is deprecated, has no effect and will be removed in a later release') } diff --git a/releasenotes/notes/remove-paste-9b4a67cbe869e2bf.yaml b/releasenotes/notes/remove-paste-9b4a67cbe869e2bf.yaml new file mode 100644 index 000000000..663611853 --- /dev/null +++ b/releasenotes/notes/remove-paste-9b4a67cbe869e2bf.yaml @@ -0,0 +1,6 @@ +--- +upgrade: + - | + The deprecated resources keystone_paste_ini, keystone::config::keystone_paste_config, + keystone::disable_admin_token_auth, keystone::disable_v2_api and keystone::paste_config + is removed. diff --git a/spec/unit/provider/keystone_paste_ini/ini_setting_spec.rb b/spec/unit/provider/keystone_paste_ini/ini_setting_spec.rb deleted file mode 100644 index 56379487f..000000000 --- a/spec/unit/provider/keystone_paste_ini/ini_setting_spec.rb +++ /dev/null @@ -1,29 +0,0 @@ -# -# these tests are a little concerning b/c they are hacking around the -# modulepath, so these tests will not catch issues that may eventually arise -# related to loading these plugins. -# I could not, for the life of me, figure out how to programatcally set the modulepath -$LOAD_PATH.push( - File.join( - File.dirname(__FILE__), - '..', - '..', - '..', - 'fixtures', - 'modules', - 'inifile', - 'lib') -) -require 'spec_helper' -provider_class = Puppet::Type.type(:keystone_paste_ini).provider(:ini_setting) -describe provider_class do - - it 'should allow setting to be set explicitly' do - resource = Puppet::Type::Keystone_paste_ini.new( - {:name => 'dude/foo', :value => 'bar'} - ) - provider = provider_class.new(resource) - expect(provider.section).to eq('dude') - expect(provider.setting).to eq('foo') - end -end diff --git a/spec/unit/type/keystone_paste_ini_spec.rb b/spec/unit/type/keystone_paste_ini_spec.rb deleted file mode 100644 index 89e4de738..000000000 --- a/spec/unit/type/keystone_paste_ini_spec.rb +++ /dev/null @@ -1,35 +0,0 @@ -# TODO(tobias-urdin): This is deprecated and should be removed in T release. -require 'spec_helper' -# this hack is required for now to ensure that the path is set up correctly -# to retrieve the parent provider -$LOAD_PATH.push( - File.join( - File.dirname(__FILE__), - '..', - '..', - 'fixtures', - 'modules', - 'inifile', - 'lib') -) -require 'puppet/type/keystone_paste_ini' -describe 'Puppet::Type.type(:keystone_paste_ini)' do - before :each do - @keystone_paste_ini = Puppet::Type.type(:keystone_paste_ini).new(:name => 'DEFAULT/foo', :value => 'bar') - end - it 'should accept a valid value' do - @keystone_paste_ini[:value] = 'bar' - expect(@keystone_paste_ini[:value]).to eq('bar') - end - - it 'should autorequire the package that install the file' do - catalog = Puppet::Resource::Catalog.new - package = Puppet::Type.type(:package).new(:name => 'keystone') - catalog.add_resource package, @keystone_paste_ini - dependency = @keystone_paste_ini.autorequire - expect(dependency.size).to eq(1) - expect(dependency[0].target).to eq(@keystone_paste_ini) - expect(dependency[0].source).to eq(package) - end - -end