Deprecate all paste code

Keystone no longer uses it's paste ini file or uses the paste deploy parts so we deprecate all that now. [1] Unfortunately this should probably have been done in Rocky but got missed, in Stein keystone will effectively remove the paste ini file. [1] [1] https://docs.openstack.org/releasenotes/keystone/rocky.html Change-Id: Ifefea626f754d247b376745fbb2791e725ebafbc Closes-Bug: 1794045
2018-10-26 01:25:41 +02:00 · 2018-10-26 01:25:41 +02:00 · 697be3badb
parent b3c0b3a99a
commit 697be3badb
12 changed files with 43 additions and 106 deletions
--- a/lib/puppet/provider/keystone_paste_ini/ini_setting.rb
+++ b/lib/puppet/provider/keystone_paste_ini/ini_setting.rb
@ -1,3 +1,4 @@
+# TODO(tobias-urdin): This is deprecated and should be removed in T release.
 Puppet::Type.type(:keystone_paste_ini).provide(
  :ini_setting,
  :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
--- a/lib/puppet/type/keystone_paste_ini.rb
+++ b/lib/puppet/type/keystone_paste_ini.rb
@ -1,3 +1,4 @@
+# TODO(tobias-urdin): This is deprecated and should be removed in T release.
 Puppet::Type.newtype(:keystone_paste_ini) do

  ensurable
@ -10,6 +11,8 @@ Puppet::Type.newtype(:keystone_paste_ini) do
  newproperty(:value) do
    desc 'The value of the setting to be defined.'
    munge do |value|
+      Puppet.deprecation_warning('keystone_paste_ini is deprecated, has no effect and will be removed in a later release')
+
      value = value.to_s.strip
      value.capitalize! if value =~ /^(true|false)$/i
      value
--- a/manifests/config.pp
+++ b/manifests/config.pp
@ -17,22 +17,26 @@
 #     DEFAULT/bar:
 #       value: barValue
 #
-# [*keystone_paste_ini*]
-#   (optional) Allow configuration of /etc/keystone/keystone-paste.ini options.
-#
 #   NOTE: The configuration MUST NOT be already handled by this module
 #   or Puppet catalog compilation will fail with duplicate resources.
 #
+#### DEPRECATED PARAMS
+#
+# [*keystone_paste_ini*]
+#   (optional) Allow configuration of /etc/keystone/keystone-paste.ini options.
+#
 class keystone::config (
-  $keystone_config  = {},
-  $keystone_paste_ini = {},
+  $keystone_config    = {},
+  # DEPRECATED PARAMS
+  $keystone_paste_ini = undef,
 ) {

  include ::keystone::deps

  validate_hash($keystone_config)
-  validate_hash($keystone_paste_ini)
-
  create_resources('keystone_config', $keystone_config)
-  create_resources('keystone_paste_ini', $keystone_paste_ini)
+
+  if $keystone_paste_ini {
+    warning('keystone_paste_ini is deprecated, has no effect and will be removed in a later release')
+  }
 }
--- a/manifests/deps.pp
+++ b/manifests/deps.pp
@ -32,6 +32,7 @@ class keystone::deps {
  # before dbsync starts
  Oslo::Db<||> -> Anchor['keystone::dbsync::begin']

+  # TODO(tobias-urdin): Remove this when keystone_paste_ini is removed.
  # paste-api.ini config should occur in the config block also.
  Anchor['keystone::config::begin']
  -> Keystone_paste_ini<||>
--- a/manifests/disable_admin_token_auth.pp
+++ b/manifests/disable_admin_token_auth.pp
@ -1,6 +1,8 @@
 #
 # Class to manage and secure the keystone-paste.ini pipeline configuration.
 #
+# DEPRECATED!
+#
 # The keystone module uses the admin_token parameter in keystone.conf to
 # bootstrap the basic setup of an admin user, project, and domain. However, the
 # admin_token provides an easy vector of attack for production keystone
@ -12,35 +14,5 @@
 #
 class keystone::disable_admin_token_auth {

-  require ::keystone::roles::admin
-
-  Keystone::Resource::Service_identity<||> -> Class['::keystone::disable_admin_token_auth']
-
-  ini_subsetting { 'public_api/admin_token_auth':
-    ensure     => absent,
-    path       => '/etc/keystone/keystone-paste.ini',
-    section    => 'pipeline:public_api',
-    setting    => 'pipeline',
-    subsetting => 'admin_token_auth',
-    tag        => 'disable-admin-token-auth',
-  }
-  ini_subsetting { 'admin_api/admin_token_auth':
-    ensure     => absent,
-    path       => '/etc/keystone/keystone-paste.ini',
-    section    => 'pipeline:admin_api',
-    setting    => 'pipeline',
-    subsetting => 'admin_token_auth',
-    tag        => 'disable-admin-token-auth',
-  }
-  ini_subsetting { 'api_v3/admin_token_auth':
-    ensure     => absent,
-    path       => '/etc/keystone/keystone-paste.ini',
-    section    => 'pipeline:api_v3',
-    setting    => 'pipeline',
-    subsetting => 'admin_token_auth',
-    tag        => 'disable-admin-token-auth',
-  }
-
-  Ini_subsetting <| tag == 'disable-admin-token-auth' |>
-    ~> Exec<| name == 'restart_keystone' |>
+  warning('keystone::disable_admin_token_auth is deprecated, has no effect and will be removed in a later release')
 }
--- a/manifests/disable_v2_api.pp
+++ b/manifests/disable_v2_api.pp
@ -1,5 +1,7 @@
 # Class to disable the Keystone v2.0 API via keystone-paste.ini.
 #
+# DEPRECATED!
+#
 # This class removes the /v2.0 entries for Keystone, ensuring that the
 # only supported API's are v3. After this class is executed, the
 # standard overcloudrc file will no longer work, the user needs to
@ -9,25 +11,5 @@

 class keystone::disable_v2_api {

-  require ::keystone::roles::admin
-
-  Keystone::Resource::Service_identity<||> -> Class['::keystone::disable_v2_api']
-  ini_setting { 'disable_admin/v2.0':
-    ensure  => absent,
-    path    => '/etc/keystone/keystone-paste.ini',
-    section => 'composite:admin',
-    setting => '/v2.0',
-    value   => undef,
-    tag     => 'disable-v2.0-api',
-  }
-  ini_setting { 'disable_main/v2.0':
-    ensure  => absent,
-    path    => '/etc/keystone/keystone-paste.ini',
-    section => 'composite:main',
-    setting => '/v2.0',
-    value   => undef,
-    tag     => 'disable-v2.0-api',
-  }
-  Ini_subsetting <| tag == 'disable-v2.0-api' |>
-    ~> Exec<| name == 'restart_keystone' |>
+  warning('keystone::disable_v2_api has been deprecated, has no effect and will be removed in a later release')
 }
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -395,11 +395,6 @@
 #   Defaults to '$::keystone::params::service_name'
 #   NOTE: validate_service only applies if the default value is used.
 #
-# [*paste_config*]
-#   (optional) Name of the paste configuration file that defines the
-#   available pipelines. (string value)
-#   Defaults to $::os_service_default
-#
 # [*max_token_size*]
 #   (optional) maximum allowable Keystone token size
 #   Defaults to $::os_service_default
@ -626,6 +621,11 @@
 #   (optional) Deprecated. Key size (in bits) for token signing cert (auto generated certificate)
 #   Defaults to $::os_service_default
 #
+# [*paste_config*]
+#   (optional) Name of the paste configuration file that defines the
+#   available pipelines. (string value)
+#   Defaults to undef
+#
 # == Dependencies
 #  None
 #
@ -729,7 +729,6 @@ class keystone(
  $validate_insecure                    = false,
  $validate_auth_url                    = false,
  $validate_cacert                      = undef,
-  $paste_config                         = $::os_service_default,
  $service_name                         = $::keystone::params::service_name,
  $max_token_size                       = $::os_service_default,
  $sync_db                              = true,
@ -770,12 +769,18 @@ class keystone(
  $signing_ca_key                       = $::os_service_default,
  $signing_cert_subject                 = $::os_service_default,
  $signing_key_size                     = $::os_service_default,
+  $paste_config                         = undef,
 ) inherits keystone::params {

  include ::keystone::deps
  include ::keystone::logging
  include ::keystone::policy

+  # TODO(tobias-urdin): Remove when paste_config is removed.
+  if $paste_config {
+    warning('keystone::paste_config is deprecated, has no effect and will be removed in a later release')
+  }
+
  if ! $catalog_driver {
    validate_re($catalog_type, 'template|sql')
  }
@ -837,7 +842,6 @@ admin_token will be removed in a later release")
    'DEFAULT/admin_port':       value => $admin_port;
    'DEFAULT/member_role_id':   value => $member_role_id;
    'DEFAULT/member_role_name': value => $member_role_name;
-    'paste_deploy/config_file': value => $paste_config;
  }

  # Endpoint configuration
--- a/releasenotes/notes/deprecate-keystone-paste-01d714353e5544df.yaml
+++ b/releasenotes/notes/deprecate-keystone-paste-01d714353e5544df.yaml
@ -0,0 +1,8 @@
+---
+deprecations:
+  - |
+    keystone_paste_ini resource, keystone::config::keystone_paste_config,
+    keystone::disable_admin_token_auth, keystone::disable_v2_api and
+    keystone::paste_config is all deprecated and has no effect on how
+    Keystone behaves. These will be removed in the next release, keystone
+    is not reading the paste configuration in Stein.
--- a/spec/classes/keystone_config_spec.rb
+++ b/spec/classes/keystone_config_spec.rb
@ -23,18 +23,6 @@ describe 'keystone::config' do
    end
  end

-  shared_examples_for 'keystone_paste_ini' do
-    let :params do
-      { :keystone_paste_ini => config_hash }
-    end
-
-    it 'configures arbitrary keystone-paste-ini configurations' do
-      is_expected.to contain_keystone_paste_ini('DEFAULT/foo').with_value('fooValue')
-      is_expected.to contain_keystone_paste_ini('DEFAULT/bar').with_value('barValue')
-      is_expected.to contain_keystone_paste_ini('DEFAULT/baz').with_ensure('absent')
-    end
-  end
-
  on_supported_os({
    :supported_os   => OSDefaults.get_supported_os
  }).each do |os,facts|
@ -44,7 +32,6 @@ describe 'keystone::config' do
      end

      it_configures 'keystone_config'
-      it_configures 'keystone_paste_ini'
    end
  end
 end
--- a/spec/classes/keystone_disable_admin_token_auth_spec.rb
+++ b/spec/classes/keystone_disable_admin_token_auth_spec.rb
@ -1,20 +0,0 @@
-require 'spec_helper'
-
-describe 'keystone::disable_admin_token_auth' do
-  let :facts do
-    @default_facts.merge({
-       :osfamily => 'Debian',
-       :os       => { :name  => 'Debian', :family => 'Debian', :release => { :major => '8', :minor => '0' } },
-    })
-  end
-
-  let :pre_condition do
-    'class { "::keystone": admin_token => "secret", }
-     class { "::keystone::roles::admin": password => "secret" }
-    '
-  end
-
-  it { is_expected.to contain_ini_subsetting('public_api/admin_token_auth') }
-  it { is_expected.to contain_ini_subsetting('admin_api/admin_token_auth') }
-  it { is_expected.to contain_ini_subsetting('api_v3/admin_token_auth') }
-end
--- a/spec/classes/keystone_init_spec.rb
+++ b/spec/classes/keystone_init_spec.rb
@ -68,7 +68,6 @@ describe 'keystone' do
      'public_workers'                     => 20,
      'member_role_id'                     => '<SERVICE DEFAULT>',
      'member_role_name'                   => '<SERVICE DEFAULT>',
-      'paste_config'                       => '<SERVICE DEFAULT>',
      'sync_db'                            => true,
      'purge_config'                       => false,
      'keystone_user'                      => 'keystone',
@ -121,7 +120,6 @@ describe 'keystone' do
      'default_domain'                     => 'other_domain',
      'member_role_id'                     => '123456789',
      'member_role_name'                   => 'othermember',
-      'paste_config'                       => '/usr/share/keystone/keystone-paste.ini',
      'using_domain_config'                => false,
      'keystone_user'                      => 'test_user',
      'keystone_group'                     => 'test_group',
@ -222,10 +220,6 @@ describe 'keystone' do
      is_expected.to contain_keystone_config('token/revoke_by_id').with_value(param_hash['revoke_by_id'])
    end

-    it 'should contain default paste_config' do
-      is_expected.to contain_keystone_config('paste_deploy/config_file').with_value(param_hash['paste_config'])
-    end
-
    it 'should ensure proper setting of admin_endpoint and public_endpoint' do
      if param_hash['admin_endpoint']
        is_expected.to contain_keystone_config('DEFAULT/admin_endpoint').with_value(param_hash['admin_endpoint'])
--- a/spec/unit/type/keystone_paste_ini_spec.rb
+++ b/spec/unit/type/keystone_paste_ini_spec.rb
@ -1,3 +1,4 @@
+# TODO(tobias-urdin): This is deprecated and should be removed in T release.
 require 'spec_helper'
 # this hack is required for now to ensure that the path is set up correctly
 # to retrieve the parent provider