Remove writable ldap configs from examples and spec

Keystone removed support for writable ldap support in Ocata. We should
remove these configs from the examples and the specification so that it
doesn't give the impression the functionality is still supported. It
also cleans up the configuration a little bit.

Relevant release notes that advertize the removal:

  https://docs.openstack.org/releasenotes/keystone/ocata.html#relnotes-11-0-0-origin-stable-ocata-other-notes

Change-Id: I83da28d3988960252708c60ce53fe36f34ee4204

examples/ldap_backend.pp

@@ -31,9 +31,6 @@ keystone::ldap_backend { 'domain_1':
   user_id_attribute            => 'uid',
   user_name_attribute          => 'uid',
   user_mail_attribute          => 'mail',
-  user_allow_create            => 'False',
-  user_allow_update            => 'False',
-  user_allow_delete            => 'False',
   user_enabled_emulation       => 'True',
   user_enabled_emulation_dn    => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
   group_tree_dn                => 'ou=groups,ou=openstack,dc=example,dc=com',
@@ -42,9 +39,6 @@ keystone::ldap_backend { 'domain_1':
   group_name_attribute         => 'cn',
   group_member_attribute       => 'RoleOccupant',
   group_desc_attribute         => 'description',
-  group_allow_create           => 'True',
-  group_allow_update           => 'True',
-  group_allow_delete           => 'True',
   project_tree_dn              => 'ou=projects,ou=openstack,dc=example,dc=com',
   project_objectclass          => 'organizationalUnit',
   project_id_attribute         => 'ou',
@@ -87,9 +81,6 @@ keystone::ldap_backend { 'domain_2':
   user_id_attribute            => 'uid',
   user_name_attribute          => 'uid',
   user_mail_attribute          => 'mail',
-  user_allow_create            => 'False',
-  user_allow_update            => 'False',
-  user_allow_delete            => 'False',
   user_enabled_emulation       => 'True',
   user_enabled_emulation_dn    => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example_2,dc=com',
   group_tree_dn                => 'ou=groups,ou=openstack,dc=example_2,dc=com',
@@ -98,9 +89,6 @@ keystone::ldap_backend { 'domain_2':
   group_name_attribute         => 'cn',
   group_member_attribute       => 'RoleOccupant',
   group_desc_attribute         => 'description',
-  group_allow_create           => 'True',
-  group_allow_update           => 'True',
-  group_allow_delete           => 'True',
   project_tree_dn              => 'ou=projects,ou=openstack,dc=example_2,dc=com',
   project_objectclass          => 'organizationalUnit',
   project_id_attribute         => 'ou',

examples/ldap_full.pp

@@ -25,9 +25,6 @@ class { '::keystone:ldap':
   user_id_attribute            => 'uid',
   user_name_attribute          => 'uid',
   user_mail_attribute          => 'mail',
-  user_allow_create            => 'False',
-  user_allow_update            => 'False',
-  user_allow_delete            => 'False',
   user_enabled_emulation       => 'True',
   user_enabled_emulation_dn    => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
   group_tree_dn                => 'ou=groups,ou=openstack,dc=example,dc=com',
@@ -36,9 +33,6 @@ class { '::keystone:ldap':
   group_name_attribute         => 'cn',
   group_member_attribute       => 'RoleOccupant',
   group_desc_attribute         => 'description',
-  group_allow_create           => 'True',
-  group_allow_update           => 'True',
-  group_allow_delete           => 'True',
   project_tree_dn              => 'ou=projects,ou=openstack,dc=example,dc=com',
   project_objectclass          => 'organizationalUnit',
   project_id_attribute         => 'ou',

examples/ldap_identity.pp

@@ -22,7 +22,4 @@ class { '::keystone:ldap':
   user_id_attribute   => 'uid',
   user_name_attribute => 'uid',
   user_mail_attribute => 'mail',
-  user_allow_create   => 'False',
-  user_allow_update   => 'False',
-  user_allow_delete   => 'False'
 }

manifests/ldap_backend.pp

@@ -95,18 +95,6 @@
 #   LDAP attribute mapped to default_project_id for users. (string value)
 #   Defaults to 'undef'
 #
-# [*user_allow_create*]
-#   Allow user creation in LDAP backend. (boolean value)
-#   Defaults to 'undef'
-#
-# [*user_allow_update*]
-#   Allow user updates in LDAP backend. (boolean value)
-#   Defaults to 'undef'
-#
-# [*user_allow_delete*]
-#   Allow user deletion in LDAP backend. (boolean value)
-#   Defaults to 'undef'
-#
 # [*user_pass_attribute*]
 #   LDAP attribute mapped to password. (string value)
 #   Defaults to 'undef'
@@ -283,18 +271,6 @@
 #   List of attributes stripped off the group on update. (list value)
 #   Defaults to 'undef'
 #
-# [*group_allow_create*]
-#   Allow group creation in LDAP backend. (boolean value)
-#   Defaults to 'undef'
-#
-# [*group_allow_update*]
-#   Allow group update in LDAP backend. (boolean value)
-#   Defaults to 'undef'
-#
-# [*group_allow_delete*]
-#   Allow group deletion in LDAP backend. (boolean value)
-#   Defaults to 'undef'
-#
 # [*group_additional_attribute_mapping*]
 #   Additional attribute mappings for groups. Attribute mapping
 #   format is <ldap_attr>:<user_attr>, where ldap_attr is the
@@ -393,6 +369,30 @@
 #
 # === DEPRECATED group/name
 #
+# [*user_allow_create*]
+#   Allow user creation in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_allow_update*]
+#   Allow user updates in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_allow_delete*]
+#   Allow user deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*group_allow_create*]
+#   Allow group creation in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*group_allow_update*]
+#   Allow group update in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*group_allow_delete*]
+#   Allow group deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
 # == Dependencies
 # == Examples
 define keystone::ldap_backend(
@@ -415,9 +415,6 @@ define keystone::ldap_backend(
   $user_enabled_invert                  = undef,
   $user_attribute_ignore                = undef,
   $user_default_project_id_attribute    = undef,
-  $user_allow_create                    = undef,
-  $user_allow_update                    = undef,
-  $user_allow_delete                    = undef,
   $user_pass_attribute                  = undef,
   $user_enabled_emulation               = undef,
   $user_enabled_emulation_dn            = undef,
@@ -458,9 +455,6 @@ define keystone::ldap_backend(
   $group_members_are_ids                = undef,
   $group_desc_attribute                 = undef,
   $group_attribute_ignore               = undef,
-  $group_allow_create                   = undef,
-  $group_allow_update                   = undef,
-  $group_allow_delete                   = undef,
   $group_additional_attribute_mapping   = undef,
   $group_ad_nesting                     = undef,
   $chase_referrals                      = undef,
@@ -483,6 +477,13 @@ define keystone::ldap_backend(
   $package_ensure                       = present,
   $manage_packages                      = true,
   $create_domain_entry                  = false,
+  # DEPRECATED PARAMETERS
+  $user_allow_create                    = undef,
+  $user_allow_update                    = undef,
+  $user_allow_delete                    = undef,
+  $group_allow_create                   = undef,
+  $group_allow_update                   = undef,
+  $group_allow_delete                   = undef,
 ) {
 
   include ::keystone::deps
@@ -493,6 +494,30 @@ define keystone::ldap_backend(
 got \"${domain_enabled}\" for identity/domain_specific_drivers_enabled \
 and \"${domain_dir_enabled}\" for identity/domain_config_dir"
 
+  if $user_allow_create {
+    warning('keystone::user_allow_create is deprecated, has no effect and will be removed in a later release.')
+  }
+
+  if $user_allow_update {
+    warning('keystone::user_allow_update is deprecated, has no effect and will be removed in a later release.')
+  }
+
+  if $user_allow_delete {
+    warning('keystone::user_allow_delete is deprecated, has no effect and will be removed in a later release.')
+  }
+
+  if $group_allow_create {
+    warning('keystone::group_allow_create is deprecated, has no effect and will be removed in a later release.')
+  }
+
+  if $group_allow_update {
+    warning('keystone::group_allow_update is deprecated, has no effect and will be removed in a later release.')
+  }
+
+  if $group_allow_delete {
+    warning('keystone::group_allow_delete is deprecated, has no effect and will be removed in a later release.')
+  }
+
   if(bool2num($domain_enabled) == 0) {
     fail($err_msg)
   }
@@ -541,9 +566,6 @@ and \"${domain_dir_enabled}\" for identity/domain_config_dir"
     "${domain}::ldap/user_enabled_invert":                  value => $user_enabled_invert;
     "${domain}::ldap/user_attribute_ignore":                value => $user_attribute_ignore;
     "${domain}::ldap/user_default_project_id_attribute":    value => $user_default_project_id_attribute;
-    "${domain}::ldap/user_allow_create":                    value => $user_allow_create;
-    "${domain}::ldap/user_allow_update":                    value => $user_allow_update;
-    "${domain}::ldap/user_allow_delete":                    value => $user_allow_delete;
     "${domain}::ldap/user_pass_attribute":                  value => $user_pass_attribute;
     "${domain}::ldap/user_enabled_emulation":               value => $user_enabled_emulation;
     "${domain}::ldap/user_enabled_emulation_dn":            value => $user_enabled_emulation_dn;
@@ -584,9 +606,6 @@ and \"${domain_dir_enabled}\" for identity/domain_config_dir"
     "${domain}::ldap/group_members_are_ids":                value => $group_members_are_ids;
     "${domain}::ldap/group_desc_attribute":                 value => $group_desc_attribute;
     "${domain}::ldap/group_attribute_ignore":               value => $group_attribute_ignore;
-    "${domain}::ldap/group_allow_create":                   value => $group_allow_create;
-    "${domain}::ldap/group_allow_update":                   value => $group_allow_update;
-    "${domain}::ldap/group_allow_delete":                   value => $group_allow_delete;
     "${domain}::ldap/group_additional_attribute_mapping":   value => $group_additional_attribute_mapping;
     "${domain}::ldap/group_ad_nesting":                     value => $group_ad_nesting;
     "${domain}::ldap/chase_referrals":                      value => $chase_referrals;

releasenotes/notes/remove-writable-ldap-configs-020f66d8b93003bc.yaml

@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    The user_allow_create, user_allow_update, user_allow_delete, group_allow_create,
+    group_allow_update and group_allow_delete parameters in keystone::ldap_backend
+    is deprecated, has no effect and will be removed in a later release.

spec/defines/keystone_ldap_backend_spec.rb

@@ -37,9 +37,6 @@ describe 'keystone::ldap_backend' do
           :user_enabled_invert                  => 'False',
           :user_attribute_ignore                => '',
           :user_default_project_id_attribute    => 'defaultProject',
-          :user_allow_create                    => 'False',
-          :user_allow_update                    => 'False',
-          :user_allow_delete                    => 'False',
           :user_pass_attribute                  => 'krbPassword',
           :user_enabled_emulation               => 'True',
           :user_enabled_emulation_dn            => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
@@ -80,9 +77,6 @@ describe 'keystone::ldap_backend' do
           :group_members_are_ids                => 'True',
           :group_desc_attribute                 => 'description',
           :group_attribute_ignore               => '',
-          :group_allow_create                   => 'False',
-          :group_allow_update                   => 'False',
-          :group_allow_delete                   => 'False',
           :group_additional_attribute_mapping   => '',
           :group_ad_nesting                     => 'True',
           :chase_referrals                      => 'False',
@@ -127,9 +121,6 @@ describe 'keystone::ldap_backend' do
         is_expected.to contain_keystone_domain_config('Default::ldap/user_attribute_ignore').with_value('')
         is_expected.to contain_keystone_domain_config('Default::ldap/user_default_project_id_attribute').with_value('defaultProject')
         is_expected.to contain_keystone_domain_config('Default::ldap/user_tree_dn').with_value('cn=users,dc=example,dc=com')
-        is_expected.to contain_keystone_domain_config('Default::ldap/user_allow_create').with_value('False')
-        is_expected.to contain_keystone_domain_config('Default::ldap/user_allow_update').with_value('False')
-        is_expected.to contain_keystone_domain_config('Default::ldap/user_allow_delete').with_value('False')
         is_expected.to contain_keystone_domain_config('Default::ldap/user_pass_attribute').with_value('krbPassword')
         is_expected.to contain_keystone_domain_config('Default::ldap/user_enabled_emulation').with_value('True')
         is_expected.to contain_keystone_domain_config('Default::ldap/user_enabled_emulation_dn').with_value('cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com')
@@ -176,9 +167,6 @@ describe 'keystone::ldap_backend' do
         is_expected.to contain_keystone_domain_config('Default::ldap/group_desc_attribute').with_value('description')
         is_expected.to contain_keystone_domain_config('Default::ldap/group_name_attribute').with_value('cn')
         is_expected.to contain_keystone_domain_config('Default::ldap/group_attribute_ignore').with_value('')
-        is_expected.to contain_keystone_domain_config('Default::ldap/group_allow_create').with_value('False')
-        is_expected.to contain_keystone_domain_config('Default::ldap/group_allow_update').with_value('False')
-        is_expected.to contain_keystone_domain_config('Default::ldap/group_allow_delete').with_value('False')
         is_expected.to contain_keystone_domain_config('Default::ldap/group_additional_attribute_mapping').with_value('')
         is_expected.to contain_keystone_domain_config('Default::ldap/group_ad_nesting').with_value('True')