user_allow_* options for ldap are deprecated

These options are deprecated in keystone and setting them either true or
false will produce a warning in Keystone.

Change-Id: Icab0d0dd5558cfb03e0a9cef738beb26d9245269

manifests/ldap.pp

@@ -88,18 +88,6 @@
 #   LDAP attribute mapped to default_project_id for users. (string value)
 #   Defaults to 'undef'
 #
-# [*user_allow_create*]
-#   Allow user creation in LDAP backend. (boolean value)
-#   Defaults to 'undef'
-#
-# [*user_allow_update*]
-#   Allow user updates in LDAP backend. (boolean value)
-#   Defaults to 'undef'
-#
-# [*user_allow_delete*]
-#   Allow user deletion in LDAP backend. (boolean value)
-#   Defaults to 'undef'
-#
 # [*user_pass_attribute*]
 #   LDAP attribute mapped to password. (string value)
 #   Defaults to 'undef'
@@ -372,6 +360,18 @@
 #
 # === DEPRECATED group/name
 #
+# [*user_allow_create*]
+#   Allow user creation in LDAP backend. (boolean value)
+#   Defaults to 'undef' DEPRECATED: Has no effect.
+#
+# [*user_allow_update*]
+#   Allow user updates in LDAP backend. (boolean value)
+#   Defaults to 'undef' DEPRECATED: Has no effect.
+#
+# [*user_allow_delete*]
+#   Allow user deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef' DEPRECATED: Has no effect.
+#
 # == Dependencies
 # == Examples
 # == Authors
@@ -402,9 +402,6 @@ class keystone::ldap(
   $user_enabled_invert                 = undef,
   $user_attribute_ignore               = undef,
   $user_default_project_id_attribute   = undef,
-  $user_allow_create                   = undef,
-  $user_allow_update                   = undef,
-  $user_allow_delete                   = undef,
   $user_pass_attribute                 = undef,
   $user_enabled_emulation              = undef,
   $user_enabled_emulation_dn           = undef,
@@ -467,6 +464,10 @@ class keystone::ldap(
   $auth_pool_connection_lifetime       = 60,
   $package_ensure                      = present,
   $manage_packages                     = true,
+  # DEPRECATED
+  $user_allow_create                   = undef,
+  $user_allow_update                   = undef,
+  $user_allow_delete                   = undef,
 ) {
 
   include ::keystone::deps
@@ -483,6 +484,11 @@ class keystone::ldap(
     }
   }
 
+  if $user_allow_create or $user_allow_update or $user_allow_delete {
+    warning("all user_allow_ options are deprecated and have no effect, \
+      they will be removed in the future")
+  }
+
   keystone_config {
     'ldap/url':                                  value => $url;
     'ldap/user':                                 value => $user;
@@ -502,9 +508,6 @@ class keystone::ldap(
     'ldap/user_enabled_invert':                  value => $user_enabled_invert;
     'ldap/user_attribute_ignore':                value => $user_attribute_ignore;
     'ldap/user_default_project_id_attribute':    value => $user_default_project_id_attribute;
-    'ldap/user_allow_create':                    value => $user_allow_create;
-    'ldap/user_allow_update':                    value => $user_allow_update;
-    'ldap/user_allow_delete':                    value => $user_allow_delete;
     'ldap/user_pass_attribute':                  value => $user_pass_attribute;
     'ldap/user_enabled_emulation':               value => $user_enabled_emulation;
     'ldap/user_enabled_emulation_dn':            value => $user_enabled_emulation_dn;

releasenotes/notes/deprecate-user_allow_ldap-params-0b8b6d2a53d7d818.yaml

@@ -0,0 +1,5 @@
+---
+deprecations:
+  - user_allow_* options for ldap are deprecated in Keystone.
+    Setting these will now have no effect and these will be
+    removed as parameters in a future release.

spec/classes/keystone_ldap_spec.rb

@@ -22,9 +22,6 @@ describe 'keystone::ldap' do
         :user_enabled_invert => 'False',
         :user_attribute_ignore => '',
         :user_default_project_id_attribute => 'defaultProject',
-        :user_allow_create => 'False',
-        :user_allow_update => 'False',
-        :user_allow_delete => 'False',
         :user_pass_attribute => 'krbPassword',
         :user_enabled_emulation => 'True',
         :user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
@@ -110,9 +107,6 @@ describe 'keystone::ldap' do
       is_expected.to contain_keystone_config('ldap/user_attribute_ignore').with_value('')
       is_expected.to contain_keystone_config('ldap/user_default_project_id_attribute').with_value('defaultProject')
       is_expected.to contain_keystone_config('ldap/user_tree_dn').with_value('cn=users,dc=example,dc=com')
-      is_expected.to contain_keystone_config('ldap/user_allow_create').with_value('False')
-      is_expected.to contain_keystone_config('ldap/user_allow_update').with_value('False')
-      is_expected.to contain_keystone_config('ldap/user_allow_delete').with_value('False')
       is_expected.to contain_keystone_config('ldap/user_pass_attribute').with_value('krbPassword')
       is_expected.to contain_keystone_config('ldap/user_enabled_emulation').with_value('True')
       is_expected.to contain_keystone_config('ldap/user_enabled_emulation_dn').with_value('cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com')