Remove 'admin_role' option

This option was deprecated in the Ussuri release by change I0f61f85a0aaa4f68e345fa08fbb6b039d3d32587 and it is now eligible for removal following the standard OpenStack deprecation policy. Change-Id: I78ec79f97bfdcc39772448296140f8d8f35adea1
2020-11-24 19:55:21 -05:00 · 2020-11-24 19:55:21 -05:00 · f102b74a28
commit f102b74a28
parent 1344c45772
5 changed files with 12 additions and 64 deletions
--- a/doc/source/admin/authentication.rst
+++ b/doc/source/admin/authentication.rst
@ -114,9 +114,3 @@ configuration file, select the appropriate deployment flavor by adding a

  [paste_deploy]
  flavor = keystone
-
-.. note::
-  If your authentication service uses a role other than ``admin`` to identify
-  which users should be granted admin-level privileges, you must define it
-  in the ``admin_role`` config attribute in both ``glance-registry.conf`` and
-  ``glance-api.conf``.
--- a/glance/api/middleware/context.py
+++ b/glance/api/middleware/context.py
@ -54,41 +54,6 @@ Possible values:
 Related options:
    * None

-""")),
-
-    cfg.StrOpt('admin_role',
-               default=('__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c'
-                        '_NOT_A_ROLE__'),
-               deprecated_for_removal=True,
-               deprecated_since="Ussuri",
-               deprecated_reason=_("""
-This option is redundant as its goal can be achieved via policy file
-configuration.  Additionally, it can override any configured policies,
-leading to unexpected behavior and difficulty in policy configuration.
-The option will be removed early in the Victoria development cycle,
-following the standard OpenStack deprecation policy.
-
-Because this can be a security issue, the default value of this
-configuration option has been changed in this release.
-
-Please see the 'Deprecation Notes' section of the Ussuri Glance
-Release Notes for more information.
-"""),
-               help=_("""
-Role used to identify an authenticated user as administrator.
-
-Provide a string value representing a Keystone role to identify an
-administrative user. Users with this role will be granted
-administrative privileges.
-
-NOTE: The default value for this option has changed in this release.
-
-Possible values:
-    * A string value which is a valid Keystone role
-
-Related options:
-    * None
-
 """)),

    cfg.BoolOpt('allow_anonymous_access', default=False,
@ -221,9 +186,6 @@ class ContextMiddleware(BaseContextMiddleware):
        # fixed.
        ctxt.roles = [r.lower() for r in ctxt.roles]

-        if CONF.admin_role.strip().lower() in ctxt.roles:
-            ctxt.is_admin = True
-
        return ctxt


--- a/glance/tests/functional/init.py
+++ b/glance/tests/functional/init.py
@ -745,7 +745,6 @@ class ScrubberDaemon(Server):
        self.policy_default_rule = 'default'

        self.send_identity_headers = False
-        self.admin_role = 'admin'

        self.conf_base = """[DEFAULT]
 debug = %(debug)s
--- a/glance/tests/unit/test_context_middleware.py
+++ b/glance/tests/unit/test_context_middleware.py
@ -56,11 +56,11 @@ class TestContextMiddleware(base.IsolatedUnitTest):
        self._build_middleware().process_request(req)
        self.assertFalse(req.context.is_admin)

-        # if we change the admin_role attribute, we should be able to use it
-        req = self._build_request()
-        self.config(admin_role='role1')
-        self._build_middleware().process_request(req)
-        self.assertTrue(req.context.is_admin)
+        # the admin_role config option was removed in Wallaby
+        from oslo_config.cfg import NoSuchOptError
+        self.assertRaises(NoSuchOptError,
+                          self.config,
+                          admin_role='role1')

    def test_roles_case_insensitive(self):
        # accept role from request
@ -68,24 +68,11 @@ class TestContextMiddleware(base.IsolatedUnitTest):
        self._build_middleware().process_request(req)
        self.assertTrue(req.context.is_admin)

-        # accept role from config
-        req = self._build_request(roles=['role1'])
-        self.config(admin_role='rOLe1')
-        self._build_middleware().process_request(req)
-        self.assertTrue(req.context.is_admin)
-
    def test_roles_stripping(self):
        # stripping extra spaces in request
        req = self._build_request(roles=['\trole1'])
-        self.config(admin_role='role1')
        self._build_middleware().process_request(req)
-        self.assertTrue(req.context.is_admin)
-
-        # stripping extra spaces in config
-        req = self._build_request(roles=['\trole1\n'])
-        self.config(admin_role=' role1\t')
-        self._build_middleware().process_request(req)
-        self.assertTrue(req.context.is_admin)
+        self.assertIn('role1', req.context.roles)

    def test_anonymous_access_enabled(self):
        req = self._build_request(identity_status='Nope')
--- a/releasenotes/notes/remove-admin_role-f508754e98331fc4.yaml
+++ b/releasenotes/notes/remove-admin_role-f508754e98331fc4.yaml
@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    The Glance API configuration option ``admin_role``, having been deprecated
+    in the Ussuri release, is now removed.  If present in a configuration file,
+    it will be silently ignored.