Remove 'admin_role' option

This option was deprecated in the Ussuri release by change I0f61f85a0aaa4f68e345fa08fbb6b039d3d32587 and it is now eligible for removal following the standard OpenStack deprecation policy. Change-Id: I78ec79f97bfdcc39772448296140f8d8f35adea1
2020-11-24 19:55:21 -05:00 · 2020-11-24 19:55:21 -05:00 · f102b74a28
commit f102b74a28
parent 1344c45772
5 changed files with 12 additions and 64 deletions
--- a/doc/source/admin/authentication.rst
+++ b/doc/source/admin/authentication.rst
@ -114,9 +114,3 @@ configuration file, select the appropriate deployment flavor by adding a
  [paste_deploy]
  flavor = keystone
 .. note::
  If your authentication service uses a role other than ``admin`` to identify
  which users should be granted admin-level privileges, you must define it
  in the ``admin_role`` config attribute in both ``glance-registry.conf`` and
  ``glance-api.conf``.
--- a/glance/api/middleware/context.py
+++ b/glance/api/middleware/context.py
@ -54,41 +54,6 @@ Possible values:
 Related options:
    * None
 """)),
    cfg.StrOpt('admin_role',
               default=('__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c'
                        '_NOT_A_ROLE__'),
               deprecated_for_removal=True,
               deprecated_since="Ussuri",
               deprecated_reason=_("""
 This option is redundant as its goal can be achieved via policy file
 configuration.  Additionally, it can override any configured policies,
 leading to unexpected behavior and difficulty in policy configuration.
 The option will be removed early in the Victoria development cycle,
 following the standard OpenStack deprecation policy.
 Because this can be a security issue, the default value of this
 configuration option has been changed in this release.
 Please see the 'Deprecation Notes' section of the Ussuri Glance
 Release Notes for more information.
 """),
               help=_("""
 Role used to identify an authenticated user as administrator.
 Provide a string value representing a Keystone role to identify an
 administrative user. Users with this role will be granted
 administrative privileges.
 NOTE: The default value for this option has changed in this release.
 Possible values:
    * A string value which is a valid Keystone role
 Related options:
    * None
 """)),
    cfg.BoolOpt('allow_anonymous_access', default=False,
@ -221,9 +186,6 @@ class ContextMiddleware(BaseContextMiddleware):
        # fixed.
        ctxt.roles = [r.lower() for r in ctxt.roles]
        if CONF.admin_role.strip().lower() in ctxt.roles:
            ctxt.is_admin = True
        return ctxt
--- a/glance/tests/functional/init.py
+++ b/glance/tests/functional/init.py
@ -745,7 +745,6 @@ class ScrubberDaemon(Server):
        self.policy_default_rule = 'default'
        self.send_identity_headers = False
        self.admin_role = 'admin'
        self.conf_base = """[DEFAULT]
 debug = %(debug)s
--- a/glance/tests/unit/test_context_middleware.py
+++ b/glance/tests/unit/test_context_middleware.py
@ -56,11 +56,11 @@ class TestContextMiddleware(base.IsolatedUnitTest):
        self._build_middleware().process_request(req)
        self.assertFalse(req.context.is_admin)
-        # if we change the admin_role attribute, we should be able to use it
+        # the admin_role config option was removed in Wallaby
-        req = self._build_request()
+        from oslo_config.cfg import NoSuchOptError
-        self.config(admin_role='role1')
+        self.assertRaises(NoSuchOptError,
-        self._build_middleware().process_request(req)
+                          self.config,
-        self.assertTrue(req.context.is_admin)
+                          admin_role='role1')
    def test_roles_case_insensitive(self):
        # accept role from request
@ -68,24 +68,11 @@ class TestContextMiddleware(base.IsolatedUnitTest):
        self._build_middleware().process_request(req)
        self.assertTrue(req.context.is_admin)
        # accept role from config
        req = self._build_request(roles=['role1'])
        self.config(admin_role='rOLe1')
        self._build_middleware().process_request(req)
        self.assertTrue(req.context.is_admin)
    def test_roles_stripping(self):
        # stripping extra spaces in request
        req = self._build_request(roles=['\trole1'])
        self.config(admin_role='role1')
        self._build_middleware().process_request(req)
-        self.assertTrue(req.context.is_admin)
+        self.assertIn('role1', req.context.roles)
        # stripping extra spaces in config
        req = self._build_request(roles=['\trole1\n'])
        self.config(admin_role=' role1\t')
        self._build_middleware().process_request(req)
        self.assertTrue(req.context.is_admin)
    def test_anonymous_access_enabled(self):
        req = self._build_request(identity_status='Nope')
--- a/releasenotes/notes/remove-admin_role-f508754e98331fc4.yaml
+++ b/releasenotes/notes/remove-admin_role-f508754e98331fc4.yaml
@ -0,0 +1,6 @@
 ---
 upgrade:
  - |
    The Glance API configuration option ``admin_role``, having been deprecated
    in the Ussuri release, is now removed.  If present in a configuration file,
    it will be silently ignored.