Merge "Clean up deprecated configuration options"

This commit is contained in:
Jenkins 2017-02-01 12:00:20 +00:00 committed by Gerrit Code Review
commit 0b634ed5b3
11 changed files with 44 additions and 417 deletions

View File

@ -5,13 +5,11 @@
# #
# IP to listen on. (string value) # IP to listen on. (string value)
# Deprecated group/name - [discoverd]/listen_address
#listen_address = 0.0.0.0 #listen_address = 0.0.0.0
# Port to listen on. (port value) # Port to listen on. (port value)
# Minimum value: 0 # Minimum value: 0
# Maximum value: 65535 # Maximum value: 65535
# Deprecated group/name - [discoverd]/listen_port
#listen_port = 5050 #listen_port = 5050
# Authentication method used on the ironic-inspector API. Either # Authentication method used on the ironic-inspector API. Either
@ -20,26 +18,17 @@
# Allowed values: keystone, noauth # Allowed values: keystone, noauth
#auth_strategy = keystone #auth_strategy = keystone
# DEPRECATED: use auth_strategy. (boolean value)
# Deprecated group/name - [discoverd]/authenticate
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#authenticate = <None>
# Timeout after which introspection is considered failed, set to 0 to # Timeout after which introspection is considered failed, set to 0 to
# disable. (integer value) # disable. (integer value)
# Deprecated group/name - [discoverd]/timeout
#timeout = 3600 #timeout = 3600
# For how much time (in seconds) to keep status information about # For how much time (in seconds) to keep status information about
# nodes after introspection was finished for them. Default value is 1 # nodes after introspection was finished for them. Default value is 1
# week. (integer value) # week. (integer value)
# Deprecated group/name - [discoverd]/node_status_keep_time
#node_status_keep_time = 604800 #node_status_keep_time = 604800
# Amount of time in seconds, after which repeat clean up of timed out # Amount of time in seconds, after which repeat clean up of timed out
# nodes and old nodes status information. (integer value) # nodes and old nodes status information. (integer value)
# Deprecated group/name - [discoverd]/clean_up_period
#clean_up_period = 60 #clean_up_period = 60
# SSL Enabled/Disabled (boolean value) # SSL Enabled/Disabled (boolean value)
@ -380,20 +369,6 @@
#db_max_retries = 20 #db_max_retries = 20
[discoverd]
#
# From ironic_inspector
#
# DEPRECATED: SQLite3 database to store nodes under introspection,
# required. Do not use :memory: here, it won't work. DEPRECATED: use
# [database]/connection. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#database =
[discovery] [discovery]
# #
@ -412,17 +387,14 @@
# #
# Whether to manage firewall rules for PXE port. (boolean value) # Whether to manage firewall rules for PXE port. (boolean value)
# Deprecated group/name - [discoverd]/manage_firewall
#manage_firewall = true #manage_firewall = true
# Interface on which dnsmasq listens, the default is for VM's. (string # Interface on which dnsmasq listens, the default is for VM's. (string
# value) # value)
# Deprecated group/name - [discoverd]/dnsmasq_interface
#dnsmasq_interface = br-ctlplane #dnsmasq_interface = br-ctlplane
# Amount of time in seconds, after which repeat periodic update of # Amount of time in seconds, after which repeat periodic update of
# firewall. (integer value) # firewall. (integer value)
# Deprecated group/name - [discoverd]/firewall_update_period
#firewall_update_period = 15 #firewall_update_period = 15
# iptables chain name to use. (string value) # iptables chain name to use. (string value)
@ -469,14 +441,6 @@
# Domain name to scope to (string value) # Domain name to scope to (string value)
#domain_name = <None> #domain_name = <None>
# DEPRECATED: Keystone admin endpoint. DEPRECATED: Use
# [keystone_authtoken] section for keystone token validation. (string
# value)
# Deprecated group/name - [discoverd]/identity_uri
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#identity_uri =
# Verify HTTPS connections. (boolean value) # Verify HTTPS connections. (boolean value)
#insecure = false #insecure = false
@ -492,51 +456,15 @@
# (integer value) # (integer value)
#max_retries = 30 #max_retries = 30
# DEPRECATED: Keystone authentication endpoint for accessing Ironic
# API. Use [keystone_authtoken] section for keystone token validation.
# (string value)
# Deprecated group/name - [discoverd]/os_auth_url
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_auth_url =
# Ironic endpoint type. (string value) # Ironic endpoint type. (string value)
#os_endpoint_type = internalURL #os_endpoint_type = internalURL
# DEPRECATED: Password for accessing Ironic API. Use
# [keystone_authtoken] section for keystone token validation. (string
# value)
# Deprecated group/name - [discoverd]/os_password
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_password =
# Keystone region used to get Ironic endpoints. (string value) # Keystone region used to get Ironic endpoints. (string value)
#os_region = <None> #os_region = <None>
# Ironic service type. (string value) # Ironic service type. (string value)
#os_service_type = baremetal #os_service_type = baremetal
# DEPRECATED: Tenant name for accessing Ironic API. Use
# [keystone_authtoken] section for keystone token validation. (string
# value)
# Deprecated group/name - [discoverd]/os_tenant_name
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_tenant_name =
# DEPRECATED: User name for accessing Ironic API. Use
# [keystone_authtoken] section for keystone token validation. (string
# value)
# Deprecated group/name - [discoverd]/os_username
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_username =
# User's password (string value) # User's password (string value)
#password = <None> #password = <None>
@ -746,6 +674,21 @@
# Reason: PKI token format is no longer supported. # Reason: PKI token format is no longer supported.
#hash_algorithms = md5 #hash_algorithms = md5
# A choice of roles that must be present in a service token. Service
# tokens are allowed to request that an expired token can be used and
# so this check should tightly control that only actual services
# should be sending this token. Roles here are applied as an ANY check
# so any role in this list must be present. For backwards
# compatibility reasons this currently only affects the allow_expired
# check. (list value)
#service_token_roles = service
# For backwards compatibility reasons we must let valid service tokens
# pass that don't pass the service_token_roles check as valid. Setting
# this true will become the default in a future release and should be
# enabled if possible. (boolean value)
#service_token_roles_required = false
# Authentication type to load (string value) # Authentication type to load (string value)
# Deprecated group/name - [keystone_authtoken]/auth_plugin # Deprecated group/name - [keystone_authtoken]/auth_plugin
#auth_type = <None> #auth_type = <None>
@ -779,7 +722,6 @@
# falls back to "active" if PXE MAC is not supplied by the ramdisk). # falls back to "active" if PXE MAC is not supplied by the ramdisk).
# (string value) # (string value)
# Allowed values: all, active, pxe # Allowed values: all, active, pxe
# Deprecated group/name - [discoverd]/add_ports
#add_ports = pxe #add_ports = pxe
# Which ports (already present on a node) to keep after introspection. # Which ports (already present on a node) to keep after introspection.
@ -787,19 +729,16 @@
# which MACs were present in introspection data), added (keep only # which MACs were present in introspection data), added (keep only
# MACs that we added during introspection). (string value) # MACs that we added during introspection). (string value)
# Allowed values: all, present, added # Allowed values: all, present, added
# Deprecated group/name - [discoverd]/keep_ports
#keep_ports = all #keep_ports = all
# Whether to overwrite existing values in node database. Disable this # Whether to overwrite existing values in node database. Disable this
# option to make introspection a non-destructive operation. (boolean # option to make introspection a non-destructive operation. (boolean
# value) # value)
# Deprecated group/name - [discoverd]/overwrite_existing
#overwrite_existing = true #overwrite_existing = true
# DEPRECATED: Whether to enable setting IPMI credentials during # DEPRECATED: Whether to enable setting IPMI credentials during
# introspection. This feature will be removed in the Pike release. # introspection. This feature will be removed in the Pike release.
# (boolean value) # (boolean value)
# Deprecated group/name - [discoverd]/enable_setting_ipmi_credentials
# This option is deprecated for removal. # This option is deprecated for removal.
# Its value may be silently ignored in the future. # Its value may be silently ignored in the future.
#enable_setting_ipmi_credentials = false #enable_setting_ipmi_credentials = false
@ -815,18 +754,15 @@
# default for this is $default_processing_hooks, hooks can be added # default for this is $default_processing_hooks, hooks can be added
# before or after the defaults like this: # before or after the defaults like this:
# "prehook,$default_processing_hooks,posthook". (string value) # "prehook,$default_processing_hooks,posthook". (string value)
# Deprecated group/name - [discoverd]/processing_hooks
#processing_hooks = $default_processing_hooks #processing_hooks = $default_processing_hooks
# If set, logs from ramdisk will be stored in this directory. (string # If set, logs from ramdisk will be stored in this directory. (string
# value) # value)
# Deprecated group/name - [discoverd]/ramdisk_logs_dir
#ramdisk_logs_dir = <None> #ramdisk_logs_dir = <None>
# Whether to store ramdisk logs even if it did not return an error # Whether to store ramdisk logs even if it did not return an error
# message (dependent upon "ramdisk_logs_dir" option being set). # message (dependent upon "ramdisk_logs_dir" option being set).
# (boolean value) # (boolean value)
# Deprecated group/name - [discoverd]/always_store_ramdisk_logs
#always_store_ramdisk_logs = false #always_store_ramdisk_logs = false
# The name of the hook to run when inspector receives inspection # The name of the hook to run when inspector receives inspection
@ -917,18 +853,6 @@
# (integer value) # (integer value)
#max_retries = 2 #max_retries = 2
# DEPRECATED: Keystone authentication URL (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_auth_url =
# DEPRECATED: Keystone authentication API version (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use options presented by configured keystone auth plugin.
#os_auth_version = 2
# Swift endpoint type. (string value) # Swift endpoint type. (string value)
#os_endpoint_type = internalURL #os_endpoint_type = internalURL

View File

@ -37,50 +37,6 @@ IRONIC_GROUP = 'ironic'
IRONIC_OPTS = [ IRONIC_OPTS = [
cfg.StrOpt('os_region', cfg.StrOpt('os_region',
help=_('Keystone region used to get Ironic endpoints.')), help=_('Keystone region used to get Ironic endpoints.')),
cfg.StrOpt('os_auth_url',
default='',
help=_('Keystone authentication endpoint for accessing Ironic '
'API. Use [keystone_authtoken] section for keystone '
'token validation.'),
deprecated_group='discoverd',
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('os_username',
default='',
help=_('User name for accessing Ironic API. '
'Use [keystone_authtoken] section for keystone '
'token validation.'),
deprecated_group='discoverd',
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('os_password',
default='',
help=_('Password for accessing Ironic API. '
'Use [keystone_authtoken] section for keystone '
'token validation.'),
secret=True,
deprecated_group='discoverd',
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('os_tenant_name',
default='',
help=_('Tenant name for accessing Ironic API. '
'Use [keystone_authtoken] section for keystone '
'token validation.'),
deprecated_group='discoverd',
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('identity_uri',
default='',
help=_('Keystone admin endpoint. '
'DEPRECATED: Use [keystone_authtoken] section for '
'keystone token validation.'),
deprecated_group='discoverd',
deprecated_for_removal=True),
cfg.StrOpt('auth_strategy', cfg.StrOpt('auth_strategy',
default='keystone', default='keystone',
choices=('keystone', 'noauth'), choices=('keystone', 'noauth'),
@ -112,12 +68,6 @@ CONF.register_opts(IRONIC_OPTS, group=IRONIC_GROUP)
keystone.register_auth_opts(IRONIC_GROUP) keystone.register_auth_opts(IRONIC_GROUP)
IRONIC_SESSION = None IRONIC_SESSION = None
LEGACY_MAP = {
'auth_url': 'os_auth_url',
'username': 'os_username',
'password': 'os_password',
'tenant_name': 'os_tenant_name'
}
class NotFound(utils.Error): class NotFound(utils.Error):
@ -175,8 +125,7 @@ def get_client(token=None,
else: else:
global IRONIC_SESSION global IRONIC_SESSION
if not IRONIC_SESSION: if not IRONIC_SESSION:
IRONIC_SESSION = keystone.get_session( IRONIC_SESSION = keystone.get_session(IRONIC_GROUP)
IRONIC_GROUP, legacy_mapping=LEGACY_MAP)
if token is None: if token is None:
args = {'session': IRONIC_SESSION, args = {'session': IRONIC_SESSION,
'region_name': CONF.ironic.os_region} 'region_name': CONF.ironic.os_region}

View File

@ -13,16 +13,11 @@
import copy import copy
from keystoneauth1 import exceptions
from keystoneauth1 import loading from keystoneauth1 import loading
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log
from six.moves.urllib import parse # for legacy options loading only
from ironic_inspector.common.i18n import _LW
CONF = cfg.CONF CONF = cfg.CONF
LOG = log.getLogger(__name__)
def register_auth_opts(group): def register_auth_opts(group):
@ -31,81 +26,13 @@ def register_auth_opts(group):
CONF.set_default('auth_type', default='password', group=group) CONF.set_default('auth_type', default='password', group=group)
def get_session(group, legacy_mapping=None, legacy_auth_opts=None): def get_session(group):
auth = _get_auth(group, legacy_mapping, legacy_auth_opts) auth = loading.load_auth_from_conf_options(CONF, group)
session = loading.load_session_from_conf_options( session = loading.load_session_from_conf_options(
CONF, group, auth=auth) CONF, group, auth=auth)
return session return session
def _get_auth(group, legacy_mapping=None, legacy_opts=None):
try:
auth = loading.load_auth_from_conf_options(CONF, group)
except exceptions.MissingRequiredOptions:
auth = _get_legacy_auth(group, legacy_mapping, legacy_opts)
else:
if auth is None:
auth = _get_legacy_auth(group, legacy_mapping, legacy_opts)
return auth
def _get_legacy_auth(group, legacy_mapping, legacy_opts):
"""Load auth plugin from legacy options.
If legacy_opts is not empty, these options will be registered first.
legacy_mapping is a dict that maps the following keys to legacy option
names:
auth_url
username
password
tenant_name
"""
LOG.warning(_LW("Group [%s]: Using legacy auth loader is deprecated. "
"Consider specifying appropriate keystone auth plugin as "
"'auth_type' and corresponding plugin options."), group)
if legacy_opts:
for opt in legacy_opts:
try:
CONF.register_opt(opt, group=group)
except cfg.DuplicateOptError:
pass
conf = getattr(CONF, group)
auth_params = {a: getattr(conf, legacy_mapping[a])
for a in legacy_mapping}
legacy_loader = loading.get_plugin_loader('password')
# NOTE(pas-ha) only Swift had this option, take it into account
try:
auth_version = conf.get('os_auth_version')
except cfg.NoSuchOptError:
auth_version = None
# NOTE(pas-ha) mimic defaults of keystoneclient
if _is_apiv3(auth_params['auth_url'], auth_version):
auth_params.update({
'project_domain_id': 'default',
'user_domain_id': 'default'})
return legacy_loader.load_from_options(**auth_params)
# NOTE(pas-ha): for backward compat with legacy options loading only
def _is_apiv3(auth_url, auth_version):
"""Check if V3 version of API is being used or not.
This method inspects auth_url and auth_version, and checks whether V3
version of the API is being used or not.
When no auth_version is specified and auth_url is not a versioned
endpoint, v2.0 is assumed.
:param auth_url: a http or https url to be inspected (like
'http://127.0.0.1:9898/').
:param auth_version: a string containing the version (like 'v2', 'v3.0')
or None
:returns: True if V3 of the API is being used.
"""
return (auth_version in ('v3.0', '3') or
'/v3' in parse.urlparse(auth_url).path)
def add_auth_options(options, group): def add_auth_options(options, group):
def add_options(opts, opts_to_add): def add_options(opts, opts_to_add):

View File

@ -42,18 +42,6 @@ SWIFT_OPTS = [
default='ironic-inspector', default='ironic-inspector',
help=_('Default Swift container to use when creating ' help=_('Default Swift container to use when creating '
'objects.')), 'objects.')),
cfg.StrOpt('os_auth_version',
default='2',
help=_('Keystone authentication API version'),
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('os_auth_url',
default='',
help=_('Keystone authentication URL'),
deprecated_for_removal=True,
deprecated_reason=_('Use options presented by configured '
'keystone auth plugin.')),
cfg.StrOpt('os_service_type', cfg.StrOpt('os_service_type',
default='object-store', default='object-store',
help=_('Swift service type.')), help=_('Swift service type.')),
@ -64,33 +52,11 @@ SWIFT_OPTS = [
help=_('Keystone region to get endpoint for.')), help=_('Keystone region to get endpoint for.')),
] ]
# NOTE(pas-ha) these old options conflict with options exported by
# most used keystone auth plugins. Need to register them manually
# for the backward-compat case.
LEGACY_OPTS = [
cfg.StrOpt('username',
default='',
help=_('User name for accessing Swift API.')),
cfg.StrOpt('password',
default='',
help=_('Password for accessing Swift API.'),
secret=True),
cfg.StrOpt('tenant_name',
default='',
help=_('Tenant name for accessing Swift API.')),
]
CONF.register_opts(SWIFT_OPTS, group=SWIFT_GROUP) CONF.register_opts(SWIFT_OPTS, group=SWIFT_GROUP)
keystone.register_auth_opts(SWIFT_GROUP) keystone.register_auth_opts(SWIFT_GROUP)
OBJECT_NAME_PREFIX = 'inspector_data' OBJECT_NAME_PREFIX = 'inspector_data'
SWIFT_SESSION = None SWIFT_SESSION = None
LEGACY_MAP = {
'auth_url': 'os_auth_url',
'username': 'username',
'password': 'password',
'tenant_name': 'tenant_name',
}
def reset_swift_session(): def reset_swift_session():
@ -112,9 +78,7 @@ class SwiftAPI(object):
""" """
global SWIFT_SESSION global SWIFT_SESSION
if not SWIFT_SESSION: if not SWIFT_SESSION:
SWIFT_SESSION = keystone.get_session( SWIFT_SESSION = keystone.get_session(SWIFT_GROUP)
SWIFT_GROUP, legacy_mapping=LEGACY_MAP,
legacy_auth_opts=LEGACY_OPTS)
# TODO(pas-ha): swiftclient does not support keystone sessions ATM. # TODO(pas-ha): swiftclient does not support keystone sessions ATM.
# Must be reworked when LP bug #1518938 is fixed. # Must be reworked when LP bug #1518938 is fixed.
swift_url = SWIFT_SESSION.get_endpoint( swift_url = SWIFT_SESSION.get_endpoint(

View File

@ -29,18 +29,15 @@ VALID_STORE_DATA_VALUES = ('none', 'swift')
FIREWALL_OPTS = [ FIREWALL_OPTS = [
cfg.BoolOpt('manage_firewall', cfg.BoolOpt('manage_firewall',
default=True, default=True,
help=_('Whether to manage firewall rules for PXE port.'), help=_('Whether to manage firewall rules for PXE port.')),
deprecated_group='discoverd'),
cfg.StrOpt('dnsmasq_interface', cfg.StrOpt('dnsmasq_interface',
default='br-ctlplane', default='br-ctlplane',
help=_('Interface on which dnsmasq listens, the default is for ' help=_('Interface on which dnsmasq listens, the default is for '
'VM\'s.'), 'VM\'s.')),
deprecated_group='discoverd'),
cfg.IntOpt('firewall_update_period', cfg.IntOpt('firewall_update_period',
default=15, default=15,
help=_('Amount of time in seconds, after which repeat periodic ' help=_('Amount of time in seconds, after which repeat periodic '
'update of firewall.'), 'update of firewall.')),
deprecated_group='discoverd'),
cfg.StrOpt('firewall_chain', cfg.StrOpt('firewall_chain',
default='ironic-inspector', default='ironic-inspector',
help=_('iptables chain name to use.')), help=_('iptables chain name to use.')),
@ -56,8 +53,7 @@ PROCESSING_OPTS = [
'IP addresses), pxe (only MAC address of NIC node PXE ' 'IP addresses), pxe (only MAC address of NIC node PXE '
'booted from, falls back to "active" if PXE MAC is not ' 'booted from, falls back to "active" if PXE MAC is not '
'supplied by the ramdisk).'), 'supplied by the ramdisk).'),
choices=VALID_ADD_PORTS_VALUES, choices=VALID_ADD_PORTS_VALUES),
deprecated_group='discoverd'),
cfg.StrOpt('keep_ports', cfg.StrOpt('keep_ports',
default='all', default='all',
help=_('Which ports (already present on a node) to keep after ' help=_('Which ports (already present on a node) to keep after '
@ -65,20 +61,17 @@ PROCESSING_OPTS = [
'anything), present (keep ports which MACs were present ' 'anything), present (keep ports which MACs were present '
'in introspection data), added (keep only MACs that we ' 'in introspection data), added (keep only MACs that we '
'added during introspection).'), 'added during introspection).'),
choices=VALID_KEEP_PORTS_VALUES, choices=VALID_KEEP_PORTS_VALUES),
deprecated_group='discoverd'),
cfg.BoolOpt('overwrite_existing', cfg.BoolOpt('overwrite_existing',
default=True, default=True,
help=_('Whether to overwrite existing values in node ' help=_('Whether to overwrite existing values in node '
'database. Disable this option to make ' 'database. Disable this option to make '
'introspection a non-destructive operation.'), 'introspection a non-destructive operation.')),
deprecated_group='discoverd'),
cfg.BoolOpt('enable_setting_ipmi_credentials', cfg.BoolOpt('enable_setting_ipmi_credentials',
default=False, default=False,
help=_('Whether to enable setting IPMI credentials during ' help=_('Whether to enable setting IPMI credentials during '
'introspection. This feature will be removed in the ' 'introspection. This feature will be removed in the '
'Pike release.'), 'Pike release.'),
deprecated_group='discoverd',
deprecated_for_removal=True), deprecated_for_removal=True),
cfg.StrOpt('default_processing_hooks', cfg.StrOpt('default_processing_hooks',
default='ramdisk_error,root_disk_selection,scheduler,' default='ramdisk_error,root_disk_selection,scheduler,'
@ -96,18 +89,15 @@ PROCESSING_OPTS = [
'pipeline. The default for this is ' 'pipeline. The default for this is '
'$default_processing_hooks, hooks can be added before ' '$default_processing_hooks, hooks can be added before '
'or after the defaults like this: ' 'or after the defaults like this: '
'"prehook,$default_processing_hooks,posthook".'), '"prehook,$default_processing_hooks,posthook".')),
deprecated_group='discoverd'),
cfg.StrOpt('ramdisk_logs_dir', cfg.StrOpt('ramdisk_logs_dir',
help=_('If set, logs from ramdisk will be stored in this ' help=_('If set, logs from ramdisk will be stored in this '
'directory.'), 'directory.')),
deprecated_group='discoverd'),
cfg.BoolOpt('always_store_ramdisk_logs', cfg.BoolOpt('always_store_ramdisk_logs',
default=False, default=False,
help=_('Whether to store ramdisk logs even if it did not ' help=_('Whether to store ramdisk logs even if it did not '
'return an error message (dependent upon ' 'return an error message (dependent upon '
'"ramdisk_logs_dir" option being set).'), '"ramdisk_logs_dir" option being set).')),
deprecated_group='discoverd'),
cfg.StrOpt('node_not_found_hook', cfg.StrOpt('node_not_found_hook',
help=_('The name of the hook to run when inspector receives ' help=_('The name of the hook to run when inspector receives '
'inspection information from a node it isn\'t already ' 'inspection information from a node it isn\'t already '
@ -144,51 +134,32 @@ PROCESSING_OPTS = [
help=_('Whether to power off a node after introspection.')), help=_('Whether to power off a node after introspection.')),
] ]
DISCOVERD_OPTS = [
cfg.StrOpt('database',
default='',
help=_('SQLite3 database to store nodes under introspection, '
'required. Do not use :memory: here, it won\'t work. '
'DEPRECATED: use [database]/connection.'),
deprecated_for_removal=True),
]
SERVICE_OPTS = [ SERVICE_OPTS = [
cfg.StrOpt('listen_address', cfg.StrOpt('listen_address',
default='0.0.0.0', default='0.0.0.0',
help=_('IP to listen on.'), help=_('IP to listen on.')),
deprecated_group='discoverd'),
cfg.PortOpt('listen_port', cfg.PortOpt('listen_port',
default=5050, default=5050,
help=_('Port to listen on.'), help=_('Port to listen on.')),
deprecated_group='discoverd'),
cfg.StrOpt('auth_strategy', cfg.StrOpt('auth_strategy',
default='keystone', default='keystone',
choices=('keystone', 'noauth'), choices=('keystone', 'noauth'),
help=_('Authentication method used on the ironic-inspector ' help=_('Authentication method used on the ironic-inspector '
'API. Either "noauth" or "keystone" are currently valid ' 'API. Either "noauth" or "keystone" are currently valid '
'options. "noauth" will disable all authentication.')), 'options. "noauth" will disable all authentication.')),
cfg.BoolOpt('authenticate',
help=_('DEPRECATED: use auth_strategy.'),
deprecated_group='discoverd',
deprecated_for_removal=True),
cfg.IntOpt('timeout', cfg.IntOpt('timeout',
default=3600, default=3600,
help=_('Timeout after which introspection is considered ' help=_('Timeout after which introspection is considered '
'failed, set to 0 to disable.'), 'failed, set to 0 to disable.')),
deprecated_group='discoverd'),
cfg.IntOpt('node_status_keep_time', cfg.IntOpt('node_status_keep_time',
default=604800, default=604800,
help=_('For how much time (in seconds) to keep status ' help=_('For how much time (in seconds) to keep status '
'information about nodes after introspection was ' 'information about nodes after introspection was '
'finished for them. Default value is 1 week.'), 'finished for them. Default value is 1 week.')),
deprecated_group='discoverd'),
cfg.IntOpt('clean_up_period', cfg.IntOpt('clean_up_period',
default=60, default=60,
help=_('Amount of time in seconds, after which repeat clean up ' help=_('Amount of time in seconds, after which repeat clean up '
'of timed out nodes and old nodes status information.'), 'of timed out nodes and old nodes status information.')),
deprecated_group='discoverd'),
cfg.BoolOpt('use_ssl', cfg.BoolOpt('use_ssl',
default=False, default=False,
help=_('SSL Enabled/Disabled')), help=_('SSL Enabled/Disabled')),
@ -227,7 +198,6 @@ SERVICE_OPTS = [
cfg.CONF.register_opts(SERVICE_OPTS) cfg.CONF.register_opts(SERVICE_OPTS)
cfg.CONF.register_opts(FIREWALL_OPTS, group='firewall') cfg.CONF.register_opts(FIREWALL_OPTS, group='firewall')
cfg.CONF.register_opts(PROCESSING_OPTS, group='processing') cfg.CONF.register_opts(PROCESSING_OPTS, group='processing')
cfg.CONF.register_opts(DISCOVERD_OPTS, group='discoverd')
def list_opts(): def list_opts():
@ -235,7 +205,6 @@ def list_opts():
('', SERVICE_OPTS), ('', SERVICE_OPTS),
('firewall', FIREWALL_OPTS), ('firewall', FIREWALL_OPTS),
('processing', PROCESSING_OPTS), ('processing', PROCESSING_OPTS),
('discoverd', DISCOVERD_OPTS),
] ]

View File

@ -43,10 +43,6 @@ _FACADE = None
db_opts.set_defaults(cfg.CONF, _DEFAULT_SQL_CONNECTION, db_opts.set_defaults(cfg.CONF, _DEFAULT_SQL_CONNECTION,
'ironic_inspector.sqlite') 'ironic_inspector.sqlite')
if CONF.discoverd.database:
db_opts.set_defaults(CONF,
connection='sqlite:///%s' %
str(CONF.discoverd.database).strip())
class Node(Base): class Node(Base):

View File

@ -429,7 +429,7 @@ class Service(object):
CONF.log_opt_values(LOG, log.DEBUG) CONF.log_opt_values(LOG, log.DEBUG)
def init(self): def init(self):
if utils.get_auth_strategy() != 'noauth': if CONF.auth_strategy != 'noauth':
utils.add_auth_middleware(app) utils.add_auth_middleware(app)
else: else:
LOG.warning(_LW('Starting unauthenticated, please check' LOG.warning(_LW('Starting unauthenticated, please check'

View File

@ -13,7 +13,6 @@
import mock import mock
from keystoneauth1 import exceptions as kaexc
from keystoneauth1 import loading as kaloading from keystoneauth1 import loading as kaloading
from oslo_config import cfg from oslo_config import cfg
@ -38,7 +37,7 @@ class KeystoneTest(base.BaseTest):
self.assertIn(o, self.cfg.conf[TESTGROUP]) self.assertIn(o, self.cfg.conf[TESTGROUP])
self.assertEqual('password', self.cfg.conf[TESTGROUP]['auth_type']) self.assertEqual('password', self.cfg.conf[TESTGROUP]['auth_type'])
@mock.patch.object(keystone, '_get_auth') @mock.patch.object(kaloading, 'load_auth_from_conf_options', autospec=True)
def test_get_session(self, auth_mock): def test_get_session(self, auth_mock):
keystone.register_auth_opts(TESTGROUP) keystone.register_auth_opts(TESTGROUP)
self.cfg.config(group=TESTGROUP, self.cfg.config(group=TESTGROUP,
@ -49,57 +48,6 @@ class KeystoneTest(base.BaseTest):
self.assertEqual('/path/to/ca/file', sess.verify) self.assertEqual('/path/to/ca/file', sess.verify)
self.assertEqual(auth1, sess.auth) self.assertEqual(auth1, sess.auth)
@mock.patch('keystoneauth1.loading.load_auth_from_conf_options')
@mock.patch.object(keystone, '_get_legacy_auth')
def test__get_auth(self, legacy_mock, load_mock):
auth1 = mock.Mock()
load_mock.side_effect = [
auth1,
None,
kaexc.MissingRequiredOptions([kaloading.Opt('spam')])]
auth2 = mock.Mock()
legacy_mock.return_value = auth2
self.assertEqual(auth1, keystone._get_auth(TESTGROUP))
self.assertEqual(auth2, keystone._get_auth(TESTGROUP))
self.assertEqual(auth2, keystone._get_auth(TESTGROUP))
@mock.patch('keystoneauth1.loading._plugins.identity.generic.Password.'
'load_from_options')
def test__get_legacy_auth(self, load_mock):
self.cfg.register_opts(
[cfg.StrOpt('identity_url'),
cfg.StrOpt('old_user'),
cfg.StrOpt('old_password')],
group=TESTGROUP)
self.cfg.config(group=TESTGROUP,
identity_url='http://fake:5000/v3',
old_password='ham',
old_user='spam')
options = [cfg.StrOpt('old_tenant_name', default='fake'),
cfg.StrOpt('old_user')]
mapping = {'username': 'old_user',
'password': 'old_password',
'auth_url': 'identity_url',
'tenant_name': 'old_tenant_name'}
keystone._get_legacy_auth(TESTGROUP, mapping, options)
load_mock.assert_called_once_with(username='spam',
password='ham',
tenant_name='fake',
user_domain_id='default',
project_domain_id='default',
auth_url='http://fake:5000/v3')
def test__is_api_v3(self):
cases = ((False, 'http://fake:5000', None),
(False, 'http://fake:5000/v2.0', None),
(True, 'http://fake:5000/v3', None),
(True, 'http://fake:5000', '3'),
(True, 'http://fake:5000', 'v3.0'))
for case in cases:
result, url, version = case
self.assertEqual(result, keystone._is_apiv3(url, version))
def test_add_auth_options(self): def test_add_auth_options(self):
group, opts = keystone.add_auth_options([], TESTGROUP)[0] group, opts = keystone.add_auth_options([], TESTGROUP)[0]
self.assertEqual(TESTGROUP, group) self.assertEqual(TESTGROUP, group)

View File

@ -57,35 +57,6 @@ class TestCheckAuth(base.BaseTest):
self.assertEqual('http://127.0.0.1:5000', args1['auth_uri']) self.assertEqual('http://127.0.0.1:5000', args1['auth_uri'])
self.assertEqual('http://127.0.0.1:35357', args1['identity_uri']) self.assertEqual('http://127.0.0.1:35357', args1['identity_uri'])
@mock.patch.object(auth_token, 'AuthProtocol')
def test_add_auth_middleware_with_deprecated_items(self, mock_auth):
CONF.set_override('os_password', 'os_password', 'ironic')
CONF.set_override('admin_password', 'admin_password',
'keystone_authtoken')
CONF.set_override('os_username', 'os_username', 'ironic')
CONF.set_override('admin_user', 'admin_user', 'keystone_authtoken')
CONF.set_override('os_auth_url', 'os_auth_url', 'ironic')
CONF.set_override('auth_uri', 'auth_uri', 'keystone_authtoken')
CONF.set_override('os_tenant_name', 'os_tenant_name', 'ironic')
CONF.set_override('admin_tenant_name', 'admin_tenant_name',
'keystone_authtoken')
CONF.set_override('identity_uri', 'identity_uri_ironic', 'ironic')
CONF.set_override('identity_uri', 'identity_uri', 'keystone_authtoken')
app = mock.Mock(wsgi_app=mock.sentinel.app)
utils.add_auth_middleware(app)
call_args = mock_auth.call_args_list[0]
args = call_args[0]
self.assertEqual(mock.sentinel.app, args[0])
args1 = args[1]
self.assertEqual('os_password', args1['admin_password'])
self.assertEqual('os_username', args1['admin_user'])
self.assertEqual('os_auth_url', args1['auth_uri'])
self.assertEqual('os_tenant_name', args1['admin_tenant_name'])
self.assertTrue(args1['delay_auth_decision'])
self.assertEqual('identity_uri_ironic', args1['identity_uri'])
def test_ok(self): def test_ok(self):
request = mock.Mock(headers={'X-Identity-Status': 'Confirmed', request = mock.Mock(headers={'X-Identity-Status': 'Confirmed',
'X-Roles': 'admin,member'}) 'X-Roles': 'admin,member'})

View File

@ -150,29 +150,6 @@ def add_auth_middleware(app):
:param app: application. :param app: application.
""" """
auth_conf = dict(CONF.keystone_authtoken) auth_conf = dict(CONF.keystone_authtoken)
# These items should only be used for accessing Ironic API.
# For keystonemiddleware's authentication,
# keystone_authtoken's items will be used and
# these items will be unsupported.
# [ironic]/os_password
# [ironic]/os_username
# [ironic]/os_auth_url
# [ironic]/os_tenant_name
auth_conf.update({'admin_password':
CONF.ironic.os_password or
CONF.keystone_authtoken.admin_password,
'admin_user':
CONF.ironic.os_username or
CONF.keystone_authtoken.admin_user,
'auth_uri':
CONF.ironic.os_auth_url or
CONF.keystone_authtoken.auth_uri,
'admin_tenant_name':
CONF.ironic.os_tenant_name or
CONF.keystone_authtoken.admin_tenant_name,
'identity_uri':
CONF.ironic.identity_uri or
CONF.keystone_authtoken.identity_uri})
auth_conf['delay_auth_decision'] = True auth_conf['delay_auth_decision'] = True
app.wsgi_app = auth_token.AuthProtocol(app.wsgi_app, auth_conf) app.wsgi_app = auth_token.AuthProtocol(app.wsgi_app, auth_conf)
@ -194,7 +171,7 @@ def check_auth(request):
:param request: Flask request :param request: Flask request
:raises: utils.Error if access is denied :raises: utils.Error if access is denied
""" """
if get_auth_strategy() == 'noauth': if CONF.auth_strategy == 'noauth':
return return
if request.headers.get('X-Identity-Status').lower() == 'invalid': if request.headers.get('X-Identity-Status').lower() == 'invalid':
raise Error(_('Authentication required'), code=401) raise Error(_('Authentication required'), code=401)
@ -204,12 +181,6 @@ def check_auth(request):
raise Error(_('Access denied'), code=403) raise Error(_('Access denied'), code=403)
def get_auth_strategy():
if CONF.authenticate is not None:
return 'keystone' if CONF.authenticate else 'noauth'
return CONF.auth_strategy
def get_valid_macs(data): def get_valid_macs(data):
"""Get a list of valid MAC's from the introspection data.""" """Get a list of valid MAC's from the introspection data."""
return [m['mac'] return [m['mac']

View File

@ -0,0 +1,8 @@
---
upgrade:
- |
Removed previously deprecated authentication options from "ironic",
"swift", and "keystone_authtoken" sections.
- |
Removed long deprecated support for "discoverd" section in configuration
file.