diff --git a/example.conf b/example.conf index f764a8fa7..8546811f4 100644 --- a/example.conf +++ b/example.conf @@ -5,13 +5,11 @@ # # IP to listen on. (string value) -# Deprecated group/name - [discoverd]/listen_address #listen_address = 0.0.0.0 # Port to listen on. (port value) # Minimum value: 0 # Maximum value: 65535 -# Deprecated group/name - [discoverd]/listen_port #listen_port = 5050 # Authentication method used on the ironic-inspector API. Either @@ -20,26 +18,17 @@ # Allowed values: keystone, noauth #auth_strategy = keystone -# DEPRECATED: use auth_strategy. (boolean value) -# Deprecated group/name - [discoverd]/authenticate -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#authenticate = - # Timeout after which introspection is considered failed, set to 0 to # disable. (integer value) -# Deprecated group/name - [discoverd]/timeout #timeout = 3600 # For how much time (in seconds) to keep status information about # nodes after introspection was finished for them. Default value is 1 # week. (integer value) -# Deprecated group/name - [discoverd]/node_status_keep_time #node_status_keep_time = 604800 # Amount of time in seconds, after which repeat clean up of timed out # nodes and old nodes status information. (integer value) -# Deprecated group/name - [discoverd]/clean_up_period #clean_up_period = 60 # SSL Enabled/Disabled (boolean value) @@ -378,20 +367,6 @@ #db_max_retries = 20 -[discoverd] - -# -# From ironic_inspector -# - -# DEPRECATED: SQLite3 database to store nodes under introspection, -# required. Do not use :memory: here, it won't work. DEPRECATED: use -# [database]/connection. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#database = - - [discovery] # 
@@ -410,17 +385,14 @@ # # Whether to manage firewall rules for PXE port. (boolean value) -# Deprecated group/name - [discoverd]/manage_firewall #manage_firewall = true # Interface on which dnsmasq listens, the default is for VM's. (string # value) -# Deprecated group/name - [discoverd]/dnsmasq_interface #dnsmasq_interface = br-ctlplane # Amount of time in seconds, after which repeat periodic update of # firewall. (integer value) -# Deprecated group/name - [discoverd]/firewall_update_period #firewall_update_period = 15 # iptables chain name to use. (string value) @@ -467,14 +439,6 @@ # Domain name to scope to (string value) #domain_name = -# DEPRECATED: Keystone admin endpoint. DEPRECATED: Use -# [keystone_authtoken] section for keystone token validation. (string -# value) -# Deprecated group/name - [discoverd]/identity_uri -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#identity_uri = - # Verify HTTPS connections. (boolean value) #insecure = false 
@@ -490,51 +454,15 @@ # (integer value) #max_retries = 30 -# DEPRECATED: Keystone authentication endpoint for accessing Ironic -# API. Use [keystone_authtoken] section for keystone token validation. -# (string value) -# Deprecated group/name - [discoverd]/os_auth_url -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use options presented by configured keystone auth plugin. -#os_auth_url = - # Ironic endpoint type. (string value) #os_endpoint_type = internalURL -# DEPRECATED: Password for accessing Ironic API. Use -# [keystone_authtoken] section for keystone token validation. (string -# value) -# Deprecated group/name - [discoverd]/os_password -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use options presented by configured keystone auth plugin. -#os_password = - # Keystone region used to get Ironic endpoints. (string value) #os_region = # Ironic service type. (string value) #os_service_type = baremetal -# DEPRECATED: Tenant name for accessing Ironic API. Use -# [keystone_authtoken] section for keystone token validation. (string -# value) -# Deprecated group/name - [discoverd]/os_tenant_name -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use options presented by configured keystone auth plugin. -#os_tenant_name = - -# DEPRECATED: User name for accessing Ironic API. Use -# [keystone_authtoken] section for keystone token validation. (string -# value) -# Deprecated group/name - [discoverd]/os_username -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use options presented by configured keystone auth plugin. -#os_username = - # User's password (string value) #password = 
@@ -744,6 +672,21 @@ # Reason: PKI token format is no longer supported. #hash_algorithms = md5 +# A choice of roles that must be present in a service token. Service +# tokens are allowed to request that an expired token can be used and +# so this check should tightly control that only actual services +# should be sending this token. Roles here are applied as an ANY check +# so any role in this list must be present. For backwards +# compatibility reasons this currently only affects the allow_expired +# check. (list value) +#service_token_roles = service + +# For backwards compatibility reasons we must let valid service tokens +# pass that don't pass the service_token_roles check as valid. Setting +# this true will become the default in a future release and should be +# enabled if possible. (boolean value) +#service_token_roles_required = false + # Authentication type to load (string value) # Deprecated group/name - [keystone_authtoken]/auth_plugin #auth_type = @@ -777,7 +720,6 @@ # falls back to "active" if PXE MAC is not supplied by the ramdisk). # (string value) # Allowed values: all, active, pxe -# Deprecated group/name - [discoverd]/add_ports #add_ports = pxe # Which ports (already present on a node) to keep after introspection. 
@@ -785,19 +727,16 @@ # which MACs were present in introspection data), added (keep only # MACs that we added during introspection). (string value) # Allowed values: all, present, added -# Deprecated group/name - [discoverd]/keep_ports #keep_ports = all # Whether to overwrite existing values in node database. Disable this # option to make introspection a non-destructive operation. (boolean # value) -# Deprecated group/name - [discoverd]/overwrite_existing #overwrite_existing = true # DEPRECATED: Whether to enable setting IPMI credentials during # introspection. This feature will be removed in the Pike release. # (boolean value) -# Deprecated group/name - [discoverd]/enable_setting_ipmi_credentials # This option is deprecated for removal. # Its value may be silently ignored in the future. #enable_setting_ipmi_credentials = false @@ -813,18 +752,15 @@ # default for this is $default_processing_hooks, hooks can be added # before or after the defaults like this: # "prehook,$default_processing_hooks,posthook". (string value) -# Deprecated group/name - [discoverd]/processing_hooks #processing_hooks = $default_processing_hooks # If set, logs from ramdisk will be stored in this directory. (string # value) -# Deprecated group/name - [discoverd]/ramdisk_logs_dir #ramdisk_logs_dir = # Whether to store ramdisk logs even if it did not return an error # message (dependent upon "ramdisk_logs_dir" option being set). # (boolean value) -# Deprecated group/name - [discoverd]/always_store_ramdisk_logs #always_store_ramdisk_logs = false # The name of the hook to run when inspector receives inspection 
@@ -913,18 +849,6 @@ # (integer value) #max_retries = 2 -# DEPRECATED: Keystone authentication URL (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use options presented by configured keystone auth plugin. -#os_auth_url = - -# DEPRECATED: Keystone authentication API version (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use options presented by configured keystone auth plugin. -#os_auth_version = 2 - # Swift endpoint type. (string value) #os_endpoint_type = internalURL diff --git a/ironic_inspector/common/ironic.py b/ironic_inspector/common/ironic.py index 6693b460d..57deee7ee 100644 --- a/ironic_inspector/common/ironic.py +++ b/ironic_inspector/common/ironic.py 
@@ -37,50 +37,6 @@ IRONIC_GROUP = 'ironic' IRONIC_OPTS = [ cfg.StrOpt('os_region', help=_('Keystone region used to get Ironic endpoints.')), - cfg.StrOpt('os_auth_url', - default='', - help=_('Keystone authentication endpoint for accessing Ironic ' - 'API. Use [keystone_authtoken] section for keystone ' - 'token validation.'), - deprecated_group='discoverd', - deprecated_for_removal=True, - deprecated_reason=_('Use options presented by configured ' - 'keystone auth plugin.')), - cfg.StrOpt('os_username', - default='', - help=_('User name for accessing Ironic API. ' - 'Use [keystone_authtoken] section for keystone ' - 'token validation.'), - deprecated_group='discoverd', - deprecated_for_removal=True, - deprecated_reason=_('Use options presented by configured ' - 'keystone auth plugin.')), - cfg.StrOpt('os_password', - default='', - help=_('Password for accessing Ironic API. ' - 'Use [keystone_authtoken] section for keystone ' - 'token validation.'), - secret=True, - deprecated_group='discoverd', - deprecated_for_removal=True, - deprecated_reason=_('Use options presented by configured ' - 'keystone auth plugin.')), - cfg.StrOpt('os_tenant_name', - default='', - help=_('Tenant name for accessing Ironic API. ' - 'Use [keystone_authtoken] section for keystone ' - 'token validation.'), - deprecated_group='discoverd', - deprecated_for_removal=True, - deprecated_reason=_('Use options presented by configured ' - 'keystone auth plugin.')), - cfg.StrOpt('identity_uri', - default='', - help=_('Keystone admin endpoint. ' - 'DEPRECATED: Use [keystone_authtoken] section for ' - 'keystone token validation.'), - deprecated_group='discoverd', - deprecated_for_removal=True), cfg.StrOpt('auth_strategy', default='keystone', choices=('keystone', 'noauth'), 
@@ -112,12 +68,6 @@ CONF.register_opts(IRONIC_OPTS, group=IRONIC_GROUP) keystone.register_auth_opts(IRONIC_GROUP) IRONIC_SESSION = None -LEGACY_MAP = { - 'auth_url': 'os_auth_url', - 'username': 'os_username', - 'password': 'os_password', - 'tenant_name': 'os_tenant_name' -} class NotFound(utils.Error): @@ -175,8 +125,7 @@ def get_client(token=None, else: global IRONIC_SESSION if not IRONIC_SESSION: - IRONIC_SESSION = keystone.get_session( - IRONIC_GROUP, legacy_mapping=LEGACY_MAP) + IRONIC_SESSION = keystone.get_session(IRONIC_GROUP) if token is None: args = {'session': IRONIC_SESSION, 'region_name': CONF.ironic.os_region} diff --git a/ironic_inspector/common/keystone.py b/ironic_inspector/common/keystone.py index 4965cec63..28bf6290f 100644 --- a/ironic_inspector/common/keystone.py +++ b/ironic_inspector/common/keystone.py @@ -13,16 +13,11 @@ import copy -from keystoneauth1 import exceptions from keystoneauth1 import loading from oslo_config import cfg -from oslo_log import log -from six.moves.urllib import parse # for legacy options loading only -from ironic_inspector.common.i18n import _LW CONF = cfg.CONF -LOG = log.getLogger(__name__) def register_auth_opts(group): 
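Review bot: A credential section that yields no auth plugin is no longer caught before `get_client` caches `IRONIC_SESSION`, because `keystone.get_session(IRONIC_GROUP)` (rewritten in the keystone.py hunk of this commit) passes the result of `loading.load_auth_from_conf_options(CONF, group)` straight to the session loader. The removed `_get_auth` handled both a `None` return and `MissingRequiredOptions`, so a deployment that still carries only the old `os_*` credentials will presumably now fail on the first Ironic call rather than at startup. I would fail fast in `get_session` with an `if auth is None:` check that raises an error naming the config group, and add a unit test for that path. The same applies to `SWIFT_SESSION` in `SwiftAPI` in swift.py. The body of `get_client` starts and ends outside the hunk.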
@@ -31,81 +26,13 @@ def register_auth_opts(group): CONF.set_default('auth_type', default='password', group=group) -def get_session(group, legacy_mapping=None, legacy_auth_opts=None): - auth = _get_auth(group, legacy_mapping, legacy_auth_opts) +def get_session(group): + auth = loading.load_auth_from_conf_options(CONF, group) session = loading.load_session_from_conf_options( CONF, group, auth=auth) return session -def _get_auth(group, legacy_mapping=None, legacy_opts=None): - try: - auth = loading.load_auth_from_conf_options(CONF, group) - except exceptions.MissingRequiredOptions: - auth = _get_legacy_auth(group, legacy_mapping, legacy_opts) - else: - if auth is None: - auth = _get_legacy_auth(group, legacy_mapping, legacy_opts) - return auth - - -def _get_legacy_auth(group, legacy_mapping, legacy_opts): - """Load auth plugin from legacy options. - - If legacy_opts is not empty, these options will be registered first. - - legacy_mapping is a dict that maps the following keys to legacy option - names: - auth_url - username - password - tenant_name - """ - LOG.warning(_LW("Group [%s]: Using legacy auth loader is deprecated. 
" - "Consider specifying appropriate keystone auth plugin as " - "'auth_type' and corresponding plugin options."), group) - if legacy_opts: - for opt in legacy_opts: - try: - CONF.register_opt(opt, group=group) - except cfg.DuplicateOptError: - pass - - conf = getattr(CONF, group) - auth_params = {a: getattr(conf, legacy_mapping[a]) - for a in legacy_mapping} - legacy_loader = loading.get_plugin_loader('password') - # NOTE(pas-ha) only Swift had this option, take it into account - try: - auth_version = conf.get('os_auth_version') - except cfg.NoSuchOptError: - auth_version = None - # NOTE(pas-ha) mimic defaults of keystoneclient - if _is_apiv3(auth_params['auth_url'], auth_version): - auth_params.update({ - 'project_domain_id': 'default', - 'user_domain_id': 'default'}) - return legacy_loader.load_from_options(**auth_params) - - -# NOTE(pas-ha): for backward compat with legacy options loading only -def _is_apiv3(auth_url, auth_version): - """Check if V3 version of API is being used or not. - - This method inspects auth_url and auth_version, and checks whether V3 - version of the API is being used or not. - When no auth_version is specified and auth_url is not a versioned - endpoint, v2.0 is assumed. - :param auth_url: a http or https url to be inspected (like - 'http://127.0.0.1:9898/'). - :param auth_version: a string containing the version (like 'v2', 'v3.0') - or None - :returns: True if V3 of the API is being used. - """ - return (auth_version in ('v3.0', '3') or - '/v3' in parse.urlparse(auth_url).path) - - def add_auth_options(options, group): def add_options(opts, opts_to_add): diff --git a/ironic_inspector/common/swift.py b/ironic_inspector/common/swift.py index b5691f621..4ed753ef5 100644 --- a/ironic_inspector/common/swift.py +++ b/ironic_inspector/common/swift.py 
@@ -42,18 +42,6 @@ SWIFT_OPTS = [ default='ironic-inspector', help=_('Default Swift container to use when creating ' 'objects.')), - cfg.StrOpt('os_auth_version', - default='2', - help=_('Keystone authentication API version'), - deprecated_for_removal=True, - deprecated_reason=_('Use options presented by configured ' - 'keystone auth plugin.')), - cfg.StrOpt('os_auth_url', - default='', - help=_('Keystone authentication URL'), - deprecated_for_removal=True, - deprecated_reason=_('Use options presented by configured ' - 'keystone auth plugin.')), cfg.StrOpt('os_service_type', default='object-store', help=_('Swift service type.')), @@ -64,33 +52,11 @@ SWIFT_OPTS = [ help=_('Keystone region to get endpoint for.')), ] -# NOTE(pas-ha) these old options conflict with options exported by -# most used keystone auth plugins. Need to register them manually -# for the backward-compat case. -LEGACY_OPTS = [ - cfg.StrOpt('username', - default='', - help=_('User name for accessing Swift API.')), - cfg.StrOpt('password', - default='', - help=_('Password for accessing Swift API.'), - secret=True), - cfg.StrOpt('tenant_name', - default='', - help=_('Tenant name for accessing Swift API.')), -] - CONF.register_opts(SWIFT_OPTS, group=SWIFT_GROUP) keystone.register_auth_opts(SWIFT_GROUP) OBJECT_NAME_PREFIX = 'inspector_data' SWIFT_SESSION = None -LEGACY_MAP = { - 'auth_url': 'os_auth_url', - 'username': 'username', - 'password': 'password', - 'tenant_name': 'tenant_name', -} def reset_swift_session(): @@ -112,9 +78,7 @@ class SwiftAPI(object): """ global SWIFT_SESSION if not SWIFT_SESSION: - SWIFT_SESSION = keystone.get_session( - SWIFT_GROUP, legacy_mapping=LEGACY_MAP, - legacy_auth_opts=LEGACY_OPTS) + SWIFT_SESSION = keystone.get_session(SWIFT_GROUP) # TODO(pas-ha): swiftclient does not support keystone sessions ATM. # Must be reworked when LP bug #1518938 is fixed. swift_url = SWIFT_SESSION.get_endpoint( 
diff --git a/ironic_inspector/conf.py b/ironic_inspector/conf.py index d15b1b624..07e61a75b 100644 --- a/ironic_inspector/conf.py +++ b/ironic_inspector/conf.py @@ -29,18 +29,15 @@ VALID_STORE_DATA_VALUES = ('none', 'swift') FIREWALL_OPTS = [ cfg.BoolOpt('manage_firewall', default=True, - help=_('Whether to manage firewall rules for PXE port.'), - deprecated_group='discoverd'), + help=_('Whether to manage firewall rules for PXE port.')), cfg.StrOpt('dnsmasq_interface', default='br-ctlplane', help=_('Interface on which dnsmasq listens, the default is for ' - 'VM\'s.'), - deprecated_group='discoverd'), + 'VM\'s.')), cfg.IntOpt('firewall_update_period', default=15, help=_('Amount of time in seconds, after which repeat periodic ' - 'update of firewall.'), - deprecated_group='discoverd'), + 'update of firewall.')), cfg.StrOpt('firewall_chain', default='ironic-inspector', help=_('iptables chain name to use.')), @@ -56,8 +53,7 @@ PROCESSING_OPTS = [ 'IP addresses), pxe (only MAC address of NIC node PXE ' 'booted from, falls back to "active" if PXE MAC is not ' 'supplied by the ramdisk).'), - choices=VALID_ADD_PORTS_VALUES, - deprecated_group='discoverd'), + choices=VALID_ADD_PORTS_VALUES), cfg.StrOpt('keep_ports', default='all', help=_('Which ports (already present on a node) to keep after ' 
@@ -65,20 +61,17 @@ PROCESSING_OPTS = [ 'anything), present (keep ports which MACs were present ' 'in introspection data), added (keep only MACs that we ' 'added during introspection).'), - choices=VALID_KEEP_PORTS_VALUES, - deprecated_group='discoverd'), + choices=VALID_KEEP_PORTS_VALUES), cfg.BoolOpt('overwrite_existing', default=True, help=_('Whether to overwrite existing values in node ' 'database. Disable this option to make ' - 'introspection a non-destructive operation.'), - deprecated_group='discoverd'), + 'introspection a non-destructive operation.')), cfg.BoolOpt('enable_setting_ipmi_credentials', default=False, help=_('Whether to enable setting IPMI credentials during ' 'introspection. This feature will be removed in the ' 'Pike release.'), - deprecated_group='discoverd', deprecated_for_removal=True), cfg.StrOpt('default_processing_hooks', default='ramdisk_error,root_disk_selection,scheduler,' @@ -96,18 +89,15 @@ PROCESSING_OPTS = [ 'pipeline. The default for this is ' '$default_processing_hooks, hooks can be added before ' 'or after the defaults like this: ' - '"prehook,$default_processing_hooks,posthook".'), - deprecated_group='discoverd'), + '"prehook,$default_processing_hooks,posthook".')), cfg.StrOpt('ramdisk_logs_dir', help=_('If set, logs from ramdisk will be stored in this ' - 'directory.'), - deprecated_group='discoverd'), + 'directory.')), cfg.BoolOpt('always_store_ramdisk_logs', default=False, help=_('Whether to store ramdisk logs even if it did not ' 'return an error message (dependent upon ' - '"ramdisk_logs_dir" option being set).'), - deprecated_group='discoverd'), + '"ramdisk_logs_dir" option being set).')), cfg.StrOpt('node_not_found_hook', help=_('The name of the hook to run when inspector receives ' 'inspection information from a node it isn\'t already ' 
@@ -143,51 +133,32 @@ PROCESSING_OPTS = [ help=_('Whether to power off a node after introspection.')), ] - -DISCOVERD_OPTS = [ - cfg.StrOpt('database', - default='', - help=_('SQLite3 database to store nodes under introspection, ' - 'required. Do not use :memory: here, it won\'t work. ' - 'DEPRECATED: use [database]/connection.'), - deprecated_for_removal=True), -] - SERVICE_OPTS = [ cfg.StrOpt('listen_address', default='0.0.0.0', - help=_('IP to listen on.'), - deprecated_group='discoverd'), + help=_('IP to listen on.')), cfg.PortOpt('listen_port', default=5050, - help=_('Port to listen on.'), - deprecated_group='discoverd'), + help=_('Port to listen on.')), cfg.StrOpt('auth_strategy', default='keystone', choices=('keystone', 'noauth'), help=_('Authentication method used on the ironic-inspector ' 'API. Either "noauth" or "keystone" are currently valid ' 'options. "noauth" will disable all authentication.')), - cfg.BoolOpt('authenticate', - help=_('DEPRECATED: use auth_strategy.'), - deprecated_group='discoverd', - deprecated_for_removal=True), cfg.IntOpt('timeout', default=3600, help=_('Timeout after which introspection is considered ' - 'failed, set to 0 to disable.'), - deprecated_group='discoverd'), + 'failed, set to 0 to disable.')), cfg.IntOpt('node_status_keep_time', default=604800, help=_('For how much time (in seconds) to keep status ' 'information about nodes after introspection was ' - 'finished for them. Default value is 1 week.'), - deprecated_group='discoverd'), + 'finished for them. Default value is 1 week.')), cfg.IntOpt('clean_up_period', default=60, help=_('Amount of time in seconds, after which repeat clean up ' - 'of timed out nodes and old nodes status information.'), - deprecated_group='discoverd'), + 'of timed out nodes and old nodes status information.')), cfg.BoolOpt('use_ssl', default=False, help=_('SSL Enabled/Disabled')), 
@@ -225,7 +196,6 @@ SERVICE_OPTS = [ cfg.CONF.register_opts(SERVICE_OPTS) cfg.CONF.register_opts(FIREWALL_OPTS, group='firewall') cfg.CONF.register_opts(PROCESSING_OPTS, group='processing') -cfg.CONF.register_opts(DISCOVERD_OPTS, group='discoverd') def list_opts(): @@ -233,7 +203,6 @@ def list_opts(): ('', SERVICE_OPTS), ('firewall', FIREWALL_OPTS), ('processing', PROCESSING_OPTS), - ('discoverd', DISCOVERD_OPTS), ] diff --git a/ironic_inspector/db.py b/ironic_inspector/db.py index d489e6f90..6f4302356 100644 --- a/ironic_inspector/db.py +++ b/ironic_inspector/db.py @@ -43,10 +43,6 @@ _FACADE = None db_opts.set_defaults(cfg.CONF, _DEFAULT_SQL_CONNECTION, 'ironic_inspector.sqlite') -if CONF.discoverd.database: - db_opts.set_defaults(CONF, - connection='sqlite:///%s' % - str(CONF.discoverd.database).strip()) class Node(Base): diff --git a/ironic_inspector/main.py b/ironic_inspector/main.py index 96d380d11..09fd14d75 100644 --- a/ironic_inspector/main.py +++ b/ironic_inspector/main.py @@ -429,7 +429,7 @@ class Service(object): CONF.log_opt_values(LOG, log.DEBUG) def init(self): - if utils.get_auth_strategy() != 'noauth': + if CONF.auth_strategy != 'noauth': utils.add_auth_middleware(app) else: LOG.warning(_LW('Starting unauthenticated, please check' diff --git a/ironic_inspector/test/unit/test_keystone.py b/ironic_inspector/test/unit/test_keystone.py index f6394766d..3d9d4cf5d 100644 --- a/ironic_inspector/test/unit/test_keystone.py +++ b/ironic_inspector/test/unit/test_keystone.py @@ -13,7 +13,6 @@ import mock -from keystoneauth1 import exceptions as kaexc from keystoneauth1 import loading as kaloading from oslo_config import cfg 
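Review bot: Reading `CONF.auth_strategy` directly in `Service.init` flips precedence for configs that still set the removed `authenticate` option. The deleted `get_auth_strategy()` let `authenticate = true` override `auth_strategy`, so a file carrying both `authenticate = true` and `auth_strategy = noauth` used to get the auth middleware and would now start without it. The only signal is the existing 'Starting unauthenticated' warning, since the leftover option is presumably ignored without an error. The release note in this commit does not list `authenticate`; I would add an upgrade entry such as `Removed the deprecated "authenticate" option; "auth_strategy" alone now decides whether the API requires Keystone authentication.` The same applies to `check_auth` in utils.py, and `init` continues outside the hunk.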
@@ -38,7 +37,7 @@ class KeystoneTest(base.BaseTest): self.assertIn(o, self.cfg.conf[TESTGROUP]) self.assertEqual('password', self.cfg.conf[TESTGROUP]['auth_type']) - @mock.patch.object(keystone, '_get_auth') + @mock.patch.object(kaloading, 'load_auth_from_conf_options', autospec=True) def test_get_session(self, auth_mock): keystone.register_auth_opts(TESTGROUP) self.cfg.config(group=TESTGROUP, 
@@ -49,57 +48,6 @@ class KeystoneTest(base.BaseTest): self.assertEqual('/path/to/ca/file', sess.verify) self.assertEqual(auth1, sess.auth) - @mock.patch('keystoneauth1.loading.load_auth_from_conf_options') - @mock.patch.object(keystone, '_get_legacy_auth') - def test__get_auth(self, legacy_mock, load_mock): - auth1 = mock.Mock() - load_mock.side_effect = [ - auth1, - None, - kaexc.MissingRequiredOptions([kaloading.Opt('spam')])] - auth2 = mock.Mock() - legacy_mock.return_value = auth2 - self.assertEqual(auth1, keystone._get_auth(TESTGROUP)) - self.assertEqual(auth2, keystone._get_auth(TESTGROUP)) - self.assertEqual(auth2, keystone._get_auth(TESTGROUP)) - - @mock.patch('keystoneauth1.loading._plugins.identity.generic.Password.' - 'load_from_options') - def test__get_legacy_auth(self, load_mock): - self.cfg.register_opts( - [cfg.StrOpt('identity_url'), - cfg.StrOpt('old_user'), - cfg.StrOpt('old_password')], - group=TESTGROUP) - self.cfg.config(group=TESTGROUP, - identity_url='http://fake:5000/v3', - old_password='ham', - old_user='spam') - options = [cfg.StrOpt('old_tenant_name', default='fake'), - cfg.StrOpt('old_user')] - mapping = {'username': 'old_user', - 'password': 'old_password', - 'auth_url': 'identity_url', - 'tenant_name': 'old_tenant_name'} - - keystone._get_legacy_auth(TESTGROUP, mapping, options) - load_mock.assert_called_once_with(username='spam', - password='ham', - tenant_name='fake', - user_domain_id='default', - project_domain_id='default', - auth_url='http://fake:5000/v3') - - def test__is_api_v3(self): - cases = ((False, 'http://fake:5000', None), - (False, 'http://fake:5000/v2.0', None), - (True, 'http://fake:5000/v3', None), - (True, 'http://fake:5000', '3'), - (True, 'http://fake:5000', 'v3.0')) - for case in cases: - result, url, version = case - self.assertEqual(result, keystone._is_apiv3(url, version)) - def test_add_auth_options(self): group, opts = keystone.add_auth_options([], TESTGROUP)[0] self.assertEqual(TESTGROUP, group) 
diff --git a/ironic_inspector/test/unit/test_utils.py b/ironic_inspector/test/unit/test_utils.py index ba1131e4f..6002673b4 100644 --- a/ironic_inspector/test/unit/test_utils.py +++ b/ironic_inspector/test/unit/test_utils.py @@ -57,35 +57,6 @@ class TestCheckAuth(base.BaseTest): self.assertEqual('http://127.0.0.1:5000', args1['auth_uri']) self.assertEqual('http://127.0.0.1:35357', args1['identity_uri']) - @mock.patch.object(auth_token, 'AuthProtocol') - def test_add_auth_middleware_with_deprecated_items(self, mock_auth): - CONF.set_override('os_password', 'os_password', 'ironic') - CONF.set_override('admin_password', 'admin_password', - 'keystone_authtoken') - CONF.set_override('os_username', 'os_username', 'ironic') - CONF.set_override('admin_user', 'admin_user', 'keystone_authtoken') - CONF.set_override('os_auth_url', 'os_auth_url', 'ironic') - CONF.set_override('auth_uri', 'auth_uri', 'keystone_authtoken') - CONF.set_override('os_tenant_name', 'os_tenant_name', 'ironic') - CONF.set_override('admin_tenant_name', 'admin_tenant_name', - 'keystone_authtoken') - CONF.set_override('identity_uri', 'identity_uri_ironic', 'ironic') - CONF.set_override('identity_uri', 'identity_uri', 'keystone_authtoken') - - app = mock.Mock(wsgi_app=mock.sentinel.app) - utils.add_auth_middleware(app) - - call_args = mock_auth.call_args_list[0] - args = call_args[0] - self.assertEqual(mock.sentinel.app, args[0]) - args1 = args[1] - self.assertEqual('os_password', args1['admin_password']) - self.assertEqual('os_username', args1['admin_user']) - self.assertEqual('os_auth_url', args1['auth_uri']) - self.assertEqual('os_tenant_name', args1['admin_tenant_name']) - self.assertTrue(args1['delay_auth_decision']) - self.assertEqual('identity_uri_ironic', args1['identity_uri']) - def test_ok(self): request = mock.Mock(headers={'X-Identity-Status': 'Confirmed', 'X-Roles': 'admin,member'}) diff --git a/ironic_inspector/utils.py b/ironic_inspector/utils.py index e2b6a5b84..8f55ce01d 100644 
--- a/ironic_inspector/utils.py +++ b/ironic_inspector/utils.py @@ -150,29 +150,6 @@ def add_auth_middleware(app): :param app: application. """ auth_conf = dict(CONF.keystone_authtoken) - # These items should only be used for accessing Ironic API. - # For keystonemiddleware's authentication, - # keystone_authtoken's items will be used and - # these items will be unsupported. - # [ironic]/os_password - # [ironic]/os_username - # [ironic]/os_auth_url - # [ironic]/os_tenant_name - auth_conf.update({'admin_password': - CONF.ironic.os_password or - CONF.keystone_authtoken.admin_password, - 'admin_user': - CONF.ironic.os_username or - CONF.keystone_authtoken.admin_user, - 'auth_uri': - CONF.ironic.os_auth_url or - CONF.keystone_authtoken.auth_uri, - 'admin_tenant_name': - CONF.ironic.os_tenant_name or - CONF.keystone_authtoken.admin_tenant_name, - 'identity_uri': - CONF.ironic.identity_uri or - CONF.keystone_authtoken.identity_uri}) auth_conf['delay_auth_decision'] = True app.wsgi_app = auth_token.AuthProtocol(app.wsgi_app, auth_conf) @@ -194,7 +171,7 @@ def check_auth(request): :param request: Flask request :raises: utils.Error if access is denied """ - if get_auth_strategy() == 'noauth': + if CONF.auth_strategy == 'noauth': return if request.headers.get('X-Identity-Status').lower() == 'invalid': raise Error(_('Authentication required'), code=401) @@ -204,12 +181,6 @@ def check_auth(request): raise Error(_('Access denied'), code=403) -def get_auth_strategy(): - if CONF.authenticate is not None: - return 'keystone' if CONF.authenticate else 'noauth' - return CONF.auth_strategy - - def get_valid_macs(data): """Get a list of valid MAC's from the introspection data.""" return [m['mac'] diff --git a/releasenotes/notes/deprecated-options-removal-ocata-a44dadf3bcf8d6fc.yaml b/releasenotes/notes/deprecated-options-removal-ocata-a44dadf3bcf8d6fc.yaml new file mode 100644 index 000000000..208e5817c --- /dev/null 
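Review bot: The guard right after the changed line in `check_auth`, `request.headers.get('X-Identity-Status').lower() == 'invalid'`, is a deny-list. Any status other than the literal `invalid` falls through to the checks that follow, and a missing header raises `AttributeError` instead of producing the 401. Because `add_auth_middleware` sets `delay_auth_decision`, this function is the actual gate, so I would compare against the expected positive value: `if (request.headers.get('X-Identity-Status') or '').lower() != 'confirmed':`. The unit tests shown in this commit use `Confirmed` as the accepted value. `check_auth` starts and ends outside the hunk.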
+++ b/releasenotes/notes/deprecated-options-removal-ocata-a44dadf3bcf8d6fc.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - |
+ Removed previously deprecated authentication options from "ironic",
+ "swift", and "keystone_authtoken" sections.
+ - |
+ Removed long deprecated support for "discoverd" section in configuration
+ file.