From 198bea78ac01aaf8a703ca7878b2a85a1b59667e Mon Sep 17 00:00:00 2001 From: Goutham Pacha Ravi Date: Wed, 19 Dec 2018 23:38:13 -0800 Subject: [PATCH] Deprecate old keystone session config opts In the past, the options ca_certificates_file, nova_ca_certificates_file, cinder_ca_certificates_file, api_insecure, nova_api_insecure, cinder_api_insecure were supplied to instantiate nova, neutron and cinder clients. These options have now been subsumed in a more generic way into the Keystone session logic as 'cafile' and 'insecure'. Deprecate the older options in Stein so that we can remove them in a future release. This deprecation began many releases ago when we switched to using keystone sessions [1]. However, we were still overriding the values of "insecure" and "cafile" if provided, forcing users to continue using deprecated parameters "api_insecure" and "ca_certificates_file". So despite this fix originating in the Stein release, it would be prudent to backport it to all maintained releases and remove support for these older options in/beyond Train release (9.0.0). [1] Ic211a11308a3295409467efd88bff413482ee58d Change-Id: I148e9079c7c1ab119f519f727d4ad97758473325 Related-Bug: #1802393 Closes-Bug: #1809318 --- .../configuration/tables/manila-generic.inc | 8 ----- manila/common/client_auth.py | 3 +- manila/compute/nova.py | 32 ++++++++++-------- manila/network/neutron/api.py | 27 ++++++++------- manila/tests/common/test_client_auth.py | 16 ++++----- manila/tests/compute/test_nova.py | 8 ----- manila/tests/volume/test_cinder.py | 8 ----- manila/volume/cinder.py | 33 +++++++++++-------- ...eutron-cinder-groups-e395015088d93fdc.yaml | 19 +++++++++++ 9 files changed, 82 insertions(+), 72 deletions(-) create mode 100644 releasenotes/notes/deprecate-old-ks-opts-in-nova-neutron-cinder-groups-e395015088d93fdc.yaml diff --git a/doc/source/configuration/tables/manila-generic.inc b/doc/source/configuration/tables/manila-generic.inc index 2145793810..83af94423e 100644 
--- a/doc/source/configuration/tables/manila-generic.inc +++ b/doc/source/configuration/tables/manila-generic.inc @@ -90,14 +90,10 @@ - (String) Volume snapshot name template. * - **[cinder]** - - * - ``api_insecure`` = ``False`` - - (Boolean) Allow to perform insecure SSL requests to cinder. * - ``auth_section`` = ``None`` - (Unknown) Config Section from which to load plugin specific options * - ``auth_type`` = ``None`` - (Unknown) Authentication type to load - * - ``ca_certificates_file`` = ``None`` - - (String) Location of CA certificates file to use for cinder client requests. * - ``cafile`` = ``None`` - (String) PEM encoded Certificate Authority to use when verifying HTTPs connections. * - ``certfile`` = ``None`` @@ -130,16 +126,12 @@ - (Integer) Timeout value for http requests * - **[nova]** - - * - ``api_insecure`` = ``False`` - - (Boolean) Allow to perform insecure SSL requests to nova. * - ``api_microversion`` = ``2.10`` - (String) Version of Nova API to be used. * - ``auth_section`` = ``None`` - (Unknown) Config Section from which to load plugin specific options * - ``auth_type`` = ``None`` - (Unknown) Authentication type to load - * - ``ca_certificates_file`` = ``None`` - - (String) Location of CA certificates file to use for nova client requests. * - ``cafile`` = ``None`` - (String) PEM encoded Certificate Authority to use when verifying HTTPs connections. * - ``certfile`` = ``None`` diff --git a/manila/common/client_auth.py b/manila/common/client_auth.py index 5c84ee1854..9fbea1a227 100644 --- a/manila/common/client_auth.py +++ b/manila/common/client_auth.py @@ -50,8 +50,7 @@ class AuthClientLoader(object): :param group: group name :return: list of auth default configuration """ - opts = copy.deepcopy(ks_loading.register_session_conf_options( - CONF, group)) + opts = copy.deepcopy(ks_loading.get_session_conf_options()) opts.insert(0, ks_loading.get_auth_common_conf_options()[0]) for plugin_option in ks_loading.get_auth_plugin_conf_options( 
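Review bot: The switch from `register_session_conf_options(CONF, group)` to `get_session_conf_options()` in `list_opts` (manila/common/client_auth.py) has no comment explaining why listing must not register, and the reason is not obvious from the hunk. Presumably a second registration without `deprecated_opts` would clash with the registrations in nova.py, cinder.py and neutron/api.py that now pass them; if so, say it, e.g. `# Only list the session options here; the service modules register them with their own deprecated_opts.` The options returned here also appear to carry no deprecated aliases, so any sample configuration generated from `list_opts` would not show that `api_insecure` and `ca_certificates_file` still map to `insecure` and `cafile`. `list_opts` continues past the end of the hunk.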
diff --git a/manila/compute/nova.py b/manila/compute/nova.py index 8c47024680..d418a2fb1a 100644 --- a/manila/compute/nova.py +++ b/manila/compute/nova.py @@ -39,16 +39,6 @@ nova_opts = [ deprecated_group="DEFAULT", deprecated_name="nova_api_microversion", help='Version of Nova API to be used.'), - cfg.StrOpt('ca_certificates_file', - deprecated_group="DEFAULT", - deprecated_name="nova_ca_certificates_file", - help='Location of CA certificates file to use for nova client ' - 'requests.'), - cfg.BoolOpt('api_insecure', - default=False, - deprecated_group="DEFAULT", - deprecated_name="nova_api_insecure", - help='Allow to perform insecure SSL requests to nova.'), cfg.StrOpt('endpoint_type', default='publicURL', help='Endpoint type to be used with nova client calls.'), @@ -56,10 +46,28 @@ nova_opts = [ help='Region name for connecting to nova.'), ] +# These fallback options can be removed in/after 9.0.0 (Train) +deprecated_opts = { + 'cafile': [ + cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"), + cfg.DeprecatedOpt('ca_certificates_file', group=NOVA_GROUP), + cfg.DeprecatedOpt('nova_ca_certificates_file', group="DEFAULT"), + cfg.DeprecatedOpt('nova_ca_certificates_file', group=NOVA_GROUP), + ], + 'insecure': [ + cfg.DeprecatedOpt('api_insecure', group="DEFAULT"), + cfg.DeprecatedOpt('api_insecure', group=NOVA_GROUP), + cfg.DeprecatedOpt('nova_api_insecure', group="DEFAULT"), + cfg.DeprecatedOpt('nova_api_insecure', group=NOVA_GROUP), + ], +} + CONF = cfg.CONF CONF.register_opts(core_opts) CONF.register_opts(nova_opts, NOVA_GROUP) -ks_loading.register_session_conf_options(CONF, NOVA_GROUP) +ks_loading.register_session_conf_options(CONF, + NOVA_GROUP, + deprecated_opts=deprecated_opts) ks_loading.register_auth_conf_options(CONF, NOVA_GROUP) 
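Review bot: The `deprecated_opts` mapping added in the second nova.py hunk accepts more legacy spellings than the options removed in the first hunk did: those were honoured only as `[nova] api_insecure` / `[nova] ca_certificates_file` and `[DEFAULT] nova_api_insecure` / `[DEFAULT] nova_ca_certificates_file`, while the new lists also take `[DEFAULT] api_insecure`, `[DEFAULT] ca_certificates_file` and the `nova_`-prefixed names inside `[nova]`. Because `[DEFAULT] api_insecure` is the name the neutron module already read, a deployment that set it to `True` for neutron alone would presumably now have TLS certificate verification disabled for nova as well, and the cinder.py `deprecated_opts` hunk has the same widening for cinder. Consider limiting each key to the two spellings that existed before, e.g. `'insecure': [cfg.DeprecatedOpt('api_insecure', group=NOVA_GROUP), cfg.DeprecatedOpt('nova_api_insecure', group="DEFAULT")],`, or call out the wider fallback in the release note. A test that sets a deprecated name and asserts `CONF[NOVA_GROUP].insecure` would pin whichever behaviour is intended.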
@@ -76,8 +84,6 @@ def novaclient(context): cfg_group=NOVA_GROUP) return AUTH_OBJ.get_client(context, version=CONF[NOVA_GROUP].api_microversion, - insecure=CONF[NOVA_GROUP].api_insecure, - cacert=CONF[NOVA_GROUP].ca_certificates_file, endpoint_type=CONF[NOVA_GROUP].endpoint_type, region_name=CONF[NOVA_GROUP].region_name) diff --git a/manila/network/neutron/api.py b/manila/network/neutron/api.py index 2689c2e119..f607c825be 100644 --- a/manila/network/neutron/api.py +++ b/manila/network/neutron/api.py @@ -41,22 +41,11 @@ neutron_opts = [ deprecated_group="DEFAULT", deprecated_name="neutron_url_timeout", help='Timeout value for connecting to neutron in seconds.'), - cfg.BoolOpt( - 'api_insecure', - default=False, - deprecated_group="DEFAULT", - help='If set, ignore any SSL validation issues.'), cfg.StrOpt( 'auth_strategy', default='keystone', deprecated_group="DEFAULT", help='Auth strategy for connecting to neutron in admin context.'), - cfg.StrOpt( - 'ca_certificates_file', - deprecated_for_removal=True, - deprecated_group="DEFAULT", - help='Location of CA certificates file to use for ' - 'neutron client requests.'), cfg.StrOpt( 'endpoint_type', default='publicURL', @@ -66,6 +55,19 @@ neutron_opts = [ help='Region name for connecting to neutron in admin context.'), ] +# These fallback options can be removed in/after 9.0.0 (Train) +deprecated_opts = { + 'cafile': [ + cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"), + cfg.DeprecatedOpt('ca_certificates_file', group=NEUTRON_GROUP), + ], + 'insecure': [ + cfg.DeprecatedOpt('api_insecure', group="DEFAULT"), + cfg.DeprecatedOpt('api_insecure', group=NEUTRON_GROUP), + ], +} + + CONF = cfg.CONF LOG = log.getLogger(__name__) 
@@ -83,7 +85,8 @@ class API(object): def __init__(self, config_group_name=None): self.config_group_name = config_group_name or 'DEFAULT' - ks_loading.register_session_conf_options(CONF, NEUTRON_GROUP) + ks_loading.register_session_conf_options( + CONF, NEUTRON_GROUP, deprecated_opts=deprecated_opts) ks_loading.register_auth_conf_options(CONF, NEUTRON_GROUP) CONF.register_opts(neutron_opts, NEUTRON_GROUP) diff --git a/manila/tests/common/test_client_auth.py b/manila/tests/common/test_client_auth.py index 46f3875c0f..1ad866ca9b 100644 --- a/manila/tests/common/test_client_auth.py +++ b/manila/tests/common/test_client_auth.py @@ -63,12 +63,12 @@ class ClientAuthTestCase(test.TestCase): self.assertRaises(fake_client_exception_class.Unauthorized, self.auth._load_auth_plugin) - @mock.patch.object(auth, 'register_session_conf_options') + @mock.patch.object(auth, 'get_session_conf_options') @mock.patch.object(auth, 'get_auth_common_conf_options') @mock.patch.object(auth, 'get_auth_plugin_conf_options') - def test_list_opts(self, auth_conf, common_conf, register): - register.return_value = [cfg.StrOpt('username'), - cfg.StrOpt('password')] + def test_list_opts(self, auth_conf, common_conf, session_conf): + session_conf.return_value = [cfg.StrOpt('username'), + cfg.StrOpt('password')] common_conf.return_value = ([cfg.StrOpt('auth_url')]) auth_conf.return_value = [cfg.StrOpt('password')] 
@@ -80,12 +80,12 @@ class ClientAuthTestCase(test.TestCase): common_conf.assert_called_once_with() auth_conf.assert_called_once_with('password') - @mock.patch.object(auth, 'register_session_conf_options') + @mock.patch.object(auth, 'get_session_conf_options') @mock.patch.object(auth, 'get_auth_common_conf_options') @mock.patch.object(auth, 'get_auth_plugin_conf_options') - def test_list_opts_not_found(self, auth_conf, common_conf, register,): - register.return_value = [cfg.StrOpt('username'), - cfg.StrOpt('password')] + def test_list_opts_not_found(self, auth_conf, common_conf, session_conf): + session_conf.return_value = [cfg.StrOpt('username'), + cfg.StrOpt('password')] common_conf.return_value = ([cfg.StrOpt('auth_url')]) auth_conf.return_value = [cfg.StrOpt('tenant')] diff --git a/manila/tests/compute/test_nova.py b/manila/tests/compute/test_nova.py index 4b2e659d0c..abf961f7e5 100644 --- a/manila/tests/compute/test_nova.py +++ b/manila/tests/compute/test_nova.py @@ -135,8 +135,6 @@ class NovaclientTestCase(test.TestCase): data = { 'nova': { 'api_microversion': 'foo_api_microversion', - 'api_insecure': True, - 'ca_certificates_file': 'foo_ca_certificates_file', 'endpoint_type': 'foo_endpoint_type', 'region_name': 'foo_region_name', } @@ -153,8 +151,6 @@ class NovaclientTestCase(test.TestCase): mock_client_loader.return_value.get_client.assert_called_once_with( fake_context, version=data['nova']['api_microversion'], - insecure=data['nova']['api_insecure'], - cacert=data['nova']['ca_certificates_file'], endpoint_type=data['nova']['endpoint_type'], region_name=data['nova']['region_name'], ) @@ -165,8 +161,6 @@ class NovaclientTestCase(test.TestCase): data = { 'nova': { 'api_microversion': 'foo_api_microversion', - 'api_insecure': True, - 'ca_certificates_file': 'foo_ca_certificates_file', 'endpoint_type': 'foo_endpoint_type', 'region_name': 'foo_region_name', } 
@@ -178,8 +172,6 @@ class NovaclientTestCase(test.TestCase): nova.AUTH_OBJ.get_client.assert_called_once_with( fake_context, version=data['nova']['api_microversion'], - insecure=data['nova']['api_insecure'], - cacert=data['nova']['ca_certificates_file'], endpoint_type=data['nova']['endpoint_type'], region_name=data['nova']['region_name'], ) diff --git a/manila/tests/volume/test_cinder.py b/manila/tests/volume/test_cinder.py index c89416dc19..f4de6fe17e 100644 --- a/manila/tests/volume/test_cinder.py +++ b/manila/tests/volume/test_cinder.py @@ -55,8 +55,6 @@ class CinderclientTestCase(test.TestCase): fake_context = 'fake_context' data = { 'cinder': { - 'api_insecure': True, - 'ca_certificates_file': 'foo_ca_certificates_file', 'http_retries': 3, 'endpoint_type': 'foo_endpoint_type', 'region_name': 'foo_region_name', @@ -73,8 +71,6 @@ class CinderclientTestCase(test.TestCase): ) mock_client_loader.return_value.get_client.assert_called_once_with( fake_context, - insecure=data['cinder']['api_insecure'], - cacert=data['cinder']['ca_certificates_file'], retries=data['cinder']['http_retries'], endpoint_type=data['cinder']['endpoint_type'], region_name=data['cinder']['region_name'], @@ -85,8 +81,6 @@ class CinderclientTestCase(test.TestCase): fake_context = 'fake_context' data = { 'cinder': { - 'api_insecure': True, - 'ca_certificates_file': 'foo_ca_certificates_file', 'http_retries': 3, 'endpoint_type': 'foo_endpoint_type', 'region_name': 'foo_region_name', @@ -98,8 +92,6 @@ class CinderclientTestCase(test.TestCase): cinder.AUTH_OBJ.get_client.assert_called_once_with( fake_context, - insecure=data['cinder']['api_insecure'], - cacert=data['cinder']['ca_certificates_file'], retries=data['cinder']['http_retries'], endpoint_type=data['cinder']['endpoint_type'], region_name=data['cinder']['region_name'], diff --git a/manila/volume/cinder.py b/manila/volume/cinder.py index 747c67b07e..4424317c5c 100644 --- a/manila/volume/cinder.py +++ b/manila/volume/cinder.py 
@@ -42,21 +42,11 @@ cinder_opts = [ deprecated_name="cinder_cross_az_attach", help='Allow attaching between instances and volumes in ' 'different availability zones.'), - cfg.StrOpt('ca_certificates_file', - help='Location of CA certificates file to use for cinder ' - 'client requests.', - deprecated_group='DEFAULT', - deprecated_name="cinder_ca_certificates_file"), cfg.IntOpt('http_retries', default=3, help='Number of cinderclient retries on failed HTTP calls.', deprecated_group='DEFAULT', deprecated_name="cinder_http_retries"), - cfg.BoolOpt('api_insecure', - default=False, - help='Allow to perform insecure SSL requests to cinder.', - deprecated_group='DEFAULT', - deprecated_name="cinder_api_insecure"), cfg.StrOpt('endpoint_type', default='publicURL', help='Endpoint type to be used with cinder client calls.'), @@ -64,10 +54,29 @@ cinder_opts = [ help='Region name for connecting to cinder.'), ] +# These fallback options can be removed in/after 9.0.0 (Train) +deprecated_opts = { + 'cafile': [ + cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"), + cfg.DeprecatedOpt('ca_certificates_file', group=CINDER_GROUP), + cfg.DeprecatedOpt('cinder_ca_certificates_file', group="DEFAULT"), + cfg.DeprecatedOpt('cinder_ca_certificates_file', group=CINDER_GROUP), + ], + 'insecure': [ + cfg.DeprecatedOpt('api_insecure', group="DEFAULT"), + cfg.DeprecatedOpt('api_insecure', group=CINDER_GROUP), + cfg.DeprecatedOpt('cinder_api_insecure', group="DEFAULT"), + cfg.DeprecatedOpt('cinder_api_insecure', group=CINDER_GROUP), + ], +} + + CONF = cfg.CONF CONF.register_opts(core_opts) CONF.register_opts(cinder_opts, CINDER_GROUP) -ks_loading.register_session_conf_options(CONF, CINDER_GROUP) +ks_loading.register_session_conf_options(CONF, + CINDER_GROUP, + deprecated_opts=deprecated_opts) ks_loading.register_auth_conf_options(CONF, CINDER_GROUP) 
@@ -83,8 +92,6 @@ def cinderclient(context): exception_module=cinder_exception, cfg_group=CINDER_GROUP) return AUTH_OBJ.get_client(context, - insecure=CONF[CINDER_GROUP].api_insecure, - cacert=CONF[CINDER_GROUP].ca_certificates_file, retries=CONF[CINDER_GROUP].http_retries, endpoint_type=CONF[CINDER_GROUP].endpoint_type, region_name=CONF[CINDER_GROUP].region_name) diff --git a/releasenotes/notes/deprecate-old-ks-opts-in-nova-neutron-cinder-groups-e395015088d93fdc.yaml b/releasenotes/notes/deprecate-old-ks-opts-in-nova-neutron-cinder-groups-e395015088d93fdc.yaml new file mode 100644 index 0000000000..6c3ddfa02a --- /dev/null +++ b/releasenotes/notes/deprecate-old-ks-opts-in-nova-neutron-cinder-groups-e395015088d93fdc.yaml @@ -0,0 +1,19 @@ +--- +fixes: + - | + `Launchpad bug 1809318 `_ + has been fixed. The deprecated options ``api_insecure`` and + ``ca_certificates_file`` from nova, cinder, neutron or DEFAULT + configuration groups no longer override the newer ``insecure`` option if + provided. Always use ``insecure`` and ``cafile`` to control SSL + and validation since the deprecated options will be removed in a future + release. +deprecations: + - | + The options ``ca_certificates_file``, ``nova_ca_certificates_file``, + ``cinder_ca_certificates_file``, ``api_insecure``, ``nova_api_insecure`` + and ``cinder_api_insecure`` have been deprecated from the ``DEFAULT`` + group as well as ``nova``, ``neutron`` and ``cinder`` configuration + groups. Use ``cafile`` to specify the CA certificates and ``insecure`` + to turn off SSL validation in these respective groups (nova, neutron and + cinder).