Remove deprecated keystone::ldap parameters

The CONFIG_KEYSTONE_LDAP_USER_ALLOW_* and CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_*
parameters have been removed from the answer file. Their corresponding
options were removed from Keystone long ago, and they are no longer
valid in puppet-keystone since the Rocky release.

Change-Id: Icd09dc8885731d611720be6a223c12dfef8fe621
Closes-Bug: #1927069

docs/packstack.rst

@@ -392,15 +392,6 @@ Keystone LDAP Identity Backend Config parameters
 **CONFIG_KEYSTONE_LDAP_USER_DEFAULT_PROJECT_ID_ATTRIBUTE**
     Identity service LDAP attribute mapped to default_project_id for users.
 
-**CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE**
-    Specify 'y' if you want to be able to create Identity service users through the Identity service interface; specify 'n' if you will create directly in the LDAP backend. ['n', 'y']
-
-**CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE**
-    Specify 'y' if you want to be able to update Identity service users through the Identity service interface; specify 'n' if you will update directly in the LDAP backend. ['n', 'y']
-
-**CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE**
-    Specify 'y' if you want to be able to delete Identity service users through the Identity service interface; specify 'n' if you will delete directly in the LDAP backend. ['n', 'y']
-
 **CONFIG_KEYSTONE_LDAP_USER_PASS_ATTRIBUTE**
     Identity service LDAP attribute mapped to password.
 
@@ -434,15 +425,6 @@ Keystone LDAP Identity Backend Config parameters
 **CONFIG_KEYSTONE_LDAP_GROUP_ATTRIBUTE_IGNORE**
     Comma-separated list of attributes stripped from LDAP group entry upon update.
 
-**CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE**
-    Specify 'y' if you want to be able to create Identity service groups through the Identity service interface; specify 'n' if you will create directly in the LDAP backend. ['n', 'y']
-
-**CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE**
-    Specify 'y' if you want to be able to update Identity service groups through the Identity service interface; specify 'n' if you will update directly in the LDAP backend. ['n', 'y']
-
-**CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE**
-    Specify 'y' if you want to be able to delete Identity service groups through the Identity service interface; specify 'n' if you will delete directly in the LDAP backend. ['n', 'y']
-
 **CONFIG_KEYSTONE_LDAP_GROUP_ADDITIONAL_ATTRIBUTE_MAPPING**
     List of additional LDAP attributes used for mapping additional attribute mappings for groups. The attribute=mapping format is <ldap_attr>:<group_attr>, where ldap_attr is the attribute in the LDAP entry and group_attr is the Identity API attribute.
 

packstack/plugins/keystone_100.py

@@ -384,48 +384,6 @@ def initConfig(controller):
              "NEED_CONFIRM": False,
              "CONDITION": False},
 
-            {"CMD_OPTION": "keystone-ldap-user-allow-create",
-             "PROMPT": (
-                 "Do you want to allow user create through Keystone (n or y)."
-             ),
-             "OPTION_LIST": ['n', 'y'],
-             "VALIDATORS": [validators.validate_options],
-             "DEFAULT_VALUE": 'n',
-             "MASK_INPUT": False,
-             "LOOSE_VALIDATION": False,
-             "CONF_NAME": 'CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE',
-             "USE_DEFAULT": False,
-             "NEED_CONFIRM": False,
-             "CONDITION": False},
-
-            {"CMD_OPTION": "keystone-ldap-user-allow-update",
-             "PROMPT": (
-                 "Do you want to allow user update through Keystone (n or y)."
-             ),
-             "OPTION_LIST": ['n', 'y'],
-             "VALIDATORS": [validators.validate_options],
-             "DEFAULT_VALUE": 'n',
-             "MASK_INPUT": False,
-             "LOOSE_VALIDATION": False,
-             "CONF_NAME": 'CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE',
-             "USE_DEFAULT": False,
-             "NEED_CONFIRM": False,
-             "CONDITION": False},
-
-            {"CMD_OPTION": "keystone-ldap-user-allow-delete",
-             "PROMPT": (
-                 "Do you want to allow user delete through Keystone (n or y)."
-             ),
-             "OPTION_LIST": ['n', 'y'],
-             "VALIDATORS": [validators.validate_options],
-             "DEFAULT_VALUE": 'n',
-             "MASK_INPUT": False,
-             "LOOSE_VALIDATION": False,
-             "CONF_NAME": 'CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE',
-             "USE_DEFAULT": False,
-             "NEED_CONFIRM": False,
-             "CONDITION": False},
-
             {"CMD_OPTION": "keystone-ldap-user-pass-attribute",
              "PROMPT": "Enter the Keystone LDAP user password attribute.",
              "OPTION_LIST": [],
@@ -564,48 +522,6 @@ def initConfig(controller):
              "NEED_CONFIRM": False,
              "CONDITION": False},
 
-            {"CMD_OPTION": "keystone-ldap-group-allow-create",
-             "PROMPT": (
-                 "Do you want to allow group create through Keystone (n or y)."
-             ),
-             "OPTION_LIST": ['n', 'y'],
-             "VALIDATORS": [validators.validate_options],
-             "DEFAULT_VALUE": 'n',
-             "MASK_INPUT": False,
-             "LOOSE_VALIDATION": False,
-             "CONF_NAME": 'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE',
-             "USE_DEFAULT": False,
-             "NEED_CONFIRM": False,
-             "CONDITION": False},
-
-            {"CMD_OPTION": "keystone-ldap-group-allow-update",
-             "PROMPT": (
-                 "Do you want to allow group update through Keystone (n or y)."
-             ),
-             "OPTION_LIST": ['n', 'y'],
-             "VALIDATORS": [validators.validate_options],
-             "DEFAULT_VALUE": 'n',
-             "MASK_INPUT": False,
-             "LOOSE_VALIDATION": False,
-             "CONF_NAME": 'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE',
-             "USE_DEFAULT": False,
-             "NEED_CONFIRM": False,
-             "CONDITION": False},
-
-            {"CMD_OPTION": "keystone-ldap-group-allow-delete",
-             "PROMPT": (
-                 "Do you want to allow group delete through Keystone (n or y)."
-             ),
-             "OPTION_LIST": ['n', 'y'],
-             "VALIDATORS": [validators.validate_options],
-             "DEFAULT_VALUE": 'n',
-             "MASK_INPUT": False,
-             "LOOSE_VALIDATION": False,
-             "CONF_NAME": 'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE',
-             "USE_DEFAULT": False,
-             "NEED_CONFIRM": False,
-             "CONDITION": False},
-
             {"CMD_OPTION": "keystone-ldap-group-additional-attribute-mapping",
              "PROMPT": (
                  "Enter the comma separated Keystone LDAP group additional "
@@ -723,12 +639,6 @@ def munge_ldap_config_params(config, messages):
     def is_bool(keyname):
         return keyname in (
             'CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT',
-            'CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE',
-            'CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE',
-            'CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE',
-            'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE',
-            'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE',
-            'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE',
             'CONFIG_KEYSTONE_LDAP_USE_TLS'
         )
 

packstack/puppet/modules/packstack/manifests/keystone.pp

@@ -88,9 +88,6 @@ class packstack::keystone ()
         user_enabled_invert                => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT', undef),
         user_attribute_ignore              => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ATTRIBUTE_IGNORE', undef),
         user_default_project_id_attribute  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_DEFAULT_PROJECT_ID_ATTRIBUTE', undef),
-        user_allow_create                  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE', undef),
-        user_allow_update                  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE', undef),
-        user_allow_delete                  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE', undef),
         user_pass_attribute                => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_PASS_ATTRIBUTE', undef),
         user_enabled_emulation             => $user_enabled_emulation,
         user_enabled_emulation_dn          => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_EMULATION_DN', undef),
@@ -103,9 +100,6 @@ class packstack::keystone ()
         group_member_attribute             => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_MEMBER_ATTRIBUTE', undef),
         group_desc_attribute               => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_DESC_ATTRIBUTE', undef),
         group_attribute_ignore             => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ATTRIBUTE_IGNORE', undef),
-        group_allow_create                 => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE', undef),
-        group_allow_update                 => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE', undef),
-        group_allow_delete                 => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE', undef),
         group_additional_attribute_mapping => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ADDITIONAL_ATTRIBUTE_MAPPING', undef),
         use_tls                            => hiera_undef('CONFIG_KEYSTONE_LDAP_USE_TLS', undef),
         tls_cacertdir                      => hiera_undef('CONFIG_KEYSTONE_LDAP_TLS_CACERTDIR', undef),

releasenotes/notes/Remove-deprecated-keystone-ldap-params-848d0eaf7a24273e.yaml

@@ -0,0 +1,8 @@
+---
+deprecations:
+  - |
+    The CONFIG_KEYSTONE_LDAP_USER_ALLOW_* and
+    CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_* parameters have been removed from the
+    answer file. Their corresponding options were removed from Keystone long
+    ago, and they are no longer valid in puppet-keystone since the Rocky
+    release.