Deprecate old keystone session config opts

In the past, the options ca_certificates_file,
nova_ca_certificates_file, cinder_ca_certificates_file,
api_insecure, nova_api_insecure, cinder_api_insecure
were supplied to instantiate nova, neutron and cinder
clients. These options have now been subsumed in a more
generic way into the Keystone session logic as 'cafile'
and 'insecure'. Deprecate the older options in Stein so
that we can remove them in a future release.

This deprecation began many releases ago when we switched
to using keystone sessions [1]. However, we were still
overriding the values of "insecure" and "cafile" if provided,
forcing users to continue using deprecated parameters
"api_insecure" and "ca_certificates_file". So despite
this fix originating in the Stein release, it would be
prudent to backport it to all maintained releases and
remove support for these older options in/beyond Train
release (9.0.0).

[1] Ic211a11308a3295409467efd88bff413482ee58d
Change-Id: I148e9079c7c1ab119f519f727d4ad97758473325
Related-Bug: #1802393
Closes-Bug: #1809318
Goutham Pacha Ravi 2018-12-19 23:38:13 -08:00
parent a724e3c276
commit 198bea78ac
9 changed files with 82 additions and 72 deletions


@ -90,14 +90,10 @@
- (String) Volume snapshot name template.
* - **[cinder]**
-
* - ``api_insecure`` = ``False``
- (Boolean) Allow to perform insecure SSL requests to cinder.
* - ``auth_section`` = ``None``
- (Unknown) Config Section from which to load plugin specific options
* - ``auth_type`` = ``None``
- (Unknown) Authentication type to load
* - ``ca_certificates_file`` = ``None``
- (String) Location of CA certificates file to use for cinder client requests.
* - ``cafile`` = ``None``
- (String) PEM encoded Certificate Authority to use when verifying HTTPs connections.
* - ``certfile`` = ``None``
@ -130,16 +126,12 @@
- (Integer) Timeout value for http requests
* - **[nova]**
-
* - ``api_insecure`` = ``False``
- (Boolean) Allow to perform insecure SSL requests to nova.
* - ``api_microversion`` = ``2.10``
- (String) Version of Nova API to be used.
* - ``auth_section`` = ``None``
- (Unknown) Config Section from which to load plugin specific options
* - ``auth_type`` = ``None``
- (Unknown) Authentication type to load
* - ``ca_certificates_file`` = ``None``
- (String) Location of CA certificates file to use for nova client requests.
* - ``cafile`` = ``None``
- (String) PEM encoded Certificate Authority to use when verifying HTTPs connections.
* - ``certfile`` = ``None``


@ -50,8 +50,7 @@ class AuthClientLoader(object):
:param group: group name
:return: list of auth default configuration
"""
opts = copy.deepcopy(ks_loading.register_session_conf_options(
CONF, group))
opts = copy.deepcopy(ks_loading.get_session_conf_options())
opts.insert(0, ks_loading.get_auth_common_conf_options()[0])
for plugin_option in ks_loading.get_auth_plugin_conf_options(
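Review bot: `ks_loading.get_session_conf_options()` is called here without `deprecated_opts`, so the option list this method returns carries none of the legacy aliases (`ca_certificates_file`, `api_insecure`) that the nova, neutron and cinder modules register in this same commit. If this list feeds the sample-config or documentation generator (plausible from the docstring, but not visible here), operators get no hint that the old names still map onto `cafile` and `insecure`. Consider accepting a `deprecated_opts` argument and forwarding it, or add a comment such as `# Deprecated aliases are intentionally not listed; see the per-service modules.` The method body continues past the end of this hunk.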


@ -39,16 +39,6 @@ nova_opts = [
deprecated_group="DEFAULT",
deprecated_name="nova_api_microversion",
help='Version of Nova API to be used.'),
cfg.StrOpt('ca_certificates_file',
deprecated_group="DEFAULT",
deprecated_name="nova_ca_certificates_file",
help='Location of CA certificates file to use for nova client '
'requests.'),
cfg.BoolOpt('api_insecure',
default=False,
deprecated_group="DEFAULT",
deprecated_name="nova_api_insecure",
help='Allow to perform insecure SSL requests to nova.'),
cfg.StrOpt('endpoint_type',
default='publicURL',
help='Endpoint type to be used with nova client calls.'),
@ -56,10 +46,28 @@ nova_opts = [
help='Region name for connecting to nova.'),
]
# These fallback options can be removed in/after 9.0.0 (Train)
deprecated_opts = {
'cafile': [
cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"),
cfg.DeprecatedOpt('ca_certificates_file', group=NOVA_GROUP),
cfg.DeprecatedOpt('nova_ca_certificates_file', group="DEFAULT"),
cfg.DeprecatedOpt('nova_ca_certificates_file', group=NOVA_GROUP),
],
'insecure': [
cfg.DeprecatedOpt('api_insecure', group="DEFAULT"),
cfg.DeprecatedOpt('api_insecure', group=NOVA_GROUP),
cfg.DeprecatedOpt('nova_api_insecure', group="DEFAULT"),
cfg.DeprecatedOpt('nova_api_insecure', group=NOVA_GROUP),
],
}
CONF = cfg.CONF
CONF.register_opts(core_opts)
CONF.register_opts(nova_opts, NOVA_GROUP)
ks_loading.register_session_conf_options(CONF, NOVA_GROUP)
ks_loading.register_session_conf_options(CONF,
NOVA_GROUP,
deprecated_opts=deprecated_opts)
ks_loading.register_auth_conf_options(CONF, NOVA_GROUP)
@ -76,8 +84,6 @@ def novaclient(context):
cfg_group=NOVA_GROUP)
return AUTH_OBJ.get_client(context,
version=CONF[NOVA_GROUP].api_microversion,
insecure=CONF[NOVA_GROUP].api_insecure,
cacert=CONF[NOVA_GROUP].ca_certificates_file,
endpoint_type=CONF[NOVA_GROUP].endpoint_type,
region_name=CONF[NOVA_GROUP].region_name)
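Review bot: The new `'insecure'` list makes `[DEFAULT] api_insecure` a fallback for the nova session, which the removed `api_insecure` option did not read (its only legacy alias was `[DEFAULT] nova_api_insecure`); the cinder section widens the scope in the same way. Judging by the options removed on this page, only neutron read that name before, so a deployment that kept `[DEFAULT] api_insecure = True` for neutron would stop verifying TLS certificates for nova and cinder as well after upgrading. Unless that is intended, drop `cfg.DeprecatedOpt('api_insecure', group="DEFAULT")` from the nova and cinder mappings, or state the wider scope explicitly in the release note. The same applies to `[DEFAULT] ca_certificates_file` feeding `cafile`, although there the effect is a different trust anchor rather than disabled verification.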


@ -41,22 +41,11 @@ neutron_opts = [
deprecated_group="DEFAULT",
deprecated_name="neutron_url_timeout",
help='Timeout value for connecting to neutron in seconds.'),
cfg.BoolOpt(
'api_insecure',
default=False,
deprecated_group="DEFAULT",
help='If set, ignore any SSL validation issues.'),
cfg.StrOpt(
'auth_strategy',
default='keystone',
deprecated_group="DEFAULT",
help='Auth strategy for connecting to neutron in admin context.'),
cfg.StrOpt(
'ca_certificates_file',
deprecated_for_removal=True,
deprecated_group="DEFAULT",
help='Location of CA certificates file to use for '
'neutron client requests.'),
cfg.StrOpt(
'endpoint_type',
default='publicURL',
@ -66,6 +55,19 @@ neutron_opts = [
help='Region name for connecting to neutron in admin context.'),
]
# These fallback options can be removed in/after 9.0.0 (Train)
deprecated_opts = {
'cafile': [
cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"),
cfg.DeprecatedOpt('ca_certificates_file', group=NEUTRON_GROUP),
],
'insecure': [
cfg.DeprecatedOpt('api_insecure', group="DEFAULT"),
cfg.DeprecatedOpt('api_insecure', group=NEUTRON_GROUP),
],
}
CONF = cfg.CONF
LOG = log.getLogger(__name__)
@ -83,7 +85,8 @@ class API(object):
def __init__(self, config_group_name=None):
self.config_group_name = config_group_name or 'DEFAULT'
ks_loading.register_session_conf_options(CONF, NEUTRON_GROUP)
ks_loading.register_session_conf_options(
CONF, NEUTRON_GROUP, deprecated_opts=deprecated_opts)
ks_loading.register_auth_conf_options(CONF, NEUTRON_GROUP)
CONF.register_opts(neutron_opts, NEUTRON_GROUP)
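Review bot: Nothing on this page tests the fallback that this `deprecated_opts` mapping introduces: the nova and cinder test sections only delete the `insecure=` / `cacert=` assertions, and neutron has no test change at all. Since the bug being closed concerns which value wins when old and new names are both present, a test that loads a config with only `api_insecure = True` under `[neutron]` and asserts that `CONF[NEUTRON_GROUP].insecure` is true, plus one where `insecure` and `api_insecure` disagree, would pin the behaviour; the same pair is worth adding for nova and cinder. A one-line comment above the dict would also help readers, e.g. `# Keys are keystoneauth session option names; values are the legacy aliases.` The `API.__init__` body continues outside the last hunk.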


@ -63,12 +63,12 @@ class ClientAuthTestCase(test.TestCase):
self.assertRaises(fake_client_exception_class.Unauthorized,
self.auth._load_auth_plugin)
@mock.patch.object(auth, 'register_session_conf_options')
@mock.patch.object(auth, 'get_session_conf_options')
@mock.patch.object(auth, 'get_auth_common_conf_options')
@mock.patch.object(auth, 'get_auth_plugin_conf_options')
def test_list_opts(self, auth_conf, common_conf, register):
register.return_value = [cfg.StrOpt('username'),
cfg.StrOpt('password')]
def test_list_opts(self, auth_conf, common_conf, session_conf):
session_conf.return_value = [cfg.StrOpt('username'),
cfg.StrOpt('password')]
common_conf.return_value = ([cfg.StrOpt('auth_url')])
auth_conf.return_value = [cfg.StrOpt('password')]
@ -80,12 +80,12 @@ class ClientAuthTestCase(test.TestCase):
common_conf.assert_called_once_with()
auth_conf.assert_called_once_with('password')
@mock.patch.object(auth, 'register_session_conf_options')
@mock.patch.object(auth, 'get_session_conf_options')
@mock.patch.object(auth, 'get_auth_common_conf_options')
@mock.patch.object(auth, 'get_auth_plugin_conf_options')
def test_list_opts_not_found(self, auth_conf, common_conf, register,):
register.return_value = [cfg.StrOpt('username'),
cfg.StrOpt('password')]
def test_list_opts_not_found(self, auth_conf, common_conf, session_conf):
session_conf.return_value = [cfg.StrOpt('username'),
cfg.StrOpt('password')]
common_conf.return_value = ([cfg.StrOpt('auth_url')])
auth_conf.return_value = [cfg.StrOpt('tenant')]


@ -135,8 +135,6 @@ class NovaclientTestCase(test.TestCase):
data = {
'nova': {
'api_microversion': 'foo_api_microversion',
'api_insecure': True,
'ca_certificates_file': 'foo_ca_certificates_file',
'endpoint_type': 'foo_endpoint_type',
'region_name': 'foo_region_name',
}
@ -153,8 +151,6 @@ class NovaclientTestCase(test.TestCase):
mock_client_loader.return_value.get_client.assert_called_once_with(
fake_context,
version=data['nova']['api_microversion'],
insecure=data['nova']['api_insecure'],
cacert=data['nova']['ca_certificates_file'],
endpoint_type=data['nova']['endpoint_type'],
region_name=data['nova']['region_name'],
)
@ -165,8 +161,6 @@ class NovaclientTestCase(test.TestCase):
data = {
'nova': {
'api_microversion': 'foo_api_microversion',
'api_insecure': True,
'ca_certificates_file': 'foo_ca_certificates_file',
'endpoint_type': 'foo_endpoint_type',
'region_name': 'foo_region_name',
}
@ -178,8 +172,6 @@ class NovaclientTestCase(test.TestCase):
nova.AUTH_OBJ.get_client.assert_called_once_with(
fake_context,
version=data['nova']['api_microversion'],
insecure=data['nova']['api_insecure'],
cacert=data['nova']['ca_certificates_file'],
endpoint_type=data['nova']['endpoint_type'],
region_name=data['nova']['region_name'],
)


@ -55,8 +55,6 @@ class CinderclientTestCase(test.TestCase):
fake_context = 'fake_context'
data = {
'cinder': {
'api_insecure': True,
'ca_certificates_file': 'foo_ca_certificates_file',
'http_retries': 3,
'endpoint_type': 'foo_endpoint_type',
'region_name': 'foo_region_name',
@ -73,8 +71,6 @@ class CinderclientTestCase(test.TestCase):
)
mock_client_loader.return_value.get_client.assert_called_once_with(
fake_context,
insecure=data['cinder']['api_insecure'],
cacert=data['cinder']['ca_certificates_file'],
retries=data['cinder']['http_retries'],
endpoint_type=data['cinder']['endpoint_type'],
region_name=data['cinder']['region_name'],
@ -85,8 +81,6 @@ class CinderclientTestCase(test.TestCase):
fake_context = 'fake_context'
data = {
'cinder': {
'api_insecure': True,
'ca_certificates_file': 'foo_ca_certificates_file',
'http_retries': 3,
'endpoint_type': 'foo_endpoint_type',
'region_name': 'foo_region_name',
@ -98,8 +92,6 @@ class CinderclientTestCase(test.TestCase):
cinder.AUTH_OBJ.get_client.assert_called_once_with(
fake_context,
insecure=data['cinder']['api_insecure'],
cacert=data['cinder']['ca_certificates_file'],
retries=data['cinder']['http_retries'],
endpoint_type=data['cinder']['endpoint_type'],
region_name=data['cinder']['region_name'],


@ -42,21 +42,11 @@ cinder_opts = [
deprecated_name="cinder_cross_az_attach",
help='Allow attaching between instances and volumes in '
'different availability zones.'),
cfg.StrOpt('ca_certificates_file',
help='Location of CA certificates file to use for cinder '
'client requests.',
deprecated_group='DEFAULT',
deprecated_name="cinder_ca_certificates_file"),
cfg.IntOpt('http_retries',
default=3,
help='Number of cinderclient retries on failed HTTP calls.',
deprecated_group='DEFAULT',
deprecated_name="cinder_http_retries"),
cfg.BoolOpt('api_insecure',
default=False,
help='Allow to perform insecure SSL requests to cinder.',
deprecated_group='DEFAULT',
deprecated_name="cinder_api_insecure"),
cfg.StrOpt('endpoint_type',
default='publicURL',
help='Endpoint type to be used with cinder client calls.'),
@ -64,10 +54,29 @@ cinder_opts = [
help='Region name for connecting to cinder.'),
]
# These fallback options can be removed in/after 9.0.0 (Train)
deprecated_opts = {
'cafile': [
cfg.DeprecatedOpt('ca_certificates_file', group="DEFAULT"),
cfg.DeprecatedOpt('ca_certificates_file', group=CINDER_GROUP),
cfg.DeprecatedOpt('cinder_ca_certificates_file', group="DEFAULT"),
cfg.DeprecatedOpt('cinder_ca_certificates_file', group=CINDER_GROUP),
],
'insecure': [
cfg.DeprecatedOpt('api_insecure', group="DEFAULT"),
cfg.DeprecatedOpt('api_insecure', group=CINDER_GROUP),
cfg.DeprecatedOpt('cinder_api_insecure', group="DEFAULT"),
cfg.DeprecatedOpt('cinder_api_insecure', group=CINDER_GROUP),
],
}
CONF = cfg.CONF
CONF.register_opts(core_opts)
CONF.register_opts(cinder_opts, CINDER_GROUP)
ks_loading.register_session_conf_options(CONF, CINDER_GROUP)
ks_loading.register_session_conf_options(CONF,
CINDER_GROUP,
deprecated_opts=deprecated_opts)
ks_loading.register_auth_conf_options(CONF, CINDER_GROUP)
@ -83,8 +92,6 @@ def cinderclient(context):
exception_module=cinder_exception,
cfg_group=CINDER_GROUP)
return AUTH_OBJ.get_client(context,
insecure=CONF[CINDER_GROUP].api_insecure,
cacert=CONF[CINDER_GROUP].ca_certificates_file,
retries=CONF[CINDER_GROUP].http_retries,
endpoint_type=CONF[CINDER_GROUP].endpoint_type,
region_name=CONF[CINDER_GROUP].region_name)


@ -0,0 +1,19 @@
---
fixes:
- |
`Launchpad bug 1809318 <https://bugs.launchpad.net/manila/+bug/1809318>`_
has been fixed. The deprecated options ``api_insecure`` and
``ca_certificates_file`` from nova, cinder, neutron or DEFAULT
configuration groups no longer override the newer ``insecure`` option if
provided. Always use ``insecure`` and ``cafile`` to control SSL
and validation since the deprecated options will be removed in a future
release.
deprecations:
- |
The options ``ca_certificates_file``, ``nova_ca_certificates_file``,
``cinder_ca_certificates_file``, ``api_insecure``, ``nova_api_insecure``
and ``cinder_api_insecure`` have been deprecated from the ``DEFAULT``
group as well as ``nova``, ``neutron`` and ``cinder`` configuration
groups. Use ``cafile`` to specify the CA certificates and ``insecure``
to turn off SSL validation in these respective groups (nova, neutron and
cinder).