Remove password_expires_ignore_user_ids

The above was deprecated in Ocata in favor of the user option ignore password expiry. Implements: bp removed-as-of-pike Change-Id: Ib69418c797595ec62ee3f2162fbf141c8bd47813
2017-02-25 10:53:43 -05:00 · 2017-02-25 10:53:43 -05:00 · 88cc5cff87
parent 900349583c
commit 88cc5cff87
4 changed files with 10 additions and 56 deletions
--- a/keystone/conf/security_compliance.py
+++ b/keystone/conf/security_compliance.py
@ -11,7 +11,6 @@
 # under the License.

 from oslo_config import cfg
-from oslo_log import versionutils

 from keystone.conf import utils

@ -65,25 +64,6 @@ passwords would not be impacted. This feature depends on the `sql` backend for
 the `[identity] driver`.
 """))

-password_expires_ignore_user_ids = cfg.ListOpt(
-    'password_expires_ignore_user_ids',
-    deprecated_for_removal=True,
-    deprecated_reason=utils.fmt("""
-Functionality added as a per-user option "ignore_password_expiry" in Ocata.
-Each user that should ignore password expiry should have the value set to
-"true" in the user's `options` attribute (e.g.
-`user['options']['ignore_password_expiry'] = True`) with an "update_user" call.
-This avoids the need to restart keystone to adjust the users that ignore
-password expiry. This option will be removed in the Pike release.
-"""),
-    deprecated_since=versionutils.deprecated.OCATA,
-    default=[],
-    help=utils.fmt("""
-Comma separated list of user IDs to be ignored when checking if a password
-is expired. Passwords for users in this list will not expire. This feature
-will only be enabled if `[security_compliance] password_expires_days` is set.
-"""))
-
 unique_last_password_count = cfg.IntOpt(
    'unique_last_password_count',
    default=1,
@ -150,7 +130,6 @@ ALL_OPTS = [
    lockout_failure_attempts,
    lockout_duration,
    password_expires_days,
-    password_expires_ignore_user_ids,
    unique_last_password_count,
    minimum_password_age,
    password_regex,
--- a/keystone/identity/backends/sql_model.py
+++ b/keystone/identity/backends/sql_model.py
@ -14,7 +14,6 @@

 import datetime

-from oslo_log import versionutils
 import sqlalchemy
 from sqlalchemy.ext.hybrid import hybrid_property
 from sqlalchemy import orm
@ -150,29 +149,16 @@ class User(sql.ModelBase, sql.DictBase):

    def _get_password_expires_at(self, created_at):
        expires_days = CONF.security_compliance.password_expires_days
-        # NOTE(notmorgan): This option is deprecated and subject to removal
-        # in a future release.
-        ignore_list = CONF.security_compliance.password_expires_ignore_user_ids
-        if ignore_list:
-            versionutils.deprecated(
-                what='[security_compliance]\password_expires_ignore_user_ids',
-                as_of=versionutils.deprecated.OCATA,
-                remove_in=+1,
-                in_favor_of=('Using the `ignore_password_expiry` value set to '
-                             '`True` in the `user["options"]` dictionary on '
-                             'User creation or update (via API call).'))
        # Get the IGNORE_PASSWORD_EXPIRY_OPT value from the user's
        # option_mapper.
-
        ignore_pw_expiry = getattr(
            self.get_resource_option(iro.IGNORE_PASSWORD_EXPIRY_OPT.option_id),
            'option_value',
            False)
-        if (self.id not in ignore_list) and not ignore_pw_expiry:
-            if expires_days:
-                expired_date = (created_at +
-                                datetime.timedelta(days=expires_days))
-                return expired_date.replace(microsecond=0)
+        if not ignore_pw_expiry and expires_days:
+            expired_date = (created_at +
+                            datetime.timedelta(days=expires_days))
+            return expired_date.replace(microsecond=0)
        return None

    @password.expression
--- a/keystone/tests/unit/identity/test_backend_sql.py
+++ b/keystone/tests/unit/identity/test_backend_sql.py
@ -679,23 +679,6 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
                                       user_id=user['id'],
                                       password=self.password)

-    def test_authenticate_with_expired_password_for_ignore_user(self):
-        # add the user id to the ignore list
-        self.config_fixture.config(
-            group='security_compliance',
-            password_expires_ignore_user_ids=[self.user_dict['id']])
-        # set password created_at so that the password will expire
-        password_created_at = (
-            datetime.datetime.utcnow() -
-            datetime.timedelta(
-                days=CONF.security_compliance.password_expires_days + 1)
-        )
-        user = self._create_user(self.user_dict, password_created_at)
-        # test password is not expired due to ignore list
-        self.identity_api.authenticate(self.make_request(),
-                                       user_id=user['id'],
-                                       password=self.password)
-
    def test_authenticate_with_expired_password_for_ignore_user_option(self):
        # set user to have the 'ignore_password_expiry' option set to False
        self.user_dict.setdefault('options', {})[
--- a/releasenotes/notes/removed-as-of-pike-deadbeefdeadbeef.yaml
+++ b/releasenotes/notes/removed-as-of-pike-deadbeefdeadbeef.yaml
@ -20,3 +20,9 @@ other:
    The catalog backend ``endpoint_filter.sql`` has been removed. It has been
    consolidated with the ``sql`` backend, therefore replace the
    ``endpoint_filter.sql`` catalog backend with the ``sql`` backend.
+  - >
+    The ``[security_compliance] password_expires_ignore_user_ids`` option has
+    been removed. Each user that should ignore password expiry should have the
+    value set to "true" in the user's ``options`` attribute (e.g.
+    ``user['options']['ignore_password_expiry'] = True``) with a user update
+    call.