From 9607ed3266ef84cf3bac8acec172e4088a00b93f Mon Sep 17 00:00:00 2001
From: Colleen Murphy <colleen.murphy@suse.de>
Date: Wed, 9 Oct 2019 17:45:06 -0700
Subject: [PATCH] Revert "Resource backend is SQL only now"

This reverts commit 3d46c8a5d93529b4050bab635486cfa6b05c9a85.

In the last commit, the foreign key constraints between the project
table and other tables were dropped, which allows us to restore the
configurability of the resource driver.

Change-Id: Iba4951e2d3965be5acec705385967d312456f1c7
---
 keystone/conf/resource.py                      |  8 --------
 keystone/resource/backends/sql.py              |  2 --
 keystone/resource/core.py                      | 11 ++---------
 keystone/tests/unit/test_backend_ldap.py       | 18 ++++++++++++------
 .../resource-driver-33793dd5080ee4d2.yaml      |  6 ++++++
 setup.cfg                                      |  3 +++
 6 files changed, 23 insertions(+), 25 deletions(-)
 create mode 100644 releasenotes/notes/resource-driver-33793dd5080ee4d2.yaml

diff --git a/keystone/conf/resource.py b/keystone/conf/resource.py
index 14482cd0fc..afed1c3b5a 100644
--- a/keystone/conf/resource.py
+++ b/keystone/conf/resource.py
@@ -11,7 +11,6 @@
 # under the License.
 
 from oslo_config import cfg
-from oslo_log import versionutils
 
 from keystone.conf import utils
 
@@ -19,13 +18,6 @@ from keystone.conf import utils
 driver = cfg.StrOpt(
     'driver',
     default='sql',
-    deprecated_for_removal=True,
-    deprecated_reason='Non-SQL resource cannot be used with SQL Identity and '
-                      'has been unable to be used since Ocata. SQL Resource '
-                      'backend is a requirement as of Pike. Setting this '
-                      'option no longer has an effect on how Keystone '
-                      'operates.',
-    deprecated_since=versionutils.deprecated.PIKE,
     help=utils.fmt("""
 Entry point for the resource driver in the `keystone.resource` namespace. Only
 a `sql` driver is supplied by keystone. Unless you are writing proprietary
diff --git a/keystone/resource/backends/sql.py b/keystone/resource/backends/sql.py
index de286c0005..bf09e789d1 100644
--- a/keystone/resource/backends/sql.py
+++ b/keystone/resource/backends/sql.py
@@ -26,8 +26,6 @@ LOG = log.getLogger(__name__)
 
 
 class Resource(base.ResourceDriverBase):
-    # TODO(morgan): Merge all of this code into the manager, Resource backend
-    # is only SQL. There is no configurable driver.
 
     def _encode_domain_id(self, ref):
         if 'domain_id' in ref and ref['domain_id'] is None:
diff --git a/keystone/resource/core.py b/keystone/resource/core.py
index 27f1ec6b9e..207b021174 100644
--- a/keystone/resource/core.py
+++ b/keystone/resource/core.py
@@ -27,7 +27,6 @@ from keystone import exception
 from keystone.i18n import _
 from keystone import notifications
 from keystone.resource.backends import base
-from keystone.resource.backends import sql as resource_sql
 from keystone.token import provider as token_provider
 
 CONF = keystone.conf.CONF
@@ -55,14 +54,8 @@ class Manager(manager.Manager):
     _PROJECT_TAG = 'project tag'
 
     def __init__(self):
-        # NOTE(morgan): The resource driver must be SQL. This is because there
-        # is a FK between identity and resource. Almost every deployment uses
-        # SQL Identity in some form. Even if SQL Identity is not used, there
-        # is almost no reason to have non-SQL Resource. Keystone requires
-        # SQL in a number of ways, this simply codifies it plainly for resource
-        # the driver_name = None simply implies we don't need to load a driver.
-        self.driver = resource_sql.Resource()
-        super(Manager, self).__init__(driver_name=None)
+        resource_driver = CONF.resource.driver
+        super(Manager, self).__init__(resource_driver)
 
     def _get_hierarchy_depth(self, parents_list):
         return len(parents_list) + 1
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index cfded416a0..7f3e13315f 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -1124,7 +1124,8 @@ class LDAPIdentity(BaseLDAPIdentity):
     def assert_backends(self):
         _assert_backends(self,
                          assignment='sql',
-                         identity='ldap')
+                         identity='ldap',
+                         resource='sql')
 
     def test_list_domains(self):
         domains = PROVIDERS.resource_api.list_domains()
@@ -1988,7 +1989,8 @@ class LDAPLimitTests(unit.TestCase, identity_tests.LimitTests):
         identity_tests.LimitTests.setUp(self)
         _assert_backends(self,
                          assignment='sql',
-                         identity='ldap')
+                         identity='ldap',
+                         resource='sql')
 
     def config_overrides(self):
         super(LDAPLimitTests, self).config_overrides()
@@ -2493,7 +2495,8 @@ class MultiLDAPandSQLIdentity(BaseLDAPIdentity, unit.SQLDriverOverrides,
                              self.domain_default['id']: 'ldap',
                              self.domains['domain1']['id']: 'ldap',
                              self.domains['domain2']['id']: 'ldap',
-                         })
+                         },
+                         resource='sql')
 
     def config_overrides(self):
         super(MultiLDAPandSQLIdentity, self).config_overrides()
@@ -2816,7 +2819,8 @@ class MultiLDAPandSQLIdentityDomainConfigsInSQL(MultiLDAPandSQLIdentity):
                              self.domain_default['id']: 'ldap',
                              self.domains['domain1']['id']: 'ldap',
                              self.domains['domain2']['id']: 'ldap',
-                         })
+                         },
+                         resource='sql')
 
     def enable_multi_domain(self):
         # The values below are the same as in the domain_configs_multi_ldap
@@ -3062,7 +3066,8 @@ class DomainSpecificLDAPandSQLIdentity(
                 None: 'ldap',
                 'default': 'ldap',
                 self.domains['domain1']['id']: 'sql',
-            })
+            },
+            resource='sql')
 
     def config_overrides(self):
         super(DomainSpecificLDAPandSQLIdentity, self).config_overrides()
@@ -3236,7 +3241,8 @@ class DomainSpecificSQLIdentity(DomainSpecificLDAPandSQLIdentity):
     def assert_backends(self):
         _assert_backends(self,
                          assignment='sql',
-                         identity='ldap')
+                         identity='ldap',
+                         resource='sql')
 
     def config_overrides(self):
         super(DomainSpecificSQLIdentity, self).config_overrides()
diff --git a/releasenotes/notes/resource-driver-33793dd5080ee4d2.yaml b/releasenotes/notes/resource-driver-33793dd5080ee4d2.yaml
new file mode 100644
index 0000000000..1759129f46
--- /dev/null
+++ b/releasenotes/notes/resource-driver-33793dd5080ee4d2.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Restores the configurability of the resource driver, so it is now possible
+    to create a custom resource driver if the built-in sql driver does not meet
+    business requirements.
diff --git a/setup.cfg b/setup.cfg
index 47a9469ad9..defc57c081 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -137,6 +137,9 @@ keystone.policy =
     rules = keystone.policy.backends.rules:Policy
     sql = keystone.policy.backends.sql:Policy
 
+keystone.resource =
+    sql = keystone.resource.backends.sql:Resource
+
 keystone.resource.domain_config =
     sql = keystone.resource.config_backends.sql:DomainConfig