From c838d93c35fdacae5f5bd77a55c62978b8a0b138 Mon Sep 17 00:00:00 2001 From: wangxiyuan Date: Fri, 31 Aug 2018 15:05:00 +0800 Subject: [PATCH] Remove member_role_id/name Remove depepated ``member_role_id`` and ``member_role_name`` config options. Change-Id: I4a29d52da8a7b97baa0cbc52b011b3225fe6ab54 bp: removed-as-of-stein --- keystone/api/roles.py | 8 +--- keystone/assignment/core.py | 16 -------- keystone/conf/default.py | 40 ------------------- keystone/tests/unit/test_v3_assignment.py | 12 ------ .../removed-as-of-stein-5eb23253b72ab54e.yaml | 6 +++ 5 files changed, 7 insertions(+), 75 deletions(-) create mode 100644 releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml diff --git a/keystone/api/roles.py b/keystone/api/roles.py index bc6c312045..606594911c 100644 --- a/keystone/api/roles.py +++ b/keystone/api/roles.py @@ -112,13 +112,7 @@ class RoleResource(ks_flask.ResourceBase): else: ENFORCER.enforce_call(action='identity:create_role') validation.lazy_validate(schema.role_create, role) - if role['name'] == CONF.member_role_name: - # Use the configured member role ID when creating the configured - # member role name. This avoids the potential of creating - # a "member" role with an unexpected ID. - role['id'] = CONF.member_role_id - else: - role = self._assign_unique_id(role) + role = self._assign_unique_id(role) role = self._normalize_dict(role) ref = PROVIDERS.role_api.create_role( role['id'], role, initiator=self.audit_initiator) diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py index 1f5fb7de38..bc95746a63 100644 --- a/keystone/assignment/core.py +++ b/keystone/assignment/core.py 
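Review bot: The new unconditional `role = self._assign_unique_id(role)` path in `RoleResource` has no test: the commit deletes `test_create_member_role` without a replacement, so nothing pins that a role named `_member_` now receives a generated ID instead of the old default `9fe2ff9ee4384b1894a90878d3e92bab`. A replacement test could post `unit.new_role_ref(name='_member_')` to `/roles` and check `self.assertNotEqual('9fe2ff9ee4384b1894a90878d3e92bab', r.json['role']['id'])`, which would catch a regression that brings back a predictable role ID. Policy files or provisioning scripts that grant or match on the old fixed ID will not match a member role created after the upgrade, and a `member_role_id` left in keystone.conf is presumably ignored without an error, so the release note would be easier for operators to find under `upgrade:` than under `other:`. The enclosing method and the `CONF` import lie outside the hunk; if this branch was the last use of `CONF` in roles.py, the import should be dropped as well.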
@@ -165,22 +165,6 @@ class Manager(manager.Manager): role_ids = list(set([x['role_id'] for x in assignment_list])) return PROVIDERS.role_api.list_roles_from_ids(role_ids) - def ensure_default_role(self): - try: - PROVIDERS.role_api.get_role(CONF.member_role_id) - except exception.RoleNotFound: - LOG.info("Creating the default role %s " - "because it does not exist.", - CONF.member_role_id) - role = {'id': CONF.member_role_id, - 'name': CONF.member_role_name} - try: - PROVIDERS.role_api.create_role(CONF.member_role_id, role) - except exception.Conflict: - LOG.info("Creating the default role %s failed because it " - "was already created", - CONF.member_role_id) - @notifications.role_assignment('created') def _add_role_to_user_and_project_adapter(self, role_id, user_id=None, group_id=None, domain_id=None, diff --git a/keystone/conf/default.py b/keystone/conf/default.py index 1150696500..3ea85e636e 100644 --- a/keystone/conf/default.py +++ b/keystone/conf/default.py @@ -21,16 +21,6 @@ This option has been deprecated in the N release and will be removed in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration instead. """) - -_DEPRECATE_MEMBER_ID_AND_NAME = utils.fmt(""" -This option was used to create a default member role for keystone v2 role -assignments, but with the removal of the v2 API it is no longer necessary to -create this default role. This option is deprecated and will be removed in the -S release. If you are depending on having a predictable role name and ID for -this member role you will need to update your tooling. -""") - - admin_token = cfg.StrOpt( 'admin_token', secret=True, 
@@ -101,34 +91,6 @@ values. With Fernet tokens, this can be set as low as 255. With UUID tokens, this should be set to 32). """)) -member_role_id = cfg.StrOpt( - 'member_role_id', - default='9fe2ff9ee4384b1894a90878d3e92bab', - deprecated_for_removal=True, - deprecated_reason=_DEPRECATE_MEMBER_ID_AND_NAME, - deprecated_since=versionutils.deprecated.QUEENS, - help=utils.fmt(""" -Similar to the `[DEFAULT] member_role_name` option, this represents the default -role ID used to associate users with their default projects in the v2 API. This -will be used as the explicit role where one is not specified by the v2 API. You -do not need to set this value unless you want keystone to use an existing role -with a different ID, other than the arbitrarily defined `_member_` role (in -which case, you should set `[DEFAULT] member_role_name` as well). -""")) - -member_role_name = cfg.StrOpt( - 'member_role_name', - default='_member_', - deprecated_for_removal=True, - deprecated_reason=_DEPRECATE_MEMBER_ID_AND_NAME, - deprecated_since=versionutils.deprecated.QUEENS, - help=utils.fmt(""" -This is the role name used in combination with the `[DEFAULT] member_role_id` -option; see that option for more detail. You do not need to set this option -unless you want keystone to use an existing role (in which case, you should set -`[DEFAULT] member_role_id` as well). -""")) - # NOTE(lbragstad/morganfainberg): This value of 10k was measured as having an # approximate 30% clock-time savings over the old default of 40k. The passlib # default is not static and grows over time to constantly approximate ~300ms of @@ -245,8 +207,6 @@ ALL_OPTS = [ max_project_tree_depth, max_param_size, max_token_size, - member_role_id, - member_role_name, crypt_strength, list_limit, strict_password_check, diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py index 7c53cfb59d..e70ec79638 100644 --- a/keystone/tests/unit/test_v3_assignment.py 
+++ b/keystone/tests/unit/test_v3_assignment.py @@ -119,18 +119,6 @@ class AssignmentTestCase(test_v3.RestfulTestCase, self.delete('/roles/%(role_id)s' % { 'role_id': self.role_id}) - def test_create_member_role(self): - """Call ``POST /roles``.""" - # specify only the name on creation - ref = unit.new_role_ref(name=CONF.member_role_name) - r = self.post( - '/roles', - body={'role': ref}) - self.assertValidRoleResponse(r, ref) - - # but the ID should be set as defined in CONF - self.assertEqual(CONF.member_role_id, r.json['role']['id']) - # Role Grants tests def test_crud_user_project_role_grants(self): diff --git a/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml b/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml new file mode 100644 index 0000000000..bf93b58a12 --- /dev/null +++ b/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml @@ -0,0 +1,6 @@ +--- +other: + - | + [`blueprint removed-as-of-stein `_] + The options ``member_role_id`` and ``member_role_name`` which were + deprecated in Queens and only used for V2 are removed now.