Deprecate [trust]/enabled option

It's currently possible to disable the trusts API and trusts are
therefore essentially an API extension and not a first-class member of
the keystone API. By now, trusts are a widely-used feature and are
essential for services like Heat. Allowing optional APIs is an
interoperability nightmare that we should discourage. This patch marks
the config flag to enable trusts as deprecated so that in the future it
will not be possible to disable it.

bp deprecated-as-of-queens

Change-Id: Iac454ddf7878b8f2705e7abb44181f1a19af015f
Colleen Murphy 2017-12-29 19:53:21 +01:00 committed by Colleen Murphy
parent 1f1ec829d7
commit c973c8fe70
2 changed files with 10 additions and 0 deletions

@ -11,6 +11,7 @@
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
@ -18,6 +19,12 @@ from keystone.conf import utils
enabled = cfg.BoolOpt(
'enabled',
default=True,
deprecated_for_removal=True,
deprecated_reason=utils.fmt("""
Disabling the trusts API is deprecated. This option will be removed in the
next release and trusts will always be enabled.
"""),
deprecated_since=versionutils.deprecated.QUEENS,
help=utils.fmt("""
Delegation and impersonation features using trusts can be optionally disabled.
"""))
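
Review bot: the help text at the end of this hunk still reads "Delegation and impersonation features using trusts can be optionally disabled." with no hint that the switch is going away, and the new deprecated_reason does not say what a deployment that currently sets enabled to false should do before the option is removed. Since the option gates delegation and impersonation, consider adding a sentence to deprecated_reason stating that the trusts API will be reachable once the option is gone, so operators who depended on it being off can plan for that. Separately, "the next release" is relative to when the message is read; deprecated_since already names QUEENS, so naming the removal release as well would keep the message accurate in later logs.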

@ -15,3 +15,6 @@ deprecations:
role. This option is deprecated and will be removed in the S release. If
you are depending on having a predictable role name and ID for this member
role you will need to update your tooling.
- >
The ``enabled`` config option of the ``trust`` feature is deprecated and
will be removed in the next release. Trusts will then always be enabled.
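
Review bot: the new entry says "will be removed in the next release", while the entry directly above it in the same list names its release ("will be removed in the S release"). Naming the release here keeps the two entries consistent and still reads correctly when the note is consulted later. The entry also presents the change only as a deprecation; for deployments that run with the option set to false, "Trusts will then always be enabled" means the API is switched on by the removal, which deserves an explicit sentence aimed at those operators.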