From f65d436c114bbfc2051c6f5b6d7a9d12daacc29d Mon Sep 17 00:00:00 2001 From: Kaitlin Farr Date: Wed, 1 Mar 2017 15:15:29 -0500 Subject: [PATCH] Remove deprecated keymgr code Now that enough time has passed, the keymgr code that was deprecated for removal can be removed. Barbican is the default option for Castellan, but Barbican is not part of default DevStack yet. Until Barbican is used by default in the dsvm gates, ConfKeyManager (the fixed_key key manager) should be set in DevStack, which was added with I733279864ee1a4aaffc9c8eed81b5e12f8d8821b. Change-Id: I82ee74f3d2629281dc8116af55f6a7b5398fc473 --- nova/compute/api.py | 4 +- nova/conf/key_manager.py | 2 + nova/keymgr/__init__.py | 69 ------------------- nova/virt/libvirt/driver.py | 5 +- nova/virt/libvirt/imagebackend.py | 4 +- ...ve-deprecated-keymgr-db807dc76c83263e.yaml | 15 ++++ 6 files changed, 23 insertions(+), 76 deletions(-) create mode 100644 releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml diff --git a/nova/compute/api.py b/nova/compute/api.py index f977edcd2290..27eb71c5904d 100644 --- a/nova/compute/api.py +++ b/nova/compute/api.py @@ -26,6 +26,7 @@ import functools import re import string +from castellan import key_manager from oslo_log import log as logging from oslo_messaging import exceptions as oslo_exceptions from oslo_serialization import base64 as base64utils @@ -59,7 +60,6 @@ from nova import exception_wrapper from nova import hooks from nova.i18n import _ from nova import image -from nova import keymgr from nova import network from nova.network import model as network_model from nova.network.security_group import openstack_driver @@ -256,7 +256,7 @@ class API(base.Base): self.servicegroup_api = servicegroup.API() self.notifier = rpc.get_notifier('compute', CONF.host) if CONF.ephemeral_storage_encryption.enabled: - self.key_manager = keymgr.API() + self.key_manager = key_manager.API() super(API, self).__init__(**kwargs) 
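Review bot: `key_manager.API()` in `API.__init__` is called without a configuration object, while the same call in nova/virt/libvirt/driver.py and nova/virt/libvirt/imagebackend.py passes `CONF`; writing `self.key_manager = key_manager.API(CONF)` here would keep the three call sites alike and make the configuration source explicit. With nova/keymgr/__init__.py emptied by this commit, the branch that fell back to the mock key manager and logged "key manager not set, using insecure default %s" is gone, so an unset `[key_manager]` section now takes whatever Castellan defaults to (Barbican, per the commit message). The upgrade note added in this commit lists the renamed class paths but not that change of default; one sentence telling operators who have `ephemeral_storage_encryption.enabled` set to choose the key manager explicitly would close the gap. The body of `API.__init__` continues outside the hunk.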
diff --git a/nova/conf/key_manager.py b/nova/conf/key_manager.py index bafb2e04d392..d86182de7240 100644 --- a/nova/conf/key_manager.py +++ b/nova/conf/key_manager.py @@ -22,6 +22,8 @@ key_manager_group = cfg.OptGroup( key_manager_opts = [ # TODO(raj_singh): Deprecate or move this option to The Castellan library + # NOTE(kfarr): The ability to use fixed_key should be deprecated and + # removed and Barbican should be tested in the gate instead cfg.StrOpt( 'fixed_key', deprecated_group='keymgr', diff --git a/nova/keymgr/__init__.py b/nova/keymgr/__init__.py index 0d4f1a37ac0d..e69de29bb2d1 100644 --- a/nova/keymgr/__init__.py +++ b/nova/keymgr/__init__.py 
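Review bot: The added NOTE on `fixed_key` says the option should be deprecated and removed but not why, and the reason is what a later reader needs. Presumably the concern is that the fixed-key manager serves one static key, kept in nova.conf, for everything it encrypts; if so, say it in the comment, for example `# NOTE(kfarr): fixed_key is a single static key read from nova.conf and shared by all encrypted volumes; deprecate and remove it once Barbican is tested in the gate.` The `cfg.StrOpt(` arguments continue outside the hunk, so whether the option is declared with `secret=True` (which keeps the value out of logged configuration) cannot be seen here and is worth confirming.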
@@ -1,69 +0,0 @@ -# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - - -from oslo_config import cfg -from oslo_log import log as logging -from oslo_utils import importutils - -import nova.conf - -LOG = logging.getLogger(__name__) -CONF = nova.conf.CONF - -# NOTE(kfarr): For backwards compatibility, everything below this comment -# is deprecated for removal -api_class = None -try: - api_class = CONF.key_manager.api_class -except cfg.NoSuchOptError: - LOG.warning("key_manager.api_class is not set, will use deprecated " - "option keymgr.api_class if set") - try: - api_class = CONF.keymgr.api_class - except cfg.NoSuchOptError: - LOG.warning("keymgr.api_class is not set") - -deprecated_barbican = 'nova.keymgr.barbican.BarbicanKeyManager' -barbican = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager' -deprecated_mock = 'nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager' -castellan_mock = ('castellan.tests.unit.key_manager.mock_key_manager.' 
- 'MockKeyManager') - - -def log_deprecated_warning(deprecated, castellan): - LOG.warning("key manager api_class set to use deprecated option " - "%(deprecated)s, using %(castellan)s instead", - {'deprecated': deprecated, 'castellan': castellan}) - -if api_class == deprecated_barbican: - log_deprecated_warning(deprecated_barbican, barbican) - api_class = barbican -elif api_class == deprecated_mock: - log_deprecated_warning(deprecated_mock, castellan_mock) - api_class = castellan_mock -elif api_class is None: - # TODO(kfarr): key_manager.api_class should be set in DevStack, and this - # block can be removed - LOG.warning("key manager not set, using insecure default %s", - castellan_mock) - api_class = castellan_mock - -CONF.set_override('api_class', api_class, 'key_manager') - - -def API(conf=CONF): - cls = importutils.import_class(CONF.key_manager.api_class) - return cls(conf) diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py index e5c55f07741d..8c235840abb4 100644 --- a/nova/virt/libvirt/driver.py +++ b/nova/virt/libvirt/driver.py @@ -41,6 +41,7 @@ import tempfile import time import uuid +from castellan import key_manager import eventlet from eventlet import greenthread from eventlet import tpool @@ -74,7 +75,6 @@ from nova import context as nova_context from nova import exception from nova.i18n import _ from nova import image -from nova import keymgr from nova.network import model as network_model from nova import objects from nova.objects import diagnostics as diagnostics_obj @@ -1184,9 +1184,8 @@ class LibvirtDriver(driver.ComputeDriver): def _get_volume_encryptor(self, connection_info, encryption): root_helper = utils.get_root_helper() - key_manager = keymgr.API(CONF) return encryptors.get_volume_encryptor(root_helper=root_helper, - keymgr=key_manager, + keymgr=key_manager.API(CONF), connection_info=connection_info, **encryption) 
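Review bot: `_get_volume_encryptor` in nova/virt/libvirt/driver.py now builds a key manager with `key_manager.API(CONF)` on every call, whereas nova/compute/api.py and the Lvm backend in imagebackend.py create one and keep it on `self.key_manager`. If the Castellan object holds no per-request state (not visible from this hunk), creating it once on the driver and passing it as `keymgr=` would avoid repeating the class lookup for each encrypted volume. The call was presumably inlined because a local named `key_manager` would shadow the new module import; if the per-call form stays, a differently named local such as `keymgr_api = key_manager.API(CONF)` reads more clearly than a call nested in the argument list. The rest of `LibvirtDriver` is outside the hunk.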
diff --git a/nova/virt/libvirt/imagebackend.py b/nova/virt/libvirt/imagebackend.py index a6cd05f7548d..cb6e122db62d 100644 --- a/nova/virt/libvirt/imagebackend.py +++ b/nova/virt/libvirt/imagebackend.py @@ -20,6 +20,7 @@ import functools import os import shutil +from castellan import key_manager from oslo_log import log as logging from oslo_serialization import jsonutils from oslo_utils import excutils @@ -32,7 +33,6 @@ import nova.conf from nova import exception from nova.i18n import _ from nova import image -from nova import keymgr from nova.privsep import dac_admin from nova import utils from nova.virt.disk import api as disk @@ -657,7 +657,7 @@ class Lvm(Image): self.ephemeral_key_uuid = instance.get('ephemeral_key_uuid') if self.ephemeral_key_uuid is not None: - self.key_manager = keymgr.API(CONF) + self.key_manager = key_manager.API(CONF) else: self.key_manager = None diff --git a/releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml b/releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml new file mode 100644 index 000000000000..f318ea92d5cd --- /dev/null +++ b/releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml 
@@ -0,0 +1,15 @@
+---
+upgrade:
+ - |
+ The old deprecated ``keymgr`` options have been removed.
+ Configuration options using the ``[keymgr]`` group will not be
+ applied anymore. Use the ``[key_manager]`` group from Castellan instead.
+ The Castellan ``api_class`` options should also be used instead, as most
+ of the options that lived in Nova have migrated to Castellan.
+
+ - Instead of ``api_class`` option ``nova.keymgr.barbican.BarbicanKeyManager``,
+ use ``castellan.key_manager.barbican_key_manager.BarbicanKeyManager``
+ - Instead of ``api_class`` option ``nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager``,
+ use ``castellan.tests.unit.key_manager.mock_key_manager.MockKeyManager``
+ - ``nova.keymgr.conf_key_mgr.ConfKeyManager`` still remains, but the ``fixed_key``
+ configuration options should be moved to the ``[key_manager]`` section