Remove [token]/ infer_roles

infer_roles in [token] is deprecated. This patch
removes the same.

Partial-Bug: #1829453
Change-Id: If77d73eeac6db215d7710b33c6dba926c14ae2b2

keystone/assignment/core.py

@@ -646,8 +646,6 @@ class Manager(manager.Manager):
             indirect['role_id'] = prior_ref['role_id']
             return implied_ref
 
-        if not CONF.token.infer_roles:
-            return role_refs
         try:
             implied_roles_cache = {}
             role_refs_to_check = list(role_refs)

keystone/conf/token.py

@@ -89,23 +89,6 @@ for tokens with a more specific scope) or to provide their credentials in every
 request for a scoped token to avoid re-scoping altogether.
 """))
 
-infer_roles = cfg.BoolOpt(
-    'infer_roles',
-    default=True,
-    deprecated_since=versionutils.deprecated.ROCKY,
-    deprecated_reason=utils.fmt("""
-Default roles depend on a chain of implied role assignments. Ex: an admin user
-will also have the reader and member role. By ensuring that all these roles
-will always appear on the token validation response, we can improve the
-simplicity and readability of policy files.
-"""),
-    deprecated_for_removal=True,
-    help=utils.fmt("""
-This controls whether roles should be included with tokens that are not
-directly assigned to the token's scope, but are instead linked implicitly to
-other role assignments.
-"""))
-
 cache_on_issue = cfg.BoolOpt(
     'cache_on_issue',
     default=True,
@@ -144,7 +127,6 @@ ALL_OPTS = [
     cache_time,
     revoke_by_id,
     allow_rescope_scoped_token,
-    infer_roles,
     cache_on_issue,
     allow_expired_window,
 ]

keystone/tests/unit/test_v3_auth.py

@@ -2061,11 +2061,11 @@ class TokenAPITests(object):
     def test_create_implied_role_shows_in_v3_project_token(self):
         # regardless of the default chosen, this should always
         # test with the option set.
-        self.config_fixture.config(group='token', infer_roles=True)
+        self.config_fixture.config(group='token')
         self._create_implied_role_shows_in_v3_token(False)
 
     def test_create_implied_role_shows_in_v3_domain_token(self):
-        self.config_fixture.config(group='token', infer_roles=True)
+        self.config_fixture.config(group='token')
         PROVIDERS.assignment_api.create_grant(
             self.role['id'], user_id=self.user['id'],
             domain_id=self.domain['id']
@@ -2074,7 +2074,7 @@ class TokenAPITests(object):
         self._create_implied_role_shows_in_v3_token(True)
 
     def test_create_implied_role_shows_in_v3_system_token(self):
-        self.config_fixture.config(group='token', infer_roles=True)
+        self.config_fixture.config(group='token')
         PROVIDERS.assignment_api.create_system_grant_for_user(
             self.user['id'], self.role['id']
         )
@@ -2091,7 +2091,7 @@ class TokenAPITests(object):
         self.assertEqual(2, len(token_roles))
 
     def test_group_assigned_implied_role_shows_in_v3_token(self):
-        self.config_fixture.config(group='token', infer_roles=True)
+        self.config_fixture.config(group='token')
         is_domain = False
         token_roles = self._get_scoped_token_roles(is_domain)
         self.assertEqual(1, len(token_roles))
@@ -2130,7 +2130,7 @@ class TokenAPITests(object):
         self.assertIn(implied2['id'], token_role_ids)
 
     def test_multiple_implied_roles_show_in_v3_token(self):
-        self.config_fixture.config(group='token', infer_roles=True)
+        self.config_fixture.config(group='token')
         token_roles = self._get_scoped_token_roles()
         self.assertEqual(1, len(token_roles))
 
@@ -2149,7 +2149,7 @@ class TokenAPITests(object):
         self.assertIn(implied3['id'], token_role_ids)
 
     def test_chained_implied_role_shows_in_v3_token(self):
-        self.config_fixture.config(group='token', infer_roles=True)
+        self.config_fixture.config(group='token')
         token_roles = self._get_scoped_token_roles()
         self.assertEqual(1, len(token_roles))
 
@@ -2169,7 +2169,7 @@ class TokenAPITests(object):
         self.assertIn(implied3['id'], token_role_ids)
 
     def test_implied_role_disabled_by_config(self):
-        self.config_fixture.config(group='token', infer_roles=False)
+        self.config_fixture.config(group='token')
         token_roles = self._get_scoped_token_roles()
         self.assertEqual(1, len(token_roles))
 
@@ -2179,12 +2179,12 @@ class TokenAPITests(object):
         self._create_implied_role(implied2['id'])
 
         token_roles = self._get_scoped_token_roles()
-        self.assertEqual(1, len(token_roles))
+        self.assertEqual(4, len(token_roles))
         token_role_ids = [role['id'] for role in token_roles]
         self.assertIn(prior, token_role_ids)
 
     def test_delete_implied_role_do_not_show_in_v3_token(self):
-        self.config_fixture.config(group='token', infer_roles=True)
+        self.config_fixture.config(group='token')
         token_roles = self._get_scoped_token_roles()
         prior = token_roles[0]['id']
         implied = self._create_implied_role(prior)
@@ -2197,7 +2197,7 @@ class TokenAPITests(object):
         self.assertEqual(1, len(token_roles))
 
     def test_unrelated_implied_roles_do_not_change_v3_token(self):
-        self.config_fixture.config(group='token', infer_roles=True)
+        self.config_fixture.config(group='token')
         token_roles = self._get_scoped_token_roles()
         prior = token_roles[0]['id']
         implied = self._create_implied_role(prior)
@@ -2217,7 +2217,7 @@ class TokenAPITests(object):
         self.assertEqual(2, len(token_roles))
 
     def test_domain_specific_roles_do_not_show_v3_token(self):
-        self.config_fixture.config(group='token', infer_roles=True)
+        self.config_fixture.config(group='token')
         initial_token_roles = self._get_scoped_token_roles()
 
         new_role = self._create_role(domain_id=self.domain_id)

releasenotes/notes/removed-as-of-train-92b2942a680eb859.yaml

@@ -0,0 +1,5 @@
+---
+other:
+  - |
+    [`bug 1829453 <https://bugs.launchpad.net/keystone/+bug/1829453>`_]
+    The deprecated config option `infer_roles` is removed now.