Merge "Remove enable config option of trust feature"

2018-07-12 01:37:57 +00:00 · 2018-07-12 01:37:57 +00:00 · c755dea3e3
parent 4cdb4a0b72 59e1d211a6
commit c755dea3e3
6 changed files with 11 additions and 52 deletions
--- a/keystone/auth/core.py
+++ b/keystone/auth/core.py
@ -289,8 +289,6 @@ class AuthInfo(provider_api.ProviderAPIMixin, object):
            domain_ref = self._lookup_domain(self.auth['scope']['domain'])
            self._scope_data = (domain_ref['id'], None, None, None, None)
        elif 'OS-TRUST:trust' in self.auth['scope']:
-            if not CONF.trust.enabled:
-                raise exception.Forbidden('Trusts are disabled.')
            trust_ref = self._lookup_trust(
                self.auth['scope']['OS-TRUST:trust'])
            # TODO(ayoung): when trusts support domains, fill in domain data
--- a/keystone/conf/trust.py
+++ b/keystone/conf/trust.py
@ -11,24 +11,10 @@
 # under the License.

 from oslo_config import cfg
-from oslo_log import versionutils

 from keystone.conf import utils


-enabled = cfg.BoolOpt(
-    'enabled',
-    default=True,
-    deprecated_for_removal=True,
-    deprecated_reason=utils.fmt("""
-Disabling the trusts API is deprecated. This option will be removed in the
-next release and trusts will always be enabled.
-"""),
-    deprecated_since=versionutils.deprecated.QUEENS,
-    help=utils.fmt("""
-Delegation and impersonation features using trusts can be optionally disabled.
-"""))
-
 allow_redelegation = cfg.BoolOpt(
    'allow_redelegation',
    default=False,
@ -59,7 +45,6 @@ unless you are providing a custom entry point.

 GROUP_NAME = __name__.split('.')[-1]
 ALL_OPTS = [
-    enabled,
    allow_redelegation,
    max_redelegation_count,
    driver,
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -3618,31 +3618,6 @@ class TestAuthJSONExternal(test_v3.RestfulTestCase):
                          auth_context)


-class TestTrustOptional(test_v3.RestfulTestCase):
-    def setUp(self):
-        super(TestTrustOptional, self).setUp()
-        # TODO(morgan): remove this test case, trusts are not optional.
-        self.skipTest('Trusts are no longer optional.')
-
-    def config_overrides(self):
-        super(TestTrustOptional, self).config_overrides()
-        self.config_fixture.config(group='trust', enabled=False)
-
-    def test_trusts_returns_not_found(self):
-        self.get('/OS-TRUST/trusts', body={'trust': {}},
-                 expected_status=http_client.NOT_FOUND)
-        self.post('/OS-TRUST/trusts', body={'trust': {}},
-                  expected_status=http_client.NOT_FOUND)
-
-    def test_auth_with_scope_in_trust_forbidden(self):
-        auth_data = self.build_authentication_request(
-            user_id=self.user['id'],
-            password=self.user['password'],
-            trust_id=uuid.uuid4().hex)
-        self.v3_create_token(auth_data,
-                             expected_status=http_client.FORBIDDEN)
-
-
 class TrustAPIBehavior(test_v3.RestfulTestCase):
    """Redelegation valid and secure.

@ -3673,7 +3648,6 @@ class TrustAPIBehavior(test_v3.RestfulTestCase):
        super(TrustAPIBehavior, self).config_overrides()
        self.config_fixture.config(
            group='trust',
-            enabled=True,
            allow_redelegation=True,
            max_redelegation_count=10
        )
@ -4463,7 +4437,6 @@ class TestTrustChain(test_v3.RestfulTestCase):
        super(TestTrustChain, self).config_overrides()
        self.config_fixture.config(
            group='trust',
-            enabled=True,
            allow_redelegation=True,
            max_redelegation_count=10
        )
@ -4905,8 +4878,7 @@ class TestTrustAuthFernetTokenProvider(TrustAPIBehavior, TestTrustChain):
        self.config_fixture.config(group='token',
                                   provider='fernet',
                                   revoke_by_id=False)
-        self.config_fixture.config(group='trust',
-                                   enabled=True)
+        self.config_fixture.config(group='trust')
        self.useFixture(
            ksfixtures.KeyRepository(
                self.config_fixture,
--- a/keystone/tests/unit/test_v3_credential.py
+++ b/keystone/tests/unit/test_v3_credential.py
@ -370,7 +370,7 @@ class TestCredentialTrustScoped(test_v3.RestfulTestCase):

    def config_overrides(self):
        super(TestCredentialTrustScoped, self).config_overrides()
-        self.config_fixture.config(group='trust', enabled=True)
+        self.config_fixture.config(group='trust')

    def test_trust_scoped_ec2_credential(self):
        """Test creating trust scoped ec2 credential.
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -277,7 +277,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
            return

        user_ref = PROVIDERS.identity_api.get_user(user_id)
-        if CONF.trust.enabled and trust and 'OS-TRUST:trust' not in token_data:
+        if trust and 'OS-TRUST:trust' not in token_data:
            trustor_user_ref = (PROVIDERS.identity_api.get_user(
                                trust['trustor_user_id']))
            trustee_user_ref = (PROVIDERS.identity_api.get_user(
@ -343,7 +343,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
            token_data['roles'] = filtered_roles
            return

-        if CONF.trust.enabled and trust:
+        if trust:
            # If redelegated_trust_id is set, then we must traverse the
            # trust_chain in order to determine who the original trustor is. We
            # need to do this because the user ID of the original trustor helps
@ -366,7 +366,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):

        if system or token_domain_id or token_project_id:
            filtered_roles = []
-            if CONF.trust.enabled and trust:
+            if trust:
                # First expand out any roles that were in the trust to include
                # any implied roles, whether global or domain specific
                refs = [{'role_id': role['id']} for role in trust['roles']]
@ -439,7 +439,7 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
            # no need to repopulate service catalog
            return

-        if CONF.trust.enabled and trust:
+        if trust:
            user_id = trust['trustor_user_id']

        # NOTE(lbragstad): The catalog API requires a project in order to
@ -565,7 +565,7 @@ class BaseProvider(provider_api.ProviderAPIMixin, base.Provider):
                    'The configured token provider does not support bind '
                    'authentication.'))

-        if CONF.trust.enabled and trust:
+        if trust:
            if user_id != trust['trustee_user_id']:
                raise exception.Forbidden(_('User is not a trustee.'))

--- a/releasenotes/notes/removed-as-of-rocky-f44c3ba7c3e73d01.yaml
+++ b/releasenotes/notes/removed-as-of-rocky-f44c3ba7c3e73d01.yaml
@ -14,3 +14,7 @@ other:
    Removed support for token bind operations, which were supported by the
    ``uuid``, ``pki``, and ``pkiz`` token providers. Support for this
    feature was deprecated in Pike.
+  - >
+    [`blueprint removed-as-of-rocky <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-rocky>`_]
+    The deprecated `enable` config option of the trust feature is removed.
+    Trusts now is always enabled.