Fix the loss of access to barbican secrets

The listener delete method could remove access to barbican secrets that
are used on multiple listeners, in different roles.
It is also not thread safe and was un-tested.
This patch removes the "unset_acls" calls from the listener delete method.

Change-Id: Ic832fcd2a5a45993f8414b7514b1a58dcec13de3
Story: 2005041
Task: 29536

octavia/api/v2/controllers/listener.py

@@ -396,45 +396,6 @@ class ListenersController(base.BaseController):
             driver_utils.call_provider(driver.name, driver.listener_delete,
                                        provider_listener)
 
-        # Revoke access of octavia service user to certificates
-        tls_refs = []
-
-        for sni in db_listener.sni_containers:
-            filters = {'tls_container_id': sni.tls_container_id}
-            snis = self.repositories.sni.get_all(context.session, **filters)[0]
-
-            if len(snis) == 1:
-                # referred only once, enqueue for access revoking
-                tls_refs.append(sni.tls_container_id)
-            else:
-                blocking_listeners = [s.listener_id for s in snis if
-                                      s.listener_id != id]
-                LOG.debug("Listeners %s using TLS ref %s. Access to TLS ref "
-                          "will not be revoked.", blocking_listeners,
-                          sni.tls_container_id)
-
-        if db_listener.tls_certificate_id:
-            filters = {'tls_certificate_id': db_listener.tls_certificate_id}
-            # Note get_all returns the list and links. We only want the list.
-            listeners = self.repositories.listener.get_all(
-                context.session, show_deleted=False, **filters)[0]
-
-            if len(listeners) == 1:
-                # referred only once, enqueue for access revoking
-                tls_refs.append(db_listener.tls_certificate_id)
-            else:
-                blocking_listeners = [l.id for l in listeners if l.id != id]
-                LOG.debug("Listeners %s using TLS ref %s. Access to TLS ref "
-                          "will not be revoked.", blocking_listeners,
-                          db_listener.tls_certificate_id)
-
-        for ref in tls_refs:
-            try:
-                self.cert_manager.unset_acls(context, ref)
-            except Exception:
-                # certificate may have been removed already
-                pass
-
     @pecan.expose()
     def _lookup(self, id, *remainder):
         """Overridden pecan _lookup method for custom routing.

releasenotes/notes/remove-bbq-unset-acl-e680020de6a9ad3d.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Octavia will no longer automatically revoke access to secrets whenever
+    load balancing resources no longer require access to them. This may be
+    added in the future.