diff --git a/keystone/conf/resource.py b/keystone/conf/resource.py
index afed1c3b5a..14482cd0fc 100644
--- a/keystone/conf/resource.py
+++ b/keystone/conf/resource.py
@@ -11,6 +11,7 @@
 # under the License.
 from oslo_config import cfg
+from oslo_log import versionutils
 from keystone.conf import utils
@@ -18,6 +19,13 @@ from keystone.conf import utils
 driver = cfg.StrOpt( 'driver', default='sql',
+ deprecated_for_removal=True,
+ deprecated_reason='Non-SQL resource cannot be used with SQL Identity and '
+ 'has been unable to be used since Ocata. SQL Resource '
+ 'backend is a requirement as of Pike. Setting this '
+ 'option no longer has an effect on how Keystone '
+ 'operates.',
+ deprecated_since=versionutils.deprecated.PIKE,
 help=utils.fmt(""" Entry point for the resource driver in the `keystone.resource` namespace. Only a `sql` driver is supplied by keystone. Unless you are writing proprietary
diff --git a/keystone/resource/backends/sql.py b/keystone/resource/backends/sql.py
index f2da7d1962..e0bd08aa13 100644
--- a/keystone/resource/backends/sql.py
+++ b/keystone/resource/backends/sql.py
@@ -22,6 +22,8 @@ LOG = log.getLogger(__name__)
 class Resource(base.ResourceDriverBase):
+ # TODO(morgan): Merge all of this code into the manager, Resource backend
+ # is only SQL. There is no configurable driver.
 def default_assignment_driver(self):
 return 'sql'
diff --git a/keystone/resource/core.py b/keystone/resource/core.py
index 1f7423eae3..0e9c209c12 100644
--- a/keystone/resource/core.py
+++ b/keystone/resource/core.py
@@ -27,6 +27,7 @@ from keystone import exception
 from keystone.i18n import _
 from keystone import notifications
 from keystone.resource.backends import base
+from keystone.resource.backends import sql as resource_sql
 from keystone.token import provider as token_provider
 CONF = keystone.conf.CONF
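Review bot: The `help` text of the `driver` option in keystone/conf/resource.py is left unchanged and still presents the option as the entry point for the resource driver, while the new `deprecated_reason` states that setting it has no effect. An operator reading generated sample configuration could conclude that a custom resource backend is in force when the SQL driver is the one serving projects and domains. I would open the help string with a sentence such as `This option is ignored; the resource backend is always SQL.` The help string continues past the end of the hunk, so the rest of its wording is not visible here.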
@@ -51,8 +52,12 @@ class Manager(manager.Manager):
 _PROJECT = 'project'
 def __init__(self):
- resource_driver = CONF.resource.driver
- super(Manager, self).__init__(resource_driver)
+ # NOTE(morgan): The resource driver must be SQL. This is because there
+ # is a FK between identity and resource. Almost every deployment uses
+ # SQL Identity in some form. Even if SQL Identity is not used, there
+ # is almost no reason to have non-SQL Resource. Keystone requires
+ # SQL in a number of ways, this simply codifies it plainly for resource
+ self.driver = resource_sql.Resource()
 def _get_hierarchy_depth(self, parents_list):
 return len(parents_list) + 1
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index ddf8852a5d..0d492908b2 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -1045,8 +1045,7 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
 def assert_backends(self):
 _assert_backends(self, assignment='sql',
- identity='ldap',
- resource='sql')
+ identity='ldap')
 def test_list_domains(self):
 domains = self.resource_api.list_domains()
@@ -1756,8 +1755,7 @@ class LDAPLimitTests(unit.TestCase, identity_tests.LimitTests):
 identity_tests.LimitTests.setUp(self)
 _assert_backends(self, assignment='sql',
- identity='ldap',
- resource='sql')
+ identity='ldap')
 def config_overrides(self):
 super(LDAPLimitTests, self).config_overrides()
@@ -2210,8 +2208,7 @@ class MultiLDAPandSQLIdentity(BaseLDAPIdentity, unit.SQLDriverOverrides,
 self.domain_default['id']: 'ldap', self.domains['domain1']['id']: 'ldap', self.domains['domain2']['id']: 'ldap',
- },
- resource='sql')
+ })
 def config_overrides(self):
 super(MultiLDAPandSQLIdentity, self).config_overrides()
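Review bot: `Manager.__init__` in keystone/resource/core.py no longer calls `super(Manager, self).__init__(...)`, so anything the base `manager.Manager` constructor does besides loading the driver is now skipped; that constructor is not shown in this diff, so this needs confirming. The value of `CONF.resource.driver` is also dropped without a check, so a deployment that still sets it to something other than `sql` starts up with projects and domains served from a different store, with at most the generic option-deprecation warning to explain it. Consider a guard before the assignment, for example `if CONF.resource.driver != 'sql': LOG.warning('[resource] driver is ignored; the SQL resource backend is always used')`, assuming a module-level `LOG` exists in this file. The rest of the `Manager` class lies outside the hunk.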
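Review bot: With `resource='sql'` removed from the `_assert_backends` calls in keystone/tests/unit/test_backend_ldap.py (LDAPIdentity, LDAPLimitTests and MultiLDAPandSQLIdentity here, plus the three later hunks of the same file), no visible test pins the new behaviour that the resource backend is SQL whatever the configuration says. A small test that overrides the `[resource] driver` option with a non-`sql` value and asserts `isinstance(self.resource_api.driver, resource_sql.Resource)` would stop a later refactor from quietly making the driver configurable again. `_assert_backends` is defined outside these hunks, so whether it still accepts a `resource` argument cannot be seen from here.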
@@ -2532,8 +2529,7 @@ class MultiLDAPandSQLIdentityDomainConfigsInSQL(MultiLDAPandSQLIdentity):
 self.domain_default['id']: 'ldap', self.domains['domain1']['id']: 'ldap', self.domains['domain2']['id']: 'ldap',
- },
- resource='sql')
+ })
 def enable_multi_domain(self):
 # The values below are the same as in the domain_configs_multi_ldap
@@ -2758,8 +2754,7 @@ class DomainSpecificLDAPandSQLIdentity(
 None: 'ldap', 'default': 'ldap', self.domains['domain1']['id']: 'sql',
- },
- resource='sql')
+ })
 def config_overrides(self):
 super(DomainSpecificLDAPandSQLIdentity, self).config_overrides()
@@ -2927,8 +2922,7 @@ class DomainSpecificSQLIdentity(DomainSpecificLDAPandSQLIdentity):
 def assert_backends(self):
 _assert_backends(self, assignment='sql',
- identity='ldap',
- resource='sql')
+ identity='ldap')
 def config_overrides(self):
 super(DomainSpecificSQLIdentity, self).config_overrides()
diff --git a/releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml b/releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml
new file mode 100644
index 0000000000..a053e0a266
--- /dev/null
+++ b/releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The resource backend cannot be configured to anything but SQL if the SQL
+ Identity backend is being used. The resource backend must now be SQL which
+ allows for the use of Foreign Keys to domains/projects wherever desired.
+ This makes managing project relationships and such much more straight
+ forward. The inability to configure non-SQL resource backends has been
+ in Keystone since at least Ocata. This is eliminating some complexity
+ and preventing the need for some really ugly back-port SQL migrations
+ in favor of a better model. Resource is highly relational and should be
+ SQL based.
diff --git a/setup.cfg b/setup.cfg
index 43bb672943..f03acd1fc9 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -139,9 +139,6 @@ keystone.policy =
 rules = keystone.policy.backends.rules:Policy
 sql = keystone.policy.backends.sql:Policy
-keystone.resource =
- sql = keystone.resource.backends.sql:Resource
-
 keystone.resource.domain_config =
 sql = keystone.resource.config_backends.sql:DomainConfig