Deprecate [api]auth_strategy and noauth2

[api]auth_strategy defaults to `keystone`. The only other choice is
`noauth2`, which activates noauth paste pipelines, which go through
NoAuthMiddleware, which is crusty and bogus. It is used in our
functional tests to avoid having to fixture out keystone, but should not
be used in real deployments, ever. Deprecate the option for removal, and
add a deprecation warning in the paste pipeline if it is used.

When we remove the option, we could just hardcode to `keystone`. At that
time, we also need to move the middleware under the nova.tests package
-- or find a way to get rid of it entirely by instead stubbing out
keystone in tests if that's relatively easy.

Change-Id: I9e2be5423cc0821a628db7a68ad52bbd91264acd

etc/nova/api-paste.ini

@@ -28,13 +28,17 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
 
 [composite:openstack_compute_api_v21]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21
 keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext osapi_compute_app_v21
+# DEPRECATED: The [api]auth_strategy conf option is deprecated and will be
+# removed in a subsequent release, whereupon this pipeline will be unreachable.
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21
 
 [composite:openstack_compute_api_v21_legacy_v2_compatible]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21
 keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+# DEPRECATED: The [api]auth_strategy conf option is deprecated and will be
+# removed in a subsequent release, whereupon this pipeline will be unreachable.
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21
 
 [filter:request_log]
 paste.filter_factory = nova.api.openstack.requestlog:RequestLog.factory
@@ -45,6 +49,8 @@ paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory
 [filter:faultwrap]
 paste.filter_factory = nova.api.openstack:FaultWrapper.factory
 
+# DEPRECATED: NoAuthMiddleware will be removed in a subsequent release,
+# whereupon this filter will cease to function.
 [filter:noauth2]
 paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
 

nova/api/auth.py

@@ -53,7 +53,16 @@ def pipeline_factory(loader, global_conf, **local_conf):
 
 def pipeline_factory_v21(loader, global_conf, **local_conf):
     """A paste pipeline replica that keys off of auth_strategy."""
-    return _load_pipeline(loader, local_conf[CONF.api.auth_strategy].split())
+    auth_strategy = CONF.api.auth_strategy
+    if auth_strategy == 'noauth2':
+        versionutils.report_deprecated_feature(
+            LOG,
+            "'[api]auth_strategy=noauth2' is deprecated as of the 21.0.0 "
+            "Ussuri release and will be removed in a future release. Please "
+            "remove any 'noauth2' entries from api-paste.ini; only the "
+            "'keystone' pipeline is supported."
+        )
+    return _load_pipeline(loader, local_conf[auth_strategy].split())
 
 
 class InjectContext(wsgi.Middleware):

nova/conf/api.py

@@ -30,7 +30,13 @@ auth_opts = [
              "credential checking. 'noauth2' provides administrative "
              "credentials only if 'admin' is specified as the username."),
         ],
-        deprecated_group="DEFAULT",
+        deprecated_for_removal=True,
+        deprecated_since='21.0.0',
+        deprecated_reason="""
+The only non-default choice, ``noauth2``, is for internal development and
+testing purposes only and should not be used in deployments. This option and
+its middleware, NoAuthMiddleware[V2_18], will be removed in a future release.
+""",
         help="""
 Determine the strategy to use for authentication.
 """),

nova/tests/unit/api/test_auth.py

@@ -140,12 +140,23 @@ class TestPipeLineFactory(test.NoDBTestCase):
         self.assertEqual(app.name, pipeline.split()[-1])
         self.assertIsInstance(app, TestPipeLineFactory.FakeApp)
 
+    @mock.patch('oslo_log.versionutils.report_deprecated_feature',
+                new=mock.NonCallableMock())
     def test_pipeline_factory_v21(self):
+        fake_pipeline = 'test1 test2 test3'
+        CONF.set_override('auth_strategy', 'keystone', group='api')
+        app = nova.api.auth.pipeline_factory_v21(
+            TestPipeLineFactory.FakeLoader(), None, keystone=fake_pipeline)
+        self._test_pipeline(fake_pipeline, app)
+
+    @mock.patch('oslo_log.versionutils.report_deprecated_feature')
+    def test_pipeline_factory_v21_noauth2(self, mock_report_deprecated):
         fake_pipeline = 'test1 test2 test3'
         CONF.set_override('auth_strategy', 'noauth2', group='api')
         app = nova.api.auth.pipeline_factory_v21(
             TestPipeLineFactory.FakeLoader(), None, noauth2=fake_pipeline)
         self._test_pipeline(fake_pipeline, app)
+        self.assertTrue(mock_report_deprecated.called)
 
     @mock.patch('oslo_log.versionutils.report_deprecated_feature')
     def test_pipeline_factory_legacy_v2_deprecated(self,

releasenotes/notes/deprecate-api-auth_strategy-noauth2-ed29c499a68b08ce.yaml

@@ -0,0 +1,7 @@
+---
+deprecations:
+  - |
+    The ``[api]auth_strategy`` conf option and the corresponding test-only
+    ``noauth2`` pipeline in ``api-paste.ini`` are deprecated and will be
+    removed in a future release. The only supported ``auth_strategy`` is
+    ``keystone``, the default.