Remove deprecated neutron auth options

As a step towards using keystoneauth instead of keystoneclient, remove
the deprecated to-be-removed-in-mitaka neutron auth options so that we
don't have to translate the deprecated code paths to the new library
interface.

bp: keystoneclient-to-keystoneauth

Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
Change-Id: I3e3393d99533a70379822178983f73d5eef09bee

nova/network/neutronv2/api.py

@@ -20,7 +20,6 @@ import time
 import uuid
 
 from keystoneclient import auth
-from keystoneclient.auth.identity import v2 as v2_auth
 from keystoneclient.auth import token_endpoint
 from keystoneclient import session
 from neutronclient.common import exceptions as neutron_client_exc
@@ -48,71 +47,8 @@ neutron_opts = [
     cfg.StrOpt('url',
                default='http://127.0.0.1:9696',
                help='URL for connecting to neutron'),
-    # deprecated in Kilo, may be removed in Mitaka
-    # NOTE(mikal): we could have removed in Liberty, but we forgot to set
-    # deprecated_for_removal for this flag so no warnings were emitted.
-    cfg.StrOpt('admin_user_id',
-               deprecated_for_removal=True,
-               help='User id for connecting to neutron in admin context. '
-                    'DEPRECATED: specify an auth_plugin and appropriate '
-                    'credentials instead.'),
-    # deprecated in Kilo, may be removed in Mitaka
-    # NOTE(mikal): we could have removed in Liberty, but we forgot to set
-    # deprecated_for_removal for this flag so no warnings were emitted.
-    cfg.StrOpt('admin_username',
-               deprecated_for_removal=True,
-               help='Username for connecting to neutron in admin context '
-                    'DEPRECATED: specify an auth_plugin and appropriate '
-                    'credentials instead.'),
-    # deprecated in Kilo, may be removed in Mitaka
-    # NOTE(mikal): we could have removed in Liberty, but we forgot to set
-    # deprecated_for_removal for this flag so no warnings were emitted.
-    cfg.StrOpt('admin_password',
-               deprecated_for_removal=True,
-               help='Password for connecting to neutron in admin context '
-                    'DEPRECATED: specify an auth_plugin and appropriate '
-                    'credentials instead.',
-               secret=True),
-    # deprecated in Kilo, may be removed in Mitaka
-    # NOTE(mikal): we could have removed in Liberty, but we forgot to set
-    # deprecated_for_removal for this flag so no warnings were emitted.
-    cfg.StrOpt('admin_tenant_id',
-               deprecated_for_removal=True,
-               help='Tenant id for connecting to neutron in admin context '
-                    'DEPRECATED: specify an auth_plugin and appropriate '
-                    'credentials instead.'),
-    # deprecated in Kilo, may be removed in Mitaka
-    # NOTE(mikal): we could have removed in Liberty, but we forgot to set
-    # deprecated_for_removal for this flag so no warnings were emitted.
-    cfg.StrOpt('admin_tenant_name',
-               deprecated_for_removal=True,
-               help='Tenant name for connecting to neutron in admin context. '
-                    'This option will be ignored if neutron_admin_tenant_id '
-                    'is set. Note that with Keystone V3 tenant names are '
-                    'only unique within a domain. '
-                    'DEPRECATED: specify an auth_plugin and appropriate '
-                    'credentials instead.'),
     cfg.StrOpt('region_name',
                help='Region name for connecting to neutron in admin context'),
-    # deprecated in Kilo, may be removed in Mitaka
-    # NOTE(mikal): we could have removed in Liberty, but we forgot to set
-    # deprecated_for_removal for this flag so no warnings were emitted.
-    cfg.StrOpt('admin_auth_url',
-               default='http://localhost:5000/v2.0',
-               deprecated_for_removal=True,
-               help='Authorization URL for connecting to neutron in admin '
-                    'context. DEPRECATED: specify an auth_plugin and '
-                    'appropriate credentials instead.'),
-    # deprecated in Kilo, may be removed in Mitaka
-    # NOTE(mikal): we could have removed in Liberty, but we forgot to set
-    # deprecated_for_removal for this flag so no warnings were emitted.
-    cfg.StrOpt('auth_strategy',
-               default='keystone',
-               deprecated_for_removal=True,
-               help='Authorization strategy for connecting to neutron in '
-                    'admin context. DEPRECATED: specify an auth_plugin and '
-                    'appropriate credentials instead. If an auth_plugin is '
-                    'specified strategy will be ignored.'),
     # TODO(berrange) temporary hack until Neutron can pass over the
     # name of the OVS bridge it is configured with
     cfg.StrOpt('ovs_bridge',
@@ -185,26 +121,7 @@ def _load_auth_plugin(conf):
     if auth_plugin:
         return auth_plugin
 
-    if conf.neutron.auth_strategy == 'noauth':
-        if not conf.neutron.url:
-            message = _('For "noauth" authentication strategy, the '
-                        'endpoint must be specified conf.neutron.url')
-            raise neutron_client_exc.Unauthorized(message=message)
-
-        # NOTE(jamielennox): This will actually send 'noauth' as the token
-        # value because the plugin requires you to send something. It doesn't
-        # matter as it will be ignored anyway.
-        return token_endpoint.Token(conf.neutron.url, 'noauth')
-
-    if conf.neutron.auth_strategy in ('keystone', None):
-        return v2_auth.Password(auth_url=conf.neutron.admin_auth_url,
-                                user_id=conf.neutron.admin_user_id,
-                                username=conf.neutron.admin_username,
-                                password=conf.neutron.admin_password,
-                                tenant_id=conf.neutron.admin_tenant_id,
-                                tenant_name=conf.neutron.admin_tenant_name)
-
-    err_msg = _('Unknown auth strategy: %s') % conf.neutron.auth_strategy
+    err_msg = _('Unknown auth plugin: %s') % conf.neutron.auth_plugin
     raise neutron_client_exc.Unauthorized(message=err_msg)
 
 

nova/tests/functional/api_sample_tests/test_attach_interfaces.py

@@ -103,8 +103,6 @@ class AttachInterfacesSampleJsonTest(test_servers.ServersSampleBase):
                        fake_attach_interface)
         self.stubs.Set(compute_api.API, 'detach_interface',
                        fake_detach_interface)
-        self.flags(auth_strategy=None, group='neutron')
-        self.flags(url='http://anyhost/', group='neutron')
         self.flags(timeout=30, group='neutron')
 
     def generalize_subs(self, subs, vanilla_regexes):

nova/tests/unit/api/openstack/compute/test_attach_interfaces.py

@@ -135,8 +135,6 @@ class InterfaceAttachTestsV21(test.NoDBTestCase):
 
     def setUp(self):
         super(InterfaceAttachTestsV21, self).setUp()
-        self.flags(auth_strategy=None, group='neutron')
-        self.flags(url='http://anyhost/', group='neutron')
         self.flags(timeout=30, group='neutron')
         self.stubs.Set(network_api.API, 'show_port', fake_show_port)
         self.stubs.Set(network_api.API, 'list_ports', fake_list_ports)

nova/tests/unit/network/test_neutronv2.py

@@ -18,14 +18,18 @@ import collections
 import copy
 import uuid
 
+from keystoneclient.auth import base as ksc_auth_base
+from keystoneclient.fixture import V2Token
 import mock
 from mox3 import mox
 from neutronclient.common import exceptions
 from neutronclient.v2_0 import client
 from oslo_config import cfg
+from oslo_config import fixture as config_fixture
 from oslo_policy import policy as oslo_policy
 from oslo_serialization import jsonutils
 from oslo_utils import timeutils
+import requests_mock
 import six
 from six.moves import range
 
@@ -147,7 +151,6 @@ class TestNeutronClient(test.NoDBTestCase):
         self.assertEqual(CONF.neutron.timeout, cl.httpclient.session.timeout)
 
     def test_withouttoken_keystone_connection_error(self):
-        self.flags(auth_strategy='keystone', group='neutron')
         self.flags(url='http://anyhost/', group='neutron')
         my_context = context.RequestContext('userid', 'my_tenantid')
         self.assertRaises(NEUTRON_CLIENT_EXCEPTION,
@@ -3835,18 +3838,34 @@ class TestNeutronv2ExtraDhcpOpts(TestNeutronv2Base):
 
 class TestNeutronClientForAdminScenarios(test.NoDBTestCase):
 
-    @mock.patch('keystoneclient.auth.identity.v2.Password.get_token')
-    def _test_get_client_for_admin(self, auth_mock,
+    def setUp(self):
+        super(TestNeutronClientForAdminScenarios, self).setUp()
+        # NOTE(morganfainberg): The real configuration fixture here is used
+        # instead o the already existing fixtures to ensure that the new
+        # config options are automatically deregistered at the end of the
+        # test run. Without the use of this fixture, the config options
+        # from the plugin(s) would persist for all subsequent tests from when
+        # these are run (due to glonal conf object) and not be fully
+        # representative of a "clean" slate at the start of a test.
+        self.config_fixture = self.useFixture(config_fixture.Config())
+        plugin_class = ksc_auth_base.get_plugin_class('v2password')
+        plugin_class.register_conf_options(self.config_fixture, 'neutron')
+
+    @requests_mock.mock()
+    def _test_get_client_for_admin(self, req_mock,
                                    use_id=False, admin_context=False):
         token_value = uuid.uuid4().hex
-        auth_mock.return_value = token_value
+        auth_url = 'http://anyhost/auth'
+        token_resp = V2Token(token_id=token_value)
+        req_mock.post(auth_url + '/tokens', json=token_resp)
 
-        self.flags(auth_strategy=None, group='neutron')
         self.flags(url='http://anyhost/', group='neutron')
+        self.flags(auth_plugin='v2password', group='neutron')
+        self.flags(auth_url=auth_url, group='neutron')
         self.flags(timeout=30, group='neutron')
         if use_id:
-            self.flags(admin_tenant_id='admin_tenant_id', group='neutron')
-            self.flags(admin_user_id='admin_user_id', group='neutron')
+            self.flags(tenant_id='tenant_id', group='neutron')
+            self.flags(user_id='user_id', group='neutron')
 
         if admin_context:
             my_context = context.get_admin_context()
@@ -3870,20 +3889,18 @@ class TestNeutronClientForAdminScenarios(test.NoDBTestCase):
 
         admin_auth = neutronapi._ADMIN_AUTH
 
-        self.assertEqual(CONF.neutron.admin_auth_url, admin_auth.auth_url)
-        self.assertEqual(CONF.neutron.admin_password, admin_auth.password)
+        self.assertEqual(CONF.neutron.auth_url, admin_auth.auth_url)
+        self.assertEqual(CONF.neutron.password, admin_auth.password)
 
         if use_id:
-            self.assertEqual(CONF.neutron.admin_tenant_id,
+            self.assertEqual(CONF.neutron.tenant_id,
                              admin_auth.tenant_id)
-            self.assertEqual(CONF.neutron.admin_user_id, admin_auth.user_id)
+            self.assertEqual(CONF.neutron.user_id, admin_auth.user_id)
 
             self.assertIsNone(admin_auth.tenant_name)
             self.assertIsNone(admin_auth.username)
         else:
-            self.assertEqual(CONF.neutron.admin_tenant_name,
-                             admin_auth.tenant_name)
-            self.assertEqual(CONF.neutron.admin_username, admin_auth.username)
+            self.assertEqual(CONF.neutron.username, admin_auth.username)
 
             self.assertIsNone(admin_auth.tenant_id)
             self.assertIsNone(admin_auth.user_id)

releasenotes/notes/remove-deprecated-neutron-options-5f3a782aa9082fb5.yaml

@@ -0,0 +1,6 @@
+---
+upgrade:
+  - The old neutron communication options that were
+    slated for removal in Mitaka are no longer available.
+    This means that going forward communication to neutron
+    will need to be configured using auth plugins.