From a67394a05872c89699487fc3e1e6a1801a7714c2 Mon Sep 17 00:00:00 2001 From: Monty Taylor Date: Sat, 5 Dec 2015 00:41:24 -0500 Subject: [PATCH] Remove deprecated neutron auth options As a step towards using keystoneauth instead of keystoneclient, remove the deprecated to-be-removed-in-mitaka neutron auth options so that we don't have to translate the deprecated code paths to the new library interface. bp: keystoneclient-to-keystoneauth Co-Authored-By: Morgan Fainberg Change-Id: I3e3393d99533a70379822178983f73d5eef09bee --- nova/network/neutronv2/api.py | 85 +------------------ .../test_attach_interfaces.py | 2 - .../compute/test_attach_interfaces.py | 2 - nova/tests/unit/network/test_neutronv2.py | 45 +++++++--- ...ated-neutron-options-5f3a782aa9082fb5.yaml | 6 ++ 5 files changed, 38 insertions(+), 102 deletions(-) create mode 100644 releasenotes/notes/remove-deprecated-neutron-options-5f3a782aa9082fb5.yaml diff --git a/nova/network/neutronv2/api.py b/nova/network/neutronv2/api.py index efa21eac2d3d..8ec88bfe8ca4 100644 --- a/nova/network/neutronv2/api.py +++ b/nova/network/neutronv2/api.py @@ -20,7 +20,6 @@ import time import uuid from keystoneclient import auth -from keystoneclient.auth.identity import v2 as v2_auth from keystoneclient.auth import token_endpoint from keystoneclient import session from neutronclient.common import exceptions as neutron_client_exc 
@@ -48,71 +47,8 @@ neutron_opts = [ cfg.StrOpt('url', default='http://127.0.0.1:9696', help='URL for connecting to neutron'), - # deprecated in Kilo, may be removed in Mitaka - # NOTE(mikal): we could have removed in Liberty, but we forgot to set - # deprecated_for_removal for this flag so no warnings were emitted. - cfg.StrOpt('admin_user_id', - deprecated_for_removal=True, - help='User id for connecting to neutron in admin context. ' - 'DEPRECATED: specify an auth_plugin and appropriate ' - 'credentials instead.'), - # deprecated in Kilo, may be removed in Mitaka - # NOTE(mikal): we could have removed in Liberty, but we forgot to set - # deprecated_for_removal for this flag so no warnings were emitted. - cfg.StrOpt('admin_username', - deprecated_for_removal=True, - help='Username for connecting to neutron in admin context ' - 'DEPRECATED: specify an auth_plugin and appropriate ' - 'credentials instead.'), - # deprecated in Kilo, may be removed in Mitaka - # NOTE(mikal): we could have removed in Liberty, but we forgot to set - # deprecated_for_removal for this flag so no warnings were emitted. - cfg.StrOpt('admin_password', - deprecated_for_removal=True, - help='Password for connecting to neutron in admin context ' - 'DEPRECATED: specify an auth_plugin and appropriate ' - 'credentials instead.', - secret=True), - # deprecated in Kilo, may be removed in Mitaka - # NOTE(mikal): we could have removed in Liberty, but we forgot to set - # deprecated_for_removal for this flag so no warnings were emitted. - cfg.StrOpt('admin_tenant_id', - deprecated_for_removal=True, - help='Tenant id for connecting to neutron in admin context ' - 'DEPRECATED: specify an auth_plugin and appropriate ' - 'credentials instead.'), - # deprecated in Kilo, may be removed in Mitaka - # NOTE(mikal): we could have removed in Liberty, but we forgot to set - # deprecated_for_removal for this flag so no warnings were emitted. 
- cfg.StrOpt('admin_tenant_name', - deprecated_for_removal=True, - help='Tenant name for connecting to neutron in admin context. ' - 'This option will be ignored if neutron_admin_tenant_id ' - 'is set. Note that with Keystone V3 tenant names are ' - 'only unique within a domain. ' - 'DEPRECATED: specify an auth_plugin and appropriate ' - 'credentials instead.'), cfg.StrOpt('region_name', help='Region name for connecting to neutron in admin context'), - # deprecated in Kilo, may be removed in Mitaka - # NOTE(mikal): we could have removed in Liberty, but we forgot to set - # deprecated_for_removal for this flag so no warnings were emitted. - cfg.StrOpt('admin_auth_url', - default='http://localhost:5000/v2.0', - deprecated_for_removal=True, - help='Authorization URL for connecting to neutron in admin ' - 'context. DEPRECATED: specify an auth_plugin and ' - 'appropriate credentials instead.'), - # deprecated in Kilo, may be removed in Mitaka - # NOTE(mikal): we could have removed in Liberty, but we forgot to set - # deprecated_for_removal for this flag so no warnings were emitted. - cfg.StrOpt('auth_strategy', - default='keystone', - deprecated_for_removal=True, - help='Authorization strategy for connecting to neutron in ' - 'admin context. DEPRECATED: specify an auth_plugin and ' - 'appropriate credentials instead. If an auth_plugin is ' - 'specified strategy will be ignored.'), # TODO(berrange) temporary hack until Neutron can pass over the # name of the OVS bridge it is configured with cfg.StrOpt('ovs_bridge', 
@@ -185,26 +121,7 @@ def _load_auth_plugin(conf): if auth_plugin: return auth_plugin - if conf.neutron.auth_strategy == 'noauth': - if not conf.neutron.url: - message = _('For "noauth" authentication strategy, the ' - 'endpoint must be specified conf.neutron.url') - raise neutron_client_exc.Unauthorized(message=message) - - # NOTE(jamielennox): This will actually send 'noauth' as the token - # value because the plugin requires you to send something. It doesn't - # matter as it will be ignored anyway. - return token_endpoint.Token(conf.neutron.url, 'noauth') - - if conf.neutron.auth_strategy in ('keystone', None): - return v2_auth.Password(auth_url=conf.neutron.admin_auth_url, - user_id=conf.neutron.admin_user_id, - username=conf.neutron.admin_username, - password=conf.neutron.admin_password, - tenant_id=conf.neutron.admin_tenant_id, - tenant_name=conf.neutron.admin_tenant_name) - - err_msg = _('Unknown auth strategy: %s') % conf.neutron.auth_strategy + err_msg = _('Unknown auth plugin: %s') % conf.neutron.auth_plugin raise neutron_client_exc.Unauthorized(message=err_msg) diff --git a/nova/tests/functional/api_sample_tests/test_attach_interfaces.py b/nova/tests/functional/api_sample_tests/test_attach_interfaces.py index 5c903e7dbe14..836d05553f66 100644 --- a/nova/tests/functional/api_sample_tests/test_attach_interfaces.py +++ b/nova/tests/functional/api_sample_tests/test_attach_interfaces.py @@ -103,8 +103,6 @@ class AttachInterfacesSampleJsonTest(test_servers.ServersSampleBase): fake_attach_interface) self.stubs.Set(compute_api.API, 'detach_interface', fake_detach_interface) - self.flags(auth_strategy=None, group='neutron') - self.flags(url='http://anyhost/', group='neutron') self.flags(timeout=30, group='neutron') def generalize_subs(self, subs, vanilla_regexes): diff --git a/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py b/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py index 22efe32dbfc7..ddb7d00147bf 100644 
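Review bot: The new fallback in `_load_auth_plugin` formats `conf.neutron.auth_plugin` into 'Unknown auth plugin: %s', but this branch is reached whenever no plugin was loaded, which presumably includes the option being unset. An operator upgrading with only the removed `admin_*` options would then see "Unknown auth plugin: None", with no hint that the old credentials are no longer read. Consider wording it for that case, e.g. `err_msg = _('No usable neutron auth plugin (auth_plugin=%s); the admin_* options were removed') % conf.neutron.auth_plugin`. Dropping the `noauth` and v2 password fallbacks means the function now fails closed, which is the safer default. The start of the function is outside the hunk, so how `auth_plugin` is loaded is not visible here.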
--- a/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py +++ b/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py @@ -135,8 +135,6 @@ class InterfaceAttachTestsV21(test.NoDBTestCase): def setUp(self): super(InterfaceAttachTestsV21, self).setUp() - self.flags(auth_strategy=None, group='neutron') - self.flags(url='http://anyhost/', group='neutron') self.flags(timeout=30, group='neutron') self.stubs.Set(network_api.API, 'show_port', fake_show_port) self.stubs.Set(network_api.API, 'list_ports', fake_list_ports) diff --git a/nova/tests/unit/network/test_neutronv2.py b/nova/tests/unit/network/test_neutronv2.py index 3b86be079733..18b8563936c1 100644 --- a/nova/tests/unit/network/test_neutronv2.py +++ b/nova/tests/unit/network/test_neutronv2.py @@ -18,14 +18,18 @@ import collections import copy import uuid +from keystoneclient.auth import base as ksc_auth_base +from keystoneclient.fixture import V2Token import mock from mox3 import mox from neutronclient.common import exceptions from neutronclient.v2_0 import client from oslo_config import cfg +from oslo_config import fixture as config_fixture from oslo_policy import policy as oslo_policy from oslo_serialization import jsonutils from oslo_utils import timeutils +import requests_mock import six from six.moves import range @@ -147,7 +151,6 @@ class TestNeutronClient(test.NoDBTestCase): self.assertEqual(CONF.neutron.timeout, cl.httpclient.session.timeout) def test_withouttoken_keystone_connection_error(self): - self.flags(auth_strategy='keystone', group='neutron') self.flags(url='http://anyhost/', group='neutron') my_context = context.RequestContext('userid', 'my_tenantid') self.assertRaises(NEUTRON_CLIENT_EXCEPTION, 
@@ -3835,18 +3838,34 @@ class TestNeutronv2ExtraDhcpOpts(TestNeutronv2Base): class TestNeutronClientForAdminScenarios(test.NoDBTestCase): - @mock.patch('keystoneclient.auth.identity.v2.Password.get_token') - def _test_get_client_for_admin(self, auth_mock, + def setUp(self): + super(TestNeutronClientForAdminScenarios, self).setUp() + # NOTE(morganfainberg): The real configuration fixture here is used + # instead o the already existing fixtures to ensure that the new + # config options are automatically deregistered at the end of the + # test run. Without the use of this fixture, the config options + # from the plugin(s) would persist for all subsequent tests from when + # these are run (due to glonal conf object) and not be fully + # representative of a "clean" slate at the start of a test. + self.config_fixture = self.useFixture(config_fixture.Config()) + plugin_class = ksc_auth_base.get_plugin_class('v2password') + plugin_class.register_conf_options(self.config_fixture, 'neutron') + + @requests_mock.mock() + def _test_get_client_for_admin(self, req_mock, use_id=False, admin_context=False): token_value = uuid.uuid4().hex - auth_mock.return_value = token_value + auth_url = 'http://anyhost/auth' + token_resp = V2Token(token_id=token_value) + req_mock.post(auth_url + '/tokens', json=token_resp) - self.flags(auth_strategy=None, group='neutron') self.flags(url='http://anyhost/', group='neutron') + self.flags(auth_plugin='v2password', group='neutron') + self.flags(auth_url=auth_url, group='neutron') self.flags(timeout=30, group='neutron') if use_id: - self.flags(admin_tenant_id='admin_tenant_id', group='neutron') - self.flags(admin_user_id='admin_user_id', group='neutron') + self.flags(tenant_id='tenant_id', group='neutron') + self.flags(user_id='user_id', group='neutron') if admin_context: my_context = context.get_admin_context() 
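Review bot: The NOTE in the new `setUp` has two typos ("instead o the", "glonal conf object") and does not say that the fixture itself, rather than `CONF`, is passed as the first argument to `register_conf_options`. That is presumably what routes the plugin options through the fixture so they are deregistered on cleanup. Suggest correcting the wording to `instead of the already existing fixtures` and `due to the global conf object`, and adding a line such as `# The fixture is passed in place of CONF so the options are registered through it.` The body of `_test_get_client_for_admin` continues past the end of this hunk.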
@@ -3870,20 +3889,18 @@ class TestNeutronClientForAdminScenarios(test.NoDBTestCase): admin_auth = neutronapi._ADMIN_AUTH - self.assertEqual(CONF.neutron.admin_auth_url, admin_auth.auth_url) - self.assertEqual(CONF.neutron.admin_password, admin_auth.password) + self.assertEqual(CONF.neutron.auth_url, admin_auth.auth_url) + self.assertEqual(CONF.neutron.password, admin_auth.password) if use_id: - self.assertEqual(CONF.neutron.admin_tenant_id, + self.assertEqual(CONF.neutron.tenant_id, admin_auth.tenant_id) - self.assertEqual(CONF.neutron.admin_user_id, admin_auth.user_id) + self.assertEqual(CONF.neutron.user_id, admin_auth.user_id) self.assertIsNone(admin_auth.tenant_name) self.assertIsNone(admin_auth.username) else: - self.assertEqual(CONF.neutron.admin_tenant_name, - admin_auth.tenant_name) - self.assertEqual(CONF.neutron.admin_username, admin_auth.username) + self.assertEqual(CONF.neutron.username, admin_auth.username) self.assertIsNone(admin_auth.tenant_id) self.assertIsNone(admin_auth.user_id) diff --git a/releasenotes/notes/remove-deprecated-neutron-options-5f3a782aa9082fb5.yaml b/releasenotes/notes/remove-deprecated-neutron-options-5f3a782aa9082fb5.yaml new file mode 100644 index 000000000000..d976144117d7 --- /dev/null +++ b/releasenotes/notes/remove-deprecated-neutron-options-5f3a782aa9082fb5.yaml @@ -0,0 +1,6 @@ +--- +upgrade: + - The old neutron communication options that were + slated for removal in Mitaka are no longer available. + This means that going forward communication to neutron + will need to be configured using auth plugins.
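Review bot: The `else` branch drops the `tenant_name` assertion without a replacement, so the name-based path now checks only `username`. Assuming the v2password plugin registers a `tenant_name` option, `self.assertEqual(CONF.neutron.tenant_name, admin_auth.tenant_name)` would restore the old coverage. Also, none of the `self.flags(...)` calls visible in the preceding hunk set `password`, `username` or `tenant_name`. Unless they are set in lines outside the diff, these `assertEqual` checks compare `None` with `None` and would pass even if the plugin ignored the configured credentials. Setting explicit values, e.g. `self.flags(password='constructed-test-password', group='neutron')`, would make the assertions actually test the credential wiring. The test method starts before this hunk.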