Remove 'admin_role' option

ostackbrian · ostackbrian · commit f102b74a285a · 2020-11-24T20:31:21.000-05:00
This option was deprecated in the Ussuri release by change
I0f61f85a0aaa4f68e345fa08fbb6b039d3d32587 and it is now eligible
for removal following the standard OpenStack deprecation policy.

Change-Id: I78ec79f97bfdcc39772448296140f8d8f35adea1
diff --git a/doc/source/admin/authentication.rst b/doc/source/admin/authentication.rst
@@ -114,9 +114,3 @@ configuration file, select the appropriate deployment flavor by adding a
 
   [paste_deploy]
   flavor = keystone
-
-.. note::
-  If your authentication service uses a role other than ``admin`` to identify
-  which users should be granted admin-level privileges, you must define it
-  in the ``admin_role`` config attribute in both ``glance-registry.conf`` and
-  ``glance-api.conf``.
diff --git a/glance/api/middleware/context.py b/glance/api/middleware/context.py
@@ -54,41 +54,6 @@
 Related options:
     * None
 
-""")),
-
-    cfg.StrOpt('admin_role',
-               default=('__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c'
-                        '_NOT_A_ROLE__'),
-               deprecated_for_removal=True,
-               deprecated_since="Ussuri",
-               deprecated_reason=_("""
-This option is redundant as its goal can be achieved via policy file
-configuration.  Additionally, it can override any configured policies,
-leading to unexpected behavior and difficulty in policy configuration.
-The option will be removed early in the Victoria development cycle,
-following the standard OpenStack deprecation policy.
-
-Because this can be a security issue, the default value of this
-configuration option has been changed in this release.
-
-Please see the 'Deprecation Notes' section of the Ussuri Glance
-Release Notes for more information.
-"""),
-               help=_("""
-Role used to identify an authenticated user as administrator.
-
-Provide a string value representing a Keystone role to identify an
-administrative user. Users with this role will be granted
-administrative privileges.
-
-NOTE: The default value for this option has changed in this release.
-
-Possible values:
-    * A string value which is a valid Keystone role
-
-Related options:
-    * None
-
 """)),
 
     cfg.BoolOpt('allow_anonymous_access', default=False,
@@ -221,9 +186,6 @@ def _get_authenticated_context(self, req):
         # fixed.
         ctxt.roles = [r.lower() for r in ctxt.roles]
 
-        if CONF.admin_role.strip().lower() in ctxt.roles:
-            ctxt.is_admin = True
-
         return ctxt
 
 
diff --git a/glance/tests/functional/__init__.py b/glance/tests/functional/__init__.py
@@ -745,7 +745,6 @@ def __init__(self, test_dir, policy_file, daemon=False, **kwargs):
         self.policy_default_rule = 'default'
 
         self.send_identity_headers = False
-        self.admin_role = 'admin'
 
         self.conf_base = """[DEFAULT]
 debug = %(debug)s
diff --git a/glance/tests/unit/test_context_middleware.py b/glance/tests/unit/test_context_middleware.py
@@ -56,36 +56,23 @@ def test_is_admin_flag(self):
         self._build_middleware().process_request(req)
         self.assertFalse(req.context.is_admin)
 
-        # if we change the admin_role attribute, we should be able to use it
-        req = self._build_request()
-        self.config(admin_role='role1')
-        self._build_middleware().process_request(req)
-        self.assertTrue(req.context.is_admin)
+        # the admin_role config option was removed in Wallaby
+        from oslo_config.cfg import NoSuchOptError
+        self.assertRaises(NoSuchOptError,
+                          self.config,
+                          admin_role='role1')
 
     def test_roles_case_insensitive(self):
         # accept role from request
         req = self._build_request(roles=['Admin', 'role2'])
         self._build_middleware().process_request(req)
         self.assertTrue(req.context.is_admin)
 
-        # accept role from config
-        req = self._build_request(roles=['role1'])
-        self.config(admin_role='rOLe1')
-        self._build_middleware().process_request(req)
-        self.assertTrue(req.context.is_admin)
-
     def test_roles_stripping(self):
         # stripping extra spaces in request
         req = self._build_request(roles=['\trole1'])
-        self.config(admin_role='role1')
         self._build_middleware().process_request(req)
-        self.assertTrue(req.context.is_admin)
-
-        # stripping extra spaces in config
-        req = self._build_request(roles=['\trole1\n'])
-        self.config(admin_role=' role1\t')
-        self._build_middleware().process_request(req)
-        self.assertTrue(req.context.is_admin)
+        self.assertIn('role1', req.context.roles)
 
     def test_anonymous_access_enabled(self):
         req = self._build_request(identity_status='Nope')
diff --git a/releasenotes/notes/remove-admin_role-f508754e98331fc4.yaml b/releasenotes/notes/remove-admin_role-f508754e98331fc4.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    The Glance API configuration option ``admin_role``, having been deprecated
+    in the Ussuri release, is now removed.  If present in a configuration file,
+    it will be silently ignored.
