authorJenkins <jenkins@review.openstack.org>2017-08-16 21:35:38 +0000
committerGerrit Code Review <review@openstack.org>2017-08-16 21:35:38 +0000
commit15811bf2c8430bc69993e7450746ec7fc2d1eb67 (patch)
treed235b7d0a6c1b858bc6b66402758199982d301eb
parent66a1047e8c9b58a1d52f8f4417ca5d4c74a4997f (diff)
parent05c535c0bc1dbabd651f8369c9e2a09365b9a248 (diff)
downloadkeystone-15811bf2c8430bc69993e7450746ec7fc2d1eb67.tar.gz
Merge "Resource backend is SQL only now" into stable/pike
-rw-r--r--keystone/conf/resource.py8
-rw-r--r--keystone/resource/backends/sql.py2
-rw-r--r--keystone/resource/core.py9
-rw-r--r--keystone/tests/unit/test_backend_ldap.py18
-rw-r--r--releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml12
-rw-r--r--setup.cfg3
6 files changed, 35 insertions, 17 deletions
diff --git a/keystone/conf/resource.py b/keystone/conf/resource.py
index afed1c3b5..14482cd0f 100644
--- a/keystone/conf/resource.py
+++ b/keystone/conf/resource.py
@@ -11,6 +11,7 @@
# under the License.
from oslo_config import cfg
+from oslo_log import versionutils
from keystone.conf import utils
@@ -18,6 +19,13 @@ from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
+ deprecated_for_removal=True,
+ deprecated_reason='Non-SQL resource cannot be used with SQL Identity and '
+ 'has been unable to be used since Ocata. SQL Resource '
+ 'backend is a requirement as of Pike. Setting this '
+ 'option no longer has an effect on how Keystone '
+ 'operates.',
+ deprecated_since=versionutils.deprecated.PIKE,
help=utils.fmt("""
Entry point for the resource driver in the `keystone.resource` namespace. Only
a `sql` driver is supplied by keystone. Unless you are writing proprietary
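Review bot: The `help` text below the new deprecation arguments still presents `driver` as the entry point that selects the resource driver, which contradicts the added `deprecated_reason` saying the option no longer has any effect. Operators reading the generated sample configuration will see both statements side by side. The help string continues outside this hunk, so its full wording is not visible, but its opening should say something like `This option is ignored; the resource backend is always SQL.` so nobody tries to plug in a driver that will never be loaded.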
diff --git a/keystone/resource/backends/sql.py b/keystone/resource/backends/sql.py
index f2da7d196..e0bd08aa1 100644
--- a/keystone/resource/backends/sql.py
+++ b/keystone/resource/backends/sql.py
@@ -22,6 +22,8 @@ LOG = log.getLogger(__name__)
class Resource(base.ResourceDriverBase):
+ # TODO(morgan): Merge all of this code into the manager, Resource backend
+ # is only SQL. There is no configurable driver.
def default_assignment_driver(self):
return 'sql'
diff --git a/keystone/resource/core.py b/keystone/resource/core.py
index 1f7423eae..0e9c209c1 100644
--- a/keystone/resource/core.py
+++ b/keystone/resource/core.py
@@ -27,6 +27,7 @@ from keystone import exception
from keystone.i18n import _
from keystone import notifications
from keystone.resource.backends import base
+from keystone.resource.backends import sql as resource_sql
from keystone.token import provider as token_provider
CONF = keystone.conf.CONF
@@ -51,8 +52,12 @@ class Manager(manager.Manager):
_PROJECT = 'project'
def __init__(self):
- resource_driver = CONF.resource.driver
- super(Manager, self).__init__(resource_driver)
+ # NOTE(morgan): The resource driver must be SQL. This is because there
+ # is a FK between identity and resource. Almost every deployment uses
+ # SQL Identity in some form. Even if SQL Identity is not used, there
+ # is almost no reason to have non-SQL Resource. Keystone requires
+ # SQL in a number of ways, this simply codifies it plainly for resource
+ self.driver = resource_sql.Resource()
def _get_hierarchy_depth(self, parents_list):
return len(parents_list) + 1
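Review bot: The rewritten `Manager.__init__` no longer calls `super(Manager, self).__init__(...)`, so any setup the base `manager.Manager` constructor does besides loading the driver is skipped. The base class is not visible on this page, so that should be confirmed and stated in the NOTE comment. The value of `CONF.resource.driver` is also ignored from here on, so a deployment that pointed it at an out-of-tree driver (for example one adding audit or policy hooks) is silently moved to the SQL backend with at most a generic option-deprecation notice. I would log an explicit warning when the configured value is not `sql`, along the lines of `if CONF.resource.driver != 'sql': LOG.warning('[resource] driver is ignored; the SQL resource backend is always used')`, assuming a module logger is in scope. The class body continues outside the hunk.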
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index ddf8852a5..0d492908b 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -1045,8 +1045,7 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
def assert_backends(self):
_assert_backends(self,
assignment='sql',
- identity='ldap',
- resource='sql')
+ identity='ldap')
def test_list_domains(self):
domains = self.resource_api.list_domains()
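Review bot: Dropping `resource='sql'` from the `_assert_backends` calls here, and in the five later hunks of this file, removes the only visible assertion about the resource backend without putting one in its place. Since the manager now hardcodes the SQL driver, a small test that overrides `[resource] driver` with a non-`sql` value and asserts `isinstance(self.resource_api.driver, resource_sql.Resource)` would pin the new behaviour. `_assert_backends` is defined outside these hunks, so whether it still accepts a `resource` keyword cannot be checked from this page.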
@@ -1756,8 +1755,7 @@ class LDAPLimitTests(unit.TestCase, identity_tests.LimitTests):
identity_tests.LimitTests.setUp(self)
_assert_backends(self,
assignment='sql',
- identity='ldap',
- resource='sql')
+ identity='ldap')
def config_overrides(self):
super(LDAPLimitTests, self).config_overrides()
@@ -2210,8 +2208,7 @@ class MultiLDAPandSQLIdentity(BaseLDAPIdentity, unit.SQLDriverOverrides,
self.domain_default['id']: 'ldap',
self.domains['domain1']['id']: 'ldap',
self.domains['domain2']['id']: 'ldap',
- },
- resource='sql')
+ })
def config_overrides(self):
super(MultiLDAPandSQLIdentity, self).config_overrides()
@@ -2532,8 +2529,7 @@ class MultiLDAPandSQLIdentityDomainConfigsInSQL(MultiLDAPandSQLIdentity):
self.domain_default['id']: 'ldap',
self.domains['domain1']['id']: 'ldap',
self.domains['domain2']['id']: 'ldap',
- },
- resource='sql')
+ })
def enable_multi_domain(self):
# The values below are the same as in the domain_configs_multi_ldap
@@ -2758,8 +2754,7 @@ class DomainSpecificLDAPandSQLIdentity(
None: 'ldap',
'default': 'ldap',
self.domains['domain1']['id']: 'sql',
- },
- resource='sql')
+ })
def config_overrides(self):
super(DomainSpecificLDAPandSQLIdentity, self).config_overrides()
@@ -2927,8 +2922,7 @@ class DomainSpecificSQLIdentity(DomainSpecificLDAPandSQLIdentity):
def assert_backends(self):
_assert_backends(self,
assignment='sql',
- identity='ldap',
- resource='sql')
+ identity='ldap')
def config_overrides(self):
super(DomainSpecificSQLIdentity, self).config_overrides()
diff --git a/releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml b/releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml
new file mode 100644
index 000000000..a053e0a26
--- /dev/null
+++ b/releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The resource backend cannot be configured to anything but SQL if the SQL
+ Identity backend is being used. The resource backend must now be SQL which
+ allows for the use of Foreign Keys to domains/projects wherever desired.
+ This makes managing project relationships and such much more straight
+ forward. The inability to configure non-SQL resource backends has been
+ in Keystone since at least Ocata. This is eliminating some complexity
+ and preventing the need for some really ugly back-port SQL migrations
+ in favor of a better model. Resource is highly relational and should be
+ SQL based.
diff --git a/setup.cfg b/setup.cfg
index 43bb67294..f03acd1fc 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -139,9 +139,6 @@ keystone.policy =
rules = keystone.policy.backends.rules:Policy
sql = keystone.policy.backends.sql:Policy
-keystone.resource =
- sql = keystone.resource.backends.sql:Resource
-
keystone.resource.domain_config =
sql = keystone.resource.config_backends.sql:DomainConfig