authorMorgan Fainberg <morgan.fainberg@gmail.com>2017-08-14 10:40:39 -0700
committerMorgan Fainberg <morgan.fainberg@gmail.com>2017-08-14 19:00:37 +0000
commit05c535c0bc1dbabd651f8369c9e2a09365b9a248 (patch)
tree48e4dd62f805771125fda6fa24067352a60e83e2
parente45e77170329f8af0f4d479838bfc69fa9f19014 (diff)
Resource backend is SQL only now
This change has been implemented to avoid the need for significantly impactful backports that drop Foreign Keys. Resource is highly relational data and it makes sense to allow the use of FKs from other subsystems to project/domains. Change-Id: Ic3831d1c7ae41fe4d406d60a013770cc1258584f
-rw-r--r--keystone/conf/resource.py8
-rw-r--r--keystone/resource/backends/sql.py2
-rw-r--r--keystone/resource/core.py9
-rw-r--r--keystone/tests/unit/test_backend_ldap.py18
-rw-r--r--releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml12
-rw-r--r--setup.cfg3
6 files changed, 35 insertions, 17 deletions
diff --git a/keystone/conf/resource.py b/keystone/conf/resource.py
index afed1c3b5..14482cd0f 100644
--- a/keystone/conf/resource.py
+++ b/keystone/conf/resource.py
@@ -11,6 +11,7 @@
# under the License.
from oslo_config import cfg
+from oslo_log import versionutils
from keystone.conf import utils
@@ -18,6 +19,13 @@ from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
+ deprecated_for_removal=True,
+ deprecated_reason='Non-SQL resource cannot be used with SQL Identity and '
+ 'has been unable to be used since Ocata. SQL Resource '
+ 'backend is a requirement as of Pike. Setting this '
+ 'option no longer has an effect on how Keystone '
+ 'operates.',
+ deprecated_since=versionutils.deprecated.PIKE,
help=utils.fmt("""
Entry point for the resource driver in the `keystone.resource` namespace. Only
a `sql` driver is supplied by keystone. Unless you are writing proprietary
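Review bot: The help text kept as context at the end of this hunk still describes `driver` as an entry point in the `keystone.resource` namespace and starts to mention writing proprietary drivers, while this same commit deletes that namespace from setup.cfg and the new `deprecated_reason` says the option has no effect. Generated sample configs and documentation will carry both statements, so the help should say plainly that the value is ignored, for example `Deprecated: the resource backend is always SQL and this option is ignored.`. The help string continues past the end of the hunk, so the rest of its wording should be checked as well.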
diff --git a/keystone/resource/backends/sql.py b/keystone/resource/backends/sql.py
index f2da7d196..e0bd08aa1 100644
--- a/keystone/resource/backends/sql.py
+++ b/keystone/resource/backends/sql.py
@@ -22,6 +22,8 @@ LOG = log.getLogger(__name__)
class Resource(base.ResourceDriverBase):
+ # TODO(morgan): Merge all of this code into the manager, Resource backend
+ # is only SQL. There is no configurable driver.
def default_assignment_driver(self):
return 'sql'
diff --git a/keystone/resource/core.py b/keystone/resource/core.py
index 1f7423eae..0e9c209c1 100644
--- a/keystone/resource/core.py
+++ b/keystone/resource/core.py
@@ -27,6 +27,7 @@ from keystone import exception
from keystone.i18n import _
from keystone import notifications
from keystone.resource.backends import base
+from keystone.resource.backends import sql as resource_sql
from keystone.token import provider as token_provider
CONF = keystone.conf.CONF
@@ -51,8 +52,12 @@ class Manager(manager.Manager):
_PROJECT = 'project'
def __init__(self):
- resource_driver = CONF.resource.driver
- super(Manager, self).__init__(resource_driver)
+ # NOTE(morgan): The resource driver must be SQL. This is because there
+ # is a FK between identity and resource. Almost every deployment uses
+ # SQL Identity in some form. Even if SQL Identity is not used, there
+ # is almost no reason to have non-SQL Resource. Keystone requires
+ # SQL in a number of ways, this simply codifies it plainly for resource
+ self.driver = resource_sql.Resource()
def _get_hierarchy_depth(self, parents_list):
return len(parents_list) + 1
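Review bot: `Manager.__init__` now ignores `CONF.resource.driver` without any check, so a deployment that still sets it to an out-of-tree driver will start serving project and domain data from SQL with nothing said at startup; oslo.config's deprecation warning is, as far as I know, only emitted when the option is read, and this constructor no longer reads it. Because projects and domains define authorization scope, that switch should be loud: compare the configured value and warn (or refuse to start) when it is not `sql`, e.g. `if CONF.resource.driver != 'sql': LOG.warning('[resource] driver is ignored; the SQL resource backend is always used')`, assuming the module has a logger. The constructor also no longer calls `super(Manager, self).__init__`, so any setup the base manager does besides loading the driver is skipped; the base class is not visible here, so that needs confirming. The class body continues outside the hunk.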
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index ddf8852a5..0d492908b 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -1045,8 +1045,7 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
def assert_backends(self):
_assert_backends(self,
assignment='sql',
- identity='ldap',
- resource='sql')
+ identity='ldap')
def test_list_domains(self):
domains = self.resource_api.list_domains()
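Review bot: Dropping `resource='sql'` here removes the only assertion in this test class about which resource backend is in use, and no test in the commit replaces it. The same removal is repeated in the hunks for LDAPLimitTests, MultiLDAPandSQLIdentity, MultiLDAPandSQLIdentityDomainConfigsInSQL, DomainSpecificLDAPandSQLIdentity and DomainSpecificSQLIdentity. A small regression test that overrides `[resource] driver` with a non-sql value and asserts that the resource manager's driver is still the SQL `Resource` class would pin the new behaviour. `_assert_backends` is defined outside these hunks, so the reason the keyword had to go is inferred rather than visible.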
@@ -1756,8 +1755,7 @@ class LDAPLimitTests(unit.TestCase, identity_tests.LimitTests):
identity_tests.LimitTests.setUp(self)
_assert_backends(self,
assignment='sql',
- identity='ldap',
- resource='sql')
+ identity='ldap')
def config_overrides(self):
super(LDAPLimitTests, self).config_overrides()
@@ -2210,8 +2208,7 @@ class MultiLDAPandSQLIdentity(BaseLDAPIdentity, unit.SQLDriverOverrides,
self.domain_default['id']: 'ldap',
self.domains['domain1']['id']: 'ldap',
self.domains['domain2']['id']: 'ldap',
- },
- resource='sql')
+ })
def config_overrides(self):
super(MultiLDAPandSQLIdentity, self).config_overrides()
@@ -2532,8 +2529,7 @@ class MultiLDAPandSQLIdentityDomainConfigsInSQL(MultiLDAPandSQLIdentity):
self.domain_default['id']: 'ldap',
self.domains['domain1']['id']: 'ldap',
self.domains['domain2']['id']: 'ldap',
- },
- resource='sql')
+ })
def enable_multi_domain(self):
# The values below are the same as in the domain_configs_multi_ldap
@@ -2758,8 +2754,7 @@ class DomainSpecificLDAPandSQLIdentity(
None: 'ldap',
'default': 'ldap',
self.domains['domain1']['id']: 'sql',
- },
- resource='sql')
+ })
def config_overrides(self):
super(DomainSpecificLDAPandSQLIdentity, self).config_overrides()
@@ -2927,8 +2922,7 @@ class DomainSpecificSQLIdentity(DomainSpecificLDAPandSQLIdentity):
def assert_backends(self):
_assert_backends(self,
assignment='sql',
- identity='ldap',
- resource='sql')
+ identity='ldap')
def config_overrides(self):
super(DomainSpecificSQLIdentity, self).config_overrides()
diff --git a/releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml b/releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml
new file mode 100644
index 000000000..a053e0a26
--- /dev/null
+++ b/releasenotes/notes/resource-backend-sql-only-03154d8712b36bd0.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The resource backend cannot be configured to anything but SQL if the SQL
+ Identity backend is being used. The resource backend must now be SQL which
+ allows for the use of Foreign Keys to domains/projects wherever desired.
+ This makes managing project relationships and such much more straight
+ forward. The inability to configure non-SQL resource backends has been
+ in Keystone since at least Ocata. This is eliminating some complexity
+ and preventing the need for some really ugly back-port SQL migrations
+ in favor of a better model. Resource is highly relational and should be
+ SQL based.
diff --git a/setup.cfg b/setup.cfg
index 43bb67294..f03acd1fc 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -139,9 +139,6 @@ keystone.policy =
rules = keystone.policy.backends.rules:Policy
sql = keystone.policy.backends.sql:Policy
-keystone.resource =
- sql = keystone.resource.backends.sql:Resource
-
keystone.resource.domain_config =
sql = keystone.resource.config_backends.sql:DomainConfig