Merge "Deprecate scheduler trusted filter"

4 files changed, 40 insertions, 8 deletions

diff --git a/doc/source/filter_scheduler.rst b/doc/source/filter_scheduler.rst
index 48a505cf5f..ab45341ad9 100644
--- a/doc/source/filter_scheduler.rst
+++ b/doc/source/filter_scheduler.rst
@@ -154,8 +154,14 @@ There are many standard filter classes which may be used
   a set of instances.
 * |RetryFilter| - filters hosts that have been attempted for scheduling.
   Only passes hosts that have not been previously attempted.
-* |TrustedFilter| (EXPERIMENTAL) - filters hosts based on their trust.  Only passes hosts
-  that meet the trust requirements specified in the instance properties.
+* |TrustedFilter| (EXPERIMENTAL) - filters hosts based on their trust.  Only
+  passes hosts that meet the trust requirements specified in the instance
+  properties.
+
+  .. warning:: TrustedFilter is deprecated for removal in the 17.0.0 Queens
+     release. There is no replacement planned for this filter. It has been
+     marked experimental since its inception. It is incomplete and not tested.
+
 * |TypeAffinityFilter| - Only passes hosts that are not already running an
   instance of the requested type.
 * |AggregateTypeAffinityFilter| - limits instance_type by aggregate.
diff --git a/nova/conf/scheduler.py b/nova/conf/scheduler.py
index 7aa2cf0d28..1bce7b6e76 100644
--- a/nova/conf/scheduler.py
+++ b/nova/conf/scheduler.py
@@ -589,6 +589,9 @@ Configuration options for enabling Trusted Platform Module.
 
 trusted_opts = [
     cfg.HostAddressOpt("attestation_server",
+                       deprecated_for_removal=True,
+                       deprecated_reason="Incomplete filter",
+                       deprecated_since="Pike",
                        help="""
 The host to use as the attestation server.
 
@@ -617,6 +620,9 @@ Related options:
 * attestation_insecure_ssl
 """),
     cfg.StrOpt("attestation_server_ca_file",
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             help="""
 The absolute path to the certificate to use for authentication when connecting
 to the attestation server. See the `attestation_server` help text for more
@@ -642,6 +648,9 @@ Related options:
 """),
     cfg.PortOpt("attestation_port",
             default=8443,
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             help="""
 The port to use when connecting to the attestation server. See the
 `attestation_server` help text for more information about host verification.
@@ -661,6 +670,9 @@ Related options:
 """),
     cfg.StrOpt("attestation_api_url",
             default="/OpenAttestationWebServices/V1.0",
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             help="""
 The URL on the attestation server to use. See the `attestation_server` help
 text for more information about host verification.
@@ -687,6 +699,9 @@ Related options:
 """),
     cfg.StrOpt("attestation_auth_blob",
             secret=True,
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             help="""
 Attestation servers require a specific blob that is used to authenticate. The
 content and format of the blob are determined by the particular attestation
@@ -714,6 +729,9 @@ Related options:
 """),
     cfg.IntOpt("attestation_auth_timeout",
             default=60,
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             min=0,
             help="""
 This value controls how long a successful attestation is cached. Once this
@@ -741,6 +759,9 @@ Related options:
 """),
     cfg.BoolOpt("attestation_insecure_ssl",
             default=False,
+            deprecated_for_removal=True,
+            deprecated_reason="Incomplete filter",
+            deprecated_since="Pike",
             help="""
 When set to True, the SSL certificate verification is skipped for the
 attestation service. See the `attestation_server` help text for more
diff --git a/nova/scheduler/filters/trusted_filter.py b/nova/scheduler/filters/trusted_filter.py
index c54487ad4e..059b6d8030 100644
--- a/nova/scheduler/filters/trusted_filter.py
+++ b/nova/scheduler/filters/trusted_filter.py
@@ -44,6 +44,7 @@ the Open Attestation project at:
 """
 
 from oslo_log import log as logging
+from oslo_log import versionutils
 from oslo_serialization import jsonutils
 from oslo_utils import timeutils
 import requests
@@ -231,12 +232,10 @@ class TrustedFilter(filters.BaseHostFilter):
 
     def __init__(self):
         self.compute_attestation = ComputeAttestation()
-        LOG.warning(_LW('The TrustedFilter is considered experimental '
-                        'by the OpenStack project because it receives much '
-                        'less testing than the rest of Nova. This may change '
-                        'in the future, but current deployers should be aware '
-                        'that the use of it in production right now may be '
-                        'risky.'))
+        msg = _LW('The TrustedFilter is deprecated as it has been marked '
+                  'experimental for some time with no tests. It will be '
+                  'removed in the 17.0.0 Queens release.')
+        versionutils.report_deprecated_feature(LOG, msg)
 
     # The hosts the instances are running on doesn't change within a request
     run_filter_once_per_request = True
diff --git a/releasenotes/notes/deprecate_trustedfilter-d733a4b482967b00.yaml b/releasenotes/notes/deprecate_trustedfilter-d733a4b482967b00.yaml
new file mode 100644
index 0000000000..91455cd81e
--- /dev/null
+++ b/releasenotes/notes/deprecate_trustedfilter-d733a4b482967b00.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    The ``TrustedFilter`` scheduler filter has been experimental since its existence on
+    May 18, 2012. Due to the lack of tests and activity with it, it's now
+    deprecated and set for removal in the 17.0.0 Queens release.