Keystone middleware deprecated option is_admin removed

onovy · Alistair Coles · commit 335d58611d0d · 2016-02-11T10:52:47.000Z
It has been deprecated from Swift 1.8.0 (Grizzly)

Change-Id: Id6bc10c3e84262c0a9e6160a76af03c0ad363e9c
diff --git a/doc/manpages/proxy-server.conf.5 b/doc/manpages/proxy-server.conf.5
@@ -330,11 +330,6 @@ This allows middleware higher in the WSGI pipeline to override auth
 processing, useful for middleware such as tempurl and formpost. If you know
 you're not going to use such middleware and you want a bit of extra security,
 you can set this to false.
-.IP \fBis_admin\fR
-[DEPRECATED] If is_admin is true, a user whose username is the same as the project name
-and who has any role on the project will have access rights elevated to be
-the same as if the user had an operator role. Note that the condition
-compares names rather than UUIDs. This option is deprecated.
 .IP \fBservice_roles\fR
 If the service_roles parameter is present, an X-Service-Token must be
 present in the request that when validated, grants at least one role listed
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
@@ -337,12 +337,6 @@ user_test5_tester5 = testing5 service
 # you can set this to false.
 # allow_overrides = true
 #
-# If is_admin is true, a user whose username is the same as the project name
-# and who has any role on the project will have access rights elevated to be
-# the same as if the user had an operator role. Note that the condition
-# compares names rather than UUIDs. This option is deprecated.
-# is_admin = false
-#
 # If the service_roles parameter is present, an X-Service-Token must be
 # present in the request that when validated, grants at least one role listed
 # in the parameter. The X-Service-Token may be scoped to any project.
diff --git a/swift/common/middleware/keystoneauth.py b/swift/common/middleware/keystoneauth.py
@@ -75,12 +75,6 @@ class KeystoneAuth(object):
     id.. For example, if the project id is ``1234``, the path is
     ``/v1/AUTH_1234``.
 
-    If the ``is_admin`` option is ``true``, a user whose username is the same
-    as the project name and who has any role on the project will have access
-    rights elevated to be the same as if the user had one of the
-    ``operator_roles``. Note that the condition compares names rather than
-    UUIDs. This option is deprecated. It is ``false`` by default.
-
     If you need to have a different reseller_prefix to be able to
     mix different auth servers you can configure the option
     ``reseller_prefix`` in your keystoneauth entry like this::
@@ -188,7 +182,11 @@ def __init__(self, app, conf):
         self.reseller_admin_role = conf.get('reseller_admin_role',
                                             'ResellerAdmin').lower()
         config_is_admin = conf.get('is_admin', "false").lower()
-        self.is_admin = swift_utils.config_true_value(config_is_admin)
+        if swift_utils.config_true_value(config_is_admin):
+            self.logger.warning("The 'is_admin' option for keystoneauth is no "
+                                "longer supported. Remove the 'is_admin' "
+                                "option from your keystoneauth config")
+
         config_overrides = conf.get('allow_overrides', 't').lower()
         self.allow_overrides = swift_utils.config_true_value(config_overrides)
         self.default_domain_id = conf.get('default_domain_id', 'default')
@@ -484,14 +482,6 @@ def authorize(self, env_identity, req):
             req.environ['swift_owner'] = True
             return
 
-        # If user is of the same name of the tenant then make owner of it.
-        if self.is_admin and user_name == tenant_name:
-            self.logger.warning("the is_admin feature has been deprecated "
-                                "and will be removed in the future "
-                                "update your config file")
-            req.environ['swift_owner'] = True
-            return
-
         if acl_authorized is not None:
             return self.denied_response(req)
 
diff --git a/test/unit/common/middleware/test_keystoneauth.py b/test/unit/common/middleware/test_keystoneauth.py
@@ -647,21 +647,16 @@ def test_authorize_succeeds_as_owner_for_insensitive_operator_role(self):
         req = self._check_authenticate(identity=identity)
         self.assertTrue(req.environ.get('swift_owner'))
 
-    def _check_authorize_for_tenant_owner_match(self, exception=None):
+    def test_authorize_fails_same_user_and_tenant(self):
+        # Historically the is_admin option allowed access when user_name
+        # matched tenant_name, but it is no longer supported. This test is a
+        # sanity check that the option no longer works.
+        self.test_auth.is_admin = True
         identity = self._get_identity(user_name='same_name',
                                       tenant_name='same_name')
-        req = self._check_authenticate(identity=identity, exception=exception)
-        expected = bool(exception is None)
-        self.assertEqual(bool(req.environ.get('swift_owner')), expected)
-
-    def test_authorize_succeeds_as_owner_for_tenant_owner_match(self):
-        self.test_auth.is_admin = True
-        self._check_authorize_for_tenant_owner_match()
-
-    def test_authorize_fails_as_owner_for_tenant_owner_match(self):
-        self.test_auth.is_admin = False
-        self._check_authorize_for_tenant_owner_match(
-            exception=HTTP_FORBIDDEN)
+        req = self._check_authenticate(identity=identity,
+                                       exception=HTTP_FORBIDDEN)
+        self.assertFalse(bool(req.environ.get('swift_owner')))
 
     def test_authorize_succeeds_for_container_sync(self):
         env = {'swift_sync_key': 'foo', 'REMOTE_ADDR': '127.0.0.1'}
