Stop handling cells v1 for console authentication

There were a lot of workarounds here to ensure we didn't switch to the
new model (vs. the old 'nova-consoleauth' service) if users were on
cells v1. These can go now, along with the old 'nova-consoleauth'
service (though that's a later, separate change).

Part of blueprint remove-cells-v1

Change-Id: I1b8f411b050d34e4e77e9a4f1e613135eb5f74b7
Signed-off-by: Stephen Finucane <[email protected]>

Author: stephenfin

nova/cmd/status.py

@@ -389,11 +389,9 @@ def _check_console_auths(self):
         telling the user to set [workarounds]enable_consoleauth = True if they
         are performing a rolling upgrade.
         """
-        # If we're using cells v1, we don't need to check if the workaround
-        # needs to be used because cells v1 always uses nova-consoleauth.
         # If the operator has already enabled the workaround, we don't need
         # to check anything.
-        if CONF.cells.enable or CONF.workarounds.enable_consoleauth:
+        if CONF.workarounds.enable_consoleauth:
             return upgradecheck.Result(upgradecheck.Code.SUCCESS)
 
         # We need to check cell0 for nova-consoleauth service records because

nova/compute/api.py

@@ -2031,10 +2031,7 @@ def _delete(self, context, instance, delete_type, cb, **instance_attrs):
             instance.progress = 0
             instance.save()
 
-            # NOTE(dtp): cells.enable = False means "use cells v2".
-            # Run everywhere except v1 compute cells.
-            if (not CONF.cells.enable and CONF.workarounds.enable_consoleauth
-               ) or self.cell_type == 'api':
+            if CONF.workarounds.enable_consoleauth:
                 # TODO(melwitt): Remove the conditions for running this line
                 # with cells v2, when consoleauth is no longer being used by
                 # cells v2, in Stein.
@@ -4551,7 +4548,7 @@ def live_migrate(self, context, instance, block_migration,
         # we convert to using the database. Remove the condition for running
         # this line with cells v2, when consoleauth is no longer being used by
         # cells v2, in Stein.
-        if CONF.cells.enable or CONF.workarounds.enable_consoleauth:
+        if CONF.workarounds.enable_consoleauth:
             self.consoleauth_rpcapi.delete_tokens_for_instance(
                 context, instance.uuid)
 

nova/compute/manager.py

@@ -6927,8 +6927,8 @@ def _consoles_enabled(self):
     def _clean_instance_console_tokens(self, ctxt, instance):
         """Clean console tokens stored for an instance."""
         # If the database backend isn't in use, don't bother trying to clean
-        # tokens. The database backend is not supported for cells v1.
-        if not CONF.cells.enable and self._consoles_enabled():
+        # tokens.
+        if self._consoles_enabled():
             objects.ConsoleAuthToken.\
                 clean_console_auths_for_instance(ctxt, instance.uuid)
 
@@ -8530,8 +8530,5 @@ def _cleanup_expired_console_auth_tokens(self, context):
         instance. After a time they expire. We periodically remove any expired
         tokens from the database.
         """
-        # If the database backend isn't in use, don't bother looking for
-        # expired tokens. The database backend is not supported for cells v1.
-        if not CONF.cells.enable:
-            objects.ConsoleAuthToken.\
-                clean_expired_console_auths_for_host(context, self.host)
+        objects.ConsoleAuthToken.clean_expired_console_auths_for_host(
+            context, self.host)

nova/conf/workarounds.py

@@ -181,12 +181,6 @@
 token TTL of one hour, the operator may disable the flag, one hour after
 deploying the new code during an upgrade.
 
-.. note:: Cells v1 was not converted to use the database backend for
-  console token authorizations. Cells v1 console token authorizations will
-  continue to be supported by the ``nova-consoleauth`` service and use of
-  the ``[workarounds]/enable_consoleauth`` option does not apply to
-  Cells v1 users.
-
 Related options:
 
 * ``[consoleauth]/token_ttl``

nova/console/websocketproxy.py

@@ -150,26 +150,19 @@ def _get_connect_info_database(self, ctxt, token):
     def _get_connect_info(self, ctxt, token):
         """Validate the token and get the connect info."""
         connect_info = None
-        # NOTE(PaulMurray) if we are using cells v1, we use the old consoleauth
-        # way of doing things. The database backend is not supported for cells
-        # v1.
-        if CONF.cells.enable:
+
+        # NOTE(melwitt): If consoleauth is enabled to aid in transitioning
+        # to the database backend, check it first before falling back to
+        # the database. Tokens that existed pre-database-backend will
+        # reside in the consoleauth service storage.
+        if CONF.workarounds.enable_consoleauth:
             connect_info = self._get_connect_info_consoleauth(ctxt, token)
-            if not connect_info:
-                raise exception.InvalidToken(token='***')
-        else:
-            # NOTE(melwitt): If consoleauth is enabled to aid in transitioning
-            # to the database backend, check it first before falling back to
-            # the database. Tokens that existed pre-database-backend will
-            # reside in the consoleauth service storage.
-            if CONF.workarounds.enable_consoleauth:
-                connect_info = self._get_connect_info_consoleauth(ctxt, token)
-            # If consoleauth is enabled to aid in transitioning to the database
-            # backend and we didn't find a token in the consoleauth service
-            # storage, check the database for a token because it's probably a
-            # post-database-backend token, which are stored in the database.
-            if not connect_info:
-                connect_info = self._get_connect_info_database(ctxt, token)
+        # If consoleauth is enabled to aid in transitioning to the database
+        # backend and we didn't find a token in the consoleauth service
+        # storage, check the database for a token because it's probably a
+        # post-database-backend token, which are stored in the database.
+        if not connect_info:
+            connect_info = self._get_connect_info_database(ctxt, token)
 
         return connect_info
 

nova/consoleauth/manager.py

@@ -23,7 +23,6 @@
 from oslo_serialization import jsonutils
 
 from nova import cache_utils
-from nova.cells import rpcapi as cells_rpcapi
 from nova.compute import rpcapi as compute_rpcapi
 import nova.conf
 from nova import context as nova_context
@@ -47,7 +46,6 @@ def __init__(self, scheduler_driver=None, *args, **kwargs):
         self._mc = None
         self._mc_instance = None
         self.compute_rpcapi = compute_rpcapi.ComputeAPI()
-        self.cells_rpcapi = cells_rpcapi.CellsAPI()
 
     @property
     def mc(self):
@@ -109,13 +107,6 @@ def _validate_token(self, context, token):
         if instance_uuid is None:
             return False
 
-        # NOTE(comstud): consoleauth was meant to run in API cells.  So,
-        # if cells is enabled, we must call down to the child cell for
-        # the instance.
-        if CONF.cells.enable:
-            return self.cells_rpcapi.validate_console_port(context,
-                    instance_uuid, token['port'], token['console_type'])
-
         mapping = objects.InstanceMapping.get_by_instance_uuid(context,
                                                                instance_uuid)
         with nova_context.target_cell(context, mapping.cell_mapping) as cctxt:

nova/tests/unit/cmd/test_status.py

@@ -662,14 +662,6 @@ def _create_service_in_cell(ctxt, cell, binary, is_deleted=False,
 
         return service
 
-    def test_check_cells_v1_enabled(self):
-        """This is a 'success' case since the console auths check is
-        ignored when running cells v1.
-        """
-        self.flags(enable=True, group='cells')
-        result = self.cmd._check_console_auths()
-        self.assertEqual(upgradecheck.Code.SUCCESS, result.code)
-
     def test_check_workaround_enabled(self):
         """This is a 'success' case since the console auths check is
         ignored when the workaround is already enabled.

nova/tests/unit/compute/test_compute.py

@@ -10178,7 +10178,7 @@ def test_vnc_console(self, enable_consoleauth, mock_auth, mock_get):
         mock_get.assert_called_once_with(
                 self.context, instance=fake_instance,
                 console_type=fake_console_type)
-        if enable_consoleauth or CONF.cells.enable:
+        if enable_consoleauth:
             mock_auth.assert_called_once_with(
                 self.context, 'fake_token', fake_console_type,
                 'fake_console_host', 'fake_console_port', 'fake_access_path',
@@ -10222,7 +10222,7 @@ def test_spice_console(self, enable_consoleauth, mock_spice, mock_auth):
         mock_spice.assert_called_once_with(self.context,
                                            instance=fake_instance,
                                            console_type=fake_console_type)
-        if enable_consoleauth or CONF.cells.enable:
+        if enable_consoleauth:
             mock_auth.assert_called_once_with(
                 self.context, 'fake_token', fake_console_type,
                 'fake_console_host', 'fake_console_port', 'fake_access_path',
@@ -10283,7 +10283,7 @@ def test_rdp_console(self, enable_consoleauth, mock_rdp, mock_auth):
         self.assertEqual(console, {'url': 'fake_console_url'})
         mock_rdp.assert_called_once_with(self.context, instance=fake_instance,
                                          console_type=fake_console_type)
-        if enable_consoleauth or CONF.cells.enable:
+        if enable_consoleauth:
             mock_auth.assert_called_once_with(
                 self.context, 'fake_token', fake_console_type,
                 'fake_console_host', 'fake_console_port', 'fake_access_path',
@@ -11416,7 +11416,7 @@ def do_test(record_action_start, get_by_instance_uuid,
                 disk_over_commit=True,
                 request_spec=fake_spec, async_=False)
 
-            if CONF.workarounds.enable_consoleauth or CONF.cells.enable:
+            if CONF.workarounds.enable_consoleauth:
                 delete_tokens_for_instance.assert_called_once_with(
                     self.context, instance.uuid)
             else:

nova/tests/unit/compute/test_compute_api.py

@@ -1202,8 +1202,7 @@ def _reset_task_state(context, instance, migration, src_host,
                 mock_terminate.assert_called_once_with(
                     self.context, inst, [], delete_type=delete_type)
 
-        if ((self.cell_type is None and CONF.workarounds.enable_consoleauth)
-                or self.cell_type == 'api'):
+        if CONF.workarounds.enable_consoleauth:
             mock_del_token.assert_called_once_with(self.context, instance_uuid)
         else:
             mock_del_token.assert_not_called()

nova/tests/unit/compute/test_compute_cells.py

@@ -19,6 +19,7 @@
 import functools
 import inspect
 
+import ddt
 import mock
 from oslo_utils.fixture import uuidsentinel as uuids
 from oslo_utils import timeutils
@@ -110,6 +111,7 @@ def deploy_stubs(stubs, api, original_instance=None):
     stubs.Set(api, '_cast_to_cells', cast)
 
 
+@ddt.ddt
 class CellsComputeAPITestCase(test_compute.ComputeAPITestCase):
     def setUp(self):
         self.flags(use_neutron=False)
@@ -520,6 +522,18 @@ def test_multi_instance_display_name(self):
         super(CellsComputeAPITestCase,
               self).test_multi_instance_display_name(cells_enabled=True)
 
+    @ddt.data(True, False)
+    def test_rdp_console(self, enabled_consoleauth):
+        self.skipTest("Removing cells v1")
+
+    @ddt.data(True, False)
+    def test_spice_console(self, enabled_consoleauth):
+        self.skipTest("Removing cells v1")
+
+    @ddt.data(True, False)
+    def test_vnc_console(self, enabled_consoleauth):
+        self.skipTest("Removing cells v1")
+
 
 class CellsShelveComputeAPITestCase(test_shelve.ShelveComputeAPITestCase):
     def setUp(self):

nova/tests/unit/compute/test_compute_mgr.py

@@ -4605,8 +4605,6 @@ def test_delete_scheduler_instance_info(self, mock_delete):
                 'clean_console_auths_for_instance')
     def test_clean_instance_console_tokens(self, g1, g2, g3, g4, g5,
                                            mock_clean):
-        # Make sure cells v1 is disabled
-        self.flags(enable=False, group='cells')
         # Enable one of each of the console types and disable the rest
         self.flags(enabled=True, group=g1)
         for g in [g2, g3, g4, g5]:
@@ -4625,30 +4623,12 @@ def test_clean_instance_console_tokens_no_consoles_enabled(self,
         self.compute._clean_instance_console_tokens(self.context, instance)
         mock_clean.assert_not_called()
 
-    @mock.patch('nova.objects.ConsoleAuthToken.'
-                'clean_console_auths_for_instance')
-    def test_clean_instance_console_tokens_cells_v1_enabled(self, mock_clean):
-        # Enable cells v1
-        self.flags(enable=True, group='cells')
-        self.flags(enabled=True, group='vnc')
-        instance = objects.Instance(uuid=uuids.instance)
-        self.compute._clean_instance_console_tokens(self.context, instance)
-        mock_clean.assert_not_called()
-
     @mock.patch('nova.objects.ConsoleAuthToken.'
                 'clean_expired_console_auths_for_host')
     def test_cleanup_expired_console_auth_tokens(self, mock_clean):
-        # Make sure cells v1 is disabled
-        self.flags(enable=False, group='cells')
         self.compute._cleanup_expired_console_auth_tokens(self.context)
         mock_clean.assert_called_once_with(self.context, self.compute.host)
 
-        # Enable cells v1
-        mock_clean.reset_mock()
-        self.flags(enable=True, group='cells')
-        self.compute._cleanup_expired_console_auth_tokens(self.context)
-        mock_clean.assert_not_called()
-
     @mock.patch.object(nova.context.RequestContext, 'elevated')
     @mock.patch.object(nova.objects.InstanceList, 'get_by_host')
     @mock.patch.object(nova.scheduler.client.query.SchedulerQueryClient,

nova/tests/unit/console/test_websocketproxy.py

@@ -197,26 +197,6 @@ def setUp(self):
         'Host': 'example.net:6080',
     }
 
-    @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
-    def test_new_websocket_client_with_server_with_cells(self, check_token):
-        # this test cells enabled, so consoleauth should be used
-        CONF.set_override('enable', True, group='cells')
-        check_token.return_value = {
-            'host': 'node1',
-            'port': '10000',
-            'console_type': 'novnc',
-            'access_url': 'https://example.net:6080'
-        }
-        self.wh.socket.return_value = '<socket>'
-        self.wh.path = "http://127.0.0.1/?token=123-456-789"
-        self.wh.headers = self.fake_header
-
-        self.wh.new_websocket_client()
-
-        check_token.assert_called_with(mock.ANY, token="123-456-789")
-        self.wh.socket.assert_called_with('node1', 10000, connect=True)
-        self.wh.do_proxy.assert_called_with('<socket>')
-
     @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
     def test_new_websocket_client_enable_consoleauth(self, check_token):
         self.flags(enable_consoleauth=True, group='workarounds')

nova/tests/unit/consoleauth/test_consoleauth.py

@@ -238,14 +238,3 @@ def test_delete_tokens_for_instance_encoding(self):
             mock_instance_get.assert_has_calls([mock.call(b'instance')])
             mock_instance_delete.assert_has_calls([mock.call(b'instance')])
             mock_delete_multi.assert_has_calls([mock.call([b'token'])])
-
-
-class CellsConsoleauthTestCase(ConsoleauthTestCase):
-    """Test Case for consoleauth w/ cells enabled."""
-
-    rpcapi = 'nova.cells.rpcapi.CellsAPI.'
-
-    def setUp(self):
-        super(CellsConsoleauthTestCase, self).setUp()
-        self.flags(enable=True, group='cells')
-        self.is_cells = True