Default to PKIZ tokens
Changes the default token format to PKIZ from PKI. Blueprint: compress-tokens DocImpact Changes the default Token Provider to PKIZ If only token_format=UUID is set, Keystone will not start with a warning about provider mismatch Change-Id: Idf14ab6c6dd3a3cab42c35771416d9096ea4d900
parent
d9193cecc6
commit
21bf6c7fda
@ -726,31 +726,9 @@ class TestTokenProvider(tests.TestCase):
|
|||||||
self.token_provider_api.get_token_version,
|
self.token_provider_api.get_token_version,
|
||||||
'bogus')
|
'bogus')
|
||||||
|
|
||||||
def test_token_format_provider_mismatch(self):
|
|
||||||
self.config_fixture.config(group='signing', token_format='UUID')
|
|
||||||
self.config_fixture.config(group='token',
|
|
||||||
provider=token.provider.PKI_PROVIDER)
|
|
||||||
self.assertRaises(exception.UnexpectedError, token.provider.Manager)
|
|
||||||
|
|
||||||
self.config_fixture.config(group='signing', token_format='PKI')
|
|
||||||
self.config_fixture.config(group='token',
|
|
||||||
provider=token.provider.UUID_PROVIDER)
|
|
||||||
self.assertRaises(exception.UnexpectedError, token.provider.Manager)
|
|
||||||
|
|
||||||
# should be OK as token_format and provider aligns
|
|
||||||
self.config_fixture.config(group='signing', token_format='PKI')
|
|
||||||
self.config_fixture.config(group='token',
|
|
||||||
provider=token.provider.PKI_PROVIDER)
|
|
||||||
token.provider.Manager()
|
|
||||||
|
|
||||||
self.config_fixture.config(group='signing', token_format='UUID')
|
|
||||||
self.config_fixture.config(group='token',
|
|
||||||
provider=token.provider.UUID_PROVIDER)
|
|
||||||
token.provider.Manager()
|
|
||||||
|
|
||||||
def test_default_token_format(self):
|
def test_default_token_format(self):
|
||||||
self.assertEqual(token.provider.Manager.get_token_provider(),
|
self.assertEqual(token.provider.Manager.get_token_provider(),
|
||||||
token.provider.PKI_PROVIDER)
|
token.provider.PKIZ_PROVIDER)
|
||||||
|
|
||||||
def test_uuid_token_format_and_no_provider(self):
|
def test_uuid_token_format_and_no_provider(self):
|
||||||
self.config_fixture.config(group='signing', token_format='UUID')
|
self.config_fixture.config(group='signing', token_format='UUID')
|
||||||
@ -766,6 +744,10 @@ class TestTokenProvider(tests.TestCase):
|
|||||||
provider=token.provider.PKI_PROVIDER)
|
provider=token.provider.PKI_PROVIDER)
|
||||||
token.provider.Manager()
|
token.provider.Manager()
|
||||||
|
|
||||||
|
self.config_fixture.config(group='token',
|
||||||
|
provider=token.provider.PKIZ_PROVIDER)
|
||||||
|
token.provider.Manager()
|
||||||
|
|
||||||
def test_unsupported_token_format(self):
|
def test_unsupported_token_format(self):
|
||||||
self.config_fixture.config(group='signing', token_format='CUSTOM')
|
self.config_fixture.config(group='signing', token_format='CUSTOM')
|
||||||
self.assertRaises(exception.UnexpectedError,
|
self.assertRaises(exception.UnexpectedError,
|
||||||
@ -799,8 +781,8 @@ class TestTokenProvider(tests.TestCase):
|
|||||||
self.config_fixture.config(group='signing', token_format='CUSTOM')
|
self.config_fixture.config(group='signing', token_format='CUSTOM')
|
||||||
self.config_fixture.config(group='token',
|
self.config_fixture.config(group='token',
|
||||||
provider='my.package.MyProvider')
|
provider='my.package.MyProvider')
|
||||||
self.assertEqual(token.provider.Manager.get_token_provider(),
|
self.assertRaises(exception.UnexpectedError,
|
||||||
'my.package.MyProvider')
|
token.provider.Manager.get_token_provider)
|
||||||
|
|
||||||
def test_provider_token_expiration_validation(self):
|
def test_provider_token_expiration_validation(self):
|
||||||
self.assertRaises(exception.TokenNotFound,
|
self.assertRaises(exception.TokenNotFound,
|
||||||
@ -836,10 +818,11 @@ class TestTokenProviderOAuth1(tests.TestCase):
|
|||||||
self.user_foo['id'], ['oauth1'])
|
self.user_foo['id'], ['oauth1'])
|
||||||
|
|
||||||
|
|
||||||
class TestPKIProvider(object):
|
# NOTE(ayoung): renamed to avoid automatic test detection
|
||||||
|
class PKIProviderTests(object):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(TestPKIProvider, self).setUp()
|
super(PKIProviderTests, self).setUp()
|
||||||
|
|
||||||
from keystoneclient.common import cms
|
from keystoneclient.common import cms
|
||||||
self.cms = cms
|
self.cms = cms
|
||||||
@ -870,7 +853,7 @@ class TestPKIProvider(object):
|
|||||||
token_data)
|
token_data)
|
||||||
|
|
||||||
|
|
||||||
class TestPKIProviderWithEventlet(TestPKIProvider, tests.TestCase):
|
class TestPKIProviderWithEventlet(PKIProviderTests, tests.TestCase):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
# force keystoneclient.common.cms to use eventlet's subprocess
|
# force keystoneclient.common.cms to use eventlet's subprocess
|
||||||
@ -880,7 +863,7 @@ class TestPKIProviderWithEventlet(TestPKIProvider, tests.TestCase):
|
|||||||
super(TestPKIProviderWithEventlet, self).setUp()
|
super(TestPKIProviderWithEventlet, self).setUp()
|
||||||
|
|
||||||
|
|
||||||
class TestPKIProviderWithStdlib(TestPKIProvider, tests.TestCase):
|
class TestPKIProviderWithStdlib(PKIProviderTests, tests.TestCase):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
# force keystoneclient.common.cms to use the stdlib subprocess
|
# force keystoneclient.common.cms to use the stdlib subprocess
|
||||||
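Review bot: With test_token_format_provider_mismatch deleted in the first hunk, none of the visible tests pins what get_token_provider() returns when the deprecated [signing] token_format and an explicit [token] provider disagree. In the new implementation the deprecated option appears to win, so an operator's explicit provider choice (signed PKI/PKIZ versus UUID) can be overridden with no test documenting it. A test that sets token_format='UUID' together with provider=PKI_PROVIDER and asserts the returned provider would make that precedence deliberate, and a matching case for token_format='PKIZ' would cover the new mapping entry. The hunks show only parts of TestTokenProvider, so such a test may already exist outside them.

```python
    def test_token_format_takes_precedence_over_provider(self):
        # pins the precedence: the deprecated token_format wins
        self.config_fixture.config(group='signing', token_format='UUID')
        self.config_fixture.config(group='token',
                                   provider=token.provider.PKI_PROVIDER)
        self.assertEqual(token.provider.Manager.get_token_provider(),
                         token.provider.UUID_PROVIDER)
```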
|
@ -43,8 +43,16 @@ VERSIONS = frozenset([V2, V3])
|
|||||||
|
|
||||||
# default token providers
|
# default token providers
|
||||||
PKI_PROVIDER = 'keystone.token.providers.pki.Provider'
|
PKI_PROVIDER = 'keystone.token.providers.pki.Provider'
|
||||||
|
PKIZ_PROVIDER = 'keystone.token.providers.pkiz.Provider'
|
||||||
UUID_PROVIDER = 'keystone.token.providers.uuid.Provider'
|
UUID_PROVIDER = 'keystone.token.providers.uuid.Provider'
|
||||||
|
|
||||||
|
_FORMAT_TO_PROVIDER = {
|
||||||
|
'PKI': PKI_PROVIDER,
|
||||||
|
# should not support new options, but PKIZ keeps the option consistent
|
||||||
|
'PKIZ': PKIZ_PROVIDER,
|
||||||
|
'UUID': UUID_PROVIDER
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
class UnsupportedTokenVersionException(Exception):
|
class UnsupportedTokenVersionException(Exception):
|
||||||
"""Token version is unrecognizable or unsupported."""
|
"""Token version is unrecognizable or unsupported."""
|
||||||
@ -75,36 +83,24 @@ class Manager(manager.Manager):
|
|||||||
``provider`` instead.
|
``provider`` instead.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
if CONF.token.provider is not None:
|
|
||||||
# NOTE(gyee): we are deprecating CONF.signing.token_format. This
|
|
||||||
# code is to ensure the token provider configuration agrees with
|
|
||||||
# CONF.signing.token_format.
|
|
||||||
if (CONF.signing.token_format and
|
|
||||||
((CONF.token.provider == PKI_PROVIDER and
|
|
||||||
CONF.signing.token_format != 'PKI') or
|
|
||||||
(CONF.token.provider == UUID_PROVIDER and
|
|
||||||
CONF.signing.token_format != 'UUID'))):
|
|
||||||
raise exception.UnexpectedError(
|
|
||||||
_('keystone.conf [signing] token_format (deprecated) '
|
|
||||||
'conflicts with keystone.conf [token] provider'))
|
|
||||||
return CONF.token.provider
|
|
||||||
else:
|
|
||||||
if not CONF.signing.token_format:
|
|
||||||
# No token provider and no format, so use default (PKI)
|
|
||||||
return PKI_PROVIDER
|
|
||||||
|
|
||||||
msg = _('keystone.conf [signing] token_format is deprecated in '
|
if CONF.signing.token_format:
|
||||||
'favor of keystone.conf [token] provider')
|
LOG.warn(_('[signing] token_format is deprecated. '
|
||||||
if CONF.signing.token_format == 'PKI':
|
'Please change to setting the [token] provider '
|
||||||
LOG.warning(msg)
|
'configuration value instead'))
|
||||||
return PKI_PROVIDER
|
try:
|
||||||
elif CONF.signing.token_format == 'UUID':
|
|
||||||
LOG.warning(msg)
|
mapped = _FORMAT_TO_PROVIDER[CONF.signing.token_format]
|
||||||
return UUID_PROVIDER
|
except KeyError:
|
||||||
else:
|
|
||||||
raise exception.UnexpectedError(
|
raise exception.UnexpectedError(
|
||||||
_('Unrecognized keystone.conf [signing] token_format: '
|
_('Unrecognized keystone.conf [signing] token_format: '
|
||||||
'expected either \'UUID\' or \'PKI\''))
|
'expected either \'UUID\' or \'PKI\''))
|
||||||
|
return mapped
|
||||||
|
|
||||||
|
if CONF.token.provider is None:
|
||||||
|
return PKIZ_PROVIDER
|
||||||
|
else:
|
||||||
|
return CONF.token.provider
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
super(Manager, self).__init__(self.get_token_provider())
|
super(Manager, self).__init__(self.get_token_provider())
|
||||||
|
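Review bot: In the rewritten body of get_token_provider(), a set [signing] token_format is returned before [token] provider is read, so a leftover deprecated option silently replaces an explicitly configured provider, and the deprecation warning names neither value. Because the provider decides whether tokens are signed PKI/PKIZ or UUID, the log should make the effective choice visible, for example by warning when `CONF.token.provider not in (None, mapped)` and including both settings in the message. The `except KeyError` message still reads `expected either 'UUID' or 'PKI'` although `'PKIZ'` is now a key of `_FORMAT_TO_PROVIDER`. The new code also calls `LOG.warn` where the removed code used `LOG.warning`. The method's signature and the start of its docstring are outside the hunk.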