Deprecate admin_token option in auth_token

The admin_token option shouldn't be used with the auth_token
middleware. It's used to specify a token to be used to perform
operations on the identity server, so would typically be set
to the admin token. The admin token should only be used to
initially set up the Keystone server, and then the admin token
functionality should be disabled. If this recommended setup is
used then the auth_token middleware shouldn't be using the
admin token / auth_token.

In preparing for removal of the admin_token option, the option
is now deprecated. A warning will be logged if it's set.

DocImpact

Change-Id: I5bc4f4a6ad7984892151c8011ccd92f166aba4c2
Closes-Bug: #1306981
This commit is contained in:
Brant Knudson
2014-04-12 11:41:44 -05:00
parent 02572377fa
commit d6f9f2a860

@@ -240,9 +240,12 @@ opts = [
' communicating with Identity API Server.'),
cfg.StrOpt('admin_token',
secret=True,
help='Single shared secret with the Keystone configuration'
help='This option is deprecated and may be removed in a future'
' release. Single shared secret with the Keystone configuration'
' used for bootstrapping a Keystone installation, or otherwise'
' bypassing the normal authentication process.'),
' bypassing the normal authentication process. This option'
' should not be used, use `admin_user` and `admin_password`'
' instead.'),
cfg.StrOpt('admin_user',
help='Keystone account username'),
cfg.StrOpt('admin_password',
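Review bot: The deprecation of `admin_token` is carried only by the help string, and the replacement advice is split from it: the notice opens the text, the description of the shared secret follows, and "This option should not be used, use `admin_user` and `admin_password` instead." comes last (and is a comma splice). Consider putting the notice and the replacement together in the first sentence, for example "Deprecated: use `admin_user` and `admin_password` instead.", followed by the description. Because the help still describes the token as "bypassing the normal authentication process", it would also help operators to state that leaving the option unset is the expected configuration, which is what the commit message recommends.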
@@ -479,6 +482,12 @@ class AuthProtocol(object):
# Credentials used to verify this component with the Auth service since
# validating tokens is a privileged call
self.admin_token = self._conf_get('admin_token')
if self.admin_token:
self.LOG.warning(
"The admin_token option in the auth_token middleware is "
"deprecated and should not be used. The admin_user and "
"admin_password options should be used instead. The "
"admin_token option may be removed in a future release.")
self.admin_token_expiry = None
self.admin_user = self._conf_get('admin_user')
self.admin_password = self._conf_get('admin_password')
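Review bot: The `if self.admin_token:` branch only logs, so the token is still stored and available for use, and nothing in this hunk shows what happens when `admin_token` is set together with `admin_user` and `admin_password`. An operator who adds the credentials but forgets to remove the token cannot tell from the warning which one the middleware will actually use, so the message should state the precedence, or the case where both are set should be called out separately. No test for the new warning is visible in this change; a unit test asserting that it is logged when the option is set and not logged when it is unset would keep the deprecation from regressing before the option is removed.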