openstack/keystone
Code Issues Proposed changes

Remove support for generating ssl certs

Browse Source 
these config options and it's supporting command are only useful
when deploying keystone under eventlet, with that removed these
are redundant.

Change-Id: I7c602805bba2c658d3280811ed8919f78ed3aa0d
implements: bp removed-as-of-newton
This commit is contained in:
Steve Martinelli 2016-04-17 01:56:08 -04:00 committed by Samuel de Medeiros Queiroz
parent 23bb657369
commit 20b851b240
6 changed files with 5 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
doc/source/configuration.rst
View File

@ -87,7 +87,6 @@ The primary configuration file is organized into the following sections:
* ``[role]`` - Role system driver configuration
* ``[saml]`` - SAML configuration options
* ``[signing]`` - Cryptographic signatures for PKI based tokens
* ``[ssl]`` - SSL certificate generation configuration
* ``[token]`` - Token driver & token provider configuration
* ``[trust]`` - Trust configuration
@ -901,81 +900,8 @@ choosing the output levels and formats.
SSL
---
Keystone may be configured to support SSL and 2-way SSL out-of-the-box. The
X509 certificates used by Keystone can be generated by ``keystone-manage``
or obtained externally and configured for use with Keystone as described in
this section. Here is the description of each of them and their purpose:
.. WARNING::
The SSL configuration options available to the eventlet server
(``keystone-all``) described here are severely limited. A secure
deployment should have Keystone running in a web server (such as Apache
httpd), or behind an SSL terminator. When running Keystone in a web server
or behind an SSL terminator the options described in this section have no
effect and SSL is configured in the web server or SSL terminator.
Types of certificates
^^^^^^^^^^^^^^^^^^^^^
* ``cacert.pem``: Certificate Authority chain to validate against.
* ``ssl_cert.pem``: Public certificate for Keystone server.
* ``middleware.pem``: Public and private certificate for Keystone
middleware/client.
* ``cakey.pem``: Private key for the CA.
* ``ssl_key.pem``: Private key for the Keystone server.
Note that you may choose whatever names you want for these certificates, or
combine the public/private keys in the same file if you wish. These
certificates are just provided as an example.
Configuration
^^^^^^^^^^^^^
To enable SSL a deployment should configure a web server (such as Apache) to
use SSL. Keystone is able to generate SSL certificates by modifying the
``[ssl]`` section in the ``etc/keystone.conf`` file. The following is an SSL
configuration example using the included sample certificates:
.. code-block:: ini
[ssl]
ca_key = <path to cakey.pem>
key_size = 1024
valid_days=3650
cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
When generating SSL certificates the following values are read
* ``key_size``: Key size to create. Defaults to 1024.
* ``valid_days``: How long the certificate is valid for. Defaults to 3650
(10 years).
* ``ca_key``: The private key for the CA. Defaults to
``/etc/keystone/ssl/certs/cakey.pem``.
* ``cert_subject``: The subject to set in the certificate. Defaults to
``/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost``. When setting the subject it
is important to set CN to be the address of the server so client validation
will succeed. This generally means having the subject be at least
``/CN=<keystone ip>``
Generating SSL certificates
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Certificates for encrypted HTTP communication can be generated by:
.. code-block:: bash
$ keystone-manage ssl_setup
This will create a private key, a public key and a certificate that will be
used to encrypt communications with keystone. In the event that a Certificate
Authority is not given a testing one will be created.
It is likely in a production environment that these certificates will be
created and provided externally. Note that ``ssl_setup`` is a development tool
and is only recommended for developments environment. We do not recommend using
``ssl_setup`` for production environments.
A secure deployment should have Keystone running in a web server (such as
Apache httpd), or behind an SSL terminator.
User CRUD additions for the V2.0 API
------------------------------------
@ -1388,7 +1314,6 @@ through the normal REST API. At the moment, the following calls are supported:
* ``mapping_purge``: Purge the identity mapping table.
* ``pki_setup``: Initialize the certificates used to sign tokens.
* ``saml_idp_metadata``: Generate identity provider metadata.
* ``ssl_setup``: Generate certificates for SSL.
* ``token_flush``: Purge expired tokens
Invoking ``keystone-manage`` by itself will give you additional usage

1
doc/source/man/keystone-manage.rst
View File

@ -50,7 +50,6 @@ Available commands:
* ``mapping_engine``: Test your federation mapping rules.
* ``pki_setup``: Initialize the certificates used to sign tokens. **deprecated**
* ``saml_idp_metadata``: Generate identity provider metadata.
* ``ssl_setup``: Generate certificates for SSL.
* ``token_flush``: Purge expired tokens.
OPTIONS

20
keystone/cmd/cli.py
View File

@ -463,25 +463,6 @@ class PKISetup(BaseCertificateSetup):
conf_pki.run()
class SSLSetup(BaseCertificateSetup):
"""Create key pairs and certificates for HTTPS connections.
This is NOT intended for production use, see Keystone Configuration
documentation for details.
"""
name = 'ssl_setup'
@classmethod
def main(cls):
LOG.warning(_LW('keystone-manage ssl_setup is not recommended for '
'production use.'))
keystone_user_id, keystone_group_id = cls.get_user_group()
conf_ssl = openssl.ConfigureSSL(keystone_user_id, keystone_group_id,
rebuild=CONF.command.rebuild)
conf_ssl.run()
class FernetSetup(BasePermissionsSetup):
"""Setup a key repository for Fernet tokens.
@ -938,7 +919,6 @@ CMDS = [
MappingEngineTester,
PKISetup,
SamlIdentityProviderMetadata,
SSLSetup,
TokenFlush,
]

15
keystone/common/config.py
View File

@ -365,21 +365,6 @@ FILE_OPTIONS = {
deprecated_opts=[cfg.DeprecatedOpt(
'revocation_cache_time', group='token')]),
],
'ssl': [
cfg.StrOpt('ca_key',
default='/etc/keystone/ssl/private/cakey.pem',
help='Path of the CA key file for SSL.'),
cfg.IntOpt('key_size', default=1024, min=1024,
help='SSL key length (in bits) (auto generated '
'certificate).'),
cfg.IntOpt('valid_days', default=3650,
help='Days the certificate is valid for once signed '
'(auto generated certificate).'),
cfg.StrOpt('cert_subject',
default='/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
help='SSL certificate subject (auto generated '
'certificate).'),
],
'signing': [
cfg.StrOpt('certfile',
default=_CERTFILE,

12
keystone/common/openssl.py
View File

@ -253,18 +253,6 @@ class ConfigurePKI(BaseCertificateConfigure):
keystone_group, rebuild=rebuild)
class ConfigureSSL(BaseCertificateConfigure):
"""Generate files for HTTPS using OpenSSL.
Creates a public/private key and certificates. If a CA is not given
one will be generated using provided arguments.
"""
def __init__(self, keystone_user, keystone_group, rebuild=False):
super(ConfigureSSL, self).__init__(CONF.ssl, keystone_user,
keystone_group, rebuild=rebuild)
BaseCertificateConfigure.sslconfig = """
# OpenSSL configuration file.
#

3
releasenotes/notes/removed-as-of-newton-721c06b5dcb1b34a.yaml
View File

@ -13,3 +13,6 @@ other:
[`blueprint removed-as-of-newton <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-newton>`_]
Removed support for running keystone under eventlet. It is recommended to
run keystone in an HTTP server.
- >
[`blueprint removed-as-of-newton <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-newton>`_]
Removed support for generating SSL certificates.