Merge "Re-enable and undeprecate admin_token_auth"

etc/keystone-paste.ini

@@ -54,17 +54,17 @@ use = egg:keystone#admin_service
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
+pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service
 
 [pipeline:admin_api]
 # The last item in this pipeline must be admin_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
+pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension admin_service
 
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
+pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3
 
 [app:public_version_service]
 use = egg:keystone#public_version_service

keystone/middleware/core.py

@@ -14,12 +14,11 @@
 
 from oslo_config import cfg
 from oslo_log import log
-from oslo_log import versionutils
 from oslo_serialization import jsonutils
 
 from keystone.common import wsgi
 from keystone import exception
-from keystone.i18n import _
+from keystone.i18n import _LW
 
 
 CONF = cfg.CONF
@@ -61,13 +60,11 @@ class AdminTokenAuthMiddleware(wsgi.Middleware):
 
     def __init__(self, application):
         super(AdminTokenAuthMiddleware, self).__init__(application)
-        msg = _("Remove admin_token_auth from the paste-ini file, the "
-                "admin_token_auth middleware has been deprecated in favor of "
-                "using keystone-manage bootstrap and real users after "
-                "bootstrap process. Update the [pipeline:api_v3], "
-                "[pipeline:admin_api], and [pipeline:public_api] sections "
-                "accordingly, as it will be removed in the O release.")
-        versionutils.report_deprecated_feature(LOG, msg)
+        LOG.warning(_LW("The admin_token_auth middleware presents a security "
+                        "risk and should be removed from the "
+                        "[pipeline:api_v3], [pipeline:admin_api], and "
+                        "[pipeline:public_api] sections of your paste ini "
+                        "file."))
 
     def process_request(self, request):
         token = request.headers.get(AUTH_TOKEN_HEADER)

releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml

@@ -1,12 +1,4 @@
 ---
-upgrade:
-  - >
-    The ``keystone-paste.ini`` file must be updated to remove middleware filters
-    and their use in ``[pipeline:api_v3]``, ``[pipeline:public_api]``,
-    and ``[pipeline:admin_api]``. Remove ``[filter:admin_token_auth]``. See the
-    sample `keystone-paste.ini
-    <https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_
-    file for guidance.
 deprecations:
   - >
     [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
@@ -32,8 +24,3 @@ deprecations:
     As of the Mitaka release, the simple_cert_extension is deprecated since it
     is only used in support of the PKI and PKIz token formats.  It will be
     removed in the 'O' release.
-  - >
-    [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
-    As of the Mitaka release, the use of ``admin_token_auth`` is deprecated in favor
-    of using the ``keystone-manage bootstrap`` CLI. It will be removed in the
-    'O' release.