Deprecate (and slate for removal) UUID tokens

Deprecate UUID token provider. With fernet tokens being made the default, the UUID tokens are much like PKI tokens, an aging relic of Keystone-Times-Past. Keystone is consolidating token issuance and validation to the most effective form. This also deprecates the following: * token-bind capabilities, as that is a feature that was at best partially implemented in UUID and PKI tokens, with explicit non-support in Fernet. * token-persistence driver and explicit token persistence code. Change-Id: I724169a49ce12d8dd514471c34ac2b752eb98c8a bp: deprecated-as-of-pike
2017-02-02 11:26:56 -08:00 · 2017-02-02 11:26:56 -08:00 · 5896d841df
commit 5896d841df
parent 9c474958b1
3 changed files with 26 additions and 0 deletions
--- a/keystone/conf/token.py
+++ b/keystone/conf/token.py
@ -13,6 +13,7 @@
 import sys

 from oslo_config import cfg
+from oslo_log import versionutils

 from keystone.conf import utils

@ -30,6 +31,8 @@ enforce_token_bind = cfg.StrOpt(
    'enforce_token_bind',
    default='permissive',
    choices=['disabled', 'permissive', 'strict', 'required'],
+    deprecated_since=versionutils.deprecated.PIKE,
+    deprecated_for_removal=True,
    help=utils.fmt("""
 This controls the token binding enforcement policy on tokens presented to
 keystone with token binding metadata (as specified by the `[token] bind`
@ -74,6 +77,8 @@ command).
 driver = cfg.StrOpt(
    'driver',
    default='sql',
+    deprecated_since=versionutils.deprecated.PIKE,
+    deprecated_for_removal=True,
    help=utils.fmt("""
 Entry point for the token persistence backend driver in the
 `keystone.token.persistence` namespace. Keystone provides the `sql`
--- a/keystone/token/providers/uuid.py
+++ b/keystone/token/providers/uuid.py
@ -16,6 +16,8 @@

 from __future__ import absolute_import

+from oslo_log import versionutils
+
 import uuid

 from keystone.token.providers import common
@ -23,6 +25,14 @@ from keystone.token.providers import common

 class Provider(common.BaseProvider):

+    @versionutils.deprecated(
+        as_of=versionutils.deprecated.PIKE,
+        what='UUID Token Provider "[token] provider=uuid"',
+        in_favor_of='Fernet token Provider "[token] provider=fernet"',
+        remove_in=+2)
+    def __init__(self, *args, **kwargs):
+        super(Provider, self).__init__(*args, **kwargs)
+
    def _get_token_id(self, token_data):
        return uuid.uuid4().hex

--- a/releasenotes/notes/deprecated-as-of-pike-506f9aca91674550.yaml
+++ b/releasenotes/notes/deprecated-as-of-pike-506f9aca91674550.yaml
@ -0,0 +1,11 @@
+---
+deprecations:
+  - |
+    * UUID token provider ``[token] provider=uuid`` has been deprecated in
+      favor of Fernet tokens ``[token] provider=fernet``. With Fernet tokens
+      becoming the default UUID tokens can be slated for removal in the R
+      release. This also deprecates token-bind support as it was never
+      implemented for fernet.
+
+    * Token persistence driver/code (SQL) is deprecated with this patch since
+      it is only used by the UUID token provider..