From 5896d841dfa1e8ab2e3179991b1b5c70f54f2ed1 Mon Sep 17 00:00:00 2001
From: Morgan Fainberg
Date: Thu, 2 Feb 2017 11:26:56 -0800
Subject: [PATCH] Deprecate (and slate for removal) UUID tokens
Deprecate UUID token provider. With fernet tokens being made the default, the UUID tokens are much like PKI tokens, an aging relic of Keystone-Times-Past. Keystone is consolidating token issuance and validation to the most effective form. This also deprecates the following:
* token-bind capabilities, as that is a feature that was at best partially implemented in UUID and PKI tokens, with explicit non-support in Fernet.
* token-persistence driver and explicit token persistence code.
Change-Id: I724169a49ce12d8dd514471c34ac2b752eb98c8a
bp: deprecated-as-of-pike
---
 keystone/conf/token.py | 5 +++++
 keystone/token/providers/uuid.py | 10 ++++++++++
 .../notes/deprecated-as-of-pike-506f9aca91674550.yaml | 11 +++++++++++
 3 files changed, 26 insertions(+)
 create mode 100644 releasenotes/notes/deprecated-as-of-pike-506f9aca91674550.yaml
diff --git a/keystone/conf/token.py b/keystone/conf/token.py
index 92b96e34b3..91d2c55b1b 100644
--- a/keystone/conf/token.py
+++ b/keystone/conf/token.py
@@ -13,6 +13,7 @@
 import sys
 from oslo_config import cfg
+from oslo_log import versionutils
 from keystone.conf import utils
@@ -30,6 +31,8 @@ enforce_token_bind = cfg.StrOpt(
 'enforce_token_bind',
 default='permissive',
 choices=['disabled', 'permissive', 'strict', 'required'],
+ deprecated_since=versionutils.deprecated.PIKE,
+ deprecated_for_removal=True,
 help=utils.fmt(""" This controls the token binding enforcement policy on tokens presented to keystone with token binding metadata (as specified by the `[token] bind`
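Review bot: The two options deprecated in keystone/conf/token.py, `enforce_token_bind` in this hunk and `driver` in the `@@ -74,6 +77,8 @@` hunk, set `deprecated_for_removal=True` without a `deprecated_reason`, so the warning an operator sees says neither why nor what to do. For `enforce_token_bind` that matters because it is a security control: a deployment running `strict` or `required` loses bind enforcement once the option is gone, and the reason text is where to say so, e.g. `deprecated_reason='Token bind is not supported by Fernet tokens.'`. The diffstat shows five added lines for this file, so the `[token] bind` option named in the help text appears not to be marked deprecated here; if token bind as a whole is being deprecated it presumably needs the same arguments. The option definition runs past the end of the hunk.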
@@ -74,6 +77,8 @@ command).
 driver = cfg.StrOpt(
 'driver',
 default='sql',
+ deprecated_since=versionutils.deprecated.PIKE,
+ deprecated_for_removal=True,
 help=utils.fmt(""" Entry point for the token persistence backend driver in the `keystone.token.persistence` namespace. Keystone provides the `sql`
diff --git a/keystone/token/providers/uuid.py b/keystone/token/providers/uuid.py
index 84af399925..4652f7a877 100644
--- a/keystone/token/providers/uuid.py
+++ b/keystone/token/providers/uuid.py
@@ -16,6 +16,8 @@
 from __future__ import absolute_import
+from oslo_log import versionutils
+
 import uuid
 from keystone.token.providers import common
@@ -23,6 +25,14 @@ from keystone.token.providers import common
 class Provider(common.BaseProvider):
+ @versionutils.deprecated(
+ as_of=versionutils.deprecated.PIKE,
+ what='UUID Token Provider "[token] provider=uuid"',
+ in_favor_of='Fernet token Provider "[token] provider=fernet"',
+ remove_in=+2)
+ def __init__(self, *args, **kwargs):
+ super(Provider, self).__init__(*args, **kwargs)
+
 def _get_token_id(self, token_data):
 return uuid.uuid4().hex
diff --git a/releasenotes/notes/deprecated-as-of-pike-506f9aca91674550.yaml b/releasenotes/notes/deprecated-as-of-pike-506f9aca91674550.yaml
new file mode 100644
index 0000000000..95c0008f7a
--- /dev/null
+++ b/releasenotes/notes/deprecated-as-of-pike-506f9aca91674550.yaml
@@ -0,0 +1,11 @@
+---
+deprecations:
+ - |
+ * UUID token provider ``[token] provider=uuid`` has been deprecated in
+ favor of Fernet tokens ``[token] provider=fernet``. With Fernet tokens
+ becoming the default UUID tokens can be slated for removal in the R
+ release. This also deprecates token-bind support as it was never
+ implemented for fernet.
+
+ * Token persistence driver/code (SQL) is deprecated with this patch since
+ it is only used by the UUID token provider..
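Review bot: In keystone/token/providers/uuid.py (hunk `@@ -16,6 +16,8 @@`) the added `from oslo_log import versionutils` is placed above the standard-library `import uuid`, which mixes the stdlib, third-party and project import groups. Moving it into its own group after `import uuid` and before `from keystone.token.providers import common` keeps the ordering consistent.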
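Review bot: In keystone/token/providers/uuid.py (hunk `@@ -23,6 +25,14 @@`) the new `Provider.__init__` exists only to carry the `@versionutils.deprecated` decorator and nothing says so; a comment such as `# Overridden only so the deprecation warning is emitted when the provider is loaded.` would keep a later cleanup from deleting it as a no-op override. The diffstat lists no test file, so the warning appears untested; a unit test that instantiates the provider and asserts the deprecation is reported would pin it. The message points operators at `provider=fernet`, but that switch presumably also requires a Fernet key repository to be set up and rotated, which is worth stating in the release note rather than only naming the option. The class body continues outside the hunk.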