Deprecate (and slate for removal) UUID tokens
Deprecate UUID token provider.

With fernet tokens being made the default, the UUID tokens are much like PKI tokens, an aging relic of Keystone-Times-Past. Keystone is consolidating token issuance and validation to the most effective form.

This also deprecates the following:

* token-bind capabilities, as that is a feature that was at best partially implemented in UUID and PKI tokens, with explicit non-support in Fernet.
* token-persistence driver and explicit token persistence code.

Change-Id: I724169a49ce12d8dd514471c34ac2b752eb98c8a
bp: deprecated-as-of-pike
parent 9c474958b1
commit 5896d841df
|
@ -13,6 +13,7 @@
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
|
from oslo_log import versionutils
|
||||||
|
|
||||||
from keystone.conf import utils
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
@ -30,6 +31,8 @@ enforce_token_bind = cfg.StrOpt(
|
||||||
'enforce_token_bind',
|
'enforce_token_bind',
|
||||||
default='permissive',
|
default='permissive',
|
||||||
choices=['disabled', 'permissive', 'strict', 'required'],
|
choices=['disabled', 'permissive', 'strict', 'required'],
|
||||||
|
deprecated_since=versionutils.deprecated.PIKE,
|
||||||
|
deprecated_for_removal=True,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
This controls the token binding enforcement policy on tokens presented to
|
This controls the token binding enforcement policy on tokens presented to
|
||||||
keystone with token binding metadata (as specified by the `[token] bind`
|
keystone with token binding metadata (as specified by the `[token] bind`
|
||||||
|
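Review bot: On `enforce_token_bind`, only the enforcement policy is marked deprecated, while its help text still refers operators to `[token] bind` as the option that specifies the binding metadata, and none of the visible hunks touch that option. If `bind` is not deprecated elsewhere in this patch, give it the same `deprecated_since=versionutils.deprecated.PIKE` and `deprecated_for_removal=True` pair, so a deployment that sets `bind` but leaves `enforce_token_bind` at its `permissive` default still gets a warning before the feature disappears.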
@ -74,6 +77,8 @@ command).
|
||||||
driver = cfg.StrOpt(
|
driver = cfg.StrOpt(
|
||||||
'driver',
|
'driver',
|
||||||
default='sql',
|
default='sql',
|
||||||
|
deprecated_since=versionutils.deprecated.PIKE,
|
||||||
|
deprecated_for_removal=True,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Entry point for the token persistence backend driver in the
|
Entry point for the token persistence backend driver in the
|
||||||
`keystone.token.persistence` namespace. Keystone provides the `sql`
|
`keystone.token.persistence` namespace. Keystone provides the `sql`
|
||||||
|
|
|
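Review bot: The two keyword arguments added to `driver` produce a deprecation warning that carries no explanation and no migration hint. oslo.config accepts a `deprecated_reason` string on an option; use it here to say that the persistence backend is only used by the UUID token provider (as the release note in this patch states) and is removed along with it. The same applies to `enforce_token_bind` in the previous hunk.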
@ -16,6 +16,8 @@
|
||||||
|
|
||||||
from __future__ import absolute_import
|
from __future__ import absolute_import
|
||||||
|
|
||||||
|
from oslo_log import versionutils
|
||||||
|
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from keystone.token.providers import common
|
from keystone.token.providers import common
|
||||||
|
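Review bot: The new `from oslo_log import versionutils` line sits between `from __future__ import absolute_import` and `import uuid`, which puts a third-party import ahead of a standard-library one. Move it below `import uuid`, into the same group as `from keystone.token.providers import common`, so the file keeps the stdlib / third-party / project import grouping.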
@ -23,6 +25,14 @@ from keystone.token.providers import common
|
||||||
|
|
||||||
class Provider(common.BaseProvider):
|
class Provider(common.BaseProvider):
|
||||||
|
|
||||||
|
@versionutils.deprecated(
|
||||||
|
as_of=versionutils.deprecated.PIKE,
|
||||||
|
what='UUID Token Provider "[token] provider=uuid"',
|
||||||
|
in_favor_of='Fernet token Provider "[token] provider=fernet"',
|
||||||
|
remove_in=+2)
|
||||||
|
def __init__(self, *args, **kwargs):
|
||||||
|
super(Provider, self).__init__(*args, **kwargs)
|
||||||
|
|
||||||
def _get_token_id(self, token_data):
|
def _get_token_id(self, token_data):
|
||||||
return uuid.uuid4().hex
|
return uuid.uuid4().hex
|
||||||
|
|
||||||
|
|
|
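Review bot: The added `__init__` does nothing except call `super(Provider, self).__init__(*args, **kwargs)`, so it exists only as a place to hang `@versionutils.deprecated`. Add a one-line comment saying so, otherwise a later cleanup is likely to delete it as a no-op override and silently drop the warning. `remove_in=+2` from `PIKE` lines up with the "R release" named in the release note, which is worth stating in that comment as well.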
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
* UUID token provider ``[token] provider=uuid`` has been deprecated in
|
||||||
|
favor of Fernet tokens ``[token] provider=fernet``. With Fernet tokens
|
||||||
|
becoming the default UUID tokens can be slated for removal in the R
|
||||||
|
release. This also deprecates token-bind support as it was never
|
||||||
|
implemented for fernet.
|
||||||
|
|
||||||
|
* Token persistence driver/code (SQL) is deprecated with this patch since
|
||||||
|
it is only used by the UUID token provider..
|
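Review bot: In the release note, the token-bind deprecation is tucked into the end of the UUID bullet and no configuration option is named for it or for the persistence driver. Give token-bind its own bullet and name the options this patch marks (`enforce_token_bind` and `driver`) so operators can search their keystone.conf for them. Two small text fixes while there: "becoming the default UUID tokens" needs a comma after "default", and "UUID token provider.." ends with a doubled period.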