Set default token provider to UUID

This changes the default token provider to UUID, which affords a much better deployer experience (no external dependencies and no additional setup complexity) for deployers. It also provides a better end-user experience (smaller, more manageable tokens) and appears to be the more popular deployment option today, despite the current default to PKI. DocImpact Closes-Bug: 1350000 Change-Id: I7fb2b191cce7a9762c33fee09e7e8d48a71a297b
2014-07-29 16:57:57 -05:00 · 2014-07-29 16:57:57 -05:00 · 60dc036b88
parent 5017993c36
commit 60dc036b88
5 changed files with 10 additions and 8 deletions
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@ -277,11 +277,11 @@ Token Provider

 Keystone supports customizable token provider and it is specified in the
 ``[token]`` section of the configuration file. Keystone provides both UUID and
-PKI token providers, with PKI token provider enabled as default. However, users
-may register their own token provider by configuring the following property.
+PKI token providers. However, users may register their own token provider by
+configuring the following property.

 * ``provider`` - token provider driver. Defaults to
-  ``keystone.token.providers.pki.Provider``
+  ``keystone.token.providers.uuid.Provider``

 Note that ``token_format`` in the ``[signing]`` section is deprecated but still
 being supported for backward compatibility. Therefore, if ``provider`` is set
@ -316,8 +316,7 @@ additional attributes.

 The current architectural approaches for both UUID- and PKI-based tokens have
 pain points exposed by environments under heavy load (search bugs and
-blueprints for the latest details and potential solutions), although PKI tokens
-became the default configuration option in the Grizzly release.
+blueprints for the latest details and potential solutions).

 Caching Layer
 -------------
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@ -236,7 +236,7 @@ FILE_OPTIONS = {
                   help='Controls the token construction, validation, and '
                        'revocation operations. Core providers are '
                        '"keystone.token.providers.[pkiz|pki|uuid].'
-                        'Provider". The default provider is pkiz.'),
+                        'Provider". The default provider is uuid.'),
        cfg.StrOpt('driver',
                   default='keystone.token.persistence.backends.sql.Token',
                   help='Token persistence backend driver.'),
--- a/keystone/tests/test_cert_setup.py
+++ b/keystone/tests/test_cert_setup.py
@ -62,6 +62,9 @@ class CertSetupTestCase(rest.RestfulTestCase):
            ca_key=ca_key,
            certfile=os.path.join(CERTDIR, 'keystone.pem'),
            keyfile=os.path.join(KEYDIR, 'keystonekey.pem'))
+        self.config_fixture.config(
+            group='token',
+            provider='keystone.token.providers.pkiz.Provider')

    def test_can_handle_missing_certs(self):
        controller = token.controllers.Auth()
--- a/keystone/tests/test_token_provider.py
+++ b/keystone/tests/test_token_provider.py
@ -727,7 +727,7 @@ class TestTokenProvider(tests.TestCase):
                          'bogus')

    def test_default_token_format(self):
-        self.assertEqual(token.provider.PKIZ_PROVIDER,
+        self.assertEqual(token.provider.UUID_PROVIDER,
                         token.provider.Manager.get_token_provider())

    def test_uuid_token_format_and_no_provider(self):
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@ -111,7 +111,7 @@ class Manager(manager.Manager):
            return mapped

        if CONF.token.provider is None:
-            return PKIZ_PROVIDER
+            return UUID_PROVIDER
        else:
            return CONF.token.provider