From 7d56cb7a0144afc280e4a294c264d10424122b09 Mon Sep 17 00:00:00 2001
From: Boris Bobrov
Date: Thu, 22 Sep 2016 23:56:23 +0300
Subject: [PATCH] Undeprecate options used for signing

The options were deprecated when PKI was deprecated. However, they are used not only for PKI. Revocation lists API uses it too. We cannot remove API without major version bump. Because of that, we have to stick with them. Undeprecate options used for signing. Remove mentions of PKI and describe that they are now used for signing responses of revocation lists API.

Change-Id: Ib0e194fbafe83c467381283b555868a1fb02a512
---
 keystone/conf/signing.py | 62 ++++++++++++----------------------------
 1 file changed, 18 insertions(+), 44 deletions(-)

diff --git a/keystone/conf/signing.py b/keystone/conf/signing.py
index b9bdfd4d90..6195fd8d39 100644
--- a/keystone/conf/signing.py
+++ b/keystone/conf/signing.py
@@ -11,7 +11,6 @@
 # under the License.
 
 from oslo_config import cfg
-from oslo_log import versionutils
 
 from keystone.conf import constants
 from keystone.conf import utils
@@ -20,96 +19,71 @@ from keystone.conf import utils
 certfile = cfg.StrOpt(
     'certfile',
     default=constants._CERTFILE,
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     help=utils.fmt("""
-Absolute path to the public certificate file to use for signing PKI and PKIZ
-tokens. Set this together with `[signing] keyfile`. For non-production
-environments, you may be interested in using `keystone-manage pki_setup` to
-generate self-signed certificates. There is no reason to set this option unless
-you are using either a `pki` or `pkiz` `[token] provider`.
+Absolute path to the public certificate file to use for signing responses to
+revocation lists requests. Set this together with `[signing] keyfile`. For
+non-production environments, you may be interested in using `keystone-manage
+pki_setup` to generate self-signed certificates.
 """))
 
 keyfile = cfg.StrOpt(
     'keyfile',
     default=constants._KEYFILE,
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     help=utils.fmt("""
-Absolute path to the private key file to use for signing PKI and PKIZ tokens.
-Set this together with `[signing] certfile`. There is no reason to set this
-option unless you are using either a `pki` or `pkiz` `[token] provider`.
+Absolute path to the private key file to use for signing responses to
+revocation lists requests. Set this together with `[signing] certfile`.
 """))
 
 ca_certs = cfg.StrOpt(
     'ca_certs',
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     default='/etc/keystone/ssl/certs/ca.pem',
     help=utils.fmt("""
 Absolute path to the public certificate authority (CA) file to use when creating self-signed certificates with `keystone-manage pki_setup`. Set this together with `[signing] ca_key`. There is no reason to set this option unless
-you are using a `pki` or `pkiz` `[token] provider` value in a non-production
-environment. Use a `[signing] certfile` issued from a trusted certificate
-authority instead.
+you are requesting revocation lists in a non-production environment. Use a
+`[signing] certfile` issued from a trusted certificate authority instead.
 """))
 
 ca_key = cfg.StrOpt(
     'ca_key',
     default='/etc/keystone/ssl/private/cakey.pem',
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     help=utils.fmt("""
 Absolute path to the private certificate authority (CA) key file to use when creating self-signed certificates with `keystone-manage pki_setup`. Set this together with `[signing] ca_certs`. There is no reason to set this option
-unless you are using a `pki` or `pkiz` `[token] provider` value in a
-non-production environment. Use a `[signing] certfile` issued from a trusted
-certificate authority instead.
+unless you are requesting revocation lists in a non-production environment.
+Use a `[signing] certfile` issued from a trusted certificate authority instead.
 """))
 
 key_size = cfg.IntOpt(
     'key_size',
     default=2048,
     min=1024,
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     help=utils.fmt("""
 Key size (in bits) to use when generating a self-signed token signing
-certificate. There is no reason to set this option unless you are using a `pki`
-or `pkiz` `[token] provider` value in a non-production environment. Use a
-`[signing] certfile` issued from a trusted certificate authority instead.
+certificate. There is no reason to set this option unless you are requesting
+revocation lists in a non-production environment. Use a `[signing] certfile`
+issued from a trusted certificate authority instead.
 """))
 
 valid_days = cfg.IntOpt(
     'valid_days',
     default=3650,
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     help=utils.fmt("""
 The validity period (in days) to use when generating a self-signed token
-signing certificate. There is no reason to set this option unless you are using
-a `pki` or `pkiz` `[token] provider` value in a non-production environment. Use
-a `[signing] certfile` issued from a trusted certificate authority instead.
+signing certificate. There is no reason to set this option unless you are
+requesting revocation lists in a non-production environment. Use a
+`[signing] certfile` issued from a trusted certificate authority instead.
 """))
 
 cert_subject = cfg.StrOpt(
     'cert_subject',
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     default=('/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'),
     help=utils.fmt("""
 The certificate subject to use when generating a self-signed token signing
-certificate. There is no reason to set this option unless you are using a `pki`
-or `pkiz` `[token] provider` value in a non-production environment. Use a
+certificate. There is no reason to set this option unless you are requesting
+revocation lists in a non-production environment. Use a
 `[signing] certfile` issued from a trusted certificate authority instead.
 """))