openstack
/
keystone
Code Issues Proposed changes

Undeprecate options used for signing 

The options were deprecated when PKI was deprecated. However, they are
used not only for PKI. Revocation lists API uses it too. We cannot
remove API without major version bump. Because of that, we have to stick
with them.

Undeprecate options used for signing. Remove mentions of PKI and
describe that they are now used for signing responses of revocation
lists API.

Change-Id: Ib0e194fbafe83c467381283b555868a1fb02a512
This commit is contained in:
Boris Bobrov 2016-09-22 23:56:23 +03:00 committed by Steve Martinelli
parent cb2b548f6b
commit 7d56cb7a01
1 changed files with 18 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
keystone/conf/signing.py
View File

@ -11,7 +11,6 @@
# under the License. # under the License.
from oslo_config import cfg from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import constants from keystone.conf import constants
from keystone.conf import utils from keystone.conf import utils
@ -20,96 +19,71 @@ from keystone.conf import utils
certfile = cfg.StrOpt( certfile = cfg.StrOpt(
'certfile', 'certfile',
default=constants._CERTFILE, default=constants._CERTFILE,
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
deprecated_since=versionutils.deprecated.MITAKA,
help=utils.fmt(""" help=utils.fmt("""
Absolute path to the public certificate file to use for signing PKI and PKIZ Absolute path to the public certificate file to use for signing responses to
tokens. Set this together with `[signing] keyfile`. For non-production revocation lists requests. Set this together with `[signing] keyfile`. For
environments, you may be interested in using `keystone-manage pki_setup` to non-production environments, you may be interested in using `keystone-manage
generate self-signed certificates. There is no reason to set this option unless pki_setup` to generate self-signed certificates.
you are using either a `pki` or `pkiz` `[token] provider`.
""")) """))
keyfile = cfg.StrOpt( keyfile = cfg.StrOpt(
'keyfile', 'keyfile',
default=constants._KEYFILE, default=constants._KEYFILE,
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
deprecated_since=versionutils.deprecated.MITAKA,
help=utils.fmt(""" help=utils.fmt("""
Absolute path to the private key file to use for signing PKI and PKIZ tokens. Absolute path to the private key file to use for signing responses to
Set this together with `[signing] certfile`. There is no reason to set this revocation lists requests. Set this together with `[signing] certfile`.
option unless you are using either a `pki` or `pkiz` `[token] provider`.
""")) """))
ca_certs = cfg.StrOpt( ca_certs = cfg.StrOpt(
'ca_certs', 'ca_certs',
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
deprecated_since=versionutils.deprecated.MITAKA,
default='/etc/keystone/ssl/certs/ca.pem', default='/etc/keystone/ssl/certs/ca.pem',
help=utils.fmt(""" help=utils.fmt("""
Absolute path to the public certificate authority (CA) file to use when Absolute path to the public certificate authority (CA) file to use when
creating self-signed certificates with `keystone-manage pki_setup`. Set this creating self-signed certificates with `keystone-manage pki_setup`. Set this
together with `[signing] ca_key`. There is no reason to set this option unless together with `[signing] ca_key`. There is no reason to set this option unless
you are using a `pki` or `pkiz` `[token] provider` value in a non-production you are requesting revocation lists in a non-production environment. Use a
environment. Use a `[signing] certfile` issued from a trusted certificate `[signing] certfile` issued from a trusted certificate authority instead.
authority instead.
""")) """))
ca_key = cfg.StrOpt( ca_key = cfg.StrOpt(
'ca_key', 'ca_key',
default='/etc/keystone/ssl/private/cakey.pem', default='/etc/keystone/ssl/private/cakey.pem',
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
deprecated_since=versionutils.deprecated.MITAKA,
help=utils.fmt(""" help=utils.fmt("""
Absolute path to the private certificate authority (CA) key file to use when Absolute path to the private certificate authority (CA) key file to use when
creating self-signed certificates with `keystone-manage pki_setup`. Set this creating self-signed certificates with `keystone-manage pki_setup`. Set this
together with `[signing] ca_certs`. There is no reason to set this option together with `[signing] ca_certs`. There is no reason to set this option
unless you are using a `pki` or `pkiz` `[token] provider` value in a unless you are requesting revocation lists in a non-production environment.
non-production environment. Use a `[signing] certfile` issued from a trusted Use a `[signing] certfile` issued from a trusted certificate authority instead.
certificate authority instead.
""")) """))
key_size = cfg.IntOpt( key_size = cfg.IntOpt(
'key_size', 'key_size',
default=2048, default=2048,
min=1024, min=1024,
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
deprecated_since=versionutils.deprecated.MITAKA,
help=utils.fmt(""" help=utils.fmt("""
Key size (in bits) to use when generating a self-signed token signing Key size (in bits) to use when generating a self-signed token signing
certificate. There is no reason to set this option unless you are using a `pki` certificate. There is no reason to set this option unless you are requesting
or `pkiz` `[token] provider` value in a non-production environment. Use a revocation lists in a non-production environment. Use a `[signing] certfile`
`[signing] certfile` issued from a trusted certificate authority instead. issued from a trusted certificate authority instead.
""")) """))
valid_days = cfg.IntOpt( valid_days = cfg.IntOpt(
'valid_days', 'valid_days',
default=3650, default=3650,
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
deprecated_since=versionutils.deprecated.MITAKA,
help=utils.fmt(""" help=utils.fmt("""
The validity period (in days) to use when generating a self-signed token The validity period (in days) to use when generating a self-signed token
signing certificate. There is no reason to set this option unless you are using signing certificate. There is no reason to set this option unless you are
a `pki` or `pkiz` `[token] provider` value in a non-production environment. Use requesting revocation lists in a non-production environment. Use a
a `[signing] certfile` issued from a trusted certificate authority instead. `[signing] certfile` issued from a trusted certificate authority instead.
""")) """))
cert_subject = cfg.StrOpt( cert_subject = cfg.StrOpt(
'cert_subject', 'cert_subject',
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
deprecated_since=versionutils.deprecated.MITAKA,
default=('/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'), default=('/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'),
help=utils.fmt(""" help=utils.fmt("""
The certificate subject to use when generating a self-signed token signing The certificate subject to use when generating a self-signed token signing
certificate. There is no reason to set this option unless you are using a `pki` certificate. There is no reason to set this option unless you are requesting
or `pkiz` `[token] provider` value in a non-production environment. Use a revocation lists in a non-production environment. Use a
`[signing] certfile` issued from a trusted certificate authority instead. `[signing] certfile` issued from a trusted certificate authority instead.
""")) """))