Undeprecate options used for signing
The options were deprecated when PKI was deprecated. However, they are used not only for PKI: the revocation lists API uses them too. We cannot remove an API without a major version bump. Because of that, we have to stick with them.

Undeprecate options used for signing. Remove mentions of PKI and describe that they are now used for signing responses of the revocation lists API.

Change-Id: Ib0e194fbafe83c467381283b555868a1fb02a512
parent cb2b548f6b
commit 7d56cb7a01
@@ -11,7 +11,6 @@
 # under the License.
 
 from oslo_config import cfg
-from oslo_log import versionutils
 
 from keystone.conf import constants
 from keystone.conf import utils
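Review bot: Dropping the `oslo_log.versionutils` import is consistent with the second hunk, which removes every `deprecated_since=versionutils.deprecated.MITAKA` use in this module, so nothing dangling remains here. The same hunk also removes every reference to `constants._DEPRECATE_PKI_MSG` from this file; please check whether any other module still uses that constant and, if not, remove it from `keystone.conf.constants` in this change rather than leaving it as dead code.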
@@ -20,96 +19,71 @@ from keystone.conf import utils
 certfile = cfg.StrOpt(
     'certfile',
     default=constants._CERTFILE,
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     help=utils.fmt("""
-Absolute path to the public certificate file to use for signing PKI and PKIZ
-tokens. Set this together with `[signing] keyfile`. For non-production
-environments, you may be interested in using `keystone-manage pki_setup` to
-generate self-signed certificates. There is no reason to set this option unless
-you are using either a `pki` or `pkiz` `[token] provider`.
+Absolute path to the public certificate file to use for signing responses to
+revocation lists requests. Set this together with `[signing] keyfile`. For
+non-production environments, you may be interested in using `keystone-manage
+pki_setup` to generate self-signed certificates.
 """))
 
 keyfile = cfg.StrOpt(
     'keyfile',
     default=constants._KEYFILE,
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     help=utils.fmt("""
-Absolute path to the private key file to use for signing PKI and PKIZ tokens.
-Set this together with `[signing] certfile`. There is no reason to set this
-option unless you are using either a `pki` or `pkiz` `[token] provider`.
+Absolute path to the private key file to use for signing responses to
+revocation lists requests. Set this together with `[signing] certfile`.
 """))
 
 ca_certs = cfg.StrOpt(
     'ca_certs',
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     default='/etc/keystone/ssl/certs/ca.pem',
     help=utils.fmt("""
 Absolute path to the public certificate authority (CA) file to use when
 creating self-signed certificates with `keystone-manage pki_setup`. Set this
 together with `[signing] ca_key`. There is no reason to set this option unless
-you are using a `pki` or `pkiz` `[token] provider` value in a non-production
-environment. Use a `[signing] certfile` issued from a trusted certificate
-authority instead.
+you are requesting revocation lists in a non-production environment. Use a
+`[signing] certfile` issued from a trusted certificate authority instead.
 """))
 
 ca_key = cfg.StrOpt(
     'ca_key',
     default='/etc/keystone/ssl/private/cakey.pem',
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     help=utils.fmt("""
 Absolute path to the private certificate authority (CA) key file to use when
 creating self-signed certificates with `keystone-manage pki_setup`. Set this
 together with `[signing] ca_certs`. There is no reason to set this option
-unless you are using a `pki` or `pkiz` `[token] provider` value in a
-non-production environment. Use a `[signing] certfile` issued from a trusted
-certificate authority instead.
+unless you are requesting revocation lists in a non-production environment.
+Use a `[signing] certfile` issued from a trusted certificate authority instead.
 """))
 
 key_size = cfg.IntOpt(
     'key_size',
     default=2048,
     min=1024,
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     help=utils.fmt("""
 Key size (in bits) to use when generating a self-signed token signing
-certificate. There is no reason to set this option unless you are using a `pki`
-or `pkiz` `[token] provider` value in a non-production environment. Use a
-`[signing] certfile` issued from a trusted certificate authority instead.
+certificate. There is no reason to set this option unless you are requesting
+revocation lists in a non-production environment. Use a `[signing] certfile`
+issued from a trusted certificate authority instead.
 """))
 
 valid_days = cfg.IntOpt(
     'valid_days',
     default=3650,
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     help=utils.fmt("""
 The validity period (in days) to use when generating a self-signed token
-signing certificate. There is no reason to set this option unless you are using
-a `pki` or `pkiz` `[token] provider` value in a non-production environment. Use
-a `[signing] certfile` issued from a trusted certificate authority instead.
+signing certificate. There is no reason to set this option unless you are
+requesting revocation lists in a non-production environment. Use a
+`[signing] certfile` issued from a trusted certificate authority instead.
 """))
 
 cert_subject = cfg.StrOpt(
     'cert_subject',
-    deprecated_for_removal=True,
-    deprecated_reason=constants._DEPRECATE_PKI_MSG,
-    deprecated_since=versionutils.deprecated.MITAKA,
     default=('/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'),
     help=utils.fmt("""
 The certificate subject to use when generating a self-signed token signing
-certificate. There is no reason to set this option unless you are using a `pki`
-or `pkiz` `[token] provider` value in a non-production environment. Use a
-`[signing] certfile` issued from a trusted certificate authority instead.
+certificate. There is no reason to set this option unless you are requesting
+revocation lists in a non-production environment. Use a
+`[signing] certfile` issued from a trusted certificate authority instead.
 """))
 
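Review bot: The unchanged context lines for `key_size`, `valid_days` and `cert_subject` still say "self-signed token signing certificate", which contradicts the stated goal of removing PKI/token wording now that `certfile` and `keyfile` describe signing of revocation list responses; suggest "self-signed signing certificate" in all three so the help text is consistent. The new wording "unless you are requesting revocation lists in a non-production environment" for `ca_certs`, `ca_key`, `key_size`, `valid_days` and `cert_subject` is also slightly misleading: those options only feed `keystone-manage pki_setup`, so a production deployment that serves revocation lists needs `certfile`/`keyfile` from a trusted CA and should not set them at all; consider phrasing it as "unless you are generating a self-signed certificate with `keystone-manage pki_setup` for a non-production environment". Since `key_size` is being un-deprecated and keeps `min=1024`, consider raising the minimum to 2048 so a weak RSA key cannot be configured for an option that is now supported long term. Finally, reversing a deprecation is user-visible and should ship with a release note, which this change does not include.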