diff --git a/etc/keystone-paste.ini b/etc/keystone-paste.ini index a2aa06f1d3..be5285342e 100644 --- a/etc/keystone-paste.ini +++ b/etc/keystone-paste.ini @@ -54,17 +54,17 @@ use = egg:keystone#admin_service [pipeline:public_api] # The last item in this pipeline must be public_service or an equivalent # application. It cannot be a filter. -pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service +pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service [pipeline:admin_api] # The last item in this pipeline must be admin_service or an equivalent # application. It cannot be a filter. -pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service +pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension admin_service [pipeline:api_v3] # The last item in this pipeline must be service_v3 or an equivalent # application. It cannot be a filter. -pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3 +pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3 [app:public_version_service] use = egg:keystone#public_version_service diff --git a/keystone/middleware/core.py b/keystone/middleware/core.py index 589d263bbf..60e27799b7 100644 --- a/keystone/middleware/core.py +++ b/keystone/middleware/core.py @@ -14,12 +14,11 @@ from oslo_config import cfg from oslo_log import log -from oslo_log import versionutils from oslo_serialization import jsonutils from keystone.common import wsgi from keystone import exception -from keystone.i18n import _ +from keystone.i18n import _LW CONF = cfg.CONF @@ -61,13 +60,11 @@ class AdminTokenAuthMiddleware(wsgi.Middleware): def __init__(self, application): super(AdminTokenAuthMiddleware, self).__init__(application) - msg = _("Remove admin_token_auth from the paste-ini file, the " - "admin_token_auth middleware has been deprecated in favor of " - "using keystone-manage bootstrap and real users after " - "bootstrap process. Update the [pipeline:api_v3], " - "[pipeline:admin_api], and [pipeline:public_api] sections " - "accordingly, as it will be removed in the O release.") - versionutils.report_deprecated_feature(LOG, msg) + LOG.warning(_LW("The admin_token_auth middleware presents a security " + "risk and should be removed from the " + "[pipeline:api_v3], [pipeline:admin_api], and " + "[pipeline:public_api] sections of your paste ini " + "file.")) def process_request(self, request): token = request.headers.get(AUTH_TOKEN_HEADER) diff --git a/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml b/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml index d8aecb3734..3b7e481ae9 100644 --- a/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml +++ b/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml @@ -1,12 +1,4 @@ --- -upgrade: - - > - The ``keystone-paste.ini`` file must be updated to remove middleware filters - and their use in ``[pipeline:api_v3]``, ``[pipeline:public_api]``, - and ``[pipeline:admin_api]``. Remove ``[filter:admin_token_auth]``. See the - sample `keystone-paste.ini - `_ - file for guidance. deprecations: - > [`blueprint deprecated-as-of-mitaka `_] @@ -32,8 +24,3 @@ deprecations: As of the Mitaka release, the simple_cert_extension is deprecated since it is only used in support of the PKI and PKIz token formats. It will be removed in the 'O' release. - - > - [`blueprint deprecated-as-of-mitaka `_] - As of the Mitaka release, the use of ``admin_token_auth`` is deprecated in favor - of using the ``keystone-manage bootstrap`` CLI. It will be removed in the - 'O' release.