Deprecate Saml2 auth plugin

Since the keystone.auth.plugins.saml2:Saml2 plugin is just a wrapper for keystone.auth.plugins.mapped:Mapped there is no need for it (log deprecation for now). Change-Id: If82554f1e132c92c6fc707da6bdecba11e35620e bp: deprecated-as-of-mitaka
2016-02-02 17:14:08 -06:00 · 2016-02-02 17:14:08 -06:00 · d988de1004
commit d988de1004
parent ec5e5f1707
3 changed files with 18 additions and 6 deletions
--- a/doc/source/configure_federation.rst
+++ b/doc/source/configure_federation.rst
@ -90,14 +90,19 @@ configure ``federation``.
 Configure authentication drivers in ``keystone.conf``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+.. NOTE::
+    ``saml2`` has been deprecated as of the Mitaka release. Support for the
+    ``saml2`` wrapper will be removed as of the "O" release. The recommended authentication method
+    is ``mapped``, which supports ``saml2``.
+
 Add the authentication methods to the ``[auth]`` section in ``keystone.conf``.
 Names should be equal to protocol names added via Identity API v3. Here we use
-examples ``saml2`` and ``openid``.
+examples ``mapped`` and ``openid``.

 .. code-block:: bash

       [auth]
-       methods = external,password,token,saml2,openid
+       methods = external,password,token,mapped,openid

 Create keystone groups and assign roles
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -251,7 +256,7 @@ Example cURL

 .. code-block:: bash

-    $ curl -X POST -H "Content-Type: application/json" -d '{"auth":{"identity":{"methods":["saml2"],"saml2":{"id":"<unscoped_token_id>"}},"scope":{"project":{"domain": {"name": "Default"},"name":"service"}}}}' -D - http://localhost:5000/v3/auth/tokens
+    $ curl -X POST -H "Content-Type: application/json" -d '{"auth":{"identity":{"methods":["mapped"],"saml2":{"id":"<unscoped_token_id>"}},"scope":{"project":{"domain": {"name": "Default"},"name":"service"}}}}' -D - http://localhost:5000/v3/auth/tokens

 --------------------------------------
 Keystone as an Identity Provider (IdP)
--- a/keystone/auth/plugins/saml2.py
+++ b/keystone/auth/plugins/saml2.py
@ -10,9 +10,16 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+from oslo_log import versionutils
+
 from keystone.auth.plugins import mapped


+@versionutils.deprecated(
+    versionutils.deprecated.MITAKA,
+    what='keystone.auth.plugins.saml2.Saml2',
+    in_favor_of='keystone.auth.plugins.mapped.Mapped',
+    remove_in=+2)
 class Saml2(mapped.Mapped):
    """Provide an entry point to authenticate with SAML2.

--- a/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml
+++ b/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml
@ -16,6 +16,6 @@ deprecations:
    removed in the 'O' release.
  - >
    [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
-    As of the Mitaka release, the simple_cert_extension is deprecated since it
-    is only used in support of the PKI and PKIz token formats.  It will be
-    removed in the 'O' release.
+    As of the Mitaka release, the auth plugin ``keystone.auth.plugins.saml2.Saml2``
+    has been deprecated. It is recommended to use ``keystone.auth.plugins.mapped.Mapped``
+    instead. The ``saml2`` plugin will be removed in the 'O' release.