This is the first step of several to remove PKI token support in
keystone. A large issue in removing PKI support is that support for the
revocation list must be maintained.

This patch removes support for the token format, its surrounding tests
and examples that are generated. Additionally, some wording has been
changed around the CLI and config options to make the distinction
between keys and certs used for PKI tokens and those used for getting
the revocation list (a list of tokens that are revoked, which is signed).

Future patches will:

- Remove the keystone-manage commands for generating certs
- Modify the revocation list (at /auth/tokens/OS-PKI/revoked) to return
  a 403 if pki is not configured (instead of raising a 500). We cannot
  remove the API as that would break an API contract.
- Options to configure PKI will be marked as deprecated
- If PKI is configured a normal signed list will be returned (same
  behavior as today)
- Follow-up patch to keystonemiddleware will make sure auth_token does
  not rely on the revocation api at all.

Related-Bug: 1626778
Related-Bug: 1626779
Co-Authored-By: Boris Bobrov <bbobrov@mirantis.com>
bp removed-as-of-ocata
Change-Id: Icf1ebced44a675c88fb66a6c0431208ff5181574

Now that bash8 is available on PyPI we can use it to clean up the bash
scripts in Keystone. This also uses bash8 in tox. For now we can add
files to the tox check manually as we make them compliant.

Change-Id: I87a7478949114163f0614b1a6d8b249e14afe0df

- use only double quotes
- remove trailing commas for last element
- add trailing newline

Change-Id: I3f47a25cdac429d95319ca80c6622b9cb1460446
Closes-Bug: #1249117

In https://review.openstack.org/#/c/31374/ the PKI defaults
were changed but the example PKI was not updated. Update it now.

Change-Id: Ie65f27ab586e05a3c43a589499c115b56e734e07

Extend RSA keylength to 2048 bits by default,
as the previous default of 1024 bits is considered
weak since 12/31/2010.
Also unify the message_md to the openssl builtin default.

Fixes bug 1103002

Change-Id: I70e90b7696f8a56073c3d6bdc9ed5d30cfa3401f