
Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: I1ec9c946fb467e869df08a4697f89f9dd9a2b4db
Closes-Bug: #1804562
Closes-Bug: #1804720
tags/14.2.0
ZhongShengping 6 months ago
parent
commit
8d05dd00b5

+ 28
- 22
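--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -63,12 +63,6 @@
 #  (Optional) Required if identity server requires client certificate
 #  Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#  (Optional) If true, the revocation list will be checked for cached tokens.
-#  This requires that PKI tokens are configured on the identity server.
-#  boolean value.
-#  Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #  (Optional) Do not handle authorization requests within the middleware, but
 #  delegate the authorization decision to downstream WSGI components. Boolean
@@ -84,18 +78,6 @@
 #  binding is needed to be allowed. Finally the name of a binding method that
 #  Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#  (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#  single algorithm or multiple. The algorithms are those supported by Python
-#  must be present in tokens. String value.
-#  standard hashlib.new(). The hashes will be tried in the order given, so put
-#  the preferred one first for performance. The result of the first hash will
-#  be stored in the cache. This will typically be set to multiple values only
-#  while migrating from a less secure algorithm to a more secure one. Once all
-#  the old tokens are expired this option should be set to a single value for
-#  better performance. List value.
-#  Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #  (Optional) Request timeout value for communicating with Identity API
 #  server.
@@ -189,6 +171,24 @@
 #   (Optional) Complete public Identity API endpoint.
 #   Defaults to undef
 #
+# [*check_revocations_for_cached*]
+#  (Optional) If true, the revocation list will be checked for cached tokens.
+#  This requires that PKI tokens are configured on the identity server.
+#  boolean value.
+#  Defaults to undef.
+#
+# [*hash_algorithms*]
+#  (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#  single algorithm or multiple. The algorithms are those supported by Python
+#  must be present in tokens. String value.
+#  standard hashlib.new(). The hashes will be tried in the order given, so put
+#  the preferred one first for performance. The result of the first hash will
+#  be stored in the cache. This will typically be set to multiple values only
+#  while migrating from a less secure algorithm to a more secure one. Once all
+#  the old tokens are expired this option should be set to a single value for
+#  better performance. List value.
+#  Defaults to undef.
+#
 class cinder::keystone::authtoken(
   $username                       = 'cinder',
   $password                       = $::os_service_default,
@@ -204,10 +204,8 @@ class cinder::keystone::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -226,6 +224,8 @@ class cinder::keystone::authtoken(
   $token_cache_time               = $::os_service_default,
   # DEPRECATED PARAMETERS
   $auth_uri                       = undef,
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::cinder::deps
@@ -239,6 +239,14 @@ class cinder::keystone::authtoken(
   }
   $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   keystone::resource::authtoken { 'cinder_config':
     username                       => $username,
     password                       => $password,
@@ -254,10 +262,8 @@ class cinder::keystone::authtoken(
     cache                          => $cache,
     cafile                         => $cafile,
     certfile                       => $certfile,
-    check_revocations_for_cached   => $check_revocations_for_cached,
     delay_auth_decision            => $delay_auth_decision,
     enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
     http_connect_timeout           => $http_connect_timeout,
     http_request_max_retries       => $http_request_max_retries,
     include_service_catalog        => $include_service_catalog,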
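Review bot: The deprecation guards added in the `@@ -239,6 +239,14 @@` hunk test truthiness rather than presence, so a caller that explicitly passes `check_revocations_for_cached => false` (the value the old spec used) gets no warning at all, and the same holds for any falsy value of hash_algorithms. Since both parameters now default to undef, the intent appears to be "was this set at all", which is `if $check_revocations_for_cached != undef {` and `if $hash_algorithms != undef {`. The spec change in this commit only deletes the old cinder_config expectations, so neither warning branch is exercised; a test that passes either parameter would pin the new behaviour. Whether keystone::resource::authtoken still clears the now-unmanaged keystone_authtoken/check_revocations_for_cached and hash_algorithms keys from cinder.conf, or leaves stale PKI settings in place, is outside this diff and worth confirming.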

+ 6
- 0
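--- a/releasenotes/notes/deprecate_pki_related_parameters-b09c74b4d98224c2.yaml
+++ b/releasenotes/notes/deprecate_pki_related_parameters-b09c74b4d98224c2.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - check_revocations_for_cached option is now deprecated for removal, the
+    parameter has no effect.
+  - hash_algorithms option is now deprecated for removal, the parameter
+    has no effect.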

+ 0
- 6
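--- a/spec/classes/cinder_keystone_authtoken_spec.rb
+++ b/spec/classes/cinder_keystone_authtoken_spec.rb
@@ -24,10 +24,8 @@ describe 'cinder::keystone::authtoken' do
         is_expected.to contain_cinder_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_cinder_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_cinder_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_cinder_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_cinder_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_cinder_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_cinder_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_cinder_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_cinder_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_cinder_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -63,10 +61,8 @@ describe 'cinder::keystone::authtoken' do
           :cache                                => 'somevalue',
           :cafile                               => '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -101,10 +97,8 @@ describe 'cinder::keystone::authtoken' do
         is_expected.to contain_cinder_config('keystone_authtoken/cache').with_value(params[:cache])
         is_expected.to contain_cinder_config('keystone_authtoken/cafile').with_value(params[:cafile])
         is_expected.to contain_cinder_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        is_expected.to contain_cinder_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_cinder_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_cinder_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_cinder_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_cinder_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_cinder_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_cinder_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])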
