
Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: Ic25814ff5d8a3134de59876c38da2c245c50d7ca
Closes-Bug: #1804562
Closes-Bug: #1804720
tags/14.2.0
ZhongShengping 10 months ago
parent
commit
f8692c4d7c

+ 30
- 21
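--- a/manifests/api/authtoken.pp
+++ b/manifests/api/authtoken.pp
@@ -63,12 +63,6 @@
 #   (Optional) Required if identity server requires client certificate
 #   Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#   (Optional) If true, the revocation list will be checked for cached tokens.
-#   This requires that PKI tokens are configured on the identity server.
-#   boolean value.
-#   Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components. Boolean
@@ -85,17 +79,6 @@
 #   must be present in tokens. String value.
 #   Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#   single algorithm or multiple. The algorithms are those supported by Python
-#   standard hashlib.new(). The hashes will be tried in the order given, so put
-#   the preferred one first for performance. The result of the first hash will
-#   be stored in the cache. This will typically be set to multiple values only
-#   while migrating from a less secure algorithm to a more secure one. Once all
-#   the old tokens are expired this option should be set to a single value for
-#   better performance. List value.
-#   Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #   (Optional) Request timeout value for communicating with Identity API
 #   server.
@@ -178,6 +161,25 @@
 #   (in seconds). Set to -1 to disable caching completely. Integer value
 #   Defaults to $::os_service_default.
 #
+# DEPRECATED PARAMETERS
+#
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to undef.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to undef.
+#
 class glance::api::authtoken(
   $username                       = 'glance',
   $password                       = $::os_service_default,
@@ -193,10 +195,8 @@ class glance::api::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -213,6 +213,9 @@ class glance::api::authtoken(
   $manage_memcache_package        = false,
   $region_name                    = $::os_service_default,
   $token_cache_time               = $::os_service_default,
+  # DEPRECATED PARAMETERS
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::glance::deps
@@ -221,6 +224,14 @@ class glance::api::authtoken(
     fail('Please set password for Glance service user')
   }
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   keystone::resource::authtoken { 'glance_api_config':
       username                       => $username,
       password                       => $password,
@@ -236,10 +247,8 @@ class glance::api::authtoken(
       cache                          => $cache,
       cafile                         => $cafile,
       certfile                       => $certfile,
-      check_revocations_for_cached   => $check_revocations_for_cached,
       delay_auth_decision            => $delay_auth_decision,
       enforce_token_bind             => $enforce_token_bind,
-      hash_algorithms                => $hash_algorithms,
       http_connect_timeout           => $http_connect_timeout,
       http_request_max_retries       => $http_request_max_retries,
       include_service_catalog        => $include_service_catalog,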
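Review bot: The deprecation guard `if $check_revocations_for_cached {` tests truthiness, so an operator who explicitly sets the parameter to `false` (the value the old spec passed) never sees the warning and keeps carrying a dead setting in their manifests; comparing against the new `undef` default, `if $check_revocations_for_cached != undef {` and likewise `if $hash_algorithms != undef {`, warns whenever the parameter is supplied at all, and the same applies to the identical hunk in manifests/registry/authtoken.pp. Because the two keys are no longer handed to keystone::resource::authtoken, a check_revocations_for_cached or hash_algorithms value already written to the keystone_authtoken section presumably stays in the config file unmanaged; if that resource does not remove keys it no longer manages, an explicit `ensure => absent` on those two glance_api_config entries would clear the stale PKI-era settings rather than leave them for the next reader to wonder about. The relocated parameter docs still describe the old behaviour as if it worked; a line such as `#   This parameter no longer has any effect.` under each deprecated entry would match the warning text. The class body continues outside the hunk.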

+ 30
- 21
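--- a/manifests/registry/authtoken.pp
+++ b/manifests/registry/authtoken.pp
@@ -63,12 +63,6 @@
 #   (Optional) Required if identity server requires client certificate
 #   Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#   (Optional) If true, the revocation list will be checked for cached tokens.
-#   This requires that PKI tokens are configured on the identity server.
-#   boolean value.
-#   Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components. Boolean
@@ -85,17 +79,6 @@
 #   must be present in tokens. String value.
 #   Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#   single algorithm or multiple. The algorithms are those supported by Python
-#   standard hashlib.new(). The hashes will be tried in the order given, so put
-#   the preferred one first for performance. The result of the first hash will
-#   be stored in the cache. This will typically be set to multiple values only
-#   while migrating from a less secure algorithm to a more secure one. Once all
-#   the old tokens are expired this option should be set to a single value for
-#   better performance. List value.
-#   Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #   (Optional) Request timeout value for communicating with Identity API
 #   server.
@@ -178,6 +161,25 @@
 #   (in seconds). Set to -1 to disable caching completely. Integer value
 #   Defaults to $::os_service_default.
 #
+# DEPRECATED PARAMETERS
+#
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to undef.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to undef.
+#
 class glance::registry::authtoken(
   $username                       = 'glance',
   $password                       = $::os_service_default,
@@ -193,10 +195,8 @@ class glance::registry::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -213,6 +213,9 @@ class glance::registry::authtoken(
   $manage_memcache_package        = false,
   $region_name                    = $::os_service_default,
   $token_cache_time               = $::os_service_default,
+  # DEPRECATED PARAMETERS
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::glance::deps
@@ -221,6 +224,14 @@ class glance::registry::authtoken(
     fail('Please set password for Glance service user')
   }
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   keystone::resource::authtoken { 'glance_registry_config':
       username                       => $username,
       password                       => $password,
@@ -236,10 +247,8 @@ class glance::registry::authtoken(
       cache                          => $cache,
       cafile                         => $cafile,
       certfile                       => $certfile,
-      check_revocations_for_cached   => $check_revocations_for_cached,
       delay_auth_decision            => $delay_auth_decision,
       enforce_token_bind             => $enforce_token_bind,
-      hash_algorithms                => $hash_algorithms,
       http_connect_timeout           => $http_connect_timeout,
       http_request_max_retries       => $http_request_max_retries,
       include_service_catalog        => $include_service_catalog,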

+ 6
- 0
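--- a/releasenotes/notes/deprecate_pki_related_parameters-aaee1a6471dd7e46.yaml
+++ b/releasenotes/notes/deprecate_pki_related_parameters-aaee1a6471dd7e46.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - check_revocations_for_cached option is now deprecated for removal, the
+    parameter has no effect.
+  - hash_algorithms option is now deprecated for removal, the parameter
+    has no effect.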

+ 0
- 6
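--- a/spec/classes/glance_api_authtoken_spec.rb
+++ b/spec/classes/glance_api_authtoken_spec.rb
@@ -25,10 +25,8 @@ describe 'glance::api::authtoken' do
         is_expected.to contain_glance_api_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_api_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_api_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_glance_api_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_api_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_api_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_glance_api_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_api_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_api_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_api_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -64,10 +62,8 @@ describe 'glance::api::authtoken' do
           :cache                                => 'somevalue',
           :cafile                               => '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -102,10 +98,8 @@ describe 'glance::api::authtoken' do
         is_expected.to contain_glance_api_config('keystone_authtoken/cache').with_value(params[:cache])
         is_expected.to contain_glance_api_config('keystone_authtoken/cafile').with_value(params[:cafile])
         is_expected.to contain_glance_api_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        is_expected.to contain_glance_api_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_glance_api_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_glance_api_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_glance_api_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_glance_api_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_glance_api_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_glance_api_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])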

+ 0
- 6
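--- a/spec/classes/glance_registry_authtoken_spec.rb
+++ b/spec/classes/glance_registry_authtoken_spec.rb
@@ -25,10 +25,8 @@ describe 'glance::registry::authtoken' do
         is_expected.to contain_glance_registry_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_registry_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_registry_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_glance_registry_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_registry_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_registry_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_glance_registry_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_registry_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_registry_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_registry_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -64,10 +62,8 @@ describe 'glance::registry::authtoken' do
           :cache                                => 'somevalue',
           :cafile                               => '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -102,10 +98,8 @@ describe 'glance::registry::authtoken' do
         is_expected.to contain_glance_registry_config('keystone_authtoken/cache').with_value(params[:cache])
         is_expected.to contain_glance_registry_config('keystone_authtoken/cafile').with_value(params[:cafile])
         is_expected.to contain_glance_registry_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        is_expected.to contain_glance_registry_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_glance_registry_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_glance_registry_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_glance_registry_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_glance_registry_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_glance_registry_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_glance_registry_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])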
