diff --git a/manifests/api/authtoken.pp b/manifests/api/authtoken.pp
index 58ed84cd..acabba28 100644
--- a/manifests/api/authtoken.pp
+++ b/manifests/api/authtoken.pp
@@ -63,12 +63,6 @@
 # (Optional) Required if identity server requires client certificate
 # Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-# (Optional) If true, the revocation list will be checked for cached tokens.
-# This requires that PKI tokens are configured on the identity server.
-# boolean value.
-# Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 # (Optional) Do not handle authorization requests within the middleware, but
 # delegate the authorization decision to downstream WSGI components. Boolean
@@ -85,17 +79,6 @@
 # must be present in tokens. String value.
 # Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-# single algorithm or multiple. The algorithms are those supported by Python
-# standard hashlib.new(). The hashes will be tried in the order given, so put
-# the preferred one first for performance. The result of the first hash will
-# be stored in the cache. This will typically be set to multiple values only
-# while migrating from a less secure algorithm to a more secure one. Once all
-# the old tokens are expired this option should be set to a single value for
-# better performance. List value.
-# Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 # (Optional) Request timeout value for communicating with Identity API
 # server.
@@ -178,6 +161,25 @@
 # (in seconds). Set to -1 to disable caching completely. Integer value
 # Defaults to $::os_service_default.
 #
+# DEPRECATED PARAMETERS
+#
+# [*check_revocations_for_cached*]
+# (Optional) If true, the revocation list will be checked for cached tokens.
+# This requires that PKI tokens are configured on the identity server.
+# boolean value.
+# Defaults to undef.
+#
+# [*hash_algorithms*]
+# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+# single algorithm or multiple. The algorithms are those supported by Python
+# standard hashlib.new(). The hashes will be tried in the order given, so put
+# the preferred one first for performance. The result of the first hash will
+# be stored in the cache. This will typically be set to multiple values only
+# while migrating from a less secure algorithm to a more secure one. Once all
+# the old tokens are expired this option should be set to a single value for
+# better performance. List value.
+# Defaults to undef.
+#
 class glance::api::authtoken(
 $username = 'glance',
 $password = $::os_service_default,
@@ -193,10 +195,8 @@ class glance::api::authtoken(
 $cache = $::os_service_default,
 $cafile = $::os_service_default,
 $certfile = $::os_service_default,
- $check_revocations_for_cached = $::os_service_default,
 $delay_auth_decision = $::os_service_default,
 $enforce_token_bind = $::os_service_default,
- $hash_algorithms = $::os_service_default,
 $http_connect_timeout = $::os_service_default,
 $http_request_max_retries = $::os_service_default,
 $include_service_catalog = $::os_service_default,
@@ -213,6 +213,9 @@ class glance::api::authtoken(
 $manage_memcache_package = false,
 $region_name = $::os_service_default,
 $token_cache_time = $::os_service_default,
+ # DEPRECATED PARAMETERS
+ $check_revocations_for_cached = undef,
+ $hash_algorithms = undef,
 ) {
 
 include ::glance::deps
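Review bot: The new DEPRECATED PARAMETERS entries in the `@@ -178` hunk still document the original semantics ("If true, the revocation list will be checked for cached tokens", "Hash algorithms to use for hashing PKI tokens"), while the class body no longer forwards either value, so a reader of the header is told the option does something it does not. Each entry should say so up front, e.g. `# (Optional) Deprecated. Has no effect and will be removed in a future release.` followed by the existing `# Defaults to undef.`, and the historical description can be dropped. The same wording appears in the corresponding hunk of manifests/registry/authtoken.pp and should be changed there too.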
@@ -221,6 +224,14 @@ class glance::api::authtoken(
 fail('Please set password for Glance service user')
 }
 
+ if $check_revocations_for_cached {
+ warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+ }
+
+ if $hash_algorithms {
+ warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+ }
+
 keystone::resource::authtoken { 'glance_api_config':
 username => $username,
 password => $password,
@@ -236,10 +247,8 @@ class glance::api::authtoken(
 cache => $cache,
 cafile => $cafile,
 certfile => $certfile,
- check_revocations_for_cached => $check_revocations_for_cached,
 delay_auth_decision => $delay_auth_decision,
 enforce_token_bind => $enforce_token_bind,
- hash_algorithms => $hash_algorithms,
 http_connect_timeout => $http_connect_timeout,
 http_request_max_retries => $http_request_max_retries,
 include_service_catalog => $include_service_catalog,
diff --git a/manifests/registry/authtoken.pp b/manifests/registry/authtoken.pp
index 05d39df5..37876611 100644
--- a/manifests/registry/authtoken.pp
+++ b/manifests/registry/authtoken.pp
@@ -63,12 +63,6 @@
 # (Optional) Required if identity server requires client certificate
 # Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-# (Optional) If true, the revocation list will be checked for cached tokens.
-# This requires that PKI tokens are configured on the identity server.
-# boolean value.
-# Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 # (Optional) Do not handle authorization requests within the middleware, but
 # delegate the authorization decision to downstream WSGI components. Boolean
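Review bot: The deprecation guards in the `@@ -221` hunk test truthiness, so an operator who explicitly sets `check_revocations_for_cached => false` (the value the old spec passed) gets no warning even though the parameter is set and ignored; compare against the new default instead: `if $check_revocations_for_cached != undef {` and `if $hash_algorithms != undef {`. Because the two keys are also dropped from the `keystone::resource::authtoken` resource in the `@@ -236` hunk, a value already written to the `keystone_authtoken` section by an earlier run is presumably left in place rather than removed, so "has no effect" in the warning may not match what remains in the config file; worth a sentence in the release note if that is the intended behaviour. The same guards appear in the corresponding hunk of manifests/registry/authtoken.pp.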
@@ -85,17 +79,6 @@
 # must be present in tokens. String value.
 # Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-# single algorithm or multiple. The algorithms are those supported by Python
-# standard hashlib.new(). The hashes will be tried in the order given, so put
-# the preferred one first for performance. The result of the first hash will
-# be stored in the cache. This will typically be set to multiple values only
-# while migrating from a less secure algorithm to a more secure one. Once all
-# the old tokens are expired this option should be set to a single value for
-# better performance. List value.
-# Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 # (Optional) Request timeout value for communicating with Identity API
 # server.
@@ -178,6 +161,25 @@
 # (in seconds). Set to -1 to disable caching completely. Integer value
 # Defaults to $::os_service_default.
 #
+# DEPRECATED PARAMETERS
+#
+# [*check_revocations_for_cached*]
+# (Optional) If true, the revocation list will be checked for cached tokens.
+# This requires that PKI tokens are configured on the identity server.
+# boolean value.
+# Defaults to undef.
+#
+# [*hash_algorithms*]
+# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+# single algorithm or multiple. The algorithms are those supported by Python
+# standard hashlib.new(). The hashes will be tried in the order given, so put
+# the preferred one first for performance. The result of the first hash will
+# be stored in the cache. This will typically be set to multiple values only
+# while migrating from a less secure algorithm to a more secure one. Once all
+# the old tokens are expired this option should be set to a single value for
+# better performance. List value.
+# Defaults to undef.
+#
 class glance::registry::authtoken(
 $username = 'glance',
 $password = $::os_service_default,
@@ -193,10 +195,8 @@ class glance::registry::authtoken(
 $cache = $::os_service_default,
 $cafile = $::os_service_default,
 $certfile = $::os_service_default,
- $check_revocations_for_cached = $::os_service_default,
 $delay_auth_decision = $::os_service_default,
 $enforce_token_bind = $::os_service_default,
- $hash_algorithms = $::os_service_default,
 $http_connect_timeout = $::os_service_default,
 $http_request_max_retries = $::os_service_default,
 $include_service_catalog = $::os_service_default,
@@ -213,6 +213,9 @@ class glance::registry::authtoken(
 $manage_memcache_package = false,
 $region_name = $::os_service_default,
 $token_cache_time = $::os_service_default,
+ # DEPRECATED PARAMETERS
+ $check_revocations_for_cached = undef,
+ $hash_algorithms = undef,
 ) {
 
 include ::glance::deps
@@ -221,6 +224,14 @@ class glance::registry::authtoken(
 fail('Please set password for Glance service user')
 }
 
+ if $check_revocations_for_cached {
+ warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+ }
+
+ if $hash_algorithms {
+ warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+ }
+
 keystone::resource::authtoken { 'glance_registry_config':
 username => $username,
 password => $password,
@@ -236,10 +247,8 @@ class glance::registry::authtoken(
 cache => $cache,
 cafile => $cafile,
 certfile => $certfile,
- check_revocations_for_cached => $check_revocations_for_cached,
 delay_auth_decision => $delay_auth_decision,
 enforce_token_bind => $enforce_token_bind,
- hash_algorithms => $hash_algorithms,
 http_connect_timeout => $http_connect_timeout,
 http_request_max_retries => $http_request_max_retries,
 include_service_catalog => $include_service_catalog,
diff --git a/releasenotes/notes/deprecate_pki_related_parameters-aaee1a6471dd7e46.yaml b/releasenotes/notes/deprecate_pki_related_parameters-aaee1a6471dd7e46.yaml
new file mode 100644
index 00000000..7aa4e60a
--- /dev/null
+++ b/releasenotes/notes/deprecate_pki_related_parameters-aaee1a6471dd7e46.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+ - check_revocations_for_cached option is now deprecated for removal, the
+ parameter has no effect.
+ - hash_algorithms option is now deprecated for removal, the parameter
+ has no effect.
diff --git a/spec/classes/glance_api_authtoken_spec.rb b/spec/classes/glance_api_authtoken_spec.rb
index bf8417f8..d7bb59f0 100644
--- a/spec/classes/glance_api_authtoken_spec.rb
+++ b/spec/classes/glance_api_authtoken_spec.rb
@@ -25,10 +25,8 @@ describe 'glance::api::authtoken' do
 is_expected.to contain_glance_api_config('keystone_authtoken/cache').with_value('')
 is_expected.to contain_glance_api_config('keystone_authtoken/cafile').with_value('')
 is_expected.to contain_glance_api_config('keystone_authtoken/certfile').with_value('')
- is_expected.to contain_glance_api_config('keystone_authtoken/check_revocations_for_cached').with_value('')
 is_expected.to contain_glance_api_config('keystone_authtoken/delay_auth_decision').with_value('')
 is_expected.to contain_glance_api_config('keystone_authtoken/enforce_token_bind').with_value('')
- is_expected.to contain_glance_api_config('keystone_authtoken/hash_algorithms').with_value('')
 is_expected.to contain_glance_api_config('keystone_authtoken/http_connect_timeout').with_value('')
 is_expected.to contain_glance_api_config('keystone_authtoken/http_request_max_retries').with_value('')
 is_expected.to contain_glance_api_config('keystone_authtoken/include_service_catalog').with_value('')
@@ -64,10 +62,8 @@ describe 'glance::api::authtoken' do
 :cache => 'somevalue',
 :cafile => '/opt/stack/data/cafile.pem',
 :certfile => 'certfile.crt',
- :check_revocations_for_cached => false,
 :delay_auth_decision => false,
 :enforce_token_bind => 'permissive',
- :hash_algorithms => 'md5',
 :http_connect_timeout => '300',
 :http_request_max_retries => '3',
 :include_service_catalog => true,
@@ -102,10 +98,8 @@ describe 'glance::api::authtoken' do
 is_expected.to contain_glance_api_config('keystone_authtoken/cache').with_value(params[:cache])
 is_expected.to contain_glance_api_config('keystone_authtoken/cafile').with_value(params[:cafile])
 is_expected.to contain_glance_api_config('keystone_authtoken/certfile').with_value(params[:certfile])
- is_expected.to contain_glance_api_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
 is_expected.to contain_glance_api_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
 is_expected.to contain_glance_api_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
- is_expected.to contain_glance_api_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
 is_expected.to contain_glance_api_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
 is_expected.to contain_glance_api_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
 is_expected.to contain_glance_api_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
diff --git a/spec/classes/glance_registry_authtoken_spec.rb b/spec/classes/glance_registry_authtoken_spec.rb
index f964f903..266c8711 100644
--- a/spec/classes/glance_registry_authtoken_spec.rb
+++ b/spec/classes/glance_registry_authtoken_spec.rb
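Review bot: The spec changes only delete the assertions for the two removed keys; nothing exercises the new deprecated-parameter path, so a regression that re-forwards the values into `glance_api_config`, or a compile failure when an operator still sets them, would pass CI unnoticed. A context that sets the deprecated parameters (for example the `:check_revocations_for_cached => false, :hash_algorithms => 'md5'` pair the old `@@ -64` hunk used) and asserts `is_expected.not_to contain_glance_api_config('keystone_authtoken/check_revocations_for_cached')` and `is_expected.not_to contain_glance_api_config('keystone_authtoken/hash_algorithms')` would pin the intended behaviour. The `@@ -102` hunk sits inside an `it` block whose start and end are outside the hunk. The registry spec hunks in spec/classes/glance_registry_authtoken_spec.rb have the same gap.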
@@ -25,10 +25,8 @@ describe 'glance::registry::authtoken' do
 is_expected.to contain_glance_registry_config('keystone_authtoken/cache').with_value('')
 is_expected.to contain_glance_registry_config('keystone_authtoken/cafile').with_value('')
 is_expected.to contain_glance_registry_config('keystone_authtoken/certfile').with_value('')
- is_expected.to contain_glance_registry_config('keystone_authtoken/check_revocations_for_cached').with_value('')
 is_expected.to contain_glance_registry_config('keystone_authtoken/delay_auth_decision').with_value('')
 is_expected.to contain_glance_registry_config('keystone_authtoken/enforce_token_bind').with_value('')
- is_expected.to contain_glance_registry_config('keystone_authtoken/hash_algorithms').with_value('')
 is_expected.to contain_glance_registry_config('keystone_authtoken/http_connect_timeout').with_value('')
 is_expected.to contain_glance_registry_config('keystone_authtoken/http_request_max_retries').with_value('')
 is_expected.to contain_glance_registry_config('keystone_authtoken/include_service_catalog').with_value('')
@@ -64,10 +62,8 @@ describe 'glance::registry::authtoken' do
 :cache => 'somevalue',
 :cafile => '/opt/stack/data/cafile.pem',
 :certfile => 'certfile.crt',
- :check_revocations_for_cached => false,
 :delay_auth_decision => false,
 :enforce_token_bind => 'permissive',
- :hash_algorithms => 'md5',
 :http_connect_timeout => '300',
 :http_request_max_retries => '3',
 :include_service_catalog => true,
@@ -102,10 +98,8 @@ describe 'glance::registry::authtoken' do
 is_expected.to contain_glance_registry_config('keystone_authtoken/cache').with_value(params[:cache])
 is_expected.to contain_glance_registry_config('keystone_authtoken/cafile').with_value(params[:cafile])
 is_expected.to contain_glance_registry_config('keystone_authtoken/certfile').with_value(params[:certfile])
- is_expected.to contain_glance_registry_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
 is_expected.to contain_glance_registry_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
 is_expected.to contain_glance_registry_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
- is_expected.to contain_glance_registry_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
 is_expected.to contain_glance_registry_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
 is_expected.to contain_glance_registry_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
 is_expected.to contain_glance_registry_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])