Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: Icd78fb502f2c4d3eaecdd8bbe78f42e12b74f937
Closes-Bug: #1804562
Closes-Bug: #1804720
ZhongShengping 2018-11-22 11:31:57 +08:00
parent 07ed82e319
commit d41875954d
5 changed files with 60 additions and 54 deletions


@ -63,12 +63,6 @@
# (Optional) Required if identity server requires client certificate # (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default. # Defaults to $::os_service_default.
# #
# [*check_revocations_for_cached*]
# (Optional) If true, the revocation list will be checked for cached tokens.
# This requires that PKI tokens are configured on the identity server.
# boolean value.
# Defaults to $::os_service_default.
#
# [*delay_auth_decision*] # [*delay_auth_decision*]
# (Optional) Do not handle authorization requests within the middleware, but # (Optional) Do not handle authorization requests within the middleware, but
# delegate the authorization decision to downstream WSGI components. Boolean # delegate the authorization decision to downstream WSGI components. Boolean
@ -85,17 +79,6 @@
# must be present in tokens. String value. # must be present in tokens. String value.
# Defaults to $::os_service_default. # Defaults to $::os_service_default.
# #
# [*hash_algorithms*]
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given, so put
# the preferred one first for performance. The result of the first hash will
# be stored in the cache. This will typically be set to multiple values only
# while migrating from a less secure algorithm to a more secure one. Once all
# the old tokens are expired this option should be set to a single value for
# better performance. List value.
# Defaults to $::os_service_default.
#
# [*http_connect_timeout*] # [*http_connect_timeout*]
# (Optional) Request timeout value for communicating with Identity API # (Optional) Request timeout value for communicating with Identity API
# server. # server.
@ -184,6 +167,23 @@
# (Optional) Complete public Identity API endpoint. # (Optional) Complete public Identity API endpoint.
# Defaults to undef # Defaults to undef
# #
# [*check_revocations_for_cached*]
# (Optional) If true, the revocation list will be checked for cached tokens.
# This requires that PKI tokens are configured on the identity server.
# boolean value.
# Defaults to undef.
#
# [*hash_algorithms*]
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given, so put
# the preferred one first for performance. The result of the first hash will
# be stored in the cache. This will typically be set to multiple values only
# while migrating from a less secure algorithm to a more secure one. Once all
# the old tokens are expired this option should be set to a single value for
# better performance. List value.
# Defaults to undef.
#
class ironic::api::authtoken( class ironic::api::authtoken(
$username = 'ironic', $username = 'ironic',
$password = $::os_service_default, $password = $::os_service_default,
@ -199,10 +199,8 @@ class ironic::api::authtoken(
$cache = $::os_service_default, $cache = $::os_service_default,
$cafile = $::os_service_default, $cafile = $::os_service_default,
$certfile = $::os_service_default, $certfile = $::os_service_default,
$check_revocations_for_cached = $::os_service_default,
$delay_auth_decision = $::os_service_default, $delay_auth_decision = $::os_service_default,
$enforce_token_bind = $::os_service_default, $enforce_token_bind = $::os_service_default,
$hash_algorithms = $::os_service_default,
$http_connect_timeout = $::os_service_default, $http_connect_timeout = $::os_service_default,
$http_request_max_retries = $::os_service_default, $http_request_max_retries = $::os_service_default,
$include_service_catalog = $::os_service_default, $include_service_catalog = $::os_service_default,
@ -221,6 +219,8 @@ class ironic::api::authtoken(
$token_cache_time = $::os_service_default, $token_cache_time = $::os_service_default,
# DEPRECATED PARAMETERS # DEPRECATED PARAMETERS
$auth_uri = undef, $auth_uri = undef,
$check_revocations_for_cached = undef,
$hash_algorithms = undef,
) { ) {
include ::ironic::deps include ::ironic::deps
@ -234,6 +234,14 @@ class ironic::api::authtoken(
} }
$www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri) $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
if $check_revocations_for_cached {
warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
}
if $hash_algorithms {
warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
}
keystone::resource::authtoken { 'ironic_config': keystone::resource::authtoken { 'ironic_config':
username => $username, username => $username,
password => $password, password => $password,
@ -249,10 +257,8 @@ class ironic::api::authtoken(
cache => $cache, cache => $cache,
cafile => $cafile, cafile => $cafile,
certfile => $certfile, certfile => $certfile,
check_revocations_for_cached => $check_revocations_for_cached,
delay_auth_decision => $delay_auth_decision, delay_auth_decision => $delay_auth_decision,
enforce_token_bind => $enforce_token_bind, enforce_token_bind => $enforce_token_bind,
hash_algorithms => $hash_algorithms,
http_connect_timeout => $http_connect_timeout, http_connect_timeout => $http_connect_timeout,
http_request_max_retries => $http_request_max_retries, http_request_max_retries => $http_request_max_retries,
include_service_catalog => $include_service_catalog, include_service_catalog => $include_service_catalog,
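Review bot: The deprecation guards `if $check_revocations_for_cached {` and `if $hash_algorithms {` only fire for truthy values, so an operator who explicitly sets `check_revocations_for_cached => false` (the value the old spec passed) gets no warning even though the parameter is now silently ignored; since the new default is `undef`, `if $check_revocations_for_cached != undef {` and `if $hash_algorithms != undef {` would catch every explicit setting. The parameter docs moved under the DEPRECATED section still describe the options as live; prefix each with `(Optional) DEPRECATED. Has no effect; PKI tokens are no longer supported.` so a reader does not assume revocation checks are still applied to cached tokens. It would also help to say, in the docs or the release note, that any `keystone_authtoken/check_revocations_for_cached` and `keystone_authtoken/hash_algorithms` keys previously written to ironic.conf are presumably no longer managed by this class once they are dropped from the keystone::resource::authtoken call, and should be removed by the operator — I cannot confirm from here how that resource treats absent parameters. The class body continues outside the hunk.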


@ -63,12 +63,6 @@
# (Optional) Required if identity server requires client certificate # (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default. # Defaults to $::os_service_default.
# #
# [*check_revocations_for_cached*]
# (Optional) If true, the revocation list will be checked for cached tokens.
# This requires that PKI tokens are configured on the identity server.
# boolean value.
# Defaults to $::os_service_default.
#
# [*delay_auth_decision*] # [*delay_auth_decision*]
# (Optional) Do not handle authorization requests within the middleware, but # (Optional) Do not handle authorization requests within the middleware, but
# delegate the authorization decision to downstream WSGI components. Boolean # delegate the authorization decision to downstream WSGI components. Boolean
@ -85,17 +79,6 @@
# must be present in tokens. String value. # must be present in tokens. String value.
# Defaults to $::os_service_default. # Defaults to $::os_service_default.
# #
# [*hash_algorithms*]
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given, so put
# the preferred one first for performance. The result of the first hash will
# be stored in the cache. This will typically be set to multiple values only
# while migrating from a less secure algorithm to a more secure one. Once all
# the old tokens are expired this option should be set to a single value for
# better performance. List value.
# Defaults to $::os_service_default.
#
# [*http_connect_timeout*] # [*http_connect_timeout*]
# (Optional) Request timeout value for communicating with Identity API # (Optional) Request timeout value for communicating with Identity API
# server. # server.
@ -184,6 +167,23 @@
# (Optional) Complete public Identity API endpoint. # (Optional) Complete public Identity API endpoint.
# Defaults to undef # Defaults to undef
# #
# [*check_revocations_for_cached*]
# (Optional) If true, the revocation list will be checked for cached tokens.
# This requires that PKI tokens are configured on the identity server.
# boolean value.
# Defaults to undef.
#
# [*hash_algorithms*]
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given, so put
# the preferred one first for performance. The result of the first hash will
# be stored in the cache. This will typically be set to multiple values only
# while migrating from a less secure algorithm to a more secure one. Once all
# the old tokens are expired this option should be set to a single value for
# better performance. List value.
# Defaults to undef.
#
class ironic::inspector::authtoken( class ironic::inspector::authtoken(
$username = 'ironic', $username = 'ironic',
$password = $::os_service_default, $password = $::os_service_default,
@ -199,10 +199,8 @@ class ironic::inspector::authtoken(
$cache = $::os_service_default, $cache = $::os_service_default,
$cafile = $::os_service_default, $cafile = $::os_service_default,
$certfile = $::os_service_default, $certfile = $::os_service_default,
$check_revocations_for_cached = $::os_service_default,
$delay_auth_decision = $::os_service_default, $delay_auth_decision = $::os_service_default,
$enforce_token_bind = $::os_service_default, $enforce_token_bind = $::os_service_default,
$hash_algorithms = $::os_service_default,
$http_connect_timeout = $::os_service_default, $http_connect_timeout = $::os_service_default,
$http_request_max_retries = $::os_service_default, $http_request_max_retries = $::os_service_default,
$include_service_catalog = $::os_service_default, $include_service_catalog = $::os_service_default,
@ -221,6 +219,8 @@ class ironic::inspector::authtoken(
$token_cache_time = $::os_service_default, $token_cache_time = $::os_service_default,
# DEPRECATED PARAMETERS # DEPRECATED PARAMETERS
$auth_uri = undef, $auth_uri = undef,
$check_revocations_for_cached = undef,
$hash_algorithms = undef,
) { ) {
include ::ironic::deps include ::ironic::deps
@ -234,6 +234,14 @@ class ironic::inspector::authtoken(
} }
$www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri) $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
if $check_revocations_for_cached {
warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
}
if $hash_algorithms {
warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
}
keystone::resource::authtoken { 'ironic_inspector_config': keystone::resource::authtoken { 'ironic_inspector_config':
username => $username, username => $username,
password => $password, password => $password,
@ -249,10 +257,8 @@ class ironic::inspector::authtoken(
cache => $cache, cache => $cache,
cafile => $cafile, cafile => $cafile,
certfile => $certfile, certfile => $certfile,
check_revocations_for_cached => $check_revocations_for_cached,
delay_auth_decision => $delay_auth_decision, delay_auth_decision => $delay_auth_decision,
enforce_token_bind => $enforce_token_bind, enforce_token_bind => $enforce_token_bind,
hash_algorithms => $hash_algorithms,
http_connect_timeout => $http_connect_timeout, http_connect_timeout => $http_connect_timeout,
http_request_max_retries => $http_request_max_retries, http_request_max_retries => $http_request_max_retries,
include_service_catalog => $include_service_catalog, include_service_catalog => $include_service_catalog,
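Review bot: As in the api manifest, the guards `if $check_revocations_for_cached {` and `if $hash_algorithms {` skip the warning for an explicit `false` (or an empty list), so not every operator who still sets these now-ignored parameters will be told; with `undef` as the default, `if $check_revocations_for_cached != undef {` and `if $hash_algorithms != undef {` report every explicit value. The relocated parameter docs should also be marked, e.g. `(Optional) DEPRECATED. Has no effect; PKI tokens are no longer supported.`, rather than repeating the original description of behaviour that no longer happens. The class body continues outside the hunk.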


@ -0,0 +1,6 @@
---
deprecations:
- check_revocations_for_cached option is now deprecated for removal, the
parameter has no effect.
- hash_algorithms option is now deprecated for removal, the parameter
has no effect.


@ -25,10 +25,8 @@ describe 'ironic::api::authtoken' do
is_expected.to contain_ironic_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@ -64,10 +62,8 @@ describe 'ironic::api::authtoken' do
:cache => 'somevalue', :cache => 'somevalue',
:cafile => '/opt/stack/data/cafile.pem', :cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt', :certfile => 'certfile.crt',
:check_revocations_for_cached => false,
:delay_auth_decision => false, :delay_auth_decision => false,
:enforce_token_bind => 'permissive', :enforce_token_bind => 'permissive',
:hash_algorithms => 'md5',
:http_connect_timeout => '300', :http_connect_timeout => '300',
:http_request_max_retries => '3', :http_request_max_retries => '3',
:include_service_catalog => true, :include_service_catalog => true,
@ -102,10 +98,8 @@ describe 'ironic::api::authtoken' do
is_expected.to contain_ironic_config('keystone_authtoken/cache').with_value(params[:cache]) is_expected.to contain_ironic_config('keystone_authtoken/cache').with_value(params[:cache])
is_expected.to contain_ironic_config('keystone_authtoken/cafile').with_value(params[:cafile]) is_expected.to contain_ironic_config('keystone_authtoken/cafile').with_value(params[:cafile])
is_expected.to contain_ironic_config('keystone_authtoken/certfile').with_value(params[:certfile]) is_expected.to contain_ironic_config('keystone_authtoken/certfile').with_value(params[:certfile])
is_expected.to contain_ironic_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
is_expected.to contain_ironic_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision]) is_expected.to contain_ironic_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
is_expected.to contain_ironic_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind]) is_expected.to contain_ironic_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
is_expected.to contain_ironic_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
is_expected.to contain_ironic_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout]) is_expected.to contain_ironic_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
is_expected.to contain_ironic_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries]) is_expected.to contain_ironic_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
is_expected.to contain_ironic_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog]) is_expected.to contain_ironic_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])


@ -25,10 +25,8 @@ describe 'ironic::inspector::authtoken' do
is_expected.to contain_ironic_inspector_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_inspector_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_inspector_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_inspector_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_inspector_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_inspector_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
is_expected.to contain_ironic_inspector_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>') is_expected.to contain_ironic_inspector_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@ -64,10 +62,8 @@ describe 'ironic::inspector::authtoken' do
:cache => 'somevalue', :cache => 'somevalue',
:cafile => '/opt/stack/data/cafile.pem', :cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt', :certfile => 'certfile.crt',
:check_revocations_for_cached => false,
:delay_auth_decision => false, :delay_auth_decision => false,
:enforce_token_bind => 'permissive', :enforce_token_bind => 'permissive',
:hash_algorithms => 'md5',
:http_connect_timeout => '300', :http_connect_timeout => '300',
:http_request_max_retries => '3', :http_request_max_retries => '3',
:include_service_catalog => true, :include_service_catalog => true,
@ -102,10 +98,8 @@ describe 'ironic::inspector::authtoken' do
is_expected.to contain_ironic_inspector_config('keystone_authtoken/cache').with_value(params[:cache]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/cache').with_value(params[:cache])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/cafile').with_value(params[:cafile]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/cafile').with_value(params[:cafile])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/certfile').with_value(params[:certfile]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/certfile').with_value(params[:certfile])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
is_expected.to contain_ironic_inspector_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog]) is_expected.to contain_ironic_inspector_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])