Make fernet the default token provider

Fernet tokens have been the default provider for keystone for some time
and we deprecated them in Newton. This change switches to use fernet
tokens as the default for the keystone class.

Change-Id: I15504f694c0ce5d35907585a8d5d61893cfe95ee
Alex Schultz 2016-10-20 13:06:12 -06:00
parent 0f8ef09dfb
commit 453f766213
3 changed files with 10 additions and 9 deletions


@ -64,7 +64,7 @@
#
# [*token_provider*]
# (optional) Format keystone uses for tokens.
# Defaults to 'uuid'
# Defaults to 'fernet'
# Supports pki, pkiz, fernet, and uuid.
#
# [*token_driver*]
@ -403,7 +403,7 @@
# run on a single node, then the keys are replicated to the other nodes
# in a cluster. You would typically also pair this with a fernet token
# provider setting.
# Defaults to false
# Defaults to true
#
# [*fernet_key_repository*]
# (Optional) Location for the fernet key repository. This value must
@ -664,7 +664,7 @@ class keystone(
$catalog_type = 'sql',
$catalog_driver = false,
$catalog_template_file = '/etc/keystone/default_catalog.templates',
$token_provider = 'uuid',
$token_provider = 'fernet',
$token_driver = 'sql',
$token_expiration = 3600,
$revoke_driver = $::os_service_default,
@ -721,7 +721,7 @@ class keystone(
$service_name = $::keystone::params::service_name,
$max_token_size = $::os_service_default,
$sync_db = true,
$enable_fernet_setup = false,
$enable_fernet_setup = true,
$fernet_key_repository = '/etc/keystone/fernet-keys',
$fernet_max_active_keys = $::os_service_default,
$fernet_keys = false,
@ -767,10 +767,6 @@ class keystone(
include ::keystone::deps
include ::keystone::logging
if $token_provider == 'uuid' {
warning("Fernet token is recommended in Mitaka release. The default for token_provider will be changed to 'fernet' in O release.")
}
if $service_provider {
warning("service_provider is deprecated, does nothing and will be removed in a future release, \
use a Puppet resource collector if you want to modify the service provider.")
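Review bot: The new `$enable_fernet_setup = true` default (class parameter hunk at -721) presumably makes every node that applies this class with defaults set up its own key repository, while the parameter documentation in the -403 hunk still describes the setup as run on a single node with the keys then replicated to the others. If each node generates independent keys, a token issued by one keystone node would presumably fail validation on another, so the doc should say what multi-node deployments must do now that the default is true. Suggested addition under `[*enable_fernet_setup*]`: `# On multi-node deployments every node must end up with the same keys; set this to false on the other nodes or distribute one key set (see fernet_keys).` The class body that consumes the parameter is outside the visible hunks, so the exact behaviour should be confirmed there. Because the repository holds the keys that encrypt and sign tokens, the docs for `fernet_key_repository` should also state the expected owner and mode of that directory.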


@ -0,0 +1,5 @@
---
upgrade:
- Fernet token is now the default token provider for keystone.
- keystone::enable_fernet_setup is now true by default to ensure fernet tokens
work out of the box.


@ -30,7 +30,7 @@ describe 'keystone' do
'use_stderr' => true,
'catalog_type' => 'sql',
'catalog_driver' => false,
'token_provider' => 'uuid',
'token_provider' => 'fernet',
'token_driver' => 'sql',
'revoke_driver' => 'sql',
'revoke_by_id' => true,