Deprecate PKI signing related parameter
PKI token support has been deprecated in the M release and will be removed in the O release, fernet or UUID tokens are recommended. Therefore, warning to deprecated PKI signing related parameters(signing_certfile, signing_keyfile, signing_ca_certs, signing_ca_key, signing_cert_subject, signing_key_size). Change-Id: I6c481abce0b917a5d16e207b51b15337f150c908
This commit is contained in:
ZhongShengping
parent
e16782d699
commit
617fa98dcc
|
|
@ -187,43 +187,6 @@
|
|||
# (optional) If set, use this value for max_overflow with sqlalchemy.
|
||||
# Defaults to: undef
|
||||
#
|
||||
# [*enable_pki_setup*]
|
||||
# (optional) Enable call to pki_setup to generate the cert for signing pki tokens and
|
||||
# revocation lists if it doesn't already exist. This generates a cert and key stored in file
|
||||
# locations based on the signing_certfile and signing_keyfile paramters below. If you are
|
||||
# providing your own signing cert, make this false.
|
||||
# Default to false.
|
||||
#
|
||||
# [*signing_certfile*]
|
||||
# (optional) Location of the cert file for signing pki tokens and revocation lists.
|
||||
# Note that if this file already exists (i.e. you are providing your own signing cert),
|
||||
# the file will not be overwritten, even if enable_pki_setup is set to true.
|
||||
# Default: /etc/keystone/ssl/certs/signing_cert.pem
|
||||
#
|
||||
# [*signing_keyfile*]
|
||||
# (optional) Location of the key file for signing pki tokens and revocation lists.
|
||||
# Note that if this file already exists (i.e. you are providing your own signing cert), the file
|
||||
# will not be overwritten, even if enable_pki_setup is set to true.
|
||||
# Default: /etc/keystone/ssl/private/signing_key.pem
|
||||
#
|
||||
# [*signing_ca_certs*]
|
||||
# (optional) Use this CA certs file along with signing_certfile/signing_keyfile for
|
||||
# signing pki tokens and revocation lists.
|
||||
# Default: /etc/keystone/ssl/certs/ca.pem
|
||||
#
|
||||
# [*signing_ca_key*]
|
||||
# (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing
|
||||
# pki tokens and revocation lists.
|
||||
# Default: /etc/keystone/ssl/private/cakey.pem
|
||||
#
|
||||
# [*signing_cert_subject*]
|
||||
# (optional) Certificate subject (auto generated certificate) for token signing.
|
||||
# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'
|
||||
#
|
||||
# [*signing_key_size*]
|
||||
# (optional) Key size (in bits) for token signing cert (auto generated certificate)
|
||||
# Defaults to 2048
|
||||
#
|
||||
# [*rabbit_host*]
|
||||
# (optional) Location of rabbitmq installation.
|
||||
# Defaults to $::os_service_default
|
||||
|
|
@ -541,12 +504,49 @@
|
|||
# DEPRECATED PARAMETERS
|
||||
#
|
||||
# [*service_provider*]
|
||||
# (optional) DEPRECATED. Provider, that can be used for keystone service.
|
||||
# (optional) Deprecated. Provider, that can be used for keystone service.
|
||||
#
|
||||
# [*verbose*]
|
||||
# (optional) DEPRECATED. Rather keystone should log at verbose level.
|
||||
# (optional) Deprecated. Rather keystone should log at verbose level.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*enable_pki_setup*]
|
||||
# (optional) Deprecated. Enable call to pki_setup to generate the cert for signing pki tokens and
|
||||
# revocation lists if it doesn't already exist. This generates a cert and key stored in file
|
||||
# locations based on the signing_certfile and signing_keyfile paramters below. If you are
|
||||
# providing your own signing cert, make this false.
|
||||
# Default to undef.
|
||||
#
|
||||
# [*signing_certfile*]
|
||||
# (optional) Deprecated. Location of the cert file for signing pki tokens and revocation lists.
|
||||
# Note that if this file already exists (i.e. you are providing your own signing cert),
|
||||
# the file will not be overwritten, even if enable_pki_setup is set to true.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*signing_keyfile*]
|
||||
# (optional) Deprecated. Location of the key file for signing pki tokens and revocation lists.
|
||||
# Note that if this file already exists (i.e. you are providing your own signing cert), the file
|
||||
# will not be overwritten, even if enable_pki_setup is set to true.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*signing_ca_certs*]
|
||||
# (optional) Deprecated. Use this CA certs file along with signing_certfile/signing_keyfile for
|
||||
# signing pki tokens and revocation lists.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*signing_ca_key*]
|
||||
# (optional) Deprecated. Use this CA key file along with signing_certfile/signing_keyfile for signing
|
||||
# pki tokens and revocation lists.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*signing_cert_subject*]
|
||||
# (optional) Deprecated. Certificate subject (auto generated certificate) for token signing.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*signing_key_size*]
|
||||
# (optional) Deprecated. Key size (in bits) for token signing cert (auto generated certificate)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# == Dependencies
|
||||
# None
|
||||
#
|
||||
|
|
@ -625,13 +625,6 @@ class keystone(
|
|||
$database_min_pool_size = undef,
|
||||
$database_max_pool_size = undef,
|
||||
$database_max_overflow = undef,
|
||||
$enable_pki_setup = false,
|
||||
$signing_certfile = '/etc/keystone/ssl/certs/signing_cert.pem',
|
||||
$signing_keyfile = '/etc/keystone/ssl/private/signing_key.pem',
|
||||
$signing_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
|
||||
$signing_ca_key = '/etc/keystone/ssl/private/cakey.pem',
|
||||
$signing_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
|
||||
$signing_key_size = 2048,
|
||||
$rabbit_host = $::os_service_default,
|
||||
$rabbit_hosts = $::os_service_default,
|
||||
$rabbit_password = $::os_service_default,
|
||||
|
|
@ -683,6 +676,13 @@ class keystone(
|
|||
$public_workers = max($::processorcount, 2),
|
||||
$service_provider = undef,
|
||||
$verbose = undef,
|
||||
$enable_pki_setup = undef,
|
||||
$signing_certfile = $::os_service_default,
|
||||
$signing_keyfile = $::os_service_default,
|
||||
$signing_ca_certs = $::os_service_default,
|
||||
$signing_ca_key = $::os_service_default,
|
||||
$signing_cert_subject = $::os_service_default,
|
||||
$signing_key_size = $::os_service_default,
|
||||
) inherits keystone::params {
|
||||
|
||||
include ::keystone::deps
|
||||
|
|
@ -842,6 +842,30 @@ class keystone(
|
|||
}
|
||||
|
||||
# Set the signing key/cert configuration values.
|
||||
if (!is_service_default($signing_certfile)) {
|
||||
warning('PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.')
|
||||
}
|
||||
|
||||
if (!is_service_default($signing_keyfile)) {
|
||||
warning('PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.')
|
||||
}
|
||||
|
||||
if (!is_service_default($signing_ca_certs)) {
|
||||
warning('PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.')
|
||||
}
|
||||
|
||||
if (!is_service_default($signing_ca_key)) {
|
||||
warning('PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.')
|
||||
}
|
||||
|
||||
if (!is_service_default($signing_cert_subject)) {
|
||||
warning('PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.')
|
||||
}
|
||||
|
||||
if (!is_service_default($signing_key_size)) {
|
||||
warning('PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.')
|
||||
}
|
||||
|
||||
keystone_config {
|
||||
'signing/certfile': value => $signing_certfile;
|
||||
'signing/keyfile': value => $signing_keyfile;
|
||||
|
|
@ -854,20 +878,25 @@ class keystone(
|
|||
# Only do pki_setup if we were asked to do so. This is needed
|
||||
# regardless of the token provider since token revocation lists
|
||||
# are always signed.
|
||||
if $enable_pki_setup {
|
||||
# Create cache directory used for signing.
|
||||
file { $cache_dir:
|
||||
ensure => directory,
|
||||
}
|
||||
if $enable_pki_setup == true {
|
||||
|
||||
exec { 'keystone-manage pki_setup':
|
||||
command => "keystone-manage pki_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
|
||||
path => '/usr/bin',
|
||||
refreshonly => true,
|
||||
creates => $signing_keyfile,
|
||||
notify => Anchor['keystone::service::begin'],
|
||||
subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
|
||||
tag => 'keystone-exec',
|
||||
if is_service_default($signing_keyfile) {
|
||||
fail('Please specify path to key file')
|
||||
} else {
|
||||
# Create cache directory used for signing.
|
||||
file { $cache_dir:
|
||||
ensure => directory,
|
||||
}
|
||||
|
||||
exec { 'keystone-manage pki_setup':
|
||||
command => "keystone-manage pki_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
|
||||
path => '/usr/bin',
|
||||
refreshonly => true,
|
||||
creates => $signing_keyfile,
|
||||
notify => Anchor['keystone::service::begin'],
|
||||
subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
|
||||
tag => 'keystone-exec',
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
deprecations:
|
||||
- Deprecate PKI signing related parameters.
|
||||
|
|
@ -51,11 +51,12 @@ describe 'keystone' do
|
|||
'manage_service' => true,
|
||||
'database_connection' => 'sqlite:////var/lib/keystone/keystone.db',
|
||||
'database_idle_timeout' => '200',
|
||||
'enable_pki_setup' => false,
|
||||
'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
|
||||
'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
|
||||
'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
|
||||
'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
|
||||
'signing_certfile' => '<SERVICE DEFAULT>',
|
||||
'signing_keyfile' => '<SERVICE DEFAULT>',
|
||||
'signing_ca_certs' => '<SERVICE DEFAULT>',
|
||||
'signing_ca_key' => '<SERVICE DEFAULT>',
|
||||
'signing_cert_subject' => '<SERVICE DEFAULT>',
|
||||
'signing_key_size' => '<SERVICE DEFAULT>',
|
||||
'rabbit_host' => '<SERVICE DEFAULT>',
|
||||
'rabbit_password' => '<SERVICE DEFAULT>',
|
||||
'rabbit_userid' => '<SERVICE DEFAULT>',
|
||||
|
|
@ -100,6 +101,8 @@ describe 'keystone' do
|
|||
'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
|
||||
'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
|
||||
'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
|
||||
'signing_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
|
||||
'signing_key_size' => 2048,
|
||||
'rabbit_host' => '127.0.0.1',
|
||||
'rabbit_password' => 'openstack',
|
||||
'rabbit_userid' => 'admin',
|
||||
|
|
@ -367,9 +370,15 @@ describe 'keystone' do
|
|||
describe 'when configuring as PKI' do
|
||||
let :params do
|
||||
{
|
||||
'enable_pki_setup' => true,
|
||||
'admin_token' => 'service_token',
|
||||
'token_provider' => 'pki'
|
||||
'enable_pki_setup' => true,
|
||||
'admin_token' => 'service_token',
|
||||
'token_provider' => 'pki',
|
||||
'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
|
||||
'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
|
||||
'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
|
||||
'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
|
||||
'signing_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
|
||||
'signing_key_size' => 2048
|
||||
}
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue