diff --git a/manifests/init.pp b/manifests/init.pp
index 4fa0b10f2..6177abdb3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -49,7 +49,7 @@
 # [*token_provider*]
 # (optional) Format keystone uses for tokens.
 # Defaults to 'fernet'
-# Supports pki, pkiz, fernet, and uuid.
+# Supports fernet or uuid.
 #
 # [*token_driver*]
 # (optional) Driver to use for managing tokens.
@@ -79,11 +79,6 @@
 # other than KVS, which stores events in memory.
 # Defaults to true.
 #
-# [*cache_dir*]
-# (optional) Directory created when token_provider is pki. This folder is not
-# created unless enable_pki_setup is set to True.
-# Defaults to /var/cache/keystone.
-#
 # [*cache_backend*]
 # (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling
 # (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
@@ -555,48 +550,16 @@
 #
 # === DEPRECATED PARAMETERS
 #
-# [*enable_pki_setup*]
-# (optional) Deprecated. Enable call to pki_setup to generate the cert for signing pki tokens and
-# revocation lists if it doesn't already exist. This generates a cert and key stored in file
-# locations based on the signing_certfile and signing_keyfile paramters below. If you are
-# providing your own signing cert, make this false.
-# Default to undef.
-#
-# [*signing_certfile*]
-# (optional) Deprecated. Location of the cert file for signing pki tokens and revocation lists.
-# Note that if this file already exists (i.e. you are providing your own signing cert),
-# the file will not be overwritten, even if enable_pki_setup is set to true.
-# Defaults to $::os_service_default
-#
-# [*signing_keyfile*]
-# (optional) Deprecated. Location of the key file for signing pki tokens and revocation lists.
-# Note that if this file already exists (i.e. you are providing your own signing cert), the file
-# will not be overwritten, even if enable_pki_setup is set to true.
-# Defaults to $::os_service_default
-#
-# [*signing_ca_certs*]
-# (optional) Deprecated. Use this CA certs file along with signing_certfile/signing_keyfile for
-# signing pki tokens and revocation lists.
-# Defaults to $::os_service_default
-#
-# [*signing_ca_key*]
-# (optional) Deprecated. Use this CA key file along with signing_certfile/signing_keyfile for signing
-# pki tokens and revocation lists.
-# Defaults to $::os_service_default
-#
-# [*signing_cert_subject*]
-# (optional) Deprecated. Certificate subject (auto generated certificate) for token signing.
-# Defaults to $::os_service_default
-#
-# [*signing_key_size*]
-# (optional) Deprecated. Key size (in bits) for token signing cert (auto generated certificate)
-# Defaults to $::os_service_default
-#
 # [*paste_config*]
 # (optional) Name of the paste configuration file that defines the
 # available pipelines. (string value)
 # Defaults to undef
 #
+# [*cache_dir*]
+# (optional) Directory created when token_provider is pki. This folder is not
+# created unless enable_pki_setup is set to True.
+# Defaults to undef
+#
 # == Dependencies
 # None
 #
@@ -654,7 +617,6 @@ class keystone(
 $ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
 $ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem',
 $ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
- $cache_dir = '/var/cache/keystone',
 $manage_service = true,
 $cache_backend = $::os_service_default,
 $cache_backend_argument = $::os_service_default,
@@ -728,14 +690,8 @@ class keystone(
 # DEPRECATED PARAMETERS
 $admin_workers = $::os_workers,
 $public_workers = $::os_workers,
- $enable_pki_setup = undef,
- $signing_certfile = $::os_service_default,
- $signing_keyfile = $::os_service_default,
- $signing_ca_certs = $::os_service_default,
- $signing_ca_key = $::os_service_default,
- $signing_cert_subject = $::os_service_default,
- $signing_key_size = $::os_service_default,
 $paste_config = undef,
+ $cache_dir = undef,
 ) inherits keystone::params {
 
 include ::keystone::deps
@@ -747,6 +703,10 @@ class keystone(
 warning('keystone::paste_config is deprecated, has no effect and will be removed in a later release')
 }
 
+ if $cache_dir {
+ warning('keystone::cache_dir is deprecated, has no effect and will be removed in a later release')
+ }
+
 if ! $catalog_driver {
 validate_re($catalog_type, 'template|sql')
 }
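Review bot: The `[*cache_dir*]` entry moved into DEPRECATED PARAMETERS keeps its old wording ("Directory created when token_provider is pki. This folder is not created unless enable_pki_setup is set to True"), yet this commit removes both the `file { $cache_dir: ... }` resource and the `enable_pki_setup` parameter, and the only remaining use of the value is the warning added in hunk @@ -747. The entry should describe that, e.g. `# (optional) Deprecated. Has no effect and will be removed in a future release.` above `# Defaults to undef`. The `[*check_revocations_for_cached*]` and `[*hash_algorithms*]` entries added in manifests/resource/authtoken.pp (hunk @@ -225) carry the same stale PKI description and need the same rewording.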
@@ -908,72 +868,6 @@ admin_token will be removed in a later release")
 'catalog/template_file': value => $catalog_template_file;
 }
 
- # Set the signing key/cert configuration values.
- if (!is_service_default($signing_certfile)) {
- warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
-Fernet or UUID tokens are recommended.")
- }
-
- if (!is_service_default($signing_keyfile)) {
- warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
-Fernet or UUID tokens are recommended.")
- }
-
- if (!is_service_default($signing_ca_certs)) {
- warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
-Fernet or UUID tokens are recommended.")
- }
-
- if (!is_service_default($signing_ca_key)) {
- warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
-Fernet or UUID tokens are recommended.")
- }
-
- if (!is_service_default($signing_cert_subject)) {
- warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
-Fernet or UUID tokens are recommended.")
- }
-
- if (!is_service_default($signing_key_size)) {
- warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
-Fernet or UUID tokens are recommended.")
- }
-
- keystone_config {
- 'signing/certfile': value => $signing_certfile;
- 'signing/keyfile': value => $signing_keyfile;
- 'signing/ca_certs': value => $signing_ca_certs;
- 'signing/ca_key': value => $signing_ca_key;
- 'signing/cert_subject': value => $signing_cert_subject;
- 'signing/key_size': value => $signing_key_size;
- }
-
- # Only do pki_setup if we were asked to do so. This is needed
- # regardless of the token provider since token revocation lists
- # are always signed.
- if $enable_pki_setup == true {
-
- if is_service_default($signing_keyfile) {
- fail('Please specify path to key file')
- } else {
- # Create cache directory used for signing.
- file { $cache_dir:
- ensure => directory,
- }
-
- exec { 'keystone-manage pki_setup':
- command => "keystone-manage pki_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
- path => '/usr/bin',
- user => $keystone_user,
- refreshonly => true,
- creates => $signing_keyfile,
- notify => Anchor['keystone::service::begin'],
- subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
- tag => 'keystone-exec',
- }
- }
- }
-
 keystone_config {
 'token/provider': value => $token_provider;
 'DEFAULT/max_token_size': value => $max_token_size;
diff --git a/manifests/resource/authtoken.pp b/manifests/resource/authtoken.pp
index 0d2be7d08..30b3aef51 100644
--- a/manifests/resource/authtoken.pp
+++ b/manifests/resource/authtoken.pp
@@ -96,12 +96,6 @@
 # (Optional) Required if identity server requires client certificate
 # Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-# (Optional) If true, the revocation list will be checked for cached tokens.
-# This requires that PKI tokens are configured on the identity server.
-# boolean value.
-# Defaults to $::os_service_default.
-#
 # [*collect_timing*]
 # (Optional) If true, collect per-method timing information for each API call.
 # Defaults to $::os_service_default.
@@ -121,17 +115,6 @@
 # must be present in tokens. String value.
 # Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-# single algorithm or multiple. The algorithms are those supported by Python
-# standard hashlib.new(). The hashes will be tried in the order given, so put
-# the preferred one first for performance. The result of the first hash will
-# be stored in the cache. This will typically be set to multiple values only
-# while migrating from a less secure algorithm to a more secure one. Once all
-# the old tokens are expired this option should be set to a single value for
-# better performance. List value.
-# Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 # (Optional) Request timeout value for communicating with Identity API server.
 # Defaults to $::os_service_default.
@@ -225,6 +208,23 @@
 # (Optional) Complete public Identity API endpoint.
 # Defaults to undef
 #
+# [*check_revocations_for_cached*]
+# (Optional) If true, the revocation list will be checked for cached tokens.
+# This requires that PKI tokens are configured on the identity server.
+# boolean value.
+# Defaults to undef
+#
+# [*hash_algorithms*]
+# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+# single algorithm or multiple. The algorithms are those supported by Python
+# standard hashlib.new(). The hashes will be tried in the order given, so put
+# the preferred one first for performance. The result of the first hash will
+# be stored in the cache. This will typically be set to multiple values only
+# while migrating from a less secure algorithm to a more secure one. Once all
+# the old tokens are expired this option should be set to a single value for
+# better performance. List value.
+# Defaults to undef
+#
 define keystone::resource::authtoken(
 $username,
 $password,
@@ -240,11 +240,9 @@ define keystone::resource::authtoken(
 $cache = $::os_service_default,
 $cafile = $::os_service_default,
 $certfile = $::os_service_default,
- $check_revocations_for_cached = $::os_service_default,
 $collect_timing = $::os_service_default,
 $delay_auth_decision = $::os_service_default,
 $enforce_token_bind = $::os_service_default,
- $hash_algorithms = $::os_service_default,
 $http_connect_timeout = $::os_service_default,
 $http_request_max_retries = $::os_service_default,
 $include_service_catalog = $::os_service_default,
@@ -264,6 +262,8 @@ define keystone::resource::authtoken(
 $service_token_roles_required = $::os_service_default,
 # DEPRECATED PARAMETERS
 $auth_uri = undef,
+ $check_revocations_for_cached = undef,
+ $hash_algorithms = undef,
 ) {
 
 include ::keystone::params
@@ -274,8 +274,12 @@ define keystone::resource::authtoken(
 }
 $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
 
- if !is_service_default($check_revocations_for_cached) {
- validate_bool($check_revocations_for_cached)
+ if $check_revocations_for_cached {
+ warning('keystone::resource::authtoken::check_revocations_for_cached is deprecated and will be removed')
+ }
+
+ if $hash_algorithms {
+ warning('keystone::resource::authtoken::hash_algorithms is deprecated and will be removed')
 }
 
 if !is_service_default($include_service_catalog) {
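Review bot: `if $check_revocations_for_cached {` only emits the deprecation warning for truthy values, so a caller that still passes `check_revocations_for_cached => false` — a value the removed `validate_bool` check used to accept — gets no notice before the parameter disappears; `if $check_revocations_for_cached != undef {` would warn on any explicit setting. The same truthiness test is used for `$hash_algorithms` two lines below and for `$cache_dir` in manifests/init.pp (hunk @@ -747), where it matters less because a false value is not plausible there. Separately, now that `keystone_authtoken/check_revocations_for_cached` and `keystone_authtoken/hash_algorithms` are dropped from the managed config hash (hunk @@ -321), values written by earlier runs stay in the service's config file; if the intent is to retire the PKI settings completely, a transitional `ensure => absent` entry for those keys (and for the `[signing]` keys removed from init.pp) would clear them, which may be harmless but is presumably not what an operator expects. The body of keystone::resource::authtoken continues outside this hunk.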
@@ -321,11 +325,9 @@ define keystone::resource::authtoken(
 'keystone_authtoken/cache' => {'value' => $cache},
 'keystone_authtoken/cafile' => {'value' => $cafile},
 'keystone_authtoken/certfile' => {'value' => $certfile},
- 'keystone_authtoken/check_revocations_for_cached' => {'value' => $check_revocations_for_cached},
 'keystone_authtoken/collect_timing' => {'value' => $collect_timing},
 'keystone_authtoken/delay_auth_decision' => {'value' => $delay_auth_decision},
 'keystone_authtoken/enforce_token_bind' => {'value' => $enforce_token_bind},
- 'keystone_authtoken/hash_algorithms' => {'value' => $hash_algorithms},
 'keystone_authtoken/http_connect_timeout' => {'value' => $http_connect_timeout},
 'keystone_authtoken/http_request_max_retries' => {'value' => $http_request_max_retries},
 'keystone_authtoken/include_service_catalog' => {'value' => $include_service_catalog},
diff --git a/releasenotes/notes/remove-deprecated-pki-9a1c242be81e5104.yaml b/releasenotes/notes/remove-deprecated-pki-9a1c242be81e5104.yaml
new file mode 100644
index 000000000..3064adf2a
--- /dev/null
+++ b/releasenotes/notes/remove-deprecated-pki-9a1c242be81e5104.yaml
@@ -0,0 +1,19 @@
+---
+upgrade:
+ - |
+ The deprecated params keystone::enable_pki_setup, signing_certfile,
+ signing_keyfile, signing_ca_certs, signing_ca_key, signing_cert_subject
+ and signing_key_size is now removed.
+deprecations:
+ - |
+ The keystone::cache_dir parameter is now deprecated and will be removed
+ in a future release. It has no effect since it was only related to PKI
+ which is removed.
+ - |
+ The parameter keystone::resource::authtoken::check_revocations_for_cached
+ is deprecated and will be removed in a future release. It was related
+ to PKI which is removed.
+ - |
+ The parameter keystone::resource::authtoken::hash_algorithms is deprecated
+ and will be removed in a future release. It was related to PKI which is
+ removed.
diff --git a/spec/classes/keystone_init_spec.rb b/spec/classes/keystone_init_spec.rb
index 8dc8467bd..ab814fb5e 100644
--- a/spec/classes/keystone_init_spec.rb
+++ b/spec/classes/keystone_init_spec.rb
@@ -35,7 +35,6 @@ describe 'keystone' do
 'password_hash_rounds' => '',
 'revoke_driver' => 'sql',
 'revoke_by_id' => true,
- 'cache_dir' => '/var/cache/keystone',
 'cache_backend' => '',
 'cache_backend_argument' => '',
 'cache_enabled' => '',
@@ -50,12 +49,6 @@ describe 'keystone' do
 'manage_service' => true,
 'database_connection' => 'sqlite:////var/lib/keystone/keystone.db',
 'database_idle_timeout' => '200',
- 'signing_certfile' => '',
- 'signing_keyfile' => '',
- 'signing_ca_certs' => '',
- 'signing_ca_key' => '',
- 'signing_cert_subject' => '',
- 'signing_key_size' => '',
 'default_transport_url' => '',
 'notification_transport_url' => '',
 'rabbit_heartbeat_timeout_threshold' => '',
@@ -99,13 +92,6 @@ describe 'keystone' do
 'manage_service' => true,
 'database_connection' => 'mysql://a:b@c/d',
 'database_idle_timeout' => '300',
- 'enable_pki_setup' => true,
- 'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
- 'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
- 'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
- 'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
- 'signing_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
- 'signing_key_size' => 2048,
 'default_transport_url' => 'rabbit://user:pass@host:1234/virt',
 'notification_transport_url' => 'rabbit://user:pass@host:1234/virt',
 'rabbit_heartbeat_timeout_threshold' => '60',
@@ -366,135 +352,6 @@ describe 'keystone' do
 'token_provider' => 'keystone.token.providers.uuid.Provider'
 }
 end
-
- describe 'pki_setup is disabled by default' do
- it { is_expected.to_not contain_exec('keystone-manage pki_setup') }
- it { is_expected.to_not contain_file('/var/cache/keystone').with_ensure('directory') }
- end
- end
-
- describe 'when configuring as PKI' do
- let :params do
- {
- 'enable_pki_setup' => true,
- 'admin_token' => 'service_token',
- 'token_provider' => 'pki',
- 'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
- 'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
- 'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
- 'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
- 'signing_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
- 'signing_key_size' => 2048,
- 'keystone_user' => 'keystone',
- 'keystone_group' => 'keystone',
- }
- end
-
- it { is_expected.to contain_file('/var/cache/keystone').with_ensure('directory') }
-
- describe 'when overriding the cache dir' do
- before do
- params.merge!(:cache_dir => '/var/lib/cache/keystone')
- end
- it { is_expected.to contain_file('/var/lib/cache/keystone') }
- end
-
- it { is_expected.to contain_exec('keystone-manage pki_setup').with(
- :command => "keystone-manage pki_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}",
- :creates => '/etc/keystone/ssl/private/signing_key.pem'
- ) }
- it { is_expected.to contain_file('/var/cache/keystone').with_ensure('directory') }
-
- describe 'when overriding the cache dir' do
- before do
- params.merge!(:cache_dir => '/var/lib/cache/keystone')
- end
- it { is_expected.to contain_file('/var/lib/cache/keystone') }
- end
- end
-
- describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_provider' => 'uuid',
- 'enable_pki_setup' => false,
- 'signing_certfile' => 'signing_certfile',
- 'signing_keyfile' => 'signing_keyfile',
- 'signing_ca_certs' => 'signing_ca_certs',
- 'signing_ca_key' => 'signing_ca_key',
- 'signing_cert_subject' => 'signing_cert_subject',
- 'signing_key_size' => 2048
- }
- end
-
- it { is_expected.to_not contain_exec('keystone-manage pki_setup') }
-
- it 'should contain correct PKI certfile config' do
- is_expected.to contain_keystone_config('signing/certfile').with_value('signing_certfile')
- end
-
- it 'should contain correct PKI keyfile config' do
- is_expected.to contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
- end
-
- it 'should contain correct PKI ca_certs config' do
- is_expected.to contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
- end
-
- it 'should contain correct PKI ca_key config' do
- is_expected.to contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
- end
-
- it 'should contain correct PKI cert_subject config' do
- is_expected.to contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
- end
-
- it 'should contain correct PKI key_size config' do
- is_expected.to contain_keystone_config('signing/key_size').with_value('2048')
- end
- end
-
- describe 'when configuring PKI signing cert paths with pki_setup disabled' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_provider' => 'pki',
- 'enable_pki_setup' => false,
- 'signing_certfile' => 'signing_certfile',
- 'signing_keyfile' => 'signing_keyfile',
- 'signing_ca_certs' => 'signing_ca_certs',
- 'signing_ca_key' => 'signing_ca_key',
- 'signing_cert_subject' => 'signing_cert_subject',
- 'signing_key_size' => 2048
- }
- end
-
- it { is_expected.to_not contain_exec('keystone-manage pki_setup') }
-
- it 'should contain correct PKI certfile config' do
- is_expected.to contain_keystone_config('signing/certfile').with_value('signing_certfile')
- end
-
- it 'should contain correct PKI keyfile config' do
- is_expected.to contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
- end
-
- it 'should contain correct PKI ca_certs config' do
- is_expected.to contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
- end
-
- it 'should contain correct PKI ca_key config' do
- is_expected.to contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
- end
-
- it 'should contain correct PKI cert_subject config' do
- is_expected.to contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
- end
-
- it 'should contain correct PKI key_size config' do
- is_expected.to contain_keystone_config('signing/key_size').with_value('2048')
- end
 end
 
 describe 'with invalid catalog_type' do
diff --git a/spec/defines/keystone_resource_authtoken_spec.rb b/spec/defines/keystone_resource_authtoken_spec.rb
index 9fea20ddb..85f46411f 100644
--- a/spec/defines/keystone_resource_authtoken_spec.rb
+++ b/spec/defines/keystone_resource_authtoken_spec.rb
@@ -28,11 +28,9 @@ describe 'keystone::resource::authtoken' do
 is_expected.to contain_keystone_config('keystone_authtoken/cache').with_value('')
 is_expected.to contain_keystone_config('keystone_authtoken/cafile').with_value('')
 is_expected.to contain_keystone_config('keystone_authtoken/certfile').with_value('')
- is_expected.to contain_keystone_config('keystone_authtoken/check_revocations_for_cached').with_value('')
 is_expected.to contain_keystone_config('keystone_authtoken/collect_timing').with_value('')
 is_expected.to contain_keystone_config('keystone_authtoken/delay_auth_decision').with_value('')
 is_expected.to contain_keystone_config('keystone_authtoken/enforce_token_bind').with_value('')
- is_expected.to contain_keystone_config('keystone_authtoken/hash_algorithms').with_value('')
 is_expected.to contain_keystone_config('keystone_authtoken/http_connect_timeout').with_value('')
 is_expected.to contain_keystone_config('keystone_authtoken/http_request_max_retries').with_value('')
 is_expected.to contain_keystone_config('keystone_authtoken/include_service_catalog').with_value('')
@@ -69,11 +67,9 @@ describe 'keystone::resource::authtoken' do
 :cache => 'somevalue',
 :cafile => 'cafile.pem',
 :certfile => 'certfile.crt',
- :check_revocations_for_cached => true,
 :collect_timing => true,
 :delay_auth_decision => true,
 :enforce_token_bind => 'strict',
- :hash_algorithms => 'sha1',
 :http_connect_timeout => '120',
 :http_request_max_retries => '5',
 :include_service_catalog => false,
@@ -95,11 +91,9 @@ describe 'keystone::resource::authtoken' do
 is_expected.to contain_keystone_config('keystone_authtoken/www_authenticate_uri').with_value(params[:www_authenticate_uri])
 is_expected.to contain_keystone_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
 is_expected.to contain_keystone_config('keystone_authtoken/cache').with_value(params[:cache])
- is_expected.to contain_keystone_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
 is_expected.to contain_keystone_config('keystone_authtoken/collect_timing').with_value(params[:collect_timing])
 is_expected.to contain_keystone_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
 is_expected.to contain_keystone_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
- is_expected.to contain_keystone_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
 is_expected.to contain_keystone_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
 is_expected.to contain_keystone_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
 is_expected.to contain_keystone_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])