openstack/puppet-keystone
Code Issues Proposed changes

Remove deprecated PKI

Browse Source 
Removes deprecated PKI parameters.

Depends-On: https://review.openstack.org/#/c/619475/
Change-Id: I2f6b919934b423c05372717a20e7af0c8ec5dab4
This commit is contained in:
Tobias Urdin 2018-11-22 00:48:26 +01:00
parent a2a6d22e39
commit a25e8ee970
5 changed files with 55 additions and 289 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

128
manifests/init.pp
View File

@ -49,7 +49,7 @@
# [*token_provider*]
# (optional) Format keystone uses for tokens.
# Defaults to 'fernet'
# Supports pki, pkiz, fernet, and uuid.
# Supports fernet or uuid.
#
# [*token_driver*]
# (optional) Driver to use for managing tokens.
@ -79,11 +79,6 @@
# other than KVS, which stores events in memory.
# Defaults to true.
#
# [*cache_dir*]
# (optional) Directory created when token_provider is pki. This folder is not
# created unless enable_pki_setup is set to True.
# Defaults to /var/cache/keystone.
#
# [*cache_backend*]
# (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling
# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
@ -555,48 +550,16 @@
#
# === DEPRECATED PARAMETERS
#
# [*enable_pki_setup*]
# (optional) Deprecated. Enable call to pki_setup to generate the cert for signing pki tokens and
# revocation lists if it doesn't already exist. This generates a cert and key stored in file
# locations based on the signing_certfile and signing_keyfile paramters below. If you are
# providing your own signing cert, make this false.
# Default to undef.
#
# [*signing_certfile*]
# (optional) Deprecated. Location of the cert file for signing pki tokens and revocation lists.
# Note that if this file already exists (i.e. you are providing your own signing cert),
# the file will not be overwritten, even if enable_pki_setup is set to true.
# Defaults to $::os_service_default
#
# [*signing_keyfile*]
# (optional) Deprecated. Location of the key file for signing pki tokens and revocation lists.
# Note that if this file already exists (i.e. you are providing your own signing cert), the file
# will not be overwritten, even if enable_pki_setup is set to true.
# Defaults to $::os_service_default
#
# [*signing_ca_certs*]
# (optional) Deprecated. Use this CA certs file along with signing_certfile/signing_keyfile for
# signing pki tokens and revocation lists.
# Defaults to $::os_service_default
#
# [*signing_ca_key*]
# (optional) Deprecated. Use this CA key file along with signing_certfile/signing_keyfile for signing
# pki tokens and revocation lists.
# Defaults to $::os_service_default
#
# [*signing_cert_subject*]
# (optional) Deprecated. Certificate subject (auto generated certificate) for token signing.
# Defaults to $::os_service_default
#
# [*signing_key_size*]
# (optional) Deprecated. Key size (in bits) for token signing cert (auto generated certificate)
# Defaults to $::os_service_default
#
# [*paste_config*]
# (optional) Name of the paste configuration file that defines the
# available pipelines. (string value)
# Defaults to undef
#
# [*cache_dir*]
# (optional) Directory created when token_provider is pki. This folder is not
# created unless enable_pki_setup is set to True.
# Defaults to undef
#
# == Dependencies
# None
#
@ -654,7 +617,6 @@ class keystone(
$ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
$ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem',
$ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
$cache_dir = '/var/cache/keystone',
$manage_service = true,
$cache_backend = $::os_service_default,
$cache_backend_argument = $::os_service_default,
@ -728,14 +690,8 @@ class keystone(
# DEPRECATED PARAMETERS
$admin_workers = $::os_workers,
$public_workers = $::os_workers,
$enable_pki_setup = undef,
$signing_certfile = $::os_service_default,
$signing_keyfile = $::os_service_default,
$signing_ca_certs = $::os_service_default,
$signing_ca_key = $::os_service_default,
$signing_cert_subject = $::os_service_default,
$signing_key_size = $::os_service_default,
$paste_config = undef,
$cache_dir = undef,
) inherits keystone::params {
include ::keystone::deps
@ -747,6 +703,10 @@ class keystone(
warning('keystone::paste_config is deprecated, has no effect and will be removed in a later release')
}
if $cache_dir {
warning('keystone::cache_dir is deprecated, has no effect and will be removed in a later release')
}
if ! $catalog_driver {
validate_re($catalog_type, 'template|sql')
}
@ -908,72 +868,6 @@ admin_token will be removed in a later release")
'catalog/template_file': value => $catalog_template_file;
}
# Set the signing key/cert configuration values.
if (!is_service_default($signing_certfile)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
if (!is_service_default($signing_keyfile)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
if (!is_service_default($signing_ca_certs)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
if (!is_service_default($signing_ca_key)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
if (!is_service_default($signing_cert_subject)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
if (!is_service_default($signing_key_size)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
keystone_config {
'signing/certfile': value => $signing_certfile;
'signing/keyfile': value => $signing_keyfile;
'signing/ca_certs': value => $signing_ca_certs;
'signing/ca_key': value => $signing_ca_key;
'signing/cert_subject': value => $signing_cert_subject;
'signing/key_size': value => $signing_key_size;
}
# Only do pki_setup if we were asked to do so. This is needed
# regardless of the token provider since token revocation lists
# are always signed.
if $enable_pki_setup == true {
if is_service_default($signing_keyfile) {
fail('Please specify path to key file')
} else {
# Create cache directory used for signing.
file { $cache_dir:
ensure => directory,
}
exec { 'keystone-manage pki_setup':
command => "keystone-manage pki_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
path => '/usr/bin',
user => $keystone_user,
refreshonly => true,
creates => $signing_keyfile,
notify => Anchor['keystone::service::begin'],
subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
tag => 'keystone-exec',
}
}
}
keystone_config {
'token/provider': value => $token_provider;
'DEFAULT/max_token_size': value => $max_token_size;

48
manifests/resource/authtoken.pp
View File

@ -96,12 +96,6 @@
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*check_revocations_for_cached*]
# (Optional) If true, the revocation list will be checked for cached tokens.
# This requires that PKI tokens are configured on the identity server.
# boolean value.
# Defaults to $::os_service_default.
#
# [*collect_timing*]
# (Optional) If true, collect per-method timing information for each API call.
# Defaults to $::os_service_default.
@ -121,17 +115,6 @@
# must be present in tokens. String value.
# Defaults to $::os_service_default.
#
# [*hash_algorithms*]
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given, so put
# the preferred one first for performance. The result of the first hash will
# be stored in the cache. This will typically be set to multiple values only
# while migrating from a less secure algorithm to a more secure one. Once all
# the old tokens are expired this option should be set to a single value for
# better performance. List value.
# Defaults to $::os_service_default.
#
# [*http_connect_timeout*]
# (Optional) Request timeout value for communicating with Identity API server.
# Defaults to $::os_service_default.
@ -225,6 +208,23 @@
# (Optional) Complete public Identity API endpoint.
# Defaults to undef
#
# [*check_revocations_for_cached*]
# (Optional) If true, the revocation list will be checked for cached tokens.
# This requires that PKI tokens are configured on the identity server.
# boolean value.
# Defaults to undef
#
# [*hash_algorithms*]
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given, so put
# the preferred one first for performance. The result of the first hash will
# be stored in the cache. This will typically be set to multiple values only
# while migrating from a less secure algorithm to a more secure one. Once all
# the old tokens are expired this option should be set to a single value for
# better performance. List value.
# Defaults to undef
#
define keystone::resource::authtoken(
$username,
$password,
@ -240,11 +240,9 @@ define keystone::resource::authtoken(
$cache = $::os_service_default,
$cafile = $::os_service_default,
$certfile = $::os_service_default,
$check_revocations_for_cached = $::os_service_default,
$collect_timing = $::os_service_default,
$delay_auth_decision = $::os_service_default,
$enforce_token_bind = $::os_service_default,
$hash_algorithms = $::os_service_default,
$http_connect_timeout = $::os_service_default,
$http_request_max_retries = $::os_service_default,
$include_service_catalog = $::os_service_default,
@ -264,6 +262,8 @@ define keystone::resource::authtoken(
$service_token_roles_required = $::os_service_default,
# DEPRECATED PARAMETERS
$auth_uri = undef,
$check_revocations_for_cached = undef,
$hash_algorithms = undef,
) {
include ::keystone::params
@ -274,8 +274,12 @@ define keystone::resource::authtoken(
}
$www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
if !is_service_default($check_revocations_for_cached) {
validate_bool($check_revocations_for_cached)
if $check_revocations_for_cached {
warning('keystone::resource::authtoken::check_revocations_for_cached is deprecated and will be removed')
}
if $hash_algorithms {
warning('keystone::resource::authtoken::hash_algorithms is deprecated and will be removed')
}
if !is_service_default($include_service_catalog) {
@ -321,11 +325,9 @@ define keystone::resource::authtoken(
'keystone_authtoken/cache' => {'value' => $cache},
'keystone_authtoken/cafile' => {'value' => $cafile},
'keystone_authtoken/certfile' => {'value' => $certfile},
'keystone_authtoken/check_revocations_for_cached' => {'value' => $check_revocations_for_cached},
'keystone_authtoken/collect_timing' => {'value' => $collect_timing},
'keystone_authtoken/delay_auth_decision' => {'value' => $delay_auth_decision},
'keystone_authtoken/enforce_token_bind' => {'value' => $enforce_token_bind},
'keystone_authtoken/hash_algorithms' => {'value' => $hash_algorithms},
'keystone_authtoken/http_connect_timeout' => {'value' => $http_connect_timeout},
'keystone_authtoken/http_request_max_retries' => {'value' => $http_request_max_retries},
'keystone_authtoken/include_service_catalog' => {'value' => $include_service_catalog},

19
releasenotes/notes/remove-deprecated-pki-9a1c242be81e5104.yaml Normal file
View File

@ -0,0 +1,19 @@
---
upgrade:
- |
The deprecated params keystone::enable_pki_setup, signing_certfile,
signing_keyfile, signing_ca_certs, signing_ca_key, signing_cert_subject
and signing_key_size is now removed.
deprecations:
- |
The keystone::cache_dir parameter is now deprecated and will be removed
in a future release. It has no effect since it was only related to PKI
which is removed.
- |
The parameter keystone::resource::authtoken::check_revocations_for_cached
is deprecated and will be removed in a future release. It was related
to PKI which is removed.
- |
The parameter keystone::resource::authtoken::hash_algorithms is deprecated
and will be removed in a future release. It was related to PKI which is
removed.

143
spec/classes/keystone_init_spec.rb
View File

@ -35,7 +35,6 @@ describe 'keystone' do
'password_hash_rounds' => '<SERVICE DEFAULT>',
'revoke_driver' => 'sql',
'revoke_by_id' => true,
'cache_dir' => '/var/cache/keystone',
'cache_backend' => '<SERVICE DEFAULT>',
'cache_backend_argument' => '<SERVICE DEFAULT>',
'cache_enabled' => '<SERVICE DEFAULT>',
@ -50,12 +49,6 @@ describe 'keystone' do
'manage_service' => true,
'database_connection' => 'sqlite:////var/lib/keystone/keystone.db',
'database_idle_timeout' => '200',
'signing_certfile' => '<SERVICE DEFAULT>',
'signing_keyfile' => '<SERVICE DEFAULT>',
'signing_ca_certs' => '<SERVICE DEFAULT>',
'signing_ca_key' => '<SERVICE DEFAULT>',
'signing_cert_subject' => '<SERVICE DEFAULT>',
'signing_key_size' => '<SERVICE DEFAULT>',
'default_transport_url' => '<SERVICE DEFAULT>',
'notification_transport_url' => '<SERVICE DEFAULT>',
'rabbit_heartbeat_timeout_threshold' => '<SERVICE DEFAULT>',
@ -99,13 +92,6 @@ describe 'keystone' do
'manage_service' => true,
'database_connection' => 'mysql://a:b@c/d',
'database_idle_timeout' => '300',
'enable_pki_setup' => true,
'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
'signing_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
'signing_key_size' => 2048,
'default_transport_url' => 'rabbit://user:pass@host:1234/virt',
'notification_transport_url' => 'rabbit://user:pass@host:1234/virt',
'rabbit_heartbeat_timeout_threshold' => '60',
@ -366,135 +352,6 @@ describe 'keystone' do
'token_provider' => 'keystone.token.providers.uuid.Provider'
}
end
describe 'pki_setup is disabled by default' do
it { is_expected.to_not contain_exec('keystone-manage pki_setup') }
it { is_expected.to_not contain_file('/var/cache/keystone').with_ensure('directory') }
end
end
describe 'when configuring as PKI' do
let :params do
{
'enable_pki_setup' => true,
'admin_token' => 'service_token',
'token_provider' => 'pki',
'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
'signing_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
'signing_key_size' => 2048,
'keystone_user' => 'keystone',
'keystone_group' => 'keystone',
}
end
it { is_expected.to contain_file('/var/cache/keystone').with_ensure('directory') }
describe 'when overriding the cache dir' do
before do
params.merge!(:cache_dir => '/var/lib/cache/keystone')
end
it { is_expected.to contain_file('/var/lib/cache/keystone') }
end
it { is_expected.to contain_exec('keystone-manage pki_setup').with(
:command => "keystone-manage pki_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}",
:creates => '/etc/keystone/ssl/private/signing_key.pem'
) }
it { is_expected.to contain_file('/var/cache/keystone').with_ensure('directory') }
describe 'when overriding the cache dir' do
before do
params.merge!(:cache_dir => '/var/lib/cache/keystone')
end
it { is_expected.to contain_file('/var/lib/cache/keystone') }
end
end
describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled' do
let :params do
{
'admin_token' => 'service_token',
'token_provider' => 'uuid',
'enable_pki_setup' => false,
'signing_certfile' => 'signing_certfile',
'signing_keyfile' => 'signing_keyfile',
'signing_ca_certs' => 'signing_ca_certs',
'signing_ca_key' => 'signing_ca_key',
'signing_cert_subject' => 'signing_cert_subject',
'signing_key_size' => 2048
}
end
it { is_expected.to_not contain_exec('keystone-manage pki_setup') }
it 'should contain correct PKI certfile config' do
is_expected.to contain_keystone_config('signing/certfile').with_value('signing_certfile')
end
it 'should contain correct PKI keyfile config' do
is_expected.to contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
end
it 'should contain correct PKI ca_certs config' do
is_expected.to contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
end
it 'should contain correct PKI ca_key config' do
is_expected.to contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
end
it 'should contain correct PKI cert_subject config' do
is_expected.to contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
end
it 'should contain correct PKI key_size config' do
is_expected.to contain_keystone_config('signing/key_size').with_value('2048')
end
end
describe 'when configuring PKI signing cert paths with pki_setup disabled' do
let :params do
{
'admin_token' => 'service_token',
'token_provider' => 'pki',
'enable_pki_setup' => false,
'signing_certfile' => 'signing_certfile',
'signing_keyfile' => 'signing_keyfile',
'signing_ca_certs' => 'signing_ca_certs',
'signing_ca_key' => 'signing_ca_key',
'signing_cert_subject' => 'signing_cert_subject',
'signing_key_size' => 2048
}
end
it { is_expected.to_not contain_exec('keystone-manage pki_setup') }
it 'should contain correct PKI certfile config' do
is_expected.to contain_keystone_config('signing/certfile').with_value('signing_certfile')
end
it 'should contain correct PKI keyfile config' do
is_expected.to contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
end
it 'should contain correct PKI ca_certs config' do
is_expected.to contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
end
it 'should contain correct PKI ca_key config' do
is_expected.to contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
end
it 'should contain correct PKI cert_subject config' do
is_expected.to contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
end
it 'should contain correct PKI key_size config' do
is_expected.to contain_keystone_config('signing/key_size').with_value('2048')
end
end
describe 'with invalid catalog_type' do

6
spec/defines/keystone_resource_authtoken_spec.rb
View File

@ -28,11 +28,9 @@ describe 'keystone::resource::authtoken' do
is_expected.to contain_keystone_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/collect_timing').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@ -69,11 +67,9 @@ describe 'keystone::resource::authtoken' do
:cache => 'somevalue',
:cafile => 'cafile.pem',
:certfile => 'certfile.crt',
:check_revocations_for_cached => true,
:collect_timing => true,
:delay_auth_decision => true,
:enforce_token_bind => 'strict',
:hash_algorithms => 'sha1',
:http_connect_timeout => '120',
:http_request_max_retries => '5',
:include_service_catalog => false,
@ -95,11 +91,9 @@ describe 'keystone::resource::authtoken' do
is_expected.to contain_keystone_config('keystone_authtoken/www_authenticate_uri').with_value(params[:www_authenticate_uri])
is_expected.to contain_keystone_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
is_expected.to contain_keystone_config('keystone_authtoken/cache').with_value(params[:cache])
is_expected.to contain_keystone_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
is_expected.to contain_keystone_config('keystone_authtoken/collect_timing').with_value(params[:collect_timing])
is_expected.to contain_keystone_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
is_expected.to contain_keystone_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
is_expected.to contain_keystone_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
is_expected.to contain_keystone_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
is_expected.to contain_keystone_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
is_expected.to contain_keystone_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])