
Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update the warning message and add a release note.

Change-Id: I019a4738d1b3a386e81c04511d5a9bb629283d7d
Closes-Bug: #1804562
Closes-Bug: #1804720
ZhongShengping 5 months ago
parent
commit
9d98a5968f

+ 27
- 21
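--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -60,12 +60,6 @@
 #   (Optional) Required if identity server requires client certificate
 #   Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#   (Optional) If true, the revocation list will be checked for cached tokens.
-#   This requires that PKI tokens are configured on the identity server.
-#   boolean value.
-#   Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components.
@@ -82,17 +76,6 @@
 #   must be present in tokens. String value.
 #   Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#   single algorithm or multiple. The algorithms are those supported by Python
-#   standard hashlib.new(). The hashes will be tried in the order given, so put
-#   the preferred one first for performance. The result of the first hash will
-#   be stored in the cache. This will typically be set to multiple values only
-#   while migrating from a less secure algorithm to a more secure one. Once all
-#   the old tokens are expired this option should be set to a single value for
-#   better performance. List value.
-#   Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #   (Optional) Request timeout value for communicating with Identity API server.
 #   Defaults to $::os_service_default.
@@ -180,6 +163,23 @@
 #   (Optional) Complete public Identity API endpoint.
 #   Defaults to undef
 #
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to undef.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to undef.
+#
 class magnum::keystone::authtoken(
   $password,
   $username                       = 'magnum',
@@ -195,10 +195,8 @@ class magnum::keystone::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -217,6 +215,8 @@ class magnum::keystone::authtoken(
   $token_cache_time               = $::os_service_default,
   # DEPRECATED PARAMETERS
   $auth_uri                       = undef,
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::magnum::deps
@@ -226,6 +226,14 @@ class magnum::keystone::authtoken(
   }
   $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   keystone::resource::authtoken { 'magnum_config':
     username                       => $username,
     password                       => $password,
@@ -238,10 +246,8 @@ class magnum::keystone::authtoken(
     user_domain_name               => $user_domain_name,
     project_domain_name            => $project_domain_name,
     cache                          => $cache,
-    check_revocations_for_cached   => $check_revocations_for_cached,
     delay_auth_decision            => $delay_auth_decision,
     enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
     http_connect_timeout           => $http_connect_timeout,
     http_request_max_retries       => $http_request_max_retries,
     include_service_catalog        => $include_service_catalog,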
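Review bot: The parameter descriptions moved under the DEPRECATED block in the third hunk (`# [*check_revocations_for_cached*]` and `# [*hash_algorithms*]`) still document the former PKI behaviour as if a value were honoured, while the new code only emits a warning and no longer forwards either value to `keystone::resource::authtoken`, so a reader of the manifest header will set them expecting an effect. Replace each body with a short deprecation notice, e.g. `#   (Optional) DEPRECATED. Has no effect; PKI tokens are no longer supported.` followed by `#   Defaults to undef.`, and drop the hashlib/migration paragraph that now describes nothing the class does. Because the two keys are no longer managed, values already written to `keystone_authtoken/check_revocations_for_cached` and `keystone_authtoken/hash_algorithms` on upgraded nodes presumably remain in the file until something removes them; I cannot see from here whether `keystone::resource::authtoken` ensures them absent, and the release note could say so either way. The `if $check_revocations_for_cached` guard in the sixth hunk is skipped for an explicit `false` (the value the old spec used), which is harmless since that matched the removed behaviour, but a one-line comment noting it is intentional would help. The class body continues outside these hunks, and the spec change only removes the old expectations without exercising the deprecated-parameter path.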

+ 6
- 0
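--- /dev/null
+++ b/releasenotes/notes/deprecate_pki_related_parameters-a6c5d3240241af9b.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - check_revocations_for_cached option is now deprecated for removal, the
+    parameter has no effect.
+  - hash_algorithms option is now deprecated for removal, the parameter
+    has no effect.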

+ 0
- 6
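--- a/spec/classes/magnum_keystone_authtoken_spec.rb
+++ b/spec/classes/magnum_keystone_authtoken_spec.rb
@@ -29,10 +29,8 @@ describe 'magnum::keystone::authtoken' do
         is_expected.to contain_magnum_config('keystone_authtoken/www_authenticate_uri').with_value('http://localhost:5000')
         is_expected.to contain_magnum_config('keystone_authtoken/auth_version').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_magnum_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_magnum_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_magnum_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_magnum_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_magnum_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_magnum_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_magnum_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_magnum_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -71,10 +69,8 @@ describe 'magnum::keystone::authtoken' do
           :cache                                => 'somevalue',
           :cafile                               => '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -109,10 +105,8 @@ describe 'magnum::keystone::authtoken' do
         is_expected.to contain_magnum_config('keystone_authtoken/auth_type').with_value(params[:auth_type])
         is_expected.to contain_magnum_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
         is_expected.to contain_magnum_config('keystone_authtoken/cache').with_value(params[:cache])
-        is_expected.to contain_magnum_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_magnum_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_magnum_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_magnum_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_magnum_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_magnum_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_magnum_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])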
