
Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: I98c88882d49d2d3f59535eef1c3b3d75af7f35f9
Closes-Bug: #1804562
Closes-Bug: #1804720
ZhongShengping 6 months ago
parent
commit
a4c362131b

+ 27
- 21
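--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -62,12 +62,6 @@
 #  (Optional) Required if identity server requires client certificate
 #  Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#  (Optional) If true, the revocation list will be checked for cached tokens.
-#  This requires that PKI tokens are configured on the identity server.
-#  boolean value.
-#  Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #  (Optional) Do not handle authorization requests within the middleware, but
 #  delegate the authorization decision to downstream WSGI components. Boolean
@@ -84,17 +78,6 @@
 #  must be present in tokens. String value.
 #  Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#  (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#  single algorithm or multiple. The algorithms are those supported by Python
-#  standard hashlib.new(). The hashes will be tried in the order given, so put
-#  the preferred one first for performance. The result of the first hash will
-#  be stored in the cache. This will typically be set to multiple values only
-#  while migrating from a less secure algorithm to a more secure one. Once all
-#  the old tokens are expired this option should be set to a single value for
-#  better performance. List value.
-#  Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #  (Optional) Request timeout value for communicating with Identity API
 #  server.
@@ -188,6 +171,23 @@
 #   (Optional) Complete public Identity API endpoint.
 #   Defaults to undef
 #
+# [*check_revocations_for_cached*]
+#  (Optional) If true, the revocation list will be checked for cached tokens.
+#  This requires that PKI tokens are configured on the identity server.
+#  boolean value.
+#  Defaults to undef.
+#
+# [*hash_algorithms*]
+#  (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#  single algorithm or multiple. The algorithms are those supported by Python
+#  standard hashlib.new(). The hashes will be tried in the order given, so put
+#  the preferred one first for performance. The result of the first hash will
+#  be stored in the cache. This will typically be set to multiple values only
+#  while migrating from a less secure algorithm to a more secure one. Once all
+#  the old tokens are expired this option should be set to a single value for
+#  better performance. List value.
+#  Defaults to undef.
+#
 class panko::keystone::authtoken(
   $password,
   $username                       = 'panko',
@@ -203,10 +203,8 @@ class panko::keystone::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -225,6 +223,8 @@ class panko::keystone::authtoken(
   $token_cache_time               = $::os_service_default,
   # DEPRECATED PARAMETERS
   $auth_uri                       = undef,
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::panko::deps
@@ -234,6 +234,14 @@ class panko::keystone::authtoken(
   }
   $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   keystone::resource::authtoken { 'panko_config':
     username                       => $username,
     password                       => $password,
@@ -249,10 +257,8 @@ class panko::keystone::authtoken(
     cache                          => $cache,
     cafile                         => $cafile,
     certfile                       => $certfile,
-    check_revocations_for_cached   => $check_revocations_for_cached,
     delay_auth_decision            => $delay_auth_decision,
     enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
     http_connect_timeout           => $http_connect_timeout,
     http_request_max_retries       => $http_request_max_retries,
     include_service_catalog        => $include_service_catalog,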
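Review bot: The deprecation guards added in the `@@ -234,6 +234,14 @@` hunk fire only on truthy values, so an operator who explicitly sets `check_revocations_for_cached => false` (exactly what the old spec passed) or `hash_algorithms => []` gets no warning while the setting is silently dropped; `if $check_revocations_for_cached != undef {` and `if $hash_algorithms != undef {` would warn on any explicit value. Because the two keys are also no longer passed to keystone::resource::authtoken, a `keystone_authtoken/check_revocations_for_cached` or `keystone_authtoken/hash_algorithms` entry written to panko.conf by an earlier run is presumably left in place rather than removed — if that resource does not absent keys it no longer manages, an explicit `panko_config { 'keystone_authtoken/hash_algorithms': ensure => absent }` (and the same for check_revocations_for_cached) would clean it up. The parameter docs moved under `# DEPRECATED PARAMETERS` still describe the options as working; a line such as `#  DEPRECATED: has no effect since PKI tokens are no longer supported; will be removed.` belongs under each of the two headings. The class body continues past the last hunk.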

+ 6
- 0
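--- /dev/null
+++ b/releasenotes/notes/deprecate_pki_related_parameters-aeecfa846786582d.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - check_revocations_for_cached option is now deprecated for removal, the
+    parameter has no effect.
+  - hash_algorithms option is now deprecated for removal, the parameter
+    has no effect.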

+ 0
- 6
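--- a/spec/classes/panko_keystone_authtoken_spec.rb
+++ b/spec/classes/panko_keystone_authtoken_spec.rb
@@ -25,10 +25,8 @@ describe 'panko::keystone::authtoken' do
         is_expected.to contain_panko_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_panko_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_panko_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_panko_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -64,10 +62,8 @@ describe 'panko::keystone::authtoken' do
           :cache                                => 'somevalue',
           :cafile                               => '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -102,10 +98,8 @@ describe 'panko::keystone::authtoken' do
         is_expected.to contain_panko_config('keystone_authtoken/cache').with_value(params[:cache])
         is_expected.to contain_panko_config('keystone_authtoken/cafile').with_value(params[:cafile])
         is_expected.to contain_panko_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        is_expected.to contain_panko_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_panko_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_panko_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_panko_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_panko_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_panko_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_panko_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])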
