@ -62,12 +62,6 @@
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*check_revocations_for_cached*]
# (Optional) If true, the revocation list will be checked for cached tokens.
# This requires that PKI tokens are configured on the identity server.
# boolean value.
# Defaults to $::os_service_default.
#
# [*delay_auth_decision*]
# (Optional) Do not handle authorization requests within the middleware, but
# delegate the authorization decision to downstream WSGI components. Boolean
@ -84,17 +78,6 @@
# must be present in tokens. String value.
# Defaults to $::os_service_default.
#
# [*hash_algorithms*]
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given, so put
# the preferred one first for performance. The result of the first hash will
# be stored in the cache. This will typically be set to multiple values only
# while migrating from a less secure algorithm to a more secure one. Once all
# the old tokens are expired this option should be set to a single value for
# better performance. List value.
# Defaults to $::os_service_default.
#
# [*http_connect_timeout*]
# (Optional) Request timeout value for communicating with Identity API
# server.
@ -188,6 +171,23 @@
# (Optional) Complete public Identity API endpoint.
# Defaults to undef
#
# [*check_revocations_for_cached*]
# (Optional) If true, the revocation list will be checked for cached tokens.
# This requires that PKI tokens are configured on the identity server.
# boolean value.
# Defaults to undef.
#
# [*hash_algorithms*]
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given, so put
# the preferred one first for performance. The result of the first hash will
# be stored in the cache. This will typically be set to multiple values only
# while migrating from a less secure algorithm to a more secure one. Once all
# the old tokens are expired this option should be set to a single value for
# better performance. List value.
# Defaults to undef.
#
class panko : : keystone : : authtoken (
$password,
$username = 'panko' ,
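Review bot: The relocated descriptions of `check_revocations_for_cached` and `hash_algorithms` still state that the revocation list "will be checked" and that the hashes "will be tried", but the class body in this same commit only emits a warning for both and no longer passes them to `keystone::resource::authtoken`. An operator reading the header could conclude that revocation checks on cached tokens are active when the value is in fact ignored. I would replace each description with `# (Optional) DEPRECATED. This parameter has no effect and will be removed in a future release.` and keep the `# Defaults to undef.` line. The parameter list of the class continues outside this hunk.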
@ -203,10 +203,8 @@ class panko::keystone::authtoken(
$cache = $::os_service_default,
$cafile = $::os_service_default,
$certfile = $::os_service_default,
$check_revocations_for_cached = $::os_service_default,
$delay_auth_decision = $::os_service_default,
$enforce_token_bind = $::os_service_default,
$hash_algorithms = $::os_service_default,
$http_connect_timeout = $::os_service_default,
$http_request_max_retries = $::os_service_default,
$include_service_catalog = $::os_service_default,
@ -225,6 +223,8 @@ class panko::keystone::authtoken(
$token_cache_time = $::os_service_default,
# DEPRECATED PARAMETERS
$auth_uri = undef ,
$check_revocations_for_cached = undef ,
$hash_algorithms = undef ,
) {
include : : panko : : deps
@ -234,6 +234,14 @@ class panko::keystone::authtoken(
}
$www_authenticate_uri_real = pick ( $auth_uri, $www_authenticate_uri)
if $check_revocations_for_cached {
warning ( 'check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.' )
}
if $hash_algorithms {
warning ( 'hash_algorithms parameter is deprecated, has no effect and will be removed in the future.' )
}
keystone : : resource : : authtoken { 'panko_config' :
username => $username,
password => $password,
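Review bot: Both deprecation guards test truthiness, so an explicit `check_revocations_for_cached => false` is dropped without any warning, even though it is ignored exactly like `true`. Comparing against undef would warn on every explicit setting: `if $check_revocations_for_cached != undef {`, and the same for `hash_algorithms`. Since the first option was documented as a revocation check, the message could also say that setting it no longer enables that check, so an operator who relied on it sees the consequence in the log and not just the word "deprecated". The hunk opens inside an earlier block, and the `keystone::resource::authtoken` declaration continues past its last line.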
@ -249,10 +257,8 @@ class panko::keystone::authtoken(
cache => $cache,
cafile => $cafile,
certfile => $certfile,
check_revocations_for_cached => $check_revocations_for_cached,
delay_auth_decision => $delay_auth_decision,
enforce_token_bind => $enforce_token_bind,
hash_algorithms => $hash_algorithms,
http_connect_timeout => $http_connect_timeout,
http_request_max_retries => $http_request_max_retries,
include_service_catalog => $include_service_catalog,