
Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: I4f2437e426785368c7de20b092dc9ee5ab6b9345
Closes-Bug: #1804562
Closes-Bug: #1804720
tags/14.2.0
ZhongShengping 11 months ago
parent
commit
ace6dbba01

+ 27
- 21
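--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -63,12 +63,6 @@
 #   (Optional) Required if identity server requires client certificate
 #   Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#   (Optional) If true, the revocation list will be checked for cached tokens.
-#   This requires that PKI tokens are configured on the identity server.
-#   boolean value.
-#   Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components. Boolean
@@ -85,17 +79,6 @@
 #   must be present in tokens. String value.
 #   Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#   single algorithm or multiple. The algorithms are those supported by Python
-#   standard hashlib.new(). The hashes will be tried in the order given, so put
-#   the preferred one first for performance. The result of the first hash will
-#   be stored in the cache. This will typically be set to multiple values only
-#   while migrating from a less secure algorithm to a more secure one. Once all
-#   the old tokens are expired this option should be set to a single value for
-#   better performance. List value.
-#   Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #   (Optional) Request timeout value for communicating with Identity API
 #   server.
@@ -184,6 +167,23 @@
 #   (Optional) Complete public Identity API endpoint.
 #   Defaults to undef
 #
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to undef.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to undef.
+#
 class sahara::keystone::authtoken(
   $username                       = 'sahara',
   $password                       = $::os_service_default,
@@ -199,10 +199,8 @@ class sahara::keystone::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -221,6 +219,8 @@ class sahara::keystone::authtoken(
   $token_cache_time               = $::os_service_default,
   # DEPRECATED PARAMETERS
   $auth_uri                       = undef,
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::sahara::deps
@@ -229,6 +229,14 @@ class sahara::keystone::authtoken(
     warning('The auth_uri parameter is deprecated. Please use www_authenticate_uri instead.')
   }
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   #NOTE(emilien): Use pick to keep backward compatibility
   $username_real = pick($::sahara::admin_user,$username)
   $password_real = pick($::sahara::admin_password,$password)
@@ -252,10 +260,8 @@ class sahara::keystone::authtoken(
     cache                          => $cache,
     cafile                         => $cafile,
     certfile                       => $certfile,
-    check_revocations_for_cached   => $check_revocations_for_cached,
     delay_auth_decision            => $delay_auth_decision,
     enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
     http_connect_timeout           => $http_connect_timeout,
     http_request_max_retries       => $http_request_max_retries,
     include_service_catalog        => $include_service_catalog,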
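Review bot: The deprecation guard `if $check_revocations_for_cached {` (and the matching `if $hash_algorithms {` below it) only fires for a truthy value, so a caller that still passes `check_revocations_for_cached => false` — exactly the value the removed spec fixture used — gets no warning even though the setting is now silently dropped. Since the default is now `undef`, test for presence instead: `if $check_revocations_for_cached != undef {` and `if $hash_algorithms != undef {`. Worth stating for operators as well: the two keys are no longer handed to `keystone::resource::authtoken`, so a value previously written into the keystone_authtoken section presumably stays in the config file until something removes it; either an explicit absent resource or a sentence in the release note would make that behaviour visible. The body of `class sahara::keystone::authtoken` continues beyond this hunk.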

+ 6
- 0
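--- a/releasenotes/notes/deprecate_pki_related_parameters-bad17553aa076f9d.yaml
+++ b/releasenotes/notes/deprecate_pki_related_parameters-bad17553aa076f9d.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - check_revocations_for_cached option is now deprecated for removal, the
+    parameter has no effect.
+  - hash_algorithms option is now deprecated for removal, the parameter
+    has no effect.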

+ 0
- 6
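--- a/spec/classes/sahara_keystone_authtoken_spec.rb
+++ b/spec/classes/sahara_keystone_authtoken_spec.rb
@@ -25,10 +25,8 @@ describe 'sahara::keystone::authtoken' do
         is_expected.to contain_sahara_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_sahara_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_sahara_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_sahara_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_sahara_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_sahara_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_sahara_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_sahara_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_sahara_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_sahara_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -65,10 +63,8 @@ describe 'sahara::keystone::authtoken' do
           :cafile                               =>
 '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -104,10 +100,8 @@ describe 'sahara::keystone::authtoken' do
         is_expected.to contain_sahara_config('keystone_authtoken/cache').with_value(params[:cache])
         is_expected.to contain_sahara_config('keystone_authtoken/cafile').with_value(params[:cafile])
         is_expected.to contain_sahara_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        is_expected.to contain_sahara_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_sahara_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_sahara_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_sahara_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_sahara_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_sahara_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_sahara_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])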
