
Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update the warning message and add a release note.

Change-Id: Ic2b1069d9a03d3a04e661c60b199309d2c572ae7
Closes-Bug: #1804562
Closes-Bug: #1804720
tags/14.2.0
ZhongShengping 10 months ago
parent
commit
ef4562d8b7

+ 27
- 21
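--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -62,12 +62,6 @@
 #   (Optional) Required if identity server requires client certificate
 #   Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#   (Optional) If true, the revocation list will be checked for cached tokens.
-#   This requires that PKI tokens are configured on the identity server.
-#   boolean value.
-#   Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components. Boolean
@@ -84,17 +78,6 @@
 #   must be present in tokens. String value.
 #   Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#   single algorithm or multiple. The algorithms are those supported by Python
-#   standard hashlib.new(). The hashes will be tried in the order given, so put
-#   the preferred one first for performance. The result of the first hash will
-#   be stored in the cache. This will typically be set to multiple values only
-#   while migrating from a less secure algorithm to a more secure one. Once all
-#   the old tokens are expired this option should be set to a single value for
-#   better performance. List value.
-#   Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #   (Optional) Request timeout value for communicating with Identity API
 #   server.
@@ -183,6 +166,23 @@
 #   (Optional) Complete public Identity API endpoint.
 #   Defaults to undef
 #
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to undef.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to undef
+#
 class tacker::keystone::authtoken(
   $password,
   $username                       = 'tacker',
@@ -198,10 +198,8 @@ class tacker::keystone::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -220,6 +218,8 @@ class tacker::keystone::authtoken(
   $token_cache_time               = $::os_service_default,
   # DEPRECATED PARAMETERS
   $auth_uri                       = undef,
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::tacker::deps
@@ -229,6 +229,14 @@ class tacker::keystone::authtoken(
   }
   $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   keystone::resource::authtoken { 'tacker_config':
     username                       => $username,
     password                       => $password,
@@ -244,10 +252,8 @@ class tacker::keystone::authtoken(
     cache                          => $cache,
     cafile                         => $cafile,
     certfile                       => $certfile,
-    check_revocations_for_cached   => $check_revocations_for_cached,
     delay_auth_decision            => $delay_auth_decision,
     enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
     http_connect_timeout           => $http_connect_timeout,
     http_request_max_retries       => $http_request_max_retries,
     include_service_catalog        => $include_service_catalog,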
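Review bot: The deprecation guards added in the `@@ -229,6 +229,14 @@` hunk only fire for truthy values, so a caller that explicitly passes `check_revocations_for_cached => false` (the very value the old spec used) is accepted without any warning even though the parameter is no longer forwarded to `keystone::resource::authtoken`. Since the warning is now the only signal that an operator's setting was dropped, the guards should test for presence rather than truth: `if $check_revocations_for_cached != undef {` and `if $hash_algorithms != undef {`. The re-homed parameter docs in the `@@ -183,6 +166,23 @@` hunk still describe both options as functional ("If true, the revocation list will be checked..."); each entry should open with a line such as `#   (Optional) DEPRECATED. This parameter has no effect and will be removed.`, and the two "Defaults to undef" lines should agree on the trailing period. The spec change in this commit only deletes assertions, so the new warning branches appear to be untested.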

+ 6
- 0
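--- a/releasenotes/notes/deprecate_pki_related_parameters-9b491ae5f6bc9e9f.yaml
+++ b/releasenotes/notes/deprecate_pki_related_parameters-9b491ae5f6bc9e9f.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - check_revocations_for_cached option is now deprecated for removal, the
+    parameter has no effect.
+  - hash_algorithms option is now deprecated for removal, the parameter
+    has no effect.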

+ 0
- 6
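--- a/spec/classes/tacker_keystone_authtoken_spec.rb
+++ b/spec/classes/tacker_keystone_authtoken_spec.rb
@@ -30,10 +30,8 @@ describe 'tacker::keystone::authtoken' do
         is_expected.to contain_tacker_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_tacker_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_tacker_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_tacker_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_tacker_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_tacker_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_tacker_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_tacker_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_tacker_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_tacker_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -69,10 +67,8 @@ describe 'tacker::keystone::authtoken' do
           :cache                                => 'somevalue',
           :cafile                               => '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -107,10 +103,8 @@ describe 'tacker::keystone::authtoken' do
         is_expected.to contain_tacker_config('keystone_authtoken/cache').with_value(params[:cache])
         is_expected.to contain_tacker_config('keystone_authtoken/cafile').with_value(params[:cafile])
         is_expected.to contain_tacker_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        is_expected.to contain_tacker_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_tacker_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_tacker_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_tacker_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_tacker_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_tacker_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_tacker_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])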
