From d6f9f2a860213352ff233585aa5e05dca4b479aa Mon Sep 17 00:00:00 2001 From: Brant Knudson Date: Sat, 12 Apr 2014 11:41:44 -0500 Subject: [PATCH] Deprecate admin_token option in auth_token The admin_token option shouldn't be used with the auth_token middleware. It's used to specify a token to be used to perform operations on the identity server, so would typically be set to the admin token. The admin token should only be used to initially set up the Keystone server, and then the admin token functionality should be disabled. If this recommended setup is used then the auth_token middleware shouldn't be using the admin token / auth_token. In preparing for removal of the admin_token option, the option is now deprecated. A warning will be logged if it's set. DocImpact Change-Id: I5bc4f4a6ad7984892151c8011ccd92f166aba4c2 Closes-Bug: #1306981
---
 keystoneclient/middleware/auth_token.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
index dbee45b18..b02d11818 100644
--- a/keystoneclient/middleware/auth_token.py
+++ b/keystoneclient/middleware/auth_token.py
@@ -240,9 +240,12 @@ opts = [
 ' communicating with Identity API Server.'),
 cfg.StrOpt('admin_token',
 secret=True,
- help='Single shared secret with the Keystone configuration'
+ help='This option is deprecated and may be removed in a future'
+ ' release. Single shared secret with the Keystone configuration'
 ' used for bootstrapping a Keystone installation, or otherwise'
- ' bypassing the normal authentication process.'),
+ ' bypassing the normal authentication process. This option'
+ ' should not be used, use `admin_user` and `admin_password`'
+ ' instead.'),
 cfg.StrOpt('admin_user',
 help='Keystone account username'),
 cfg.StrOpt('admin_password',
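Review bot: The deprecation of `admin_token` is carried only by the help string, so nothing machine-readable on the `cfg.StrOpt('admin_token', ...)` definition marks the option as deprecated for tooling or generated sample configuration. If the oslo.config release this project targets supports it, adding `deprecated_for_removal=True` to that definition would express the same intent; the dependency version is not visible here, so treat that as something to confirm. The `opts` list starts and ends outside this hunk.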
@@ -479,6 +482,12 @@ class AuthProtocol(object):
 # Credentials used to verify this component with the Auth service since
 # validating tokens is a privileged call
 self.admin_token = self._conf_get('admin_token')
+ if self.admin_token:
+ self.LOG.warning(
+ "The admin_token option in the auth_token middleware is "
+ "deprecated and should not be used. The admin_user and "
+ "admin_password options should be used instead. The "
+ "admin_token option may be removed in a future release.")
 self.admin_token_expiry = None
 self.admin_user = self._conf_get('admin_user')
 self.admin_password = self._conf_get('admin_password')
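Review bot: The warning added under `if self.admin_token:` tells the operator what to switch to but not why, and the configured token is still accepted afterwards (`self.admin_token_expiry = None` follows unchanged), so an operator who misses one log line keeps running with a static shared secret in the service's configuration. I would add the reason to the message, e.g. `"It is a static shared secret that bypasses normal authentication. "`, and a comment above the check such as `# Deprecated: still honoured for now; warn so operators move to admin_user/admin_password.` The diffstat lists only auth_token.py, so no test appears to cover the new branch; a test that the warning is emitted when admin_token is set, and not otherwise, would be worth adding. The enclosing method of `AuthProtocol` starts and ends outside this hunk.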