Deprecate pki related options
check_revocations_for_cached and hash_algorithms are deprecated for removel because of PKI token format is no longer supported. Update warning message and add a release note. Change-Id: I0ad17b24278372f9f3648450f23957413a1f40d3 Closes-Bug: #1804562 Closes-Bug: #1804720
This commit is contained in:
parent
f3d970c454
commit
84c8ba02af
@ -63,12 +63,6 @@
|
|||||||
# (Optional) Required if identity server requires client certificate
|
# (Optional) Required if identity server requires client certificate
|
||||||
# Defaults to $::os_service_default.
|
# Defaults to $::os_service_default.
|
||||||
#
|
#
|
||||||
# [*check_revocations_for_cached*]
|
|
||||||
# (Optional) If true, the revocation list will be checked for cached tokens.
|
|
||||||
# This requires that PKI tokens are configured on the identity server.
|
|
||||||
# boolean value.
|
|
||||||
# Defaults to $::os_service_default.
|
|
||||||
#
|
|
||||||
# [*delay_auth_decision*]
|
# [*delay_auth_decision*]
|
||||||
# (Optional) Do not handle authorization requests within the middleware, but
|
# (Optional) Do not handle authorization requests within the middleware, but
|
||||||
# delegate the authorization decision to downstream WSGI components. Boolean
|
# delegate the authorization decision to downstream WSGI components. Boolean
|
||||||
@ -85,17 +79,6 @@
|
|||||||
# must be present in tokens. String value.
|
# must be present in tokens. String value.
|
||||||
# Defaults to $::os_service_default.
|
# Defaults to $::os_service_default.
|
||||||
#
|
#
|
||||||
# [*hash_algorithms*]
|
|
||||||
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
|
|
||||||
# single algorithm or multiple. The algorithms are those supported by Python
|
|
||||||
# standard hashlib.new(). The hashes will be tried in the order given, so put
|
|
||||||
# the preferred one first for performance. The result of the first hash will
|
|
||||||
# be stored in the cache. This will typically be set to multiple values only
|
|
||||||
# while migrating from a less secure algorithm to a more secure one. Once all
|
|
||||||
# the old tokens are expired this option should be set to a single value for
|
|
||||||
# better performance. List value.
|
|
||||||
# Defaults to $::os_service_default.
|
|
||||||
#
|
|
||||||
# [*http_connect_timeout*]
|
# [*http_connect_timeout*]
|
||||||
# (Optional) Request timeout value for communicating with Identity API
|
# (Optional) Request timeout value for communicating with Identity API
|
||||||
# server.
|
# server.
|
||||||
@ -184,6 +167,23 @@
|
|||||||
# (Optional) Complete public Identity API endpoint.
|
# (Optional) Complete public Identity API endpoint.
|
||||||
# Defaults to undef
|
# Defaults to undef
|
||||||
#
|
#
|
||||||
|
# [*check_revocations_for_cached*]
|
||||||
|
# (Optional) If true, the revocation list will be checked for cached tokens.
|
||||||
|
# This requires that PKI tokens are configured on the identity server.
|
||||||
|
# boolean value.
|
||||||
|
# Defaults to undef.
|
||||||
|
#
|
||||||
|
# [*hash_algorithms*]
|
||||||
|
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
|
||||||
|
# single algorithm or multiple. The algorithms are those supported by Python
|
||||||
|
# standard hashlib.new(). The hashes will be tried in the order given, so put
|
||||||
|
# the preferred one first for performance. The result of the first hash will
|
||||||
|
# be stored in the cache. This will typically be set to multiple values only
|
||||||
|
# while migrating from a less secure algorithm to a more secure one. Once all
|
||||||
|
# the old tokens are expired this option should be set to a single value for
|
||||||
|
# better performance. List value.
|
||||||
|
# Defaults to undef.
|
||||||
|
#
|
||||||
class zaqar::keystone::authtoken(
|
class zaqar::keystone::authtoken(
|
||||||
$username = 'zaqar',
|
$username = 'zaqar',
|
||||||
$password = $::os_service_default,
|
$password = $::os_service_default,
|
||||||
@ -199,10 +199,8 @@ class zaqar::keystone::authtoken(
|
|||||||
$cache = $::os_service_default,
|
$cache = $::os_service_default,
|
||||||
$cafile = $::os_service_default,
|
$cafile = $::os_service_default,
|
||||||
$certfile = $::os_service_default,
|
$certfile = $::os_service_default,
|
||||||
$check_revocations_for_cached = $::os_service_default,
|
|
||||||
$delay_auth_decision = $::os_service_default,
|
$delay_auth_decision = $::os_service_default,
|
||||||
$enforce_token_bind = $::os_service_default,
|
$enforce_token_bind = $::os_service_default,
|
||||||
$hash_algorithms = $::os_service_default,
|
|
||||||
$http_connect_timeout = $::os_service_default,
|
$http_connect_timeout = $::os_service_default,
|
||||||
$http_request_max_retries = $::os_service_default,
|
$http_request_max_retries = $::os_service_default,
|
||||||
$include_service_catalog = $::os_service_default,
|
$include_service_catalog = $::os_service_default,
|
||||||
@ -221,6 +219,8 @@ class zaqar::keystone::authtoken(
|
|||||||
$token_cache_time = $::os_service_default,
|
$token_cache_time = $::os_service_default,
|
||||||
# DEPRECATED PARAMETERS
|
# DEPRECATED PARAMETERS
|
||||||
$auth_uri = undef,
|
$auth_uri = undef,
|
||||||
|
$check_revocations_for_cached = undef,
|
||||||
|
$hash_algorithms = undef,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::zaqar::deps
|
include ::zaqar::deps
|
||||||
@ -234,6 +234,14 @@ class zaqar::keystone::authtoken(
|
|||||||
}
|
}
|
||||||
$www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
|
$www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
|
||||||
|
|
||||||
|
if $check_revocations_for_cached {
|
||||||
|
warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
|
||||||
|
}
|
||||||
|
|
||||||
|
if $hash_algorithms {
|
||||||
|
warning('hash_algorithms is deprecated, has no effect and will be removed in the future.')
|
||||||
|
}
|
||||||
|
|
||||||
keystone::resource::authtoken { 'zaqar_config':
|
keystone::resource::authtoken { 'zaqar_config':
|
||||||
username => $username,
|
username => $username,
|
||||||
password => $password,
|
password => $password,
|
||||||
@ -249,10 +257,8 @@ class zaqar::keystone::authtoken(
|
|||||||
cache => $cache,
|
cache => $cache,
|
||||||
cafile => $cafile,
|
cafile => $cafile,
|
||||||
certfile => $certfile,
|
certfile => $certfile,
|
||||||
check_revocations_for_cached => $check_revocations_for_cached,
|
|
||||||
delay_auth_decision => $delay_auth_decision,
|
delay_auth_decision => $delay_auth_decision,
|
||||||
enforce_token_bind => $enforce_token_bind,
|
enforce_token_bind => $enforce_token_bind,
|
||||||
hash_algorithms => $hash_algorithms,
|
|
||||||
http_connect_timeout => $http_connect_timeout,
|
http_connect_timeout => $http_connect_timeout,
|
||||||
http_request_max_retries => $http_request_max_retries,
|
http_request_max_retries => $http_request_max_retries,
|
||||||
include_service_catalog => $include_service_catalog,
|
include_service_catalog => $include_service_catalog,
|
||||||
|
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
deprecations:
|
||||||
|
- check_revocations_for_cached option is now deprecated for removal, the
|
||||||
|
parameter has no effect.
|
||||||
|
- hash_algorithms option is now deprecated for removal, the parameter
|
||||||
|
has no effect.
|
@ -25,10 +25,8 @@ describe 'zaqar::keystone::authtoken' do
|
|||||||
is_expected.to contain_zaqar_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_zaqar_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_zaqar_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_zaqar_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
|
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_zaqar_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_zaqar_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
|
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_zaqar_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_zaqar_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_zaqar_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
|
||||||
@ -64,10 +62,8 @@ describe 'zaqar::keystone::authtoken' do
|
|||||||
:cache => 'somevalue',
|
:cache => 'somevalue',
|
||||||
:cafile => '/opt/stack/data/cafile.pem',
|
:cafile => '/opt/stack/data/cafile.pem',
|
||||||
:certfile => 'certfile.crt',
|
:certfile => 'certfile.crt',
|
||||||
:check_revocations_for_cached => false,
|
|
||||||
:delay_auth_decision => false,
|
:delay_auth_decision => false,
|
||||||
:enforce_token_bind => 'permissive',
|
:enforce_token_bind => 'permissive',
|
||||||
:hash_algorithms => 'md5',
|
|
||||||
:http_connect_timeout => '300',
|
:http_connect_timeout => '300',
|
||||||
:http_request_max_retries => '3',
|
:http_request_max_retries => '3',
|
||||||
:include_service_catalog => true,
|
:include_service_catalog => true,
|
||||||
@ -102,10 +98,8 @@ describe 'zaqar::keystone::authtoken' do
|
|||||||
is_expected.to contain_zaqar_config('keystone_authtoken/cache').with_value(params[:cache])
|
is_expected.to contain_zaqar_config('keystone_authtoken/cache').with_value(params[:cache])
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/cafile').with_value(params[:cafile])
|
is_expected.to contain_zaqar_config('keystone_authtoken/cafile').with_value(params[:cafile])
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/certfile').with_value(params[:certfile])
|
is_expected.to contain_zaqar_config('keystone_authtoken/certfile').with_value(params[:certfile])
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
|
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
|
is_expected.to contain_zaqar_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
|
is_expected.to contain_zaqar_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
|
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
|
is_expected.to contain_zaqar_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
|
is_expected.to contain_zaqar_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
|
||||||
is_expected.to contain_zaqar_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
|
is_expected.to contain_zaqar_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
|
||||||
|
Loading…
Reference in New Issue
Block a user