pki: conditional enablement of signing section

Only enable the [signing] section of the keystone configuration if PKI token format is in use; other token formats don't have support for token revocation retrieval. Note that PKI format tokens are no longer supported >= Pike. Change-Id: I8179ecc5d37d866588147f639ebc77a870408dfe Closes-Bug: 1709189
2017-08-10 15:22:50 +01:00 · 2017-08-10 15:22:50 +01:00 · ee45612e7c
parent e3fd7b2087
commit ee45612e7c
2 changed files with 16 additions and 8 deletions
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
@ -247,13 +247,19 @@ class KeystoneContext(context.OSContextGenerator):
            log("Enabling PKI", level=DEBUG)
            ctxt['token_provider'] = 'pki'

-        ensure_pki_cert_paths()
-        certs = os.path.join(PKI_CERTS_DIR, 'certs')
-        privates = os.path.join(PKI_CERTS_DIR, 'privates')
-        ctxt.update({'certfile': os.path.join(certs, 'signing_cert.pem'),
-                     'keyfile': os.path.join(privates, 'signing_key.pem'),
-                     'ca_certs': os.path.join(certs, 'ca.pem'),
-                     'ca_key': os.path.join(certs, 'ca_key.pem')})
+            # NOTE(jamespage): Only check PKI configuration if the PKI
+            #                  token format is in use, which has been
+            #                  removed as of OpenStack Ocata.
+            ensure_pki_cert_paths()
+            certs = os.path.join(PKI_CERTS_DIR, 'certs')
+            privates = os.path.join(PKI_CERTS_DIR, 'privates')
+            ctxt['enable_signing'] = True
+            ctxt.update({'certfile': os.path.join(certs, 'signing_cert.pem'),
+                         'keyfile': os.path.join(privates, 'signing_key.pem'),
+                         'ca_certs': os.path.join(certs, 'ca.pem'),
+                         'ca_key': os.path.join(certs, 'ca_key.pem')})
+        else:
+            ctxt['enable_signing'] = False

        # Base endpoint URL's which are used in keystone responses
        # to unauthenticated requests to redirect clients to the
--- a/templates/parts/section-signing
+++ b/templates/parts/section-signing
@ -1,3 +1,4 @@
+{% if enable_signing -%}
 [signing]
 {% if certfile -%}
 certfile = {{ certfile }}
@ -10,4 +11,5 @@ ca_certs = {{ ca_certs }}
 {% endif -%}
 {% if ca_key -%}
 ca_key = {{ ca_key }}
-{% endif -%} 
+{% endif -%}
+{% endif -%}