authorZhongShengping <chdzsp@163.com>2018-11-22 11:31:56 +0800
committerZhongShengping <chdzsp@163.com>2018-11-23 10:22:42 +0800
commitd8e1123122e767f64a42c859015eb99eef1eef6c (patch)
tree288c28efdd66412bca048b2417ebe33ca1e209a2
parent46df6599021890b91afeaa92a287b67f1e6e5afa (diff)
Deprecate pki related options
check_revocations_for_cached and hash_algorithms are deprecated for removal because the PKI token format is no longer supported. Update the warning message and add a release note. Change-Id: I6ed03f77f4a13bab4593b7669b331fc35a68854c Closes-Bug: #1804562 Closes-Bug: #1804720
Notes
Notes (review): Code-Review+2: Tobias Urdin <tobias.urdin@binero.se> Code-Review+2: Alex Schultz <aschultz@redhat.com> Workflow+1: Alex Schultz <aschultz@redhat.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Tue, 27 Nov 2018 19:12:15 +0000 Reviewed-on: https://review.openstack.org/619411 Project: openstack/puppet-heat Branch: refs/heads/master
-rw-r--r--manifests/keystone/authtoken.pp48
-rw-r--r--releasenotes/notes/deprecate_pki_related_parameters-8f80007864cd1733.yaml6
-rw-r--r--spec/classes/heat_keystone_authtoken_spec.rb6
3 files changed, 33 insertions, 27 deletions
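diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index 5806f34..ff217aa 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -63,12 +63,6 @@
 # (Optional) Required if identity server requires client certificate
 # Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-# (Optional) If true, the revocation list will be checked for cached tokens.
-# This requires that PKI tokens are configured on the identity server.
-# boolean value.
-# Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 # (Optional) Do not handle authorization requests within the middleware, but
 # delegate the authorization decision to downstream WSGI components. Boolean
@@ -85,17 +79,6 @@
 # must be present in tokens. String value.
 # Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-# single algorithm or multiple. The algorithms are those supported by Python
-# standard hashlib.new(). The hashes will be tried in the order given, so put
-# the preferred one first for performance. The result of the first hash will
-# be stored in the cache. This will typically be set to multiple values only
-# while migrating from a less secure algorithm to a more secure one. Once all
-# the old tokens are expired this option should be set to a single value for
-# better performance. List value.
-# Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 # (Optional) Request timeout value for communicating with Identity API
 # server.
@@ -184,6 +167,23 @@
 # (Optional) Complete public Identity API endpoint.
 # Defaults to undef
 #
+# [*check_revocations_for_cached*]
+# (Optional) If true, the revocation list will be checked for cached tokens.
+# This requires that PKI tokens are configured on the identity server.
+# boolean value.
+# Defaults to undef.
+#
+# [*hash_algorithms*]
+# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+# single algorithm or multiple. The algorithms are those supported by Python
+# standard hashlib.new(). The hashes will be tried in the order given, so put
+# the preferred one first for performance. The result of the first hash will
+# be stored in the cache. This will typically be set to multiple values only
+# while migrating from a less secure algorithm to a more secure one. Once all
+# the old tokens are expired this option should be set to a single value for
+# better performance. List value.
+# Defaults to undef.
+#
 class heat::keystone::authtoken(
  $password = $::os_service_default,
  $username = 'heat',
@@ -199,10 +199,8 @@ class heat::keystone::authtoken(
  $cache = $::os_service_default,
  $cafile = $::os_service_default,
  $certfile = $::os_service_default,
- $check_revocations_for_cached = $::os_service_default,
  $delay_auth_decision = $::os_service_default,
  $enforce_token_bind = $::os_service_default,
- $hash_algorithms = $::os_service_default,
  $http_connect_timeout = $::os_service_default,
  $http_request_max_retries = $::os_service_default,
  $include_service_catalog = $::os_service_default,
@@ -221,6 +219,8 @@ class heat::keystone::authtoken(
  $token_cache_time = $::os_service_default,
  # DEPRECATED PARAMETERS
  $auth_uri = undef,
+ $check_revocations_for_cached = undef,
+ $hash_algorithms = undef,
 ) {
 
  include ::heat::deps
@@ -234,6 +234,14 @@ class heat::keystone::authtoken(
  }
  $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
 
+ if $check_revocations_for_cached {
+ warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+ }
+
+ if $hash_algorithms {
+ warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+ }
+
  keystone::resource::authtoken { 'heat_config':
  username => $username,
  password => $password,
@@ -249,10 +257,8 @@ class heat::keystone::authtoken(
  cache => $cache,
  cafile => $cafile,
  certfile => $certfile,
- check_revocations_for_cached => $check_revocations_for_cached,
  delay_auth_decision => $delay_auth_decision,
  enforce_token_bind => $enforce_token_bind,
- hash_algorithms => $hash_algorithms,
  http_connect_timeout => $http_connect_timeout,
  http_request_max_retries => $http_request_max_retries,
  include_service_catalog => $include_service_catalog,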
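Review bot: The two deprecation guards near the top of the class body, `if $check_revocations_for_cached {` and `if $hash_algorithms {`, test truthiness rather than presence, so an operator who explicitly sets `check_revocations_for_cached => false` (the very value the removed spec passed) gets no warning that the parameter is now ignored; with the new `undef` defaults the guard should be `if $check_revocations_for_cached != undef {` and `if $hash_algorithms != undef {` so any explicit value triggers the warning. Separately, the change only stops passing the two keys to `keystone::resource::authtoken`; presumably a `check_revocations_for_cached` or `hash_algorithms` entry already written to heat.conf by an earlier run is left in place rather than purged, which is worth confirming, because a stale `check_revocations_for_cached = true` can mislead an operator into believing revocation checks still apply to cached tokens when the commit message states the PKI format is no longer supported at all. The parameter docs moved into the deprecated section (`# [*check_revocations_for_cached*]` through `# Defaults to undef.`) still describe the old behaviour without stating it is deprecated and ineffective; add a line such as `# DEPRECATED: has no effect, PKI tokens are no longer supported.` under each heading. The class heat::keystone::authtoken starts and ends outside these hunks.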
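diff --git a/releasenotes/notes/deprecate_pki_related_parameters-8f80007864cd1733.yaml b/releasenotes/notes/deprecate_pki_related_parameters-8f80007864cd1733.yaml
new file mode 100644
index 0000000..7aa4e60
--- /dev/null
+++ b/releasenotes/notes/deprecate_pki_related_parameters-8f80007864cd1733.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+ - check_revocations_for_cached option is now deprecated for removal, the
+ parameter has no effect.
+ - hash_algorithms option is now deprecated for removal, the parameter
+ has no effect.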
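diff --git a/spec/classes/heat_keystone_authtoken_spec.rb b/spec/classes/heat_keystone_authtoken_spec.rb
index 45d4b5f..e7548c1 100644
--- a/spec/classes/heat_keystone_authtoken_spec.rb
+++ b/spec/classes/heat_keystone_authtoken_spec.rb
@@ -25,10 +25,8 @@ describe 'heat::keystone::authtoken' do
  is_expected.to contain_heat_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
  is_expected.to contain_heat_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
  is_expected.to contain_heat_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
- is_expected.to contain_heat_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
  is_expected.to contain_heat_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
  is_expected.to contain_heat_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
- is_expected.to contain_heat_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
  is_expected.to contain_heat_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
  is_expected.to contain_heat_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
  is_expected.to contain_heat_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -64,10 +62,8 @@ describe 'heat::keystone::authtoken' do
  :cache => 'somevalue',
  :cafile => '/opt/stack/data/cafile.pem',
  :certfile => 'certfile.crt',
- :check_revocations_for_cached => false,
  :delay_auth_decision => false,
  :enforce_token_bind => 'permissive',
- :hash_algorithms => 'md5',
  :http_connect_timeout => '300',
  :http_request_max_retries => '3',
  :include_service_catalog => true,
@@ -102,10 +98,8 @@ describe 'heat::keystone::authtoken' do
  is_expected.to contain_heat_config('keystone_authtoken/cache').with_value(params[:cache])
  is_expected.to contain_heat_config('keystone_authtoken/cafile').with_value(params[:cafile])
  is_expected.to contain_heat_config('keystone_authtoken/certfile').with_value(params[:certfile])
- is_expected.to contain_heat_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
  is_expected.to contain_heat_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
  is_expected.to contain_heat_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
- is_expected.to contain_heat_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
  is_expected.to contain_heat_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
  is_expected.to contain_heat_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
  is_expected.to contain_heat_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])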