From df982016ddd50fde11d32d428c041f320123130f Mon Sep 17 00:00:00 2001
From: Vishakha Agarwal
Date: Mon, 29 Oct 2018 17:14:20 +0530
Subject: [PATCH] Remove deprecated "bind" in token

The 'bind' option was deprecated and is in no use now, thus removing it. Also removing its rst file.
bp:removed-as-of-stein
Change-Id: Ie355733dc031b3c4908fdc4e44f8f1220cff456c
---
 doc/source/admin/identity-token-binding.rst | 67 -------------------
 doc/source/admin/index.rst | 1 -
 doc/source/admin/token-support-matrix.ini | 8 ---
 keystone/conf/token.py | 14 ----
 keystone/tests/unit/test_v3.py | 12 +---
 .../removed-as-of-stein-5eb23253b72ab54e.yaml | 5 +-
 6 files changed, 5 insertions(+), 102 deletions(-)
 delete mode 100644 doc/source/admin/identity-token-binding.rst

diff --git a/doc/source/admin/identity-token-binding.rst b/doc/source/admin/identity-token-binding.rst
deleted file mode 100644
index 34dbc2f919..0000000000
--- a/doc/source/admin/identity-token-binding.rst
+++ /dev/null
@@ -1,67 +0,0 @@
-============================================
-Configure Identity service for token binding
-============================================
-
-Token binding embeds information from an external authentication
-mechanism, such as a Kerberos server or X.509 certificate, inside a
-token. By using token binding, a client can enforce the use of a
-specified external authentication mechanism with the token. This
-additional security mechanism ensures that if a token is stolen, for
-example, it is not usable without external authentication.
-
-You configure the authentication types for a token binding in the
-``/etc/keystone/keystone.conf`` file:
-
-.. code-block:: ini
-
- [token]
- bind = kerberos
-
-or
-
-.. code-block:: ini
-
- [token]
- bind = x509
-
-Currently ``kerberos`` and ``x509`` are supported.
-
-To enforce checking of token binding, set the ``enforce_token_bind``
-option to one of these modes:
-
-- ``disabled``
- Disables token bind checking.
-
-- ``permissive``
- Enables bind checking. If a token is bound to an unknown
- authentication mechanism, the server ignores it. The default is this
- mode.
-
-- ``strict``
- Enables bind checking. If a token is bound to an unknown
- authentication mechanism, the server rejects it.
-
-- ``required``
- Enables bind checking. Requires use of at least authentication
- mechanism for tokens.
-
-- ``kerberos``
- Enables bind checking. Requires use of kerberos as the authentication
- mechanism for tokens:
-
- .. code-block:: ini
-
- [token]
- enforce_token_bind = kerberos
-
-- ``x509``
- Enables bind checking. Requires use of X.509 as the authentication
- mechanism for tokens:
-
- .. code-block:: ini
-
- [token]
- enforce_token_bind = x509
-
-*Do not* set ``enforce_token_bind = named`` as there is not an authentication
-mechanism called ``named``.
\ No newline at end of file
diff --git a/doc/source/admin/index.rst b/doc/source/admin/index.rst
index 795c68e131..ac7ad48450 100644
--- a/doc/source/admin/index.rst
+++ b/doc/source/admin/index.rst
@@ -25,7 +25,6 @@ command-line client.
 identity-integrate-with-ldap.rst
 identity-upgrading.rst
 identity-tokens.rst
- identity-token-binding.rst
 identity-fernet-token-faq.rst
 identity-use-trusts.rst
 identity-caching-layer.rst
diff --git a/doc/source/admin/token-support-matrix.ini b/doc/source/admin/token-support-matrix.ini
index 608ae18d63..4c87bb838b 100644
--- a/doc/source/admin/token-support-matrix.ini
+++ b/doc/source/admin/token-support-matrix.ini
@@ -108,14 +108,6 @@ notes=OAuth access tokens can be exchanged for keystone tokens.
 cli=
 driver-impl-fernet=complete
-[operation.create_token_with_bind]
-title=Create a token with a bind attribute
-status=optional
-notes=Tokens can express a binding to an additional authentication method, such
- as kerberos or x509.
-cli=
-driver-impl-fernet=missing
-
 [operation.revoke_token]
 title=Revoke a token
 status=optional
diff --git a/keystone/conf/token.py b/keystone/conf/token.py
index 33010aff20..9bdc8b975e 100644
--- a/keystone/conf/token.py
+++ b/keystone/conf/token.py
@@ -17,20 +17,6 @@ from oslo_log import versionutils
 from keystone.conf import utils
-bind = cfg.ListOpt(
- 'bind',
- default=[],
- deprecated_since=versionutils.deprecated.PIKE,
- deprecated_for_removal=True,
- help=utils.fmt("""
-This is a list of external authentication mechanisms which should add token
-binding metadata to tokens, such as `kerberos` or `x509`. Note that this option
-is deprecated as keystone no longer supports binding metadata to tokens
-directly. This option is silently ignored and will be removed in the future.
-This option no longer has any impact on the behavior of tokens and can be
-removed.
-"""))
-
 expiration = cfg.IntOpt(
 'expiration',
 default=3600,
diff --git a/keystone/tests/unit/test_v3.py b/keystone/tests/unit/test_v3.py
index 2ba8336da5..31d553a50a 100644
--- a/keystone/tests/unit/test_v3.py
+++ b/keystone/tests/unit/test_v3.py
@@ -69,16 +69,6 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
 'minItems': 1,
 'maxItems': 2,
 },
- 'bind': {
- 'type': 'object',
- 'properties': {
- 'kerberos': {
- 'type': 'string',
- },
- },
- 'required': ['kerberos'],
- 'additionalProperties': False,
- },
 'expires_at': {
 'type': 'string',
 'pattern': unit.TIME_FORMAT_REGEX,
@@ -172,7 +162,7 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
 'properties': properties,
 'required': ['audit_ids', 'expires_at', 'issued_at', 'methods',
 'user'],
- 'optional': ['bind'],
+ 'optional': [],
 'additionalProperties': False
 }
diff --git a/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml b/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
index dfe48f7f12..5171789ec5 100644
--- a/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
+++ b/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
@@ -6,4 +6,7 @@ other:
 deprecated in Queens and only used for V2 are removed now.
 - >
 [`blueprint removed-as-of-stein `_]
- The deprecated token_flush is removed now.
\ No newline at end of file
+ The deprecated token_flush is removed now.
+ - >
+ [`blueprint removed-as-of-stein `_]
+ The deprecated config option `bind` is removed now.
\ No newline at end of file
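Review bot: The added `'optional': [],` in the second test_v3.py hunk is dead data — `optional` is not a keyword in any JSON Schema draft I am aware of, so the validator silently ignores it, and with `'additionalProperties': False` the set of permitted token members is already fixed by `properties`; now that the only entry is gone, drop the key rather than leave an empty list (delete the line `'optional': [],`). Removing `bind` from `properties` is the right tightening: under `additionalProperties: False` any token body that still carried a `bind` member will now fail schema validation in these tests, which is the check we want once binding metadata is no longer supported. The enclosing method and the `properties` dict literal both start outside the hunk, so I have not confirmed there are no other references to `bind` in that method.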