Set default token provider to UUID
This changes the default token provider to UUID, which affords a much better deployer experience (no external dependencies and no additional setup complexity) for deployers. It also provides a better end-user experience (smaller, more manageable tokens) and appears to be the more popular deployment option today, despite the current default to PKI.

DocImpact
Closes-Bug: 1350000
Change-Id: I7fb2b191cce7a9762c33fee09e7e8d48a71a297b
parent 5017993c36
commit 60dc036b88
|
@ -277,11 +277,11 @@ Token Provider
|
|||
|
||||
Keystone supports customizable token provider and it is specified in the
|
||||
``[token]`` section of the configuration file. Keystone provides both UUID and
|
||||
PKI token providers, with PKI token provider enabled as default. However, users
|
||||
may register their own token provider by configuring the following property.
|
||||
PKI token providers. However, users may register their own token provider by
|
||||
configuring the following property.
|
||||
|
||||
* ``provider`` - token provider driver. Defaults to
|
||||
``keystone.token.providers.pki.Provider``
|
||||
``keystone.token.providers.uuid.Provider``
|
||||
|
||||
Note that ``token_format`` in the ``[signing]`` section is deprecated but still
|
||||
being supported for backward compatibility. Therefore, if ``provider`` is set
|
||||
|
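Review bot: The rewritten sentence "Keystone provides both UUID and PKI token providers" still names only two providers, while the option help changed elsewhere in this commit lists "keystone.token.providers.[pkiz|pki|uuid].Provider". Suggest naming PKIZ here as well, and adding a sentence telling operators who want to stay on PKI or PKIZ tokens to set ``provider`` explicitly in the ``[token]`` section, since the documented default is now ``keystone.token.providers.uuid.Provider``.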
@ -316,8 +316,7 @@ additional attributes.
|
|||
|
||||
The current architectural approaches for both UUID- and PKI-based tokens have
|
||||
pain points exposed by environments under heavy load (search bugs and
|
||||
blueprints for the latest details and potential solutions), although PKI tokens
|
||||
became the default configuration option in the Grizzly release.
|
||||
blueprints for the latest details and potential solutions).
|
||||
|
||||
Caching Layer
|
||||
-------------
|
||||
|
|
|
@ -236,7 +236,7 @@ FILE_OPTIONS = {
|
|||
help='Controls the token construction, validation, and '
|
||||
'revocation operations. Core providers are '
|
||||
'"keystone.token.providers.[pkiz|pki|uuid].'
|
||||
'Provider". The default provider is pkiz.'),
|
||||
'Provider". The default provider is uuid.'),
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.token.persistence.backends.sql.Token',
|
||||
help='Token persistence backend driver.'),
|
||||
|
|
|
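Review bot: The help string ending 'Provider". The default provider is uuid.' restates the default in prose, and the visible lines do not show a default= on this option; the fallback shown later in this commit lives in Manager, which returns UUID_PROVIDER when CONF.token.provider is None. That leaves two places to keep in step by hand. Suggest deriving the help text and the fallback from one constant, or setting the default on the option itself, and regenerating any sample configuration built from these help strings.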
@ -62,6 +62,9 @@ class CertSetupTestCase(rest.RestfulTestCase):
|
|||
ca_key=ca_key,
|
||||
certfile=os.path.join(CERTDIR, 'keystone.pem'),
|
||||
keyfile=os.path.join(KEYDIR, 'keystonekey.pem'))
|
||||
self.config_fixture.config(
|
||||
group='token',
|
||||
provider='keystone.token.providers.pkiz.Provider')
|
||||
|
||||
def test_can_handle_missing_certs(self):
|
||||
controller = token.controllers.Auth()
|
||||
|
|
|
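Review bot: The provider pinned just above test_can_handle_missing_certs, provider='keystone.token.providers.pkiz.Provider', is a bare string literal with no comment saying why this test case needs it. Suggest a one-line comment that the certificate setup tests depend on a PKI-based provider now that the default is UUID, and, if it is importable in this module, using the PKIZ_PROVIDER constant that the token provider tests reference so the string cannot go stale.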
@ -727,7 +727,7 @@ class TestTokenProvider(tests.TestCase):
|
|||
'bogus')
|
||||
|
||||
def test_default_token_format(self):
|
||||
self.assertEqual(token.provider.PKIZ_PROVIDER,
|
||||
self.assertEqual(token.provider.UUID_PROVIDER,
|
||||
token.provider.Manager.get_token_provider())
|
||||
|
||||
def test_uuid_token_format_and_no_provider(self):
|
||||
|
|
|
@ -111,7 +111,7 @@ class Manager(manager.Manager):
|
|||
return mapped
|
||||
|
||||
if CONF.token.provider is None:
|
||||
return PKIZ_PROVIDER
|
||||
return UUID_PROVIDER
|
||||
else:
|
||||
return CONF.token.provider
|
||||
|
||||
|
|
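Review bot: The fallback branch under "if CONF.token.provider is None:" now returns UUID_PROVIDER, so a deployment that never set ``provider`` changes token format on upgrade with no signal at runtime. Suggest covering this in the upgrade notes that the DocImpact tag calls for, with the explicit setting needed to keep PKIZ, and consider logging the provider chosen by this branch so operators can see which one is in effect.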