Merge "Remove deprecated "bind" in token"

2018-11-09 11:21:12 +00:00 · 2018-11-09 11:21:12 +00:00 · 649e058e3c
parent 9775419f8e df982016dd
commit 649e058e3c
6 changed files with 5 additions and 102 deletions
--- a/doc/source/admin/identity-token-binding.rst
+++ b/doc/source/admin/identity-token-binding.rst
@ -1,67 +0,0 @@
-============================================
-Configure Identity service for token binding
-============================================
-
-Token binding embeds information from an external authentication
-mechanism, such as a Kerberos server or X.509 certificate, inside a
-token. By using token binding, a client can enforce the use of a
-specified external authentication mechanism with the token. This
-additional security mechanism ensures that if a token is stolen, for
-example, it is not usable without external authentication.
-
-You configure the authentication types for a token binding in the
-``/etc/keystone/keystone.conf`` file:
-
-.. code-block:: ini
-
-   [token]
-   bind = kerberos
-
-or
-
-.. code-block:: ini
-
-   [token]
-   bind = x509
-
-Currently ``kerberos`` and ``x509`` are supported.
-
-To enforce checking of token binding, set the ``enforce_token_bind``
-option to one of these modes:
-
- ``disabled``
-    Disables token bind checking.
-
- ``permissive``
-    Enables bind checking. If a token is bound to an unknown
-    authentication mechanism, the server ignores it. The default is this
-    mode.
-
- ``strict``
-    Enables bind checking. If a token is bound to an unknown
-    authentication mechanism, the server rejects it.
-
- ``required``
-    Enables bind checking. Requires use of at least authentication
-    mechanism for tokens.
-
- ``kerberos``
-    Enables bind checking. Requires use of kerberos as the authentication
-    mechanism for tokens:
-
-    .. code-block:: ini
-
-       [token]
-       enforce_token_bind = kerberos
-
- ``x509``
-    Enables bind checking. Requires use of X.509 as the authentication
-    mechanism for tokens:
-
-    .. code-block:: ini
-
-       [token]
-       enforce_token_bind = x509
-
-*Do not* set ``enforce_token_bind = named`` as there is not an authentication
-mechanism called ``named``.
--- a/doc/source/admin/index.rst
+++ b/doc/source/admin/index.rst
@ -25,7 +25,6 @@ command-line client.
   identity-integrate-with-ldap.rst
   identity-upgrading.rst
   identity-tokens.rst
-   identity-token-binding.rst
   identity-fernet-token-faq.rst
   identity-use-trusts.rst
   identity-caching-layer.rst
--- a/doc/source/admin/token-support-matrix.ini
+++ b/doc/source/admin/token-support-matrix.ini
@ -108,14 +108,6 @@ notes=OAuth access tokens can be exchanged for keystone tokens.
 cli=
 driver-impl-fernet=complete

-[operation.create_token_with_bind]
-title=Create a token with a bind attribute
-status=optional
-notes=Tokens can express a binding to an additional authentication method, such
-  as kerberos or x509.
-cli=
-driver-impl-fernet=missing
-
 [operation.revoke_token]
 title=Revoke a token
 status=optional
--- a/keystone/conf/token.py
+++ b/keystone/conf/token.py
@ -17,20 +17,6 @@ from oslo_log import versionutils

 from keystone.conf import utils

-bind = cfg.ListOpt(
-    'bind',
-    default=[],
-    deprecated_since=versionutils.deprecated.PIKE,
-    deprecated_for_removal=True,
-    help=utils.fmt("""
-This is a list of external authentication mechanisms which should add token
-binding metadata to tokens, such as `kerberos` or `x509`. Note that this option
-is deprecated as keystone no longer supports binding metadata to tokens
-directly. This option is silently ignored and will be removed in the future.
-This option no longer has any impact on the behavior of tokens and can be
-removed.
-"""))
-
 expiration = cfg.IntOpt(
    'expiration',
    default=3600,
--- a/keystone/tests/unit/test_v3.py
+++ b/keystone/tests/unit/test_v3.py
@ -69,16 +69,6 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
                'minItems': 1,
                'maxItems': 2,
            },
-            'bind': {
-                'type': 'object',
-                'properties': {
-                    'kerberos': {
-                        'type': 'string',
-                    },
-                },
-                'required': ['kerberos'],
-                'additionalProperties': False,
-            },
            'expires_at': {
                'type': 'string',
                'pattern': unit.TIME_FORMAT_REGEX,
@ -172,7 +162,7 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
            'properties': properties,
            'required': ['audit_ids', 'expires_at', 'issued_at', 'methods',
                         'user'],
-            'optional': ['bind'],
+            'optional': [],
            'additionalProperties': False
        }

--- a/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
+++ b/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
@ -6,4 +6,7 @@ other:
    deprecated in Queens and only used for V2 are removed now.
  - >
    [`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
-    The deprecated token_flush is removed now.
+    The deprecated token_flush is removed now.
+  - >
+    [`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
+    The deprecated config option `bind` is removed now.