Deprecate pki related options

check_revocations_for_cached and hash_algorithms are deprecated for removel because of PKI token format is no longer supported. Change-Id: I562e075f54721ced6c2c83805cce415d1a2a25c0 Closes-Bug: #1804562 Closes-Bug: #1804720
2018-11-22 11:31:59 +08:00 · 2018-11-22 11:31:59 +08:00 · 8d66fb4d3d
commit 8d66fb4d3d
parent 8e66836fb2
2 changed files with 0 additions and 27 deletions
--- a/puppet-{{cookiecutter.project_name}}/manifests/keystone/authtoken.pp
+++ b/puppet-{{cookiecutter.project_name}}/manifests/keystone/authtoken.pp
@ -62,12 +62,6 @@
 #   (Optional) Required if identity server requires client certificate
 #   Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#   (Optional) If true, the revocation list will be checked for cached tokens.
-#   This requires that PKI tokens are configured on the identity server.
-#   boolean value.
-#   Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components. Boolean
@ -84,17 +78,6 @@
 #   must be present in tokens. String value.
 #   Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#   single algorithm or multiple. The algorithms are those supported by Python
-#   standard hashlib.new(). The hashes will be tried in the order given, so put
-#   the preferred one first for performance. The result of the first hash will
-#   be stored in the cache. This will typically be set to multiple values only
-#   while migrating from a less secure algorithm to a more secure one. Once all
-#   the old tokens are expired this option should be set to a single value for
-#   better performance. List value.
-#   Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #   (Optional) Request timeout value for communicating with Identity API
 #   server.
@ -192,10 +175,8 @@ class {{cookiecutter.project_name}}::keystone::authtoken(
  $cache                          = $::os_service_default,
  $cafile                         = $::os_service_default,
  $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
  $delay_auth_decision            = $::os_service_default,
  $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
  $http_connect_timeout           = $::os_service_default,
  $http_request_max_retries       = $::os_service_default,
  $include_service_catalog        = $::os_service_default,
@ -231,10 +212,8 @@ class {{cookiecutter.project_name}}::keystone::authtoken(
    cache                          => $cache,
    cafile                         => $cafile,
    certfile                       => $certfile,
-    check_revocations_for_cached   => $check_revocations_for_cached,
    delay_auth_decision            => $delay_auth_decision,
    enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
    http_connect_timeout           => $http_connect_timeout,
    http_request_max_retries       => $http_request_max_retries,
    include_service_catalog        => $include_service_catalog,
--- a/puppet-{{cookiecutter.project_name}}/spec/classes/{{cookiecutter.project_name}}_keystone_authtoken_spec.rb
+++ b/puppet-{{cookiecutter.project_name}}/spec/classes/{{cookiecutter.project_name}}_keystone_authtoken_spec.rb
@ -24,10 +24,8 @@ describe '{{cookiecutter.project_name}}::keystone::authtoken' do
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@ -63,10 +61,8 @@ describe '{{cookiecutter.project_name}}::keystone::authtoken' do
          :cache                          => 'somevalue',
          :cafile                         => '/opt/stack/data/cafile.pem',
          :certfile                       => 'certfile.crt',
-          :check_revocations_for_cached   => false,
          :delay_auth_decision            => false,
          :enforce_token_bind             => 'permissive',
-          :hash_algorithms                => 'md5',
          :http_connect_timeout           => '300',
          :http_request_max_retries       => '3',
          :include_service_catalog        => true,
@ -101,10 +97,8 @@ describe '{{cookiecutter.project_name}}::keystone::authtoken' do
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/cache').with_value(params[:cache])
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/cafile').with_value(params[:cafile])
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
        should contain_{{cookiecutter.project_name}}_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])