deprecate pki related options
authorZhongShengping <chdzsp@163.com>
Thu, 22 Nov 2018 03:31:55 +0000 (11:31 +0800)
committerZhongShengping <chdzsp@163.com>
Fri, 23 Nov 2018 02:20:34 +0000 (10:20 +0800)
check_revocations_for_cached and hash_algorithms are deprecated for
removal because the PKI token format is no longer supported.
Update warning message and add a release note.

Change-Id: Idb200319b86062f0d145cd1650349dd8337a953d
Closes-Bug: #1804562
Closes-Bug: #1804720

manifests/keystone/authtoken.pp
releasenotes/notes/deprecate_pki_related_parameters-8935812c56ec2750.yaml [new file with mode: 0644]
spec/classes/ceilometer_keystone_authtoken_spec.rb

index cc4e75016df2c893f4c709a574faced17ab5b1b0..c894227029e55099e4743d6cb7c5f2c2a28fc439 100644 (file)
 #   (Optional) Required if identity server requires client certificate
 #   Defaults to $::os_service_default.
 #
-# [*check_revocations_for_cached*]
-#   (Optional) If true, the revocation list will be checked for cached tokens.
-#   This requires that PKI tokens are configured on the identity server.
-#   boolean value.
-#   Defaults to $::os_service_default.
-#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components. Boolean
 #   must be present in tokens. String value.
 #   Defaults to $::os_service_default.
 #
-# [*hash_algorithms*]
-#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
-#   single algorithm or multiple. The algorithms are those supported by Python
-#   standard hashlib.new(). The hashes will be tried in the order given, so put
-#   the preferred one first for performance. The result of the first hash will
-#   be stored in the cache. This will typically be set to multiple values only
-#   while migrating from a less secure algorithm to a more secure one. Once all
-#   the old tokens are expired this option should be set to a single value for
-#   better performance. List value.
-#   Defaults to $::os_service_default.
-#
 # [*http_connect_timeout*]
 #   (Optional) Request timeout value for communicating with Identity API
 #   server.
 #   (Optional) Complete public Identity API endpoint.
 #   Defaults to undef
 #
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to undef.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to undef.
+#
 class ceilometer::keystone::authtoken(
   $username                       = 'ceilometer',
   $password                       = $::os_service_default,
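Review bot: The re-added doc blocks for `check_revocations_for_cached` and `hash_algorithms` still describe working behaviour ("If true, the revocation list will be checked for cached tokens") and never say that the parameters are deprecated and ignored. Someone reading only the parameter docs could believe that setting the first one still enforces revocation checks on cached tokens. I would open each description with `(Optional) DEPRECATED. This parameter has no effect and will be removed in a future release.` and shorten or drop the old behavioural text. The hunk headers for this part of the file are not shown on the page, so whether these blocks already sit under a deprecated-parameters heading cannot be confirmed from here.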
@@ -199,10 +199,8 @@ class ceilometer::keystone::authtoken(
   $cache                          = $::os_service_default,
   $cafile                         = $::os_service_default,
   $certfile                       = $::os_service_default,
-  $check_revocations_for_cached   = $::os_service_default,
   $delay_auth_decision            = $::os_service_default,
   $enforce_token_bind             = $::os_service_default,
-  $hash_algorithms                = $::os_service_default,
   $http_connect_timeout           = $::os_service_default,
   $http_request_max_retries       = $::os_service_default,
   $include_service_catalog        = $::os_service_default,
@@ -221,6 +219,8 @@ class ceilometer::keystone::authtoken(
   $token_cache_time               = $::os_service_default,
   # DEPRECATED PARAMETERS
   $auth_uri                       = undef,
+  $check_revocations_for_cached   = undef,
+  $hash_algorithms                = undef,
 ) {
 
   include ::ceilometer::deps
@@ -234,6 +234,14 @@ class ceilometer::keystone::authtoken(
   }
   $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
 
+  if $check_revocations_for_cached {
+    warning('check_revocations_for_cached parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
+  if $hash_algorithms {
+    warning('hash_algorithms parameter is deprecated, has no effect and will be removed in the future.')
+  }
+
   keystone::resource::authtoken { 'ceilometer_config':
     username                       => $username,
     password                       => $password,
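Review bot: The two new guards `if $check_revocations_for_cached {` and `if $hash_algorithms {` test truthiness, so a caller that still passes `check_revocations_for_cached => false` (the value the spec used before this change) gets no deprecation warning and will only find out when the parameter is removed. Comparing against the default catches every explicit value: `if $check_revocations_for_cached != undef {` and `if $hash_algorithms != undef {`. Because the message tells operators that a revocation-related setting is now ignored, it should fire on every node that still sets it. The spec hunks in this commit only delete expectations and none passes a deprecated parameter, so the warning path is untested as far as the page shows. The class body continues past the end of this hunk.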
@@ -249,10 +257,8 @@ class ceilometer::keystone::authtoken(
     cache                          => $cache,
     cafile                         => $cafile,
     certfile                       => $certfile,
-    check_revocations_for_cached   => $check_revocations_for_cached,
     delay_auth_decision            => $delay_auth_decision,
     enforce_token_bind             => $enforce_token_bind,
-    hash_algorithms                => $hash_algorithms,
     http_connect_timeout           => $http_connect_timeout,
     http_request_max_retries       => $http_request_max_retries,
     include_service_catalog        => $include_service_catalog,
diff --git a/releasenotes/notes/deprecate_pki_related_parameters-8935812c56ec2750.yaml b/releasenotes/notes/deprecate_pki_related_parameters-8935812c56ec2750.yaml
new file mode 100644 (file)
index 0000000..7aa4e60
--- /dev/null
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - check_revocations_for_cached option is now deprecated for removal, the
+    parameter has no effect.
+  - hash_algorithms option is now deprecated for removal, the parameter
+    has no effect.
index 96ff88140422ec998a289c7a57b79af514eb11bd..fa6b274148c6a316f77a8d80e58bcb0e7ed1cff2 100644 (file)
@@ -25,10 +25,8 @@ describe 'ceilometer::keystone::authtoken' do
         is_expected.to contain_ceilometer_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ceilometer_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ceilometer_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_ceilometer_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ceilometer_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ceilometer_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_ceilometer_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ceilometer_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ceilometer_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ceilometer_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
@@ -64,10 +62,8 @@ describe 'ceilometer::keystone::authtoken' do
           :cache                                => 'somevalue',
           :cafile                               => '/opt/stack/data/cafile.pem',
           :certfile                             => 'certfile.crt',
-          :check_revocations_for_cached         => false,
           :delay_auth_decision                  => false,
           :enforce_token_bind                   => 'permissive',
-          :hash_algorithms                      => 'md5',
           :http_connect_timeout                 => '300',
           :http_request_max_retries             => '3',
           :include_service_catalog              => true,
@@ -102,10 +98,8 @@ describe 'ceilometer::keystone::authtoken' do
         is_expected.to contain_ceilometer_config('keystone_authtoken/cache').with_value(params[:cache])
         is_expected.to contain_ceilometer_config('keystone_authtoken/cafile').with_value(params[:cafile])
         is_expected.to contain_ceilometer_config('keystone_authtoken/certfile').with_value(params[:certfile])
-        is_expected.to contain_ceilometer_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
         is_expected.to contain_ceilometer_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
         is_expected.to contain_ceilometer_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
-        is_expected.to contain_ceilometer_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
         is_expected.to contain_ceilometer_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
         is_expected.to contain_ceilometer_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
         is_expected.to contain_ceilometer_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])