Deprecate (and slate for removal) UUID tokens

Deprecate UUID token provider. With fernet tokens being made the default, the UUID tokens are much like PKI tokens, an aging relic of Keystone-Times-Past. Keystone is consolidating token issuance and validation to the most effective form. This also deprecates the following: * token-bind capabilities, as that is a feature that was at best partially implemented in UUID and PKI tokens, with explicit non-support in Fernet. * token-persistence driver and explicit token persistence code. Change-Id: I724169a49ce12d8dd514471c34ac2b752eb98c8a bp: deprecated-as-of-pike
openstack · Feb 11, 2017 · 5896d84 · 5896d84
1 parent 9c47495
commit 5896d84
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/keystone/conf/token.py b/keystone/conf/token.py
@@ -13,6 +13,7 @@
 import sys
 
 from oslo_config import cfg
+from oslo_log import versionutils
 
 from keystone.conf import utils
 
@@ -30,6 +31,8 @@
     'enforce_token_bind',
     default='permissive',
     choices=['disabled', 'permissive', 'strict', 'required'],
+    deprecated_since=versionutils.deprecated.PIKE,
+    deprecated_for_removal=True,
     help=utils.fmt("""
 This controls the token binding enforcement policy on tokens presented to
 keystone with token binding metadata (as specified by the `[token] bind`
@@ -74,6 +77,8 @@
 driver = cfg.StrOpt(
     'driver',
     default='sql',
+    deprecated_since=versionutils.deprecated.PIKE,
+    deprecated_for_removal=True,
     help=utils.fmt("""
 Entry point for the token persistence backend driver in the
 `keystone.token.persistence` namespace. Keystone provides the `sql`

diff --git a/keystone/token/providers/uuid.py b/keystone/token/providers/uuid.py
@@ -16,13 +16,23 @@
 
 from __future__ import absolute_import
 
+from oslo_log import versionutils
+
 import uuid
 
 from keystone.token.providers import common
 
 
 class Provider(common.BaseProvider):
 
+    @versionutils.deprecated(
+        as_of=versionutils.deprecated.PIKE,
+        what='UUID Token Provider "[token] provider=uuid"',
+        in_favor_of='Fernet token Provider "[token] provider=fernet"',
+        remove_in=+2)
+    def __init__(self, *args, **kwargs):
+        super(Provider, self).__init__(*args, **kwargs)
+
     def _get_token_id(self, token_data):
         return uuid.uuid4().hex
 

diff --git a/releasenotes/notes/deprecated-as-of-pike-506f9aca91674550.yaml b/releasenotes/notes/deprecated-as-of-pike-506f9aca91674550.yaml
@@ -0,0 +1,11 @@
+---
+deprecations:
+  - |
+    * UUID token provider ``[token] provider=uuid`` has been deprecated in
+      favor of Fernet tokens ``[token] provider=fernet``. With Fernet tokens
+      becoming the default UUID tokens can be slated for removal in the R
+      release. This also deprecates token-bind support as it was never
+      implemented for fernet.
+
+    * Token persistence driver/code (SQL) is deprecated with this patch since
+      it is only used by the UUID token provider..