Skip to content

[Deprecation] certificate-authority.certificate-status client-whitelist / authorization-required Settings #209

New issue
New issue
Open
Open
[Deprecation] certificate-authority.certificate-status client-whitelist / authorization-required Settings#209
Labels
deprecationThis issue pertains to an item/topic which has been deprecated
@silug

Description

@silug
silug
opened on Feb 24, 2026

Summary

client-whitelist and authorization-required in certificate-authority.certificate-status are explicitly deprecated and marked for future removal.

Evidence

  • src/clj/puppetlabs/puppetserver/certificate_authority.clj:905 warns settings are deprecated and will be removed.
  • src/clj/puppetlabs/puppetserver/certificate_authority.clj:909 repeats warning and indicates settings may be ignored in certain values.

Proposed OpenVox Server 9 Change

  • Remove these certificate-status access-control settings.
  • Require authorization through conf.d/auth.conf only.

Compatibility / Risk

  • Medium to high risk if CA status workflows still depend on these section-level settings.
  • Clear migration documentation required.

Implementation Notes

  • Remove deprecated settings from CA validation and access-control paths.
  • Update CA docs and configuration templates.

Acceptance Criteria

  • Deprecated CA certificate-status whitelist settings are no longer accepted.
  • Authorization behavior comes only from authorization service/rules.
  • Deprecated warning code paths are removed.

Suggested Tests

  • Config parsing tests for removed keys.
  • CA certificate-status endpoint authorization integration tests.

Metadata

Metadata

Assignees

No one assigned

    Labels

    deprecationThis issue pertains to an item/topic which has been deprecated

    Type

    No type

    Projects

    OpenVox Platform Deprecation Schedule

    Status

    Deprecated

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions