New option default_authorization_ttl

Add new option default_authorization_ttl used for
federation to set validity of group memberships
coming from a mapping.

Closes-Bug: #1970388
Change-Id: I4a8dbc501e14d1201ceed27077554924c56e3abd
(cherry picked from commit f5d9b9ed40)

config.yaml

@@ -436,3 +436,9 @@ options:
       the charm, but it's possible that it may break things unexpectedly.
       Please ensure that the the README and relevant documentation is consulted
       before setting this configuration option.
+  default-authorization-ttl:
+    type: int
+    default: 0
+    description: |
+      Default time (in minutes) for the validity of group memberships carried
+      over from a federation mapping. Default is 0 which means disabled.

hooks/keystone_context.py

@@ -249,6 +249,8 @@ class KeystoneContext(context.OSContextGenerator):
             ctxt['log_config'] = ('/etc/keystone/logging.conf')
             ctxt['paste_config_file'] = '/etc/keystone/keystone-paste.ini'
 
+        ctxt['default_authorization_ttl'] = config('default-authorization-ttl')
+
         return ctxt
 
     ALLOWED_SECURITY_COMPLIANCE_SCHEMA = {

templates/parts/section-federation

@@ -3,6 +3,7 @@
 {% for dashboard_url in trusted_dashboards -%}
 trusted_dashboard = {{ dashboard_url }}
 {% endfor -%}
+default_authorization_ttl = {{ default_authorization_ttl }}
 {% endif %}
 {% for sp in fid_sps -%}
 [{{ sp['protocol-name'] }}]