From 0ad7c85c386b72af1c34a4e33223204c68856ade Mon Sep 17 00:00:00 2001 From: Edward Hope-Morley Date: Mon, 30 Mar 2015 19:57:24 +0100 Subject: [PATCH 1/6] [hopem,r=] Refactor credentials creation code. --- hooks/keystone_utils.py | 69 +++++++++++++++++++++++++++++++---------- 1 file changed, 53 insertions(+), 16 deletions(-) diff --git a/hooks/keystone_utils.py b/hooks/keystone_utils.py index 16487624..61e30113 100644 --- a/hooks/keystone_utils.py +++ b/hooks/keystone_utils.py @@ -633,10 +633,10 @@ def ensure_initial_admin(config): 'ldap' and config('ldap-readonly')): passwd = get_admin_passwd() if passwd: - create_user(config('admin-user'), passwd, tenant='admin') - update_user_password(config('admin-user'), passwd) - create_role(config('admin-role'), config('admin-user'), - 'admin') + create_credentials(config('admin-user'), 'admin', + new_roles=[config('admin-role')], + passwd=passwd) + create_service_entry("keystone", "identity", "Keystone Identity Service") 
@@ -1230,6 +1230,52 @@ def relation_list(rid): return result +def create_credentials(user, tenant, new_roles=None, grants=None, passwd=None): + """Create user credentials. + + Optinally adds user to config(admin-role) and create new roles. + + If a password is provided, it is used to update/replace any existing + password for the given user. + """ + log("Creating service credentials for '%s'" % user, level=DEBUG) + if passwd: + update_user_password(user, passwd) + else: + passwd = get_service_password(user) + + create_user(user, passwd, tenant) + # Typically admin role + if grants: + for role in grants: + grant_role(user, role, tenant) + else: + log("No role grants requested for user '%s'" % (user), level=DEBUG) + + if new_roles: + # Allow the remote service to request creation of any additional roles. + # Currently used by Swift and Ceilometer. + for role in new_roles: + log("Creating requested role '%s'" % role, level=DEBUG) + create_role(role, user, tenant) + + return passwd + + +def create_service_credentials(user, new_roles=None): + """Create credentials for service with given username. + + Services are given a user under config('service-tenant') and are given the + config('admin-role') role. + """ + tenant = config('service-tenant') + if not tenant: + raise Exception("No service tenant provided in config") + + return create_credentials(user, tenant, new_roles=new_roles, + grants=[config('admin-role')]) + + def add_service_to_keystone(relation_id=None, remote_unit=None): import manager manager = manager.KeystoneManager(endpoint=get_local_endpoint(), 
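Review bot: create_service_credentials signals a missing service tenant with a bare `raise Exception("No service tenant provided in config")`, while the rest of this file reports configuration errors through `error_out(...)` (see the tenant_id check in create_user); `error_out('No service tenant provided in config')` keeps the hook's error handling uniform, and the same bare raise survives unchanged into the later create_service_credentials hunk of patch 5. The create_credentials docstring also says it "adds user to config(admin-role)", but the grants actually come from the `grants` argument, and "Optinally" is a typo; suggest `Optionally grants the roles in *grants* to the user on *tenant* and creates any *new_roles*.`. Note that `create_role(role, user, tenant)` appears to both create the role and grant it (create_role returns early only when neither user nor tenant is given), so role names requested over the relation are created and granted to the service user as-is, which the docstring should state. The DEBUG line `Creating service credentials for '%s'` is also emitted for the admin user via ensure_initial_admin, so a neutral `Creating credentials for user '%s'` would be more accurate.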
@@ -1360,18 +1406,9 @@ def add_service_to_keystone(relation_id=None, remote_unit=None): return token = get_admin_token() - log("Creating service credentials for '%s'" % service_username) - - service_password = get_service_password(service_username) - create_user(service_username, service_password, config('service-tenant')) - grant_role(service_username, config('admin-role'), - config('service-tenant')) - - # Allow the remote service to request creation of any additional roles. - # Currently used by Swift and Ceilometer. - for role in get_requested_roles(settings): - log("Creating requested role: %s" % role) - create_role(role, service_username, config('service-tenant')) + roles = get_requested_roles(settings) + service_password = create_service_credentials(service_username, + new_roles=roles) # As of https://review.openstack.org/#change,4675, all nodes hosting # an endpoint(s) needs a service username and password assigned to From e7f1cf2e61a95385d97d102e4ed41782df8fb23b Mon Sep 17 00:00:00 2001 From: Edward Hope-Morley Date: Mon, 30 Mar 2015 20:01:54 +0100 Subject: [PATCH 2/6] set DEBIG log levels --- hooks/keystone_utils.py | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/hooks/keystone_utils.py b/hooks/keystone_utils.py index 61e30113..88035c55 100644 --- a/hooks/keystone_utils.py +++ b/hooks/keystone_utils.py 
@@ -442,12 +442,14 @@ def create_service_entry(service_name, service_type, service_desc, owner=None): token=get_admin_token()) for service in [s._info for s in manager.api.services.list()]: if service['name'] == service_name: - log("Service entry for '%s' already exists." % service_name) + log("Service entry for '%s' already exists." % service_name, + level=DEBUG) return + manager.api.services.create(name=service_name, service_type=service_type, description=service_desc) - log("Created new service entry '%s'" % service_name) + log("Created new service entry '%s'" % service_name, level=DEBUG) def create_endpoint_template(region, service, publicurl, adminurl, @@ -480,7 +482,8 @@ def create_endpoint_template(region, service, publicurl, adminurl, publicurl=publicurl, adminurl=adminurl, internalurl=internalurl) - log("Created new endpoint template for '%s' in '%s'" % (region, service)) + log("Created new endpoint template for '%s' in '%s'" % (region, service), + level=DEBUG) def create_tenant(name): @@ -492,9 +495,10 @@ def create_tenant(name): if not tenants or name not in [t['name'] for t in tenants]: manager.api.tenants.create(tenant_name=name, description='Created by Juju') - log("Created new tenant: %s" % name) + log("Created new tenant: %s" % name, level=DEBUG) return - log("Tenant '%s' already exists." % name) + + log("Tenant '%s' already exists." % name, level=DEBUG) def create_user(name, password, tenant): 
@@ -507,13 +511,16 @@ def create_user(name, password, tenant): tenant_id = manager.resolve_tenant_id(tenant) if not tenant_id: error_out('Could not resolve tenant_id for tenant %s' % tenant) + manager.api.users.create(name=name, password=password, email='juju@localhost', tenant_id=tenant_id) - log("Created new user '%s' tenant: %s" % (name, tenant_id)) + log("Created new user '%s' tenant: %s" % (name, tenant_id), + level=DEBUG) return - log("A user named '%s' already exists" % name) + + log("A user named '%s' already exists" % name, level=DEBUG) def create_role(name, user=None, tenant=None): @@ -524,9 +531,9 @@ def create_role(name, user=None, tenant=None): roles = [r._info for r in manager.api.roles.list()] if not roles or name not in [r['name'] for r in roles]: manager.api.roles.create(name=name) - log("Created new role '%s'" % name) + log("Created new role '%s'" % name, level=DEBUG) else: - log("A role named '%s' already exists" % name) + log("A role named '%s' already exists" % name, level=DEBUG) if not user and not tenant: return @@ -560,10 +567,10 @@ def grant_role(user, role, tenant): role=role_id, tenant=tenant_id) log("Granted user '%s' role '%s' on tenant '%s'" % - (user, role, tenant)) + (user, role, tenant), level=DEBUG) else: log("User '%s' already has role '%s' on tenant '%s'" % - (user, role, tenant)) + (user, role, tenant), level=DEBUG) def store_admin_passwd(passwd): From c1c05464fa40c2a8d013fb9f5f379feb4de3580e Mon Sep 17 00:00:00 2001 From: Edward Hope-Morley Date: Mon, 30 Mar 2015 20:17:16 +0100 Subject: [PATCH 3/6] Added unit tests --- unit_tests/test_keystone_utils.py | 35 +++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/unit_tests/test_keystone_utils.py b/unit_tests/test_keystone_utils.py index 7bffa379..958c98d4 100644 --- a/unit_tests/test_keystone_utils.py +++ b/unit_tests/test_keystone_utils.py 
@@ -283,6 +283,41 @@ class TestKeystoneUtils(CharmTestCase): adminurl='10.0.0.2', internalurl='192.168.1.2') + @patch.object(utils, 'get_service_password') + @patch.object(utils, 'grant_role') + @patch.object(utils, 'create_role') + @patch.object(utils, 'create_user') + def test_create_credentials_no_roles(self, mock_create_user, + mock_create_role, + mock_grant_role, + mock_get_service_password): + mock_get_service_password.return_value = 'passA' + utils.create_credentials('userA', 'tenantA') + mock_create_user.assert_has_calls([call('userA', 'passA', 'tenantA')]) + mock_create_role.assert_has_calls([]) + mock_grant_role.assert_has_calls([]) + + @patch.object(utils, 'get_service_password') + @patch.object(utils, 'grant_role') + @patch.object(utils, 'create_role') + @patch.object(utils, 'create_user') + def test_create_credentials(self, mock_create_user, mock_create_role, + mock_grant_role, mock_get_service_password): + mock_get_service_password.return_value = 'passA' + utils.create_credentials('userA', 'tenantA', grants=['roleA'], + new_roles=['roleB']) + mock_create_user.assert_has_calls([call('userA', 'passA', 'tenantA')]) + mock_create_role.assert_has_calls([call('roleB', 'userA', 'tenantA')]) + mock_grant_role.assert_has_calls([call('userA', 'roleA', 'tenantA')]) + + @patch.object(utils, 'create_credentials') + def test_create_service_credentials(self, mock_create_credentials): + cfg = {'service-tenant': 'tenantA', 'admin-role': 'Admin'} + self.config.side_effect = lambda key: cfg.get(key, None) + calls = [call('serviceA', 'tenantA', grants=['Admin'], new_roles=None)] + utils.create_service_credentials('serviceA') + mock_create_credentials.assert_has_calls(calls) + def test_ensure_valid_service_incorrect(self): utils.ensure_valid_service('fakeservice') self.log.assert_called_with("Invalid service requested: 'fakeservice'") From a546537888b7a5d779119efae7273652534efabe Mon Sep 17 00:00:00 2001 
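Review bot: `mock_create_role.assert_has_calls([])` and `mock_grant_role.assert_has_calls([])` in test_create_credentials_no_roles are vacuous — assert_has_calls with an empty list passes regardless of how the mock was called, so the test cannot catch a spurious role creation or grant. Use `self.assertFalse(mock_create_role.called)` and `self.assertFalse(mock_grant_role.called)` (or compare `call_count` to 0), which works with any mock version. The same empty-list assertion is carried into patch 4's test_create_credentials_user_exists (`mock_create_user.assert_has_calls([])`) and into the renamed tests in patch 5; in the user-exists case, proving that create_user is never called is the check that matters, because that path replaces the existing password instead.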
From: Edward Hope-Morley Date: Mon, 30 Mar 2015 21:06:31 +0100 Subject: [PATCH 4/6] fixed update_password logic --- hooks/keystone_utils.py | 57 ++++++++++++++++++------------- unit_tests/test_keystone_utils.py | 42 +++++++++++++++++------ 2 files changed, 65 insertions(+), 34 deletions(-) diff --git a/hooks/keystone_utils.py b/hooks/keystone_utils.py index 88035c55..0e51e33e 100644 --- a/hooks/keystone_utils.py +++ b/hooks/keystone_utils.py 
@@ -501,26 +501,36 @@ def create_tenant(name): log("Tenant '%s' already exists." % name, level=DEBUG) -def create_user(name, password, tenant): - """Creates a user if it doesn't already exist, as a member of tenant""" +def user_exists(name): import manager manager = manager.KeystoneManager(endpoint=get_local_endpoint(), token=get_admin_token()) users = [u._info for u in manager.api.users.list()] if not users or name not in [u['name'] for u in users]: - tenant_id = manager.resolve_tenant_id(tenant) - if not tenant_id: - error_out('Could not resolve tenant_id for tenant %s' % tenant) + return False - manager.api.users.create(name=name, - password=password, - email='juju@localhost', - tenant_id=tenant_id) - log("Created new user '%s' tenant: %s" % (name, tenant_id), - level=DEBUG) - return + return True - log("A user named '%s' already exists" % name, level=DEBUG) + +def create_user(name, password, tenant): + """Creates a user if it doesn't already exist, as a member of tenant""" + import manager + manager = manager.KeystoneManager(endpoint=get_local_endpoint(), + token=get_admin_token()) + if user_exists(name): + log("A user named '%s' already exists" % name, level=DEBUG) + return + + tenant_id = manager.resolve_tenant_id(tenant) + if not tenant_id: + error_out('Could not resolve tenant_id for tenant %s' % tenant) + + manager.api.users.create(name=name, + password=password, + email='juju@localhost', + tenant_id=tenant_id) + log("Created new user '%s' tenant: %s" % (name, tenant_id), + level=DEBUG) def create_role(name, user=None, tenant=None): @@ -640,9 +650,8 @@ def ensure_initial_admin(config): 'ldap' and config('ldap-readonly')): passwd = get_admin_passwd() if passwd: - create_credentials(config('admin-user'), 'admin', - new_roles=[config('admin-role')], - passwd=passwd) + create_credentials(config('admin-user'), 'admin', passwd, + new_roles=[config('admin-role')]) create_service_entry("keystone", "identity", "Keystone Identity Service") 
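Review bot: create_user now instantiates a KeystoneManager (which calls get_admin_token) before it calls user_exists(name), and user_exists builds a second manager of its own, so on the already-exists path the first manager is constructed and then discarded. Move the `import manager` and `manager = manager.KeystoneManager(...)` lines below the `if user_exists(name): ... return` guard so the manager is only created when a user is actually going to be created. user_exists itself could be reduced to `return any(u['name'] == name for u in users)` over the list it already built — the `if not users or name not in [...]` form is equivalent but harder to read, and a one-line docstring such as `Return True if a keystone user called name exists.` is missing.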
@@ -1237,7 +1246,7 @@ def relation_list(rid): return result -def create_credentials(user, tenant, new_roles=None, grants=None, passwd=None): +def create_credentials(user, tenant, passwd, new_roles=None, grants=None): """Create user credentials. Optinally adds user to config(admin-role) and create new roles. @@ -1246,13 +1255,14 @@ def create_credentials(user, tenant, new_roles=None, grants=None, passwd=None): password for the given user. """ log("Creating service credentials for '%s'" % user, level=DEBUG) - if passwd: - update_user_password(user, passwd) + if user_exists(user): + log("User '%s' already exists" % (user), level=DEBUG) + if passwd: + log("Updating user '%s' password" % (user), level=DEBUG) + update_user_password(user, passwd) else: - passwd = get_service_password(user) + create_user(user, passwd, tenant) - create_user(user, passwd, tenant) - # Typically admin role if grants: for role in grants: grant_role(user, role, tenant) @@ -1279,7 +1289,8 @@ def create_service_credentials(user, new_roles=None): if not tenant: raise Exception("No service tenant provided in config") - return create_credentials(user, tenant, new_roles=new_roles, + return create_credentials(user, tenant, get_service_password(user), + new_roles=new_roles, grants=[config('admin-role')]) diff --git a/unit_tests/test_keystone_utils.py b/unit_tests/test_keystone_utils.py index 958c98d4..265e7bf4 100644 --- a/unit_tests/test_keystone_utils.py +++ b/unit_tests/test_keystone_utils.py 
@@ -283,38 +283,58 @@ class TestKeystoneUtils(CharmTestCase): adminurl='10.0.0.2', internalurl='192.168.1.2') - @patch.object(utils, 'get_service_password') + @patch.object(utils, 'user_exists') @patch.object(utils, 'grant_role') @patch.object(utils, 'create_role') @patch.object(utils, 'create_user') def test_create_credentials_no_roles(self, mock_create_user, mock_create_role, - mock_grant_role, - mock_get_service_password): - mock_get_service_password.return_value = 'passA' - utils.create_credentials('userA', 'tenantA') + mock_grant_role, mock_user_exists): + mock_user_exists.return_value = False + utils.create_credentials('userA', 'tenantA', 'passA') mock_create_user.assert_has_calls([call('userA', 'passA', 'tenantA')]) mock_create_role.assert_has_calls([]) mock_grant_role.assert_has_calls([]) - @patch.object(utils, 'get_service_password') + @patch.object(utils, 'user_exists') @patch.object(utils, 'grant_role') @patch.object(utils, 'create_role') @patch.object(utils, 'create_user') def test_create_credentials(self, mock_create_user, mock_create_role, - mock_grant_role, mock_get_service_password): - mock_get_service_password.return_value = 'passA' - utils.create_credentials('userA', 'tenantA', grants=['roleA'], + mock_grant_role, mock_user_exists): + mock_user_exists.return_value = False + utils.create_credentials('userA', 'tenantA', 'passA', grants=['roleA'], new_roles=['roleB']) mock_create_user.assert_has_calls([call('userA', 'passA', 'tenantA')]) mock_create_role.assert_has_calls([call('roleB', 'userA', 'tenantA')]) mock_grant_role.assert_has_calls([call('userA', 'roleA', 'tenantA')]) + @patch.object(utils, 'update_user_password') + @patch.object(utils, 'user_exists') + @patch.object(utils, 'grant_role') + @patch.object(utils, 'create_role') + @patch.object(utils, 'create_user') + def test_create_credentials_user_exists(self, mock_create_user, + mock_create_role, mock_grant_role, + mock_user_exists, + mock_update_user_password): + 
mock_user_exists.return_value = True + utils.create_credentials('userA', 'tenantA', 'passA', grants=['roleA'], + new_roles=['roleB']) + mock_create_user.assert_has_calls([]) + mock_create_role.assert_has_calls([call('roleB', 'userA', 'tenantA')]) + mock_grant_role.assert_has_calls([call('userA', 'roleA', 'tenantA')]) + mock_update_user_password.assert_has_calls([call('userA', 'passA')]) + + @patch.object(utils, 'get_service_password') @patch.object(utils, 'create_credentials') - def test_create_service_credentials(self, mock_create_credentials): + def test_create_service_credentials(self, mock_create_credentials, + mock_get_service_password): + mock_get_service_password.return_value = 'passA' cfg = {'service-tenant': 'tenantA', 'admin-role': 'Admin'} self.config.side_effect = lambda key: cfg.get(key, None) - calls = [call('serviceA', 'tenantA', grants=['Admin'], new_roles=None)] + calls = [call('serviceA', 'tenantA', 'passA', grants=['Admin'], + new_roles=None)] utils.create_service_credentials('serviceA') mock_create_credentials.assert_has_calls(calls) From a3e980e76b56940ac20ed5d206eb4b082dd1cdef Mon Sep 17 00:00:00 2001 From: Edward Hope-Morley Date: Mon, 30 Mar 2015 21:42:39 +0100 Subject: [PATCH 5/6] cleanup --- hooks/keystone_utils.py | 30 +++++++++++--------------- unit_tests/test_keystone_utils.py | 36 ++++++++++++++++--------------- 2 files changed, 32 insertions(+), 34 deletions(-) diff --git a/hooks/keystone_utils.py b/hooks/keystone_utils.py index 0e51e33e..02139e7d 100644 --- a/hooks/keystone_utils.py +++ b/hooks/keystone_utils.py @@ -519,8 +519,8 @@ def create_user(name, password, tenant): token=get_admin_token()) if user_exists(name): log("A user named '%s' already exists" % name, level=DEBUG) - return - + return + tenant_id = manager.resolve_tenant_id(tenant) if not tenant_id: error_out('Could not resolve tenant_id for tenant %s' % tenant) 
@@ -650,8 +650,8 @@ def ensure_initial_admin(config): 'ldap' and config('ldap-readonly')): passwd = get_admin_passwd() if passwd: - create_credentials(config('admin-user'), 'admin', passwd, - new_roles=[config('admin-role')]) + create_user_credentials(config('admin-user'), 'admin', passwd, + new_roles=[config('admin-role')]) create_service_entry("keystone", "identity", "Keystone Identity Service") @@ -1246,20 +1246,16 @@ def relation_list(rid): return result -def create_credentials(user, tenant, passwd, new_roles=None, grants=None): +def create_user_credentials(user, tenant, passwd, new_roles=None, grants=None): """Create user credentials. - Optinally adds user to config(admin-role) and create new roles. - - If a password is provided, it is used to update/replace any existing - password for the given user. + Optionally adds role grants to user and/or creates new roles. """ log("Creating service credentials for '%s'" % user, level=DEBUG) if user_exists(user): - log("User '%s' already exists" % (user), level=DEBUG) - if passwd: - log("Updating user '%s' password" % (user), level=DEBUG) - update_user_password(user, passwd) + log("User '%s' already exists - updating password" % (user), + level=DEBUG) + update_user_password(user, passwd) else: create_user(user, passwd, tenant) 
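Review bot: The rewritten docstring of create_user_credentials no longer says what happens when the user already exists, yet that branch now unconditionally calls `update_user_password(user, passwd)` and replaces the existing credential, which is the function's most consequential side effect. Restore a sentence below the summary such as `If the user already exists its password is replaced with passwd; otherwise the user is created in tenant with that password.`. The `if passwd:` guard that previously skipped the update was dropped here; ensure_initial_admin still checks passwd before calling, but create_service_credentials passes `get_service_password(user)` straight through, so if that helper can ever return an empty value (not visible here) an empty password would now be written — keep the guard or `error_out` when passwd is falsy.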
@@ -1283,15 +1279,15 @@ def create_service_credentials(user, new_roles=None): """Create credentials for service with given username. Services are given a user under config('service-tenant') and are given the - config('admin-role') role. + config('admin-role') role. Tenant is assumed to already exist, """ tenant = config('service-tenant') if not tenant: raise Exception("No service tenant provided in config") - return create_credentials(user, tenant, get_service_password(user), - new_roles=new_roles, - grants=[config('admin-role')]) + return create_user_credentials(user, tenant, get_service_password(user), + new_roles=new_roles, + grants=[config('admin-role')]) def add_service_to_keystone(relation_id=None, remote_unit=None): diff --git a/unit_tests/test_keystone_utils.py b/unit_tests/test_keystone_utils.py index 265e7bf4..a89e4375 100644 --- a/unit_tests/test_keystone_utils.py +++ b/unit_tests/test_keystone_utils.py @@ -287,11 +287,12 @@ class TestKeystoneUtils(CharmTestCase): @patch.object(utils, 'grant_role') @patch.object(utils, 'create_role') @patch.object(utils, 'create_user') - def test_create_credentials_no_roles(self, mock_create_user, - mock_create_role, - mock_grant_role, mock_user_exists): + def test_create_user_credentials_no_roles(self, mock_create_user, + mock_create_role, + mock_grant_role, + mock_user_exists): mock_user_exists.return_value = False - utils.create_credentials('userA', 'tenantA', 'passA') + utils.create_user_credentials('userA', 'tenantA', 'passA') mock_create_user.assert_has_calls([call('userA', 'passA', 'tenantA')]) mock_create_role.assert_has_calls([]) mock_grant_role.assert_has_calls([]) 
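Review bot: The new docstring sentence in create_service_credentials ends with a comma — `Tenant is assumed to already exist,` — which reads as an unfinished thought; make it `Tenant is assumed to already exist.`. Since this function does not create the tenant and create_user appears to call `error_out` when `resolve_tenant_id` fails, the docstring could also state that a missing tenant aborts the hook rather than being created.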
@@ -300,11 +301,11 @@ class TestKeystoneUtils(CharmTestCase): @patch.object(utils, 'grant_role') @patch.object(utils, 'create_role') @patch.object(utils, 'create_user') - def test_create_credentials(self, mock_create_user, mock_create_role, - mock_grant_role, mock_user_exists): + def test_create_user_credentials(self, mock_create_user, mock_create_role, + mock_grant_role, mock_user_exists): mock_user_exists.return_value = False - utils.create_credentials('userA', 'tenantA', 'passA', grants=['roleA'], - new_roles=['roleB']) + utils.create_user_credentials('userA', 'tenantA', 'passA', + grants=['roleA'], new_roles=['roleB']) mock_create_user.assert_has_calls([call('userA', 'passA', 'tenantA')]) mock_create_role.assert_has_calls([call('roleB', 'userA', 'tenantA')]) mock_grant_role.assert_has_calls([call('userA', 'roleA', 'tenantA')]) 
@@ -314,21 +315,22 @@ class TestKeystoneUtils(CharmTestCase): @patch.object(utils, 'grant_role') @patch.object(utils, 'create_role') @patch.object(utils, 'create_user') - def test_create_credentials_user_exists(self, mock_create_user, - mock_create_role, mock_grant_role, - mock_user_exists, - mock_update_user_password): + def test_create_user_credentials_user_exists(self, mock_create_user, + mock_create_role, + mock_grant_role, + mock_user_exists, + mock_update_user_password): mock_user_exists.return_value = True - utils.create_credentials('userA', 'tenantA', 'passA', grants=['roleA'], - new_roles=['roleB']) + utils.create_user_credentials('userA', 'tenantA', 'passA', + grants=['roleA'], new_roles=['roleB']) mock_create_user.assert_has_calls([]) mock_create_role.assert_has_calls([call('roleB', 'userA', 'tenantA')]) mock_grant_role.assert_has_calls([call('userA', 'roleA', 'tenantA')]) mock_update_user_password.assert_has_calls([call('userA', 'passA')]) @patch.object(utils, 'get_service_password') - @patch.object(utils, 'create_credentials') - def test_create_service_credentials(self, mock_create_credentials, + @patch.object(utils, 'create_user_credentials') + def test_create_service_credentials(self, mock_create_user_credentials, mock_get_service_password): mock_get_service_password.return_value = 'passA' cfg = {'service-tenant': 'tenantA', 'admin-role': 'Admin'} @@ -336,7 +338,7 @@ class TestKeystoneUtils(CharmTestCase): calls = [call('serviceA', 'tenantA', 'passA', grants=['Admin'], new_roles=None)] utils.create_service_credentials('serviceA') - mock_create_credentials.assert_has_calls(calls) + mock_create_user_credentials.assert_has_calls(calls) def test_ensure_valid_service_incorrect(self): utils.ensure_valid_service('fakeservice') From ac8914c1461862c60bebf07fa5f315828a15b09d Mon Sep 17 00:00:00 2001 
From: Liam Young Date: Wed, 1 Apr 2015 07:55:04 +0100 Subject: [PATCH 6/6] Add token-expiration to allow the time a token should remain valid (in seconds) to be set. Remove token-expiry which seems unused --- config.yaml | 8 ++++---- hooks/keystone_context.py | 1 + templates/icehouse/keystone.conf | 3 ++- templates/kilo/keystone.conf | 1 + 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/config.yaml b/config.yaml index b0ce3732..df521e6a 100644 --- a/config.yaml +++ b/config.yaml @@ -62,10 +62,10 @@ options: default: 'Admin' type: string description: 'Admin role to be associated with admin and service users' - token-expiry: - default: "2017-02-05T00:00" - type: string - description: "Expiration date of generated admin tokens" + token-expiration: + default: 3600 + type: int + description: "Amount of time a token should remain valid (in seconds)." service-tenant: default: "services" type: string diff --git a/hooks/keystone_context.py b/hooks/keystone_context.py index dbbc237b..0c023688 100644 --- a/hooks/keystone_context.py +++ b/hooks/keystone_context.py @@ -202,6 +202,7 @@ class KeystoneContext(context.OSContextGenerator): ctxt['debug'] = debug and bool_from_string(debug) verbose = config('verbose') ctxt['verbose'] = verbose and bool_from_string(verbose) + ctxt['token_expiration'] = config('token-expiration') ctxt['identity_backend'] = config('identity-backend') ctxt['assignment_backend'] = config('assignment-backend') diff --git a/templates/icehouse/keystone.conf b/templates/icehouse/keystone.conf index 5ef7fe35..b51edb0f 100644 --- a/templates/icehouse/keystone.conf +++ b/templates/icehouse/keystone.conf @@ -49,7 +49,8 @@ provider = keystone.token.providers.pki.Provider provider = keystone.token.providers.pkiz.Provider {% else -%} provider = keystone.token.providers.uuid.Provider -{% endif %} +{% endif -%} +expiration = {{ token_expiration }} {% include "parts/section-signing" %} 
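Review bot: `ctxt['token_expiration'] = config('token-expiration')` passes the option straight into `expiration = {{ token_expiration }}` in both keystone.conf templates with no validation, so an unset, zero or negative value is rendered verbatim into a security-relevant setting; how keystone treats such a value is not visible here. Consider validating before rendering, e.g. `expiration = config('token-expiration')` followed by `if not isinstance(expiration, int) or expiration <= 0:` and a call to the module's error helper (`error_out` if it is available in keystone_context.py) with `'token-expiration must be a positive integer'`. The config.yaml description could also note that a longer lifetime extends the window during which a leaked token remains usable, and the removal of `token-expiry` should be checked against existing deployments that set it, since the commit message only says it "seems unused". The enclosing method of KeystoneContext starts and ends outside the hunk.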
diff --git a/templates/kilo/keystone.conf b/templates/kilo/keystone.conf index 499caa4c..0c057959 100644 --- a/templates/kilo/keystone.conf +++ b/templates/kilo/keystone.conf @@ -46,6 +46,7 @@ driver = keystone.catalog.backends.sql.Catalog [token] driver = keystone.token.persistence.backends.sql.Token provider = keystone.token.providers.uuid.Provider +expiration = {{ token_expiration }} [cache]