New option default_authorization_ttl

Add new option default_authorization_ttl used for
federation to set validity of group memberships
coming from a mapping.

Closes-Bug: #1970388
Change-Id: I4a8dbc501e14d1201ceed27077554924c56e3abd
(cherry picked from commit f5d9b9ed40)

config.yaml

@@ -436,3 +436,9 @@ options:
       the charm, but it's possible that it may break things unexpectedly.
       Please ensure that the the README and relevant documentation is consulted
       before setting this configuration option.
+  default-authorization-ttl:
+    type: int
+    default: 0
+    description: |
+      Default time (in minutes) for the validity of group memberships carried
+      over from a federation mapping. Default is 0 which means disabled.

hooks/keystone_context.py

@@ -249,6 +249,8 @@ class KeystoneContext(context.OSContextGenerator):
             ctxt['log_config'] = ('/etc/keystone/logging.conf')
             ctxt['paste_config_file'] = '/etc/keystone/keystone-paste.ini'
 
+        ctxt['default_authorization_ttl'] = config('default-authorization-ttl')
+
         return ctxt
 
     ALLOWED_SECURITY_COMPLIANCE_SCHEMA = {

templates/parts/section-federation

@@ -3,6 +3,7 @@
 {% for dashboard_url in trusted_dashboards -%}
 trusted_dashboard = {{ dashboard_url }}
 {% endfor -%}
+default_authorization_ttl = {{ default_authorization_ttl }}
 {% endif %}
 {% for sp in fid_sps -%}
 [{{ sp['protocol-name'] }}]

test-requirements.txt

@@ -42,7 +42,8 @@ git+https://github.com/openstack-charmers/zaza.git@stable/victoria#egg=zaza
 git+https://github.com/openstack-charmers/zaza-openstack-tests.git@stable/victoria#egg=zaza.openstack
 
 # Needed for charm-glance:
-git+https://opendev.org/openstack/tempest.git#egg=tempest;python_version>='3.6'
+git+https://opendev.org/openstack/tempest.git#egg=tempest;python_version>='3.8'
+tempest<31.0.0;python_version<'3.8'
 tempest<24.0.0;python_version<'3.6'
 
 croniter            # needed for charm-rabbitmq-server unit tests