Support service tokens

Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_gnocchi/+/846347
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I883d84859811714362c5b58f33dfae808317bfdc

defaults/main.yml

@@ -102,7 +102,12 @@ aodh_wsgi_processes_max: 16
 aodh_wsgi_processes: "{{ [[(ansible_facts['processor_vcpus']//ansible_facts['processor_threads_per_core'])|default(1), 1] | max * 2, aodh_wsgi_processes_max] | min }}"
 
 #Aodh services info
-aodh_role_name: admin
+aodh_service_role_names:
+  - admin
+  - service
+aodh_service_token_roles:
+  - service
+aodh_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 
 ## Service Type and Data
 aodh_service_region: "{{ service_region | default('RegionOne') }}"

tasks/main.yml

@@ -157,7 +157,7 @@
     _service_users:
       - name: "{{ aodh_service_user_name }}"
         password: "{{ aodh_service_password }}"
-        role: "{{ aodh_role_name }}"
+        role: "{{ aodh_service_role_names }}"
     _service_endpoints:
       - service: "{{ aodh_service_name }}"
         interface: "public"

templates/aodh.conf.j2

@@ -33,6 +33,11 @@ username = {{ aodh_service_user_name }}
 password = {{ aodh_service_password }}
 region_name = {{ keystone_service_region }}
 
+
+service_token_roles_required = {{ aodh_service_token_roles_required | bool }}
+service_token_roles = {{ aodh_service_token_roles | join(',') }}
+service_type = {{ aodh_service_type }}
+
 memcached_servers = {{ aodh_memcached_servers }}
 
 token_cache_time = 300