Support service tokens

Implement support for service_tokens. For that we convert role_name to be a list along with renaming corresponding variable. Additionally service_type is defined now for keystone_authtoken which enables to validate tokens with restricted access rules Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690 Change-Id: I6a5e16a4fc2a81dedc4bc459f13ac7781292f5a8
2022-06-15 17:40:02 +02:00 · 2022-06-15 17:40:02 +02:00 · cb6c38ab92
parent e5e1a59e05
commit cb6c38ab92
4 changed files with 13 additions and 19 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -121,6 +121,10 @@ barbican_default_role_names:
 barbican_service_role_names:
  - admin
  - creator
+  - service
+barbican_service_token_roles:
+  - service
+barbican_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 barbican_service_region: "{{ service_region | default('RegionOne') }}"
 barbican_service_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
 barbican_service_port: 9311
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -149,7 +149,11 @@
    _service_in_ldap: "{{ barbican_service_in_ldap }}"
    _service_project_name: "{{ barbican_service_project_name }}"
    _service_region: "{{ barbican_service_region }}"
-    _service_users: "{{ barbican_service_users }}"
+    _service_users:
+      - name: "{{ barbican_service_user_name }}"
+        password: "{{ barbican_service_password }}"
+        role: "{{ barbican_service_role_names }}"
+      - role: "{{ barbican_default_role_names }}"
    _service_endpoints:
      - service: "{{ barbican_service_name }}"
        interface: "public"
--- a/templates/barbican.conf.j2
+++ b/templates/barbican.conf.j2
@ -42,6 +42,10 @@ username = {{ barbican_service_user_name }}
 password = {{ barbican_service_password }}
 region_name = {{ keystone_service_region }}

+service_token_roles_required = {{ barbican_service_token_roles_required | bool }}
+service_token_roles = {{ barbican_service_token_roles | join(',') }}
+service_type = {{ barbican_service_type }}
+
 memcached_servers = {{ barbican_memcached_servers }}

 token_cache_time = 300
--- a/vars/main.yml
+++ b/vars/main.yml
@ -63,21 +63,3 @@ uwsgi_barbican_services: |-
  {%   endif %}
  {% endfor %}
  {{ services }}
-
-barbican_service_users: |-
-  {% set users = [{
-    'name': barbican_service_user_name,
-    'password': barbican_service_password
-    }]
-  %}
-  {% for role in barbican_default_role_names %}
-  {%   set _ = users.append({'role': role}) %}
-  {% endfor %}
-  {% for user_role in barbican_service_role_names %}
-  {%   set _ = users.append({
-         'name': barbican_service_user_name,
-         'role': user_role
-       })
-  %}
-  {% endfor %}
-  {{ users }}