openstack/openstack-ansible-os_barbican
Code Issues Proposed changes

Support service tokens

Browse Source 
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I6a5e16a4fc2a81dedc4bc459f13ac7781292f5a8
This commit is contained in:
Dmitriy Rabotyagov 2022-06-15 17:40:02 +02:00
parent e5e1a59e05
commit cb6c38ab92
4 changed files with 13 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
defaults/main.yml
View File

@ -121,6 +121,10 @@ barbican_default_role_names:
barbican_service_role_names:
- admin
- creator
- service
barbican_service_token_roles:
- service
barbican_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
barbican_service_region: "{{ service_region | default('RegionOne') }}"
barbican_service_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
barbican_service_port: 9311

6
tasks/main.yml
View File

@ -149,7 +149,11 @@
_service_in_ldap: "{{ barbican_service_in_ldap }}"
_service_project_name: "{{ barbican_service_project_name }}"
_service_region: "{{ barbican_service_region }}"
_service_users: "{{ barbican_service_users }}"
_service_users:
- name: "{{ barbican_service_user_name }}"
password: "{{ barbican_service_password }}"
role: "{{ barbican_service_role_names }}"
- role: "{{ barbican_default_role_names }}"
_service_endpoints:
- service: "{{ barbican_service_name }}"
interface: "public"

4
templates/barbican.conf.j2
View File

@ -42,6 +42,10 @@ username = {{ barbican_service_user_name }}
password = {{ barbican_service_password }}
region_name = {{ keystone_service_region }}
service_token_roles_required = {{ barbican_service_token_roles_required | bool }}
service_token_roles = {{ barbican_service_token_roles | join(',') }}
service_type = {{ barbican_service_type }}
memcached_servers = {{ barbican_memcached_servers }}
token_cache_time = 300

18
vars/main.yml
View File

@ -63,21 +63,3 @@ uwsgi_barbican_services: |-
{% endif %}
{% endfor %}
{{ services }}
barbican_service_users: |-
{% set users = [{
'name': barbican_service_user_name,
'password': barbican_service_password
}]
%}
{% for role in barbican_default_role_names %}
{% set _ = users.append({'role': role}) %}
{% endfor %}
{% for user_role in barbican_service_role_names %}
{% set _ = users.append({
'name': barbican_service_user_name,
'role': user_role
})
%}
{% endfor %}
{{ users }}