Support service tokens

Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I1d0156a2ad829aa730419e1d9dfa1cd49026a6be
Related-Bug: #1948456

defaults/main.yml

@@ -145,7 +145,12 @@ cinder_service_project_domain_id: default
 cinder_service_user_domain_id: default
 cinder_service_user_name: cinder
 cinder_service_project_name: service
-cinder_service_role_name: admin
+cinder_service_role_names:
+  - admin
+  - service
+cinder_service_token_roles:
+  - service
+cinder_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 cinder_service_region: "{{ service_region | default('RegionOne') }}"
 cinder_service_description: "Cinder Volume Service"
 cinder_service_port: 8776

tasks/main.yml

@@ -180,7 +180,7 @@
     _service_users:
       - name: "{{ cinder_service_user_name }}"
         password: "{{ cinder_service_password }}"
-        role: "{{ cinder_service_role_name }}"
+        role: "{{ cinder_service_role_names }}"
   when:
     - "_cinder_is_first_play_host"
   tags:

templates/cinder.conf.j2

@@ -165,6 +165,10 @@ token_cache_time = 300
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcached_encryption_key }}
 
+service_token_roles_required = {{ cinder_service_token_roles_required | bool }}
+service_token_roles = {{ cinder_service_token_roles | join(',') }}
+service_type = {{ cinder_service_type }}
+
 [nova]
 interface = internal
 insecure = {{ keystone_service_internaluri_insecure | bool }}