From b6d15a95cba562a9a58aca0970cb2fec40cb3f62 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Wed, 15 Jun 2022 17:53:38 +0200 Subject: [PATCH] Support service tokens Implement support for service_tokens. For that we convert role_name to be a list along with renaming corresponding variable. Additionally service_type is defined now for keystone_authtoken which enables to validate tokens with restricted access rules Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690 Change-Id: Icb1de8c7e0a5196a4df457a5d4a3ca524d4622d0 --- defaults/main.yml | 13 ++++++++----- tasks/main.yml | 8 +++----- templates/cloudkitty.conf.j2 | 5 +++-- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9676063..5ebb0d4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -30,8 +30,6 @@ cloudkitty_service_setup_host_python_interpreter: "{{ openstack_service_setup_ho cloudkitty_package_state: "{{ package_state | default('latest') }}" cloudkitty_pip_package_state: "latest" -cloudkitty_service_user_name: cloudkitty - ## Oslo Messaging info # RPC @@ -79,13 +77,16 @@ cloudkitty_git_constraints: cloudkitty_notification_topics: notifications cloudkitty_collector: gnocchi +cloudkitty_service_user_name: cloudkitty cloudkitty_service_project_domain_id: default cloudkitty_service_project_name: "service" cloudkitty_service_user_domain_id: default cloudkitty_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}" -cloudkitty_service_role_name: "admin" -cloudkitty_system_service_name: "cloudkitty-api" - +cloudkitty_service_role_names: + - admin + - rating + - service +cloudkitty_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}" cloudkitty_keystone_auth_plugin: password cloudkitty_output_backend: cloudkitty.backend.file.FileBackend cloudkitty_output_pipeline: osrf 
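Review bot: The rename of `cloudkitty_service_role_name` to `cloudkitty_service_role_names` in the second defaults/main.yml hunk has no fallback, so an existing override of the old variable is silently ignored and the service user gets the new default list, `admin` included. A deployment that had narrowed the old variable would be widened again without any warning. I would add a release note and a comment above the new variable, e.g. `# Roles assigned to the cloudkitty service user (list); replaces cloudkitty_service_role_name`. The same hunk also drops `cloudkitty_system_service_name`, which the commit message does not mention; whether anything else still reads it is not visible here.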
@@ -114,6 +115,8 @@ cloudkitty_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0
 ## Service Type and Data
 cloudkitty_service_region: "{{ service_region | default('RegionOne') }}"
 cloudkitty_service_name: cloudkitty
+cloudkitty_service_type: rating
+cloudkitty_service_description: "OpenStack Rating Service"
 cloudkitty_service_port: 8089
 cloudkitty_service_proto: http
 cloudkitty_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(cloudkitty_service_proto) }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 8bf022d..8b29a31 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -140,9 +140,7 @@
 _service_users:
 - name: "{{ cloudkitty_service_user_name }}"
 password: "{{ cloudkitty_service_password }}"
- role: "rating"
- - name: "{{ cloudkitty_service_user_name }}"
- role: "{{ cloudkitty_service_role_name }}"
+ role: "{{ cloudkitty_service_role_names }}"
 _service_endpoints:
 - service: "{{ cloudkitty_service_name }}"
 interface: "public"
@@ -155,8 +153,8 @@
 url: "{{ cloudkitty_service_adminurl }}"
 _service_catalog:
 - name: "{{ cloudkitty_service_name }}"
- type: "rating"
- description: "OpenStack Rating Service"
+ type: "{{ cloudkitty_service_type }}"
+ description: "{{ cloudkitty_service_description }}"
 when: _cloudkitty_is_first_play_host
 tags:
 - always
diff --git a/templates/cloudkitty.conf.j2 b/templates/cloudkitty.conf.j2
index 6fda6ff..013927c 100644
--- a/templates/cloudkitty.conf.j2
+++ b/templates/cloudkitty.conf.j2
@@ -47,8 +47,9 @@ username = {{ cloudkitty_service_user_name }} auth_url = {{ keystone_service_adminurl }} auth_type = {{ cloudkitty_keystone_auth_plugin }} region_name = {{ cloudkitty_service_region }} -service_token_roles_required = True -service_token_roles = {{ cloudkitty_service_role_name }} +service_token_roles_required = {{ cloudkitty_service_token_roles_required | bool }} +service_token_roles = {{ cloudkitty_service_role_names | join(',') }} +service_type = {{ cloudkitty_service_type }} [oslo_messaging_amqp]
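Review bot: `service_token_roles` on the added line is rendered from `cloudkitty_service_role_names`, so with the defaults in this patch it becomes `admin,rating,service`. As far as I know keystonemiddleware treats that option as an any-of match, so a token carrying only `admin` or `rating` would be accepted as a service token, which is wider than the `service` role the option is meant to single out. I would decouple the two and render `service_token_roles = service` (or a dedicated variable that defaults to `service`), keeping the role-assignment list for the keystone setup task only. The config section these options belong to starts above the hunk.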