From 20a533dd535bec90ba69f3b25008351dd47e6d7d Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 15 Jun 2022 18:38:10 +0200
Subject: [PATCH] Support service tokens

Implement support for service_tokens. For that we convert role_name to be a list along with renaming corresponding variable. Additionally service_type is defined now for keystone_authtoken which enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I1d70c2c46fef6ffc0fcebe4b56a0ecdedc1d3298
---
 defaults/main.yml | 14 ++++++++++++--
 templates/inspector.conf.j2 | 5 +++++
 templates/ironic.conf.j2 | 4 ++++
 vars/main.yml | 4 ++--
 4 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 8ab2c675..2dc19a5c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -108,7 +108,12 @@ ironic_service_region: "{{ service_region | default('RegionOne') }}"
 ironic_service_project_name: "service"
 ironic_service_project_domain_id: default
 ironic_service_user_domain_id: default
-ironic_service_role_name: "admin"
+ironic_service_role_names:
+  - admin
+  - service
+ironic_service_token_roles:
+  - service
+ironic_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 ironic_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
 
 # Ironic image store information
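Review bot: `ironic_service_token_roles_required` is defaulted to `True` without a comment explaining that this is the strict setting — keystonemiddleware's own default for `service_token_roles_required` is False, so an operator who overrides the variable back to the library default silently stops checking the roles carried by the X-Service-Token. A comment above the variable would keep that visible, e.g. `# Reject service tokens whose roles are not in ironic_service_token_roles; keep True unless a peer service cannot present the 'service' role yet.` The same applies to `ironic_inspector_service_token_roles_required` in the second hunk of this file. Note also that `ironic_service_role_names` keeps `admin` alongside the new `service` role, so the service user's privilege is not reduced by this change; if `admin` is retained only for compatibility with callers that still expect it, a comment saying so would make a later cleanup safe.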
@@ -311,7 +316,12 @@ ironic_inspector_service_adminuri: "{{ ironic_inspector_service_adminuri_proto }
 ironic_inspector_service_adminurl: "{{ ironic_inspector_service_adminuri }}"
 ironic_inspector_service_internaluri: "{{ ironic_inspector_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_inspector_service_port }}"
 ironic_inspector_service_internalurl: "{{ ironic_inspector_service_internaluri }}"
-ironic_inspector_service_role_name: "admin"
+ironic_inspector_service_role_names:
+  - admin
+  - service
+ironic_inspector_service_token_roles:
+  - service
+ironic_inspector_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 ironic_inspector_service_project_name: "service"
 ironic_inspector_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
 ironic_inspector_service_domain_id: default
diff --git a/templates/inspector.conf.j2 b/templates/inspector.conf.j2
index 6b7f0447..2bb77ebb 100644
--- a/templates/inspector.conf.j2
+++ b/templates/inspector.conf.j2
@@ -62,6 +62,11 @@ project_name = "service"
 username = ironic_inspector
 password = {{ ironic_inspector_service_password }}
 region_name = {{ keystone_service_region }}
+
+service_token_roles = {{ ironic_inspector_service_token_roles | join(',') }}
+service_token_roles_required = {{ ironic_inspector_service_token_roles_required | bool }}
+service_type = {{ ironic_inspector_service_type }}
+
 memcached_servers = {{ memcached_servers }}
 # if your memcached server is shared, use these settings to avoid cache poisoning
 memcache_security_strategy = ENCRYPT
diff --git a/templates/ironic.conf.j2 b/templates/ironic.conf.j2
index e7b5a253..472ff305 100644
--- a/templates/ironic.conf.j2
+++ b/templates/ironic.conf.j2
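Review bot: `service_type = {{ ironic_inspector_service_type }}` in the inspector.conf.j2 hunk references a variable this patch does not define anywhere; if it is not already present in defaults/main.yml the template render fails at deploy time, so it is worth confirming rather than assuming. The rendered `service_token_roles` line uses `join(',')`, so an operator who sets `ironic_inspector_service_token_roles` to an empty list produces `service_token_roles =` with an empty value next to `service_token_roles_required = True`; what keystonemiddleware does with that combination is not visible here and should be stated in a template comment such as `{# service_token_roles must stay non-empty while service_token_roles_required is true #}` rather than left for the operator to discover. Both points apply equally to the `templates/ironic.conf.j2` hunk that follows. The section header these options belong to (presumably `[keystone_authtoken]`, per the commit message) begins outside the hunk.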
@@ -128,6 +128,10 @@ username = {{ ironic_service_user_name }} password = {{ ironic_service_password }} region_name = {{ keystone_service_region }} +service_token_roles = {{ ironic_service_token_roles | join(',') }} +service_token_roles_required = {{ ironic_service_token_roles_required | bool }} +service_type = {{ ironic_service_type }} + memcached_servers = {{ ironic_memcached_servers }} token_cache_time = 300
diff --git a/vars/main.yml b/vars/main.yml
index c54c1468..c3fa7eb2 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -147,7 +147,7 @@ ironic_service_user_list: >
 {
 'name': ironic_service_user_name,
 'password': ironic_service_password,
- 'role': ironic_service_role_name
+ 'role': ironic_service_role_names
 }
 )
 %}
@@ -157,7 +157,7 @@ ironic_service_user_list: >
 {
 'name': ironic_inspector_service_user_name,
 'password': ironic_inspector_service_password,
- 'role': ironic_inspector_service_role_name
+ 'role': ironic_inspector_service_role_names
 }
 )
 %}
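Review bot: In both vars/main.yml hunks the value under `'role'` changes from a single role string to the `*_role_names` list while the key keeps its singular name, and nothing in this repository shows the consumer accepting a list — per the Depends-On that contract lives in openstack-ansible-plugins, so a deploy against an older plugin version would hand a list where a string was expected. A YAML comment above `ironic_service_user_list` stating the contract, e.g. `# 'role' is a list of role names; each entry is assigned to the service user by the plugins change referenced in the Depends-On`, would keep that dependency visible to whoever next touches this file. The `ironic_service_user_list: >` block scalar that encloses both hunks starts outside them.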