Support service tokens
Implement support for service_tokens. To do so, role_name is converted to a list and the corresponding variable is renamed. Additionally, service_type is now defined for keystone_authtoken, which makes it possible to validate tokens with restricted access rules. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690 Change-Id: I1d70c2c46fef6ffc0fcebe4b56a0ecdedc1d3298
parent
d88b2f50c0
commit
20a533dd53
@ -108,7 +108,12 @@ ironic_service_region: "{{ service_region | default('RegionOne') }}"
|
||||
ironic_service_project_name: "service"
|
||||
ironic_service_project_domain_id: default
|
||||
ironic_service_user_domain_id: default
|
||||
ironic_service_role_name: "admin"
|
||||
ironic_service_role_names:
|
||||
- admin
|
||||
- service
|
||||
ironic_service_token_roles:
|
||||
- service
|
||||
ironic_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
|
||||
ironic_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
|
||||
|
||||
# Ironic image store information
|
||||
@ -311,7 +316,12 @@ ironic_inspector_service_adminuri: "{{ ironic_inspector_service_adminuri_proto }
|
||||
ironic_inspector_service_adminurl: "{{ ironic_inspector_service_adminuri }}"
|
||||
ironic_inspector_service_internaluri: "{{ ironic_inspector_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_inspector_service_port }}"
|
||||
ironic_inspector_service_internalurl: "{{ ironic_inspector_service_internaluri }}"
|
||||
ironic_inspector_service_role_name: "admin"
|
||||
ironic_inspector_service_role_names:
|
||||
- admin
|
||||
- service
|
||||
ironic_inspector_service_token_roles:
|
||||
- service
|
||||
ironic_inspector_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
|
||||
ironic_inspector_service_project_name: "service"
|
||||
ironic_inspector_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
|
||||
ironic_inspector_service_domain_id: default
|
||||
|
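Review bot: The rename to `ironic_service_role_names` and `ironic_inspector_service_role_names` means a deployer override of the old `ironic_service_role_name` or `ironic_inspector_service_role_name` is silently ignored. Anyone who had narrowed that role falls back to the new default, which still grants `admin` next to `service`. No release note is visible on this page, so the change should carry an upgrade note, and each list should get a comment such as `# Roles granted to the service user; replaces ironic_service_role_name, overrides of the old name are ignored`. It would also help to state beside `ironic_service_token_roles_required` that with the `default(True)` value, callers whose service user lacks a role from `ironic_service_token_roles` will presumably have their service tokens rejected. That makes rollout order across services matter.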
@ -62,6 +62,11 @@ project_name = "service"
|
||||
username = ironic_inspector
|
||||
password = {{ ironic_inspector_service_password }}
|
||||
region_name = {{ keystone_service_region }}
|
||||
|
||||
service_token_roles = {{ ironic_inspector_service_token_roles | join(',') }}
|
||||
service_token_roles_required = {{ ironic_inspector_service_token_roles_required | bool }}
|
||||
service_type = {{ ironic_inspector_service_type }}
|
||||
|
||||
memcached_servers = {{ memcached_servers }}
|
||||
# if your memcached server is shared, use these settings to avoid cache poisoning
|
||||
memcache_security_strategy = ENCRYPT
|
||||
|
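Review bot: `{{ ironic_inspector_service_token_roles | join(',') }}` assumes the variable is a list. If a deployer overrides it with a plain string, `join` iterates the characters and renders something like `s,e,r,v,i,c,e`, and with `service_token_roles_required` true no incoming service token would match a role. The same applies to `ironic_service_token_roles | join(',')` in the hunk that follows `username = {{ ironic_service_user_name }}`. One option is to normalise first, `service_token_roles = {{ [ironic_inspector_service_token_roles] | flatten | join(',') }}`, or at least to document at the default that the value must be a YAML list. The `[keystone_authtoken]` section header is outside the hunk, so the section name is inferred from the commit description.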
@ -128,6 +128,10 @@ username = {{ ironic_service_user_name }}
|
||||
password = {{ ironic_service_password }}
|
||||
region_name = {{ keystone_service_region }}
|
||||
|
||||
service_token_roles = {{ ironic_service_token_roles | join(',') }}
|
||||
service_token_roles_required = {{ ironic_service_token_roles_required | bool }}
|
||||
service_type = {{ ironic_service_type }}
|
||||
|
||||
memcached_servers = {{ ironic_memcached_servers }}
|
||||
|
||||
token_cache_time = 300
|
||||
|
@ -147,7 +147,7 @@ ironic_service_user_list: >
|
||||
{
|
||||
'name': ironic_service_user_name,
|
||||
'password': ironic_service_password,
|
||||
'role': ironic_service_role_name
|
||||
'role': ironic_service_role_names
|
||||
}
|
||||
)
|
||||
%}
|
||||
@ -157,7 +157,7 @@ ironic_service_user_list: >
|
||||
{
|
||||
'name': ironic_inspector_service_user_name,
|
||||
'password': ironic_inspector_service_password,
|
||||
'role': ironic_inspector_service_role_name
|
||||
'role': ironic_inspector_service_role_names
|
||||
}
|
||||
)
|
||||
%}
|
||||
|