From 242e17c230651ce4718d839b5d77590a296469a3 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Tue, 14 Jun 2022 10:58:05 +0200
Subject: [PATCH] Support service tokens

Implement support for service_tokens. For that we convert role_name to be a list along with renaming corresponding variable. Additionally service_type is defined now for keystone_authtoken which enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I4e9fff59bbfa9c8a1ae0236d077ac9ee2881c04b
Related-Bug: #1948456
---
 defaults/main.yml | 12 +++++++++++-
 tasks/main.yml | 2 +-
 templates/placement.conf.j2 | 3 +++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 4d30ec8..7c1a2c1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -87,11 +87,21 @@ placement_service_internalurl: "{{ placement_service_internaluri_proto }}://{{ i
 placement_service_adminurl: "{{ placement_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ placement_service_port }}"
 placement_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
+# List of roles assigned to placement_service_user_name
+placement_service_role_names:
+ - admin
+ - service
+
+# List of roles for which service tokens will be accepted
+placement_service_token_roles:
+ - service
+
+placement_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
+
 placement_auth_strategy: keystone
 ## Keystone authentication middleware
 placement_keystone_auth_type: password
-placement_role_name: admin
 # Common pip packages
 placement_pip_packages:
diff --git a/tasks/main.yml b/tasks/main.yml
index 032fae6..7ed2242 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
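Review bot: `placement_service_token_roles_required` is the one new variable in this hunk without a comment, and it is the security-relevant switch: when it is false, any valid service token is honoured regardless of the roles it carries, so the `placement_service_token_roles` list above it stops restricting anything. Add above it `# Require service tokens to carry one of placement_service_token_roles; leave true unless every service user has the "service" role`. Dropping `placement_role_name` outright also means a deployer override of that variable is silently ignored and the user gets the new default list instead; if that matters for upgrades, a compat default such as `placement_service_role_names: "{{ [placement_role_name] if placement_role_name is defined else ['admin', 'service'] }}"` would keep existing overrides effective, though whether overrides of the old name are common is not visible from here.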
@@ -108,7 +108,7 @@ _service_users:
 - name: "{{ placement_service_user_name }}"
 password: "{{ placement_service_password }}"
- role: "{{ placement_role_name }}"
+ role: "{{ placement_service_role_names }}"
 _service_endpoints:
 - service: "{{ placement_service_name }}"
 interface: "public"
diff --git a/templates/placement.conf.j2 b/templates/placement.conf.j2
index a7b87d3..0311fb2 100644
--- a/templates/placement.conf.j2
+++ b/templates/placement.conf.j2
@@ -17,6 +17,9 @@ region_name = {{ keystone_service_region }}
 memcached_servers = {{ placement_memcached_servers }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcached_encryption_key }}
+service_token_roles_required = {{ placement_service_token_roles_required | bool }}
+service_token_roles = {{ placement_service_token_roles | join(',') }}
+service_type = {{ placement_service_type }}
 [placement_database]
 connection = mysql+pymysql://{{ placement_galera_user }}:{{ placement_galera_password }}@{{ placement_galera_address }}/{{ placement_galera_database }}?charset=utf8{% if placement_galera_use_ssl | bool %}&ssl_verify_cert=true{% if placement_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ placement_galera_ssl_ca_cert }}{% endif %}{% endif +%}
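Review bot: `role: "{{ placement_service_role_names }}"` now hands a list where the previous value was a single role name, and nothing in this role checks that the consumer of `_service_users` (the plugin change named in Depends-On) is the version that accepts a list. With an older plugin checkout the value would presumably arrive as the stringified list rather than two role names, and a setup that creates roles by name could end up creating or assigning a role literally called `['admin', 'service']`; that outcome is inferred, not visible here. A short comment such as `# role accepts a list only with openstack-ansible-plugins that include the service_setup list support` above this entry, or a release note stating the minimum plugin version, would make the dependency explicit. The enclosing `_service_users` mapping starts outside the hunk.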
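Review bot: `service_token_roles_required = {{ placement_service_token_roles_required | bool }}` deliberately overrides keystonemiddleware's permissive default, so after this change a service token presented to placement must carry one of `service_token_roles` or it is rejected; that is the right direction, but it silently depends on every calling service's user (not only placement's, whose defaults gain `service` in this commit) already holding the `service` role, and the template gives the operator no hint of that. A rendered comment above the three new lines, e.g. `# Service tokens are only honoured when they carry one of service_token_roles (see placement_service_token_roles_required)`, would document the contract where it is read. `service_type = {{ placement_service_type }}` must match the service type registered in the catalog for placement, otherwise tokens restricted by access rules would presumably be refused for this endpoint; the variable is not defined in this diff, so it is assumed to exist elsewhere in defaults. `{{ placement_service_token_roles | join(',') }}` renders an empty value if the list is emptied, which keystonemiddleware may interpret differently from "no restriction" — worth a note in defaults. The `[keystone_authtoken]` section header these options presumably sit under is outside the hunk.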