Support service tokens

Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: If34e0170ea0e0f7727cfadba982f3c7dae6ae216

defaults/main.yml

@@ -118,7 +118,12 @@ swift_service_project_name: service
 swift_service_project_domain_id: "default"
 swift_service_project_domain_name: "Default"
 swift_service_user_domain_id: "default"
-swift_service_role_name: "admin"
+swift_service_role_names:
+  - admin
+  - service
+swift_service_token_roles:
+  - service
+swift_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 swift_service_type: object-store
 swift_service_proto: http
 swift_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(swift_service_proto) }}"

tasks/main.yml

@@ -172,7 +172,7 @@
     _service_users:
       - name: "{{ swift_service_user_name }}"
         password: "{{ swift_service_password }}"
-        role: "{{ swift_service_role_name }}"
+        role: "{{ swift_service_role_names }}"
       - name: "{{ swift_dispersion_user }}"
         password: "{{ swift_dispersion_password }}"
         role: "{{ swift_operator_role }}"

templates/proxy-server.conf.j2

@@ -66,6 +66,11 @@ username = {{ swift_service_user_name }}
 password = {{ swift_service_password }}
 delay_auth_decision = {{ swift_delay_auth_decision }}
 include_service_catalog = False
+
+service_token_roles_required = {{ swift_service_token_roles_required | bool }}
+service_token_roles = {{ swift_service_token_roles | join(',') }}
+service_type = {{ swift_service_type }}
+
 {% if memcached_servers is defined %}
 memcached_servers = {{ swift_memcached_servers }}
 cache = swift.cache