Merge "Add support to configure service_token_roles in authtoken middleware"

manifests/api/authtoken.pp

@@ -161,6 +161,16 @@
 #   (in seconds). Set to -1 to disable caching completely. Integer value
 #   Defaults to $::os_service_default.
 #
+# [*service_token_roles*]
+#   (Optional) A choice of roles that must be present in a service token.
+#   Service tokens are allowed to request that an expired token
+#   can be used and so this check should tightly control that
+#   only actual services should be sending this token. Roles
+#   here are applied as an ANY check so any role in this list
+#   must be present. For backwards compatibility reasons this
+#   currently only affects the allow_expired check. (list value)
+#   Defaults to $::os_service_default.
+#
 # [*service_token_roles_required*]
 #   (optional) backwards compatibility to ensure that the service tokens are
 #   compared against a list of possible roles for validity
@@ -200,6 +210,7 @@ class glance::api::authtoken(
   $manage_memcache_package        = false,
   $region_name                    = $::os_service_default,
   $token_cache_time               = $::os_service_default,
+  $service_token_roles            = $::os_service_default,
   $service_token_roles_required   = $::os_service_default,
 ) {
 
@@ -242,6 +253,7 @@ class glance::api::authtoken(
       manage_memcache_package        => $manage_memcache_package,
       region_name                    => $region_name,
       token_cache_time               => $token_cache_time,
+      service_token_roles            => $service_token_roles,
       service_token_roles_required   => $service_token_roles_required,
     }
 }

manifests/registry/authtoken.pp

@@ -161,6 +161,16 @@
 #   (in seconds). Set to -1 to disable caching completely. Integer value
 #   Defaults to $::os_service_default.
 #
+# [*service_token_roles*]
+#   (Optional) A choice of roles that must be present in a service token.
+#   Service tokens are allowed to request that an expired token
+#   can be used and so this check should tightly control that
+#   only actual services should be sending this token. Roles
+#   here are applied as an ANY check so any role in this list
+#   must be present. For backwards compatibility reasons this
+#   currently only affects the allow_expired check. (list value)
+#   Defaults to $::os_service_default.
+#
 # [*service_token_roles_required*]
 #   (optional) backwards compatibility to ensure that the service tokens are
 #   compared against a list of possible roles for validity
@@ -200,6 +210,7 @@ class glance::registry::authtoken(
   $manage_memcache_package        = false,
   $region_name                    = $::os_service_default,
   $token_cache_time               = $::os_service_default,
+  $service_token_roles            = $::os_service_default,
   $service_token_roles_required   = $::os_service_default,
 ) {
 
@@ -242,6 +253,7 @@ class glance::registry::authtoken(
       manage_memcache_package        => $manage_memcache_package,
       region_name                    => $region_name,
       token_cache_time               => $token_cache_time,
+      service_token_roles            => $service_token_roles,
       service_token_roles_required   => $service_token_roles_required,
     }
 }

releasenotes/notes/service_token_roles-72c9e4eaa139a9d6.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Add support to configure service_token_roles in authtoken middleware.

spec/classes/glance_api_authtoken_spec.rb

@@ -42,6 +42,7 @@ describe 'glance::api::authtoken' do
         is_expected.to contain_glance_api_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_api_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_api_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
       end
     end
@@ -81,6 +82,7 @@ describe 'glance::api::authtoken' do
           :manage_memcache_package              => true,
           :region_name                          => 'region2',
           :token_cache_time                     => '301',
+          :service_token_roles                  => ['service'],
           :service_token_roles_required         => false,
         })
       end
@@ -117,6 +119,7 @@ describe 'glance::api::authtoken' do
         is_expected.to contain_glance_api_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
         is_expected.to contain_glance_api_config('keystone_authtoken/region_name').with_value(params[:region_name])
         is_expected.to contain_glance_api_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+        is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
         is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
       end
 

spec/classes/glance_registry_authtoken_spec.rb

@@ -42,6 +42,7 @@ describe 'glance::registry::authtoken' do
         is_expected.to contain_glance_registry_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_registry_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_registry_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
       end
     end
@@ -81,6 +82,7 @@ describe 'glance::registry::authtoken' do
           :manage_memcache_package              => true,
           :region_name                          => 'region2',
           :token_cache_time                     => '301',
+          :service_token_roles                  => ['service'],
           :service_token_roles_required         => false,
         })
       end
@@ -117,6 +119,7 @@ describe 'glance::registry::authtoken' do
         is_expected.to contain_glance_registry_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
         is_expected.to contain_glance_registry_config('keystone_authtoken/region_name').with_value(params[:region_name])
         is_expected.to contain_glance_registry_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+        is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
         is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
       end