From df5ad970cd92aa5729e8b5379b4c0454bda3ac7e Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 21 Sep 2019 09:54:37 +0900 Subject: [PATCH] Add support to configure service_token_roles in authtoken middleware Change-Id: Ia198c96c30226e1ddaa5b68919d471014d5edfd0 --- manifests/api/authtoken.pp | 12 ++++++++++++ manifests/registry/authtoken.pp | 12 ++++++++++++ .../notes/service_token_roles-72c9e4eaa139a9d6.yaml | 4 ++++ spec/classes/glance_api_authtoken_spec.rb | 3 +++ spec/classes/glance_registry_authtoken_spec.rb | 3 +++ 5 files changed, 34 insertions(+) create mode 100644 releasenotes/notes/service_token_roles-72c9e4eaa139a9d6.yaml diff --git a/manifests/api/authtoken.pp b/manifests/api/authtoken.pp index 3e241d14..57afb86b 100644 --- a/manifests/api/authtoken.pp +++ b/manifests/api/authtoken.pp @@ -161,6 +161,16 @@ # (in seconds). Set to -1 to disable caching completely. Integer value # Defaults to $::os_service_default. # +# [*service_token_roles*] +# (Optional) A choice of roles that must be present in a service token. +# Service tokens are allowed to request that an expired token +# can be used and so this check should tightly control that +# only actual services should be sending this token. Roles +# here are applied as an ANY check so any role in this list +# must be present. For backwards compatibility reasons this +# currently only affects the allow_expired check. (list value) +# Defaults to $::os_service_default. +# # [*service_token_roles_required*] # (optional) backwards compatibility to ensure that the service tokens are # compared against a list of possible roles for validity @@ -200,6 +210,7 @@ class glance::api::authtoken( $manage_memcache_package = false, $region_name = $::os_service_default, $token_cache_time = $::os_service_default, + $service_token_roles = $::os_service_default, $service_token_roles_required = $::os_service_default, ) { @@ -242,6 +253,7 @@ class glance::api::authtoken( manage_memcache_package => $manage_memcache_package, region_name => $region_name, token_cache_time => $token_cache_time, + service_token_roles => $service_token_roles, service_token_roles_required => $service_token_roles_required, } } diff --git a/manifests/registry/authtoken.pp b/manifests/registry/authtoken.pp index ff57ada4..870cfdb4 100644 --- a/manifests/registry/authtoken.pp +++ b/manifests/registry/authtoken.pp @@ -161,6 +161,16 @@ # (in seconds). Set to -1 to disable caching completely. Integer value # Defaults to $::os_service_default. # +# [*service_token_roles*] +# (Optional) A choice of roles that must be present in a service token. +# Service tokens are allowed to request that an expired token +# can be used and so this check should tightly control that +# only actual services should be sending this token. Roles +# here are applied as an ANY check so any role in this list +# must be present. For backwards compatibility reasons this +# currently only affects the allow_expired check. (list value) +# Defaults to $::os_service_default. +# # [*service_token_roles_required*] # (optional) backwards compatibility to ensure that the service tokens are # compared against a list of possible roles for validity @@ -200,6 +210,7 @@ class glance::registry::authtoken( $manage_memcache_package = false, $region_name = $::os_service_default, $token_cache_time = $::os_service_default, + $service_token_roles = $::os_service_default, $service_token_roles_required = $::os_service_default, ) { @@ -242,6 +253,7 @@ class glance::registry::authtoken( manage_memcache_package => $manage_memcache_package, region_name => $region_name, token_cache_time => $token_cache_time, + service_token_roles => $service_token_roles, service_token_roles_required => $service_token_roles_required, } } diff --git a/releasenotes/notes/service_token_roles-72c9e4eaa139a9d6.yaml b/releasenotes/notes/service_token_roles-72c9e4eaa139a9d6.yaml new file mode 100644 index 00000000..ad0f1614 --- /dev/null +++ b/releasenotes/notes/service_token_roles-72c9e4eaa139a9d6.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Add support to configure service_token_roles in authtoken middleware. diff --git a/spec/classes/glance_api_authtoken_spec.rb b/spec/classes/glance_api_authtoken_spec.rb index e6939ebd..571c428f 100644 --- a/spec/classes/glance_api_authtoken_spec.rb +++ b/spec/classes/glance_api_authtoken_spec.rb @@ -42,6 +42,7 @@ describe 'glance::api::authtoken' do is_expected.to contain_glance_api_config('keystone_authtoken/memcached_servers').with_value('') is_expected.to contain_glance_api_config('keystone_authtoken/region_name').with_value('') is_expected.to contain_glance_api_config('keystone_authtoken/token_cache_time').with_value('') + is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles').with_value('') is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles_required').with_value('') end end @@ -81,6 +82,7 @@ describe 'glance::api::authtoken' do :manage_memcache_package => true, :region_name => 'region2', :token_cache_time => '301', + :service_token_roles => ['service'], :service_token_roles_required => false, }) end @@ -117,6 +119,7 @@ describe 'glance::api::authtoken' do is_expected.to contain_glance_api_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211') is_expected.to contain_glance_api_config('keystone_authtoken/region_name').with_value(params[:region_name]) is_expected.to contain_glance_api_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time]) + is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles]) is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required]) end diff --git a/spec/classes/glance_registry_authtoken_spec.rb b/spec/classes/glance_registry_authtoken_spec.rb index e191f22b..c10090ed 100644 --- a/spec/classes/glance_registry_authtoken_spec.rb +++ b/spec/classes/glance_registry_authtoken_spec.rb @@ -42,6 +42,7 @@ describe 'glance::registry::authtoken' do is_expected.to contain_glance_registry_config('keystone_authtoken/memcached_servers').with_value('') is_expected.to contain_glance_registry_config('keystone_authtoken/region_name').with_value('') is_expected.to contain_glance_registry_config('keystone_authtoken/token_cache_time').with_value('') + is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles').with_value('') is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles_required').with_value('') end end @@ -81,6 +82,7 @@ describe 'glance::registry::authtoken' do :manage_memcache_package => true, :region_name => 'region2', :token_cache_time => '301', + :service_token_roles => ['service'], :service_token_roles_required => false, }) end @@ -117,6 +119,7 @@ describe 'glance::registry::authtoken' do is_expected.to contain_glance_registry_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211') is_expected.to contain_glance_registry_config('keystone_authtoken/region_name').with_value(params[:region_name]) is_expected.to contain_glance_registry_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time]) + is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles]) is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required]) end