openstack
/
puppet-glance
Code Issues Proposed changes

Add support to configure service_token_roles in authtoken middleware 

Change-Id: Ia198c96c30226e1ddaa5b68919d471014d5edfd0
This commit is contained in:
Takashi Kajinami 2019-09-21 09:54:37 +09:00
parent e82d93c1c0
commit df5ad970cd
5 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
manifests/api/authtoken.pp
View File

@ -161,6 +161,16 @@
# (in seconds). Set to -1 to disable caching completely. Integer value # (in seconds). Set to -1 to disable caching completely. Integer value
# Defaults to $::os_service_default. # Defaults to $::os_service_default.
# #
# [*service_token_roles*]
# (Optional) A choice of roles that must be present in a service token.
# Service tokens are allowed to request that an expired token
# can be used and so this check should tightly control that
# only actual services should be sending this token. Roles
# here are applied as an ANY check so any role in this list
# must be present. For backwards compatibility reasons this
# currently only affects the allow_expired check. (list value)
# Defaults to $::os_service_default.
#
# [*service_token_roles_required*] # [*service_token_roles_required*]
# (optional) backwards compatibility to ensure that the service tokens are # (optional) backwards compatibility to ensure that the service tokens are
# compared against a list of possible roles for validity # compared against a list of possible roles for validity
@ -200,6 +210,7 @@ class glance::api::authtoken(
$manage_memcache_package = false, $manage_memcache_package = false,
$region_name = $::os_service_default, $region_name = $::os_service_default,
$token_cache_time = $::os_service_default, $token_cache_time = $::os_service_default,
$service_token_roles = $::os_service_default,
$service_token_roles_required = $::os_service_default, $service_token_roles_required = $::os_service_default,
) { ) {
@ -242,6 +253,7 @@ class glance::api::authtoken(
manage_memcache_package => $manage_memcache_package, manage_memcache_package => $manage_memcache_package,
region_name => $region_name, region_name => $region_name,
token_cache_time => $token_cache_time, token_cache_time => $token_cache_time,
service_token_roles => $service_token_roles,
service_token_roles_required => $service_token_roles_required, service_token_roles_required => $service_token_roles_required,
} }
} }

12
manifests/registry/authtoken.pp
View File

@ -161,6 +161,16 @@
# (in seconds). Set to -1 to disable caching completely. Integer value # (in seconds). Set to -1 to disable caching completely. Integer value
# Defaults to $::os_service_default. # Defaults to $::os_service_default.
# #
# [*service_token_roles*]
# (Optional) A choice of roles that must be present in a service token.
# Service tokens are allowed to request that an expired token
# can be used and so this check should tightly control that
# only actual services should be sending this token. Roles
# here are applied as an ANY check so any role in this list
# must be present. For backwards compatibility reasons this
# currently only affects the allow_expired check. (list value)
# Defaults to $::os_service_default.
#
# [*service_token_roles_required*] # [*service_token_roles_required*]
# (optional) backwards compatibility to ensure that the service tokens are # (optional) backwards compatibility to ensure that the service tokens are
# compared against a list of possible roles for validity # compared against a list of possible roles for validity
@ -200,6 +210,7 @@ class glance::registry::authtoken(
$manage_memcache_package = false, $manage_memcache_package = false,
$region_name = $::os_service_default, $region_name = $::os_service_default,
$token_cache_time = $::os_service_default, $token_cache_time = $::os_service_default,
$service_token_roles = $::os_service_default,
$service_token_roles_required = $::os_service_default, $service_token_roles_required = $::os_service_default,
) { ) {
@ -242,6 +253,7 @@ class glance::registry::authtoken(
manage_memcache_package => $manage_memcache_package, manage_memcache_package => $manage_memcache_package,
region_name => $region_name, region_name => $region_name,
token_cache_time => $token_cache_time, token_cache_time => $token_cache_time,
service_token_roles => $service_token_roles,
service_token_roles_required => $service_token_roles_required, service_token_roles_required => $service_token_roles_required,
} }
} }

4
releasenotes/notes/service_token_roles-72c9e4eaa139a9d6.yaml Normal file
View File

@ -0,0 +1,4 @@
---
features:
- |
Add support to configure service_token_roles in authtoken middleware.

3
spec/classes/glance_api_authtoken_spec.rb
View File

@ -42,6 +42,7 @@ describe 'glance::api::authtoken' do
is_expected.to contain_glance_api_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>') is_expected.to contain_glance_api_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_api_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>') is_expected.to contain_glance_api_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_api_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>') is_expected.to contain_glance_api_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>') is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
end end
end end
@ -81,6 +82,7 @@ describe 'glance::api::authtoken' do
:manage_memcache_package => true, :manage_memcache_package => true,
:region_name => 'region2', :region_name => 'region2',
:token_cache_time => '301', :token_cache_time => '301',
:service_token_roles => ['service'],
:service_token_roles_required => false, :service_token_roles_required => false,
}) })
end end
@ -117,6 +119,7 @@ describe 'glance::api::authtoken' do
is_expected.to contain_glance_api_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211') is_expected.to contain_glance_api_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
is_expected.to contain_glance_api_config('keystone_authtoken/region_name').with_value(params[:region_name]) is_expected.to contain_glance_api_config('keystone_authtoken/region_name').with_value(params[:region_name])
is_expected.to contain_glance_api_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time]) is_expected.to contain_glance_api_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required]) is_expected.to contain_glance_api_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
end end

3
spec/classes/glance_registry_authtoken_spec.rb
View File

@ -42,6 +42,7 @@ describe 'glance::registry::authtoken' do
is_expected.to contain_glance_registry_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>') is_expected.to contain_glance_registry_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_registry_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>') is_expected.to contain_glance_registry_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_registry_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>') is_expected.to contain_glance_registry_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>') is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
end end
end end
@ -81,6 +82,7 @@ describe 'glance::registry::authtoken' do
:manage_memcache_package => true, :manage_memcache_package => true,
:region_name => 'region2', :region_name => 'region2',
:token_cache_time => '301', :token_cache_time => '301',
:service_token_roles => ['service'],
:service_token_roles_required => false, :service_token_roles_required => false,
}) })
end end
@ -117,6 +119,7 @@ describe 'glance::registry::authtoken' do
is_expected.to contain_glance_registry_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211') is_expected.to contain_glance_registry_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
is_expected.to contain_glance_registry_config('keystone_authtoken/region_name').with_value(params[:region_name]) is_expected.to contain_glance_registry_config('keystone_authtoken/region_name').with_value(params[:region_name])
is_expected.to contain_glance_registry_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time]) is_expected.to contain_glance_registry_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required]) is_expected.to contain_glance_registry_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
end end