Expose service_token_roles params
Expose the [keystone_authtoken]/service_token_roles Depends-On: https://review.opendev.org/#/c/654648/ Change-Id: I4bcc921347adf21f6eaf61af97f3d856c5217820
This commit is contained in:
parent
457c4a29c6
commit
29451f9f05
|
@ -161,6 +161,23 @@
|
|||
# (in seconds). Set to -1 to disable caching completely. Integer value
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*service_token_roles*]
|
||||
# (Optional) A choice of roles that must be present in a service token.
|
||||
# Service tokens are allowed to request that an expired token
|
||||
# can be used and so this check should tightly control that
|
||||
# only actual services should be sending this token. Roles
|
||||
# here are applied as an ANY check so any role in this list
|
||||
# must be present. For backwards compatibility reasons this
|
||||
# currently only affects the allow_expired check. (list value)
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*service_token_roles_required*]
|
||||
# (Optional) For backwards compatibility reasons we must let
|
||||
# valid service tokens pass that don't pass the service_token_roles
|
||||
# check as valid. Setting this true will become the default in
|
||||
# a future release and should be enabled if possible.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# DEPRECATED PARAMETERS
|
||||
#
|
||||
# [*check_revocations_for_cached*]
|
||||
|
@ -213,6 +230,8 @@ class ironic::api::authtoken(
|
|||
$manage_memcache_package = false,
|
||||
$region_name = $::os_service_default,
|
||||
$token_cache_time = $::os_service_default,
|
||||
$service_token_roles = $::os_service_default,
|
||||
$service_token_roles_required = $::os_service_default,
|
||||
# DEPRECATED PARAMETERS
|
||||
$check_revocations_for_cached = undef,
|
||||
$hash_algorithms = undef,
|
||||
|
@ -265,5 +284,7 @@ class ironic::api::authtoken(
|
|||
manage_memcache_package => $manage_memcache_package,
|
||||
region_name => $region_name,
|
||||
token_cache_time => $token_cache_time,
|
||||
service_token_roles => $service_token_roles,
|
||||
service_token_roles_required => $service_token_roles_required,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -161,6 +161,16 @@
|
|||
# (in seconds). Set to -1 to disable caching completely. Integer value
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*service_token_roles*]
|
||||
# (Optional) A choice of roles that must be present in a service token.
|
||||
# Service tokens are allowed to request that an expired token
|
||||
# can be used and so this check should tightly control that
|
||||
# only actual services should be sending this token. Roles
|
||||
# here are applied as an ANY check so any role in this list
|
||||
# must be present. For backwards compatibility reasons this
|
||||
# currently only affects the allow_expired check. (list value)
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*service_token_roles_required*]
|
||||
# (optional) backwards compatibility to ensure that the service tokens are
|
||||
# compared against a list of possible roles for validity
|
||||
|
@ -219,6 +229,7 @@ class ironic::inspector::authtoken(
|
|||
$manage_memcache_package = false,
|
||||
$region_name = $::os_service_default,
|
||||
$token_cache_time = $::os_service_default,
|
||||
$service_token_roles = $::os_service_default,
|
||||
$service_token_roles_required = $::os_service_default,
|
||||
# DEPRECATED PARAMETERS
|
||||
$check_revocations_for_cached = undef,
|
||||
|
@ -272,6 +283,7 @@ class ironic::inspector::authtoken(
|
|||
manage_memcache_package => $manage_memcache_package,
|
||||
region_name => $region_name,
|
||||
token_cache_time => $token_cache_time,
|
||||
service_token_roles => $service_token_roles,
|
||||
service_token_roles_required => $service_token_roles_required,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Expose the ``service_token_roles_required` and
|
||||
``service_token_roles`` parameters in both
|
||||
``::ironic::api::authtoken`` and ``ironic::inspector::authtoken``
|
|
@ -42,6 +42,8 @@ describe 'ironic::api::authtoken' do
|
|||
is_expected.to contain_ironic_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ironic_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ironic_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -80,6 +82,8 @@ describe 'ironic::api::authtoken' do
|
|||
:manage_memcache_package => true,
|
||||
:region_name => 'region2',
|
||||
:token_cache_time => '301',
|
||||
:service_token_roles => ['service'],
|
||||
:service_token_roles_required => true,
|
||||
})
|
||||
end
|
||||
|
||||
|
@ -115,6 +119,8 @@ describe 'ironic::api::authtoken' do
|
|||
is_expected.to contain_ironic_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
|
||||
is_expected.to contain_ironic_config('keystone_authtoken/region_name').with_value(params[:region_name])
|
||||
is_expected.to contain_ironic_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
|
||||
is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
|
||||
is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
|
||||
end
|
||||
|
||||
it 'installs python memcache package' do
|
||||
|
|
|
@ -42,6 +42,7 @@ describe 'ironic::inspector::authtoken' do
|
|||
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ironic_inspector_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ironic_inspector_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
|
||||
end
|
||||
end
|
||||
|
@ -81,6 +82,7 @@ describe 'ironic::inspector::authtoken' do
|
|||
:manage_memcache_package => true,
|
||||
:region_name => 'region2',
|
||||
:token_cache_time => '301',
|
||||
:service_token_roles => ['service'],
|
||||
:service_token_roles_required => false,
|
||||
})
|
||||
end
|
||||
|
@ -117,6 +119,7 @@ describe 'ironic::inspector::authtoken' do
|
|||
is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
|
||||
is_expected.to contain_ironic_inspector_config('keystone_authtoken/region_name').with_value(params[:region_name])
|
||||
is_expected.to contain_ironic_inspector_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
|
||||
is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
|
||||
is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue