Expose service_token_roles params

Expose the [keystone_authtoken]/service_token_roles Depends-On: https://review.opendev.org/#/c/654648/ Change-Id: I4bcc921347adf21f6eaf61af97f3d856c5217820
2018-10-31 14:12:20 +01:00 · 2018-10-31 14:12:20 +01:00 · 29451f9f05
parent 457c4a29c6
commit 29451f9f05
5 changed files with 48 additions and 0 deletions
--- a/manifests/api/authtoken.pp
+++ b/manifests/api/authtoken.pp
@ -161,6 +161,23 @@
 #   (in seconds). Set to -1 to disable caching completely. Integer value
 #   Defaults to $::os_service_default.
 #
+# [*service_token_roles*]
+#   (Optional) A choice of roles that must be present in a service token.
+#   Service tokens are allowed to request that an expired token
+#   can be used and so this check should tightly control that
+#   only actual services should be sending this token. Roles
+#   here are applied as an ANY check so any role in this list
+#   must be present. For backwards compatibility reasons this
+#   currently only affects the allow_expired check. (list value)
+#   Defaults to $::os_service_default.
+#
+# [*service_token_roles_required*]
+#   (Optional) For backwards compatibility reasons we must let
+#   valid service tokens pass that don't pass the service_token_roles
+#   check as valid. Setting this true will become the default in
+#   a future release and should be enabled if possible.
+#   Defaults to $::os_service_default.
+#
 # DEPRECATED PARAMETERS
 #
 # [*check_revocations_for_cached*]
@ -213,6 +230,8 @@ class ironic::api::authtoken(
  $manage_memcache_package        = false,
  $region_name                    = $::os_service_default,
  $token_cache_time               = $::os_service_default,
+  $service_token_roles            = $::os_service_default,
+  $service_token_roles_required   = $::os_service_default,
  # DEPRECATED PARAMETERS
  $check_revocations_for_cached   = undef,
  $hash_algorithms                = undef,
@ -265,5 +284,7 @@ class ironic::api::authtoken(
    manage_memcache_package        => $manage_memcache_package,
    region_name                    => $region_name,
    token_cache_time               => $token_cache_time,
+    service_token_roles            => $service_token_roles,
+    service_token_roles_required   => $service_token_roles_required,
  }
 }
--- a/manifests/inspector/authtoken.pp
+++ b/manifests/inspector/authtoken.pp
@ -161,6 +161,16 @@
 #   (in seconds). Set to -1 to disable caching completely. Integer value
 #   Defaults to $::os_service_default.
 #
+# [*service_token_roles*]
+#   (Optional) A choice of roles that must be present in a service token.
+#   Service tokens are allowed to request that an expired token
+#   can be used and so this check should tightly control that
+#   only actual services should be sending this token. Roles
+#   here are applied as an ANY check so any role in this list
+#   must be present. For backwards compatibility reasons this
+#   currently only affects the allow_expired check. (list value)
+#   Defaults to $::os_service_default.
+#
 # [*service_token_roles_required*]
 #   (optional) backwards compatibility to ensure that the service tokens are
 #   compared against a list of possible roles for validity
@ -219,6 +229,7 @@ class ironic::inspector::authtoken(
  $manage_memcache_package        = false,
  $region_name                    = $::os_service_default,
  $token_cache_time               = $::os_service_default,
+  $service_token_roles            = $::os_service_default,
  $service_token_roles_required   = $::os_service_default,
  # DEPRECATED PARAMETERS
  $check_revocations_for_cached   = undef,
@ -272,6 +283,7 @@ class ironic::inspector::authtoken(
    manage_memcache_package        => $manage_memcache_package,
    region_name                    => $region_name,
    token_cache_time               => $token_cache_time,
+    service_token_roles            => $service_token_roles,
    service_token_roles_required   => $service_token_roles_required,
  }
 }
--- a/releasenotes/notes/add_service_token_roles_required-7d0aa71af2f40ed9.yaml
+++ b/releasenotes/notes/add_service_token_roles_required-7d0aa71af2f40ed9.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Expose the ``service_token_roles_required` and
+    ``service_token_roles`` parameters in both
+    ``::ironic::api::authtoken`` and ``ironic::inspector::authtoken``
--- a/spec/classes/ironic_api_authtoken_spec.rb
+++ b/spec/classes/ironic_api_authtoken_spec.rb
@ -42,6 +42,8 @@ describe 'ironic::api::authtoken' do
        is_expected.to contain_ironic_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_ironic_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_ironic_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
      end
    end

@ -80,6 +82,8 @@ describe 'ironic::api::authtoken' do
          :manage_memcache_package        => true,
          :region_name                    => 'region2',
          :token_cache_time               => '301',
+          :service_token_roles            => ['service'],
+          :service_token_roles_required   => true,
        })
      end

@ -115,6 +119,8 @@ describe 'ironic::api::authtoken' do
        is_expected.to contain_ironic_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
        is_expected.to contain_ironic_config('keystone_authtoken/region_name').with_value(params[:region_name])
        is_expected.to contain_ironic_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+        is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
+        is_expected.to contain_ironic_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
      end

      it 'installs python memcache package' do
--- a/spec/classes/ironic_inspector_authtoken_spec.rb
+++ b/spec/classes/ironic_inspector_authtoken_spec.rb
@ -42,6 +42,7 @@ describe 'ironic::inspector::authtoken' do
        is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_ironic_inspector_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_ironic_inspector_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
      end
    end
@ -81,6 +82,7 @@ describe 'ironic::inspector::authtoken' do
          :manage_memcache_package        => true,
          :region_name                    => 'region2',
          :token_cache_time               => '301',
+          :service_token_roles            => ['service'],
          :service_token_roles_required   => false,
        })
      end
@ -117,6 +119,7 @@ describe 'ironic::inspector::authtoken' do
        is_expected.to contain_ironic_inspector_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
        is_expected.to contain_ironic_inspector_config('keystone_authtoken/region_name').with_value(params[:region_name])
        is_expected.to contain_ironic_inspector_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+        is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
        is_expected.to contain_ironic_inspector_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
      end