Merge "Add service_token_roles for keystone authtoken config"

manifests/resource/authtoken.pp

@@ -196,6 +196,16 @@
 #  (Optional) Whether to install the python-memcache package.
 #  Defaults to false.
 #
+# [*service_token_roles*]
+#  (Optional) A choice of roles that must be present in a service token.
+#  Service tokens are allowed to request that an expired token
+#  can be used and so this check should tightly control that
+#  only actual services should be sending this token. Roles
+#  here are applied as an ANY check so any role in this list
+#  must be present. For backwards compatibility reasons this
+#  currently only affects the allow_expired check. (list value)
+#  Defaults to $::os_service_default.
+#
 # [*service_token_roles_required*]
 #  (optional) backwards compatibility to ensure that the service tokens are
 #  compared against a list of possible roles for validity
@@ -259,6 +269,7 @@ define keystone::resource::authtoken(
   $region_name                    = $::os_service_default,
   $token_cache_time               = $::os_service_default,
   $manage_memcache_package        = false,
+  $service_token_roles            = $::os_service_default,
   $service_token_roles_required   = $::os_service_default,
   # DEPRECATED PARAMETERS
   $auth_uri                       = undef,
@@ -350,6 +361,7 @@ define keystone::resource::authtoken(
     'keystone_authtoken/project_name'                   => {'value' => $project_name},
     'keystone_authtoken/project_domain_name'            => {'value' => $project_domain_name},
     'keystone_authtoken/insecure'                       => {'value' => $insecure},
+    'keystone_authtoken/service_token_roles'            => {'value' => $service_token_roles},
     'keystone_authtoken/service_token_roles_required'   => {'value' => $service_token_roles_required},
   }
   create_resources($name, $keystonemiddleware_options)

releasenotes/notes/add-service_token_roles-0439534920042962.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add support to configure `[keystone_authtoken]/service_token_roles` with
+    `$service_token_roles` in the `keystone::resource::authtoken` resource.

spec/defines/keystone_resource_authtoken_spec.rb

@@ -45,6 +45,7 @@ describe 'keystone::resource::authtoken' do
         is_expected.to contain_keystone_config('keystone_authtoken/memcache_use_advanced_pool').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
       end
@@ -75,6 +76,7 @@ describe 'keystone::resource::authtoken' do
           :include_service_catalog      => false,
           :keyfile                      => 'somekey.key',
           :region_name                  => 'MyRegion',
+          :service_token_roles          => 'service',
           :service_token_roles_required => false,
           :token_cache_time             => '20',
         })
@@ -107,6 +109,7 @@ describe 'keystone::resource::authtoken' do
         is_expected.to contain_keystone_config('keystone_authtoken/memcache_use_advanced_pool').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('keystone_authtoken/region_name').with_value(params[:region_name])
+        is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
         is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
         is_expected.to contain_keystone_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
       end