diff --git a/manifests/resource/authtoken.pp b/manifests/resource/authtoken.pp index e13a5bb5c..d0e38d327 100644 --- a/manifests/resource/authtoken.pp +++ b/manifests/resource/authtoken.pp @@ -196,6 +196,16 @@ # (Optional) Whether to install the python-memcache package. # Defaults to false. # +# [*service_token_roles*] +# (Optional) A choice of roles that must be present in a service token. +# Service tokens are allowed to request that an expired token +# can be used and so this check should tightly control that +# only actual services should be sending this token. Roles +# here are applied as an ANY check so any role in this list +# must be present. For backwards compatibility reasons this +# currently only affects the allow_expired check. (list value) +# Defaults to $::os_service_default. +# # [*service_token_roles_required*] # (optional) backwards compatibility to ensure that the service tokens are # compared against a list of possible roles for validity @@ -259,6 +269,7 @@ define keystone::resource::authtoken( $region_name = $::os_service_default, $token_cache_time = $::os_service_default, $manage_memcache_package = false, + $service_token_roles = $::os_service_default, $service_token_roles_required = $::os_service_default, # DEPRECATED PARAMETERS $auth_uri = undef, @@ -350,6 +361,7 @@ define keystone::resource::authtoken( 'keystone_authtoken/project_name' => {'value' => $project_name}, 'keystone_authtoken/project_domain_name' => {'value' => $project_domain_name}, 'keystone_authtoken/insecure' => {'value' => $insecure}, + 'keystone_authtoken/service_token_roles' => {'value' => $service_token_roles}, 'keystone_authtoken/service_token_roles_required' => {'value' => $service_token_roles_required}, } create_resources($name, $keystonemiddleware_options) diff --git a/releasenotes/notes/add-service_token_roles-0439534920042962.yaml b/releasenotes/notes/add-service_token_roles-0439534920042962.yaml new file mode 100644 index 000000000..6cf785115 --- /dev/null +++ b/releasenotes/notes/add-service_token_roles-0439534920042962.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Add support to configure `[keystone_authtoken]/service_token_roles` with + `$service_token_roles` in the `keystone::resource::authtoken` resource. diff --git a/spec/defines/keystone_resource_authtoken_spec.rb b/spec/defines/keystone_resource_authtoken_spec.rb index 6ef997321..771674015 100644 --- a/spec/defines/keystone_resource_authtoken_spec.rb +++ b/spec/defines/keystone_resource_authtoken_spec.rb @@ -45,6 +45,7 @@ describe 'keystone::resource::authtoken' do is_expected.to contain_keystone_config('keystone_authtoken/memcache_use_advanced_pool').with_value('') is_expected.to contain_keystone_config('keystone_authtoken/memcached_servers').with_value('') is_expected.to contain_keystone_config('keystone_authtoken/region_name').with_value('') + is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles').with_value('') is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles_required').with_value('') is_expected.to contain_keystone_config('keystone_authtoken/token_cache_time').with_value('') end @@ -75,6 +76,7 @@ describe 'keystone::resource::authtoken' do :include_service_catalog => false, :keyfile => 'somekey.key', :region_name => 'MyRegion', + :service_token_roles => 'service', :service_token_roles_required => false, :token_cache_time => '20', }) @@ -107,6 +109,7 @@ describe 'keystone::resource::authtoken' do is_expected.to contain_keystone_config('keystone_authtoken/memcache_use_advanced_pool').with_value('') is_expected.to contain_keystone_config('keystone_authtoken/memcached_servers').with_value('') is_expected.to contain_keystone_config('keystone_authtoken/region_name').with_value(params[:region_name]) + is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles]) is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required]) is_expected.to contain_keystone_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time]) end