Add support for service_type in authtoken config

This is used to validate tokens that have restricted access rules.

Change-Id: I1ba6aef478592e681887d87380a15ee8667ff006
Kieran Spear 2020-07-28 16:41:45 +10:00
parent d5e3a563e6
commit aba4a00d29
3 changed files with 17 additions and 0 deletions


@ -212,6 +212,11 @@
# true/false # true/false
# Defaults to $::os_service_default. # Defaults to $::os_service_default.
# #
# [*service_type*]
# (Optional) The name or type of the service as it appears in the service
# catalog. This is used to validate tokens that have restricted access rules.
# Defaults to $::os_service_default.
#
# [*interface*] # [*interface*]
# (Optional) Interface to use for the Identity API endpoint. Valid values are # (Optional) Interface to use for the Identity API endpoint. Valid values are
# "public", "internal" or "admin". # "public", "internal" or "admin".
@ -253,6 +258,7 @@ define keystone::resource::authtoken(
$manage_memcache_package = false, $manage_memcache_package = false,
$service_token_roles = $::os_service_default, $service_token_roles = $::os_service_default,
$service_token_roles_required = $::os_service_default, $service_token_roles_required = $::os_service_default,
$service_type = $::os_service_default,
$interface = $::os_service_default, $interface = $::os_service_default,
) { ) {
@ -327,6 +333,7 @@ define keystone::resource::authtoken(
'keystone_authtoken/insecure' => {'value' => $insecure}, 'keystone_authtoken/insecure' => {'value' => $insecure},
'keystone_authtoken/service_token_roles' => {'value' => $service_token_roles}, 'keystone_authtoken/service_token_roles' => {'value' => $service_token_roles},
'keystone_authtoken/service_token_roles_required' => {'value' => $service_token_roles_required}, 'keystone_authtoken/service_token_roles_required' => {'value' => $service_token_roles_required},
'keystone_authtoken/service_type' => {'value' => $service_type},
'keystone_authtoken/interface' => {'value' => $interface}, 'keystone_authtoken/interface' => {'value' => $interface},
} }
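Review bot: The new `[*service_type*]` doc block in the first hunk does not say what happens to tokens that carry access rules when the parameter is left at `$::os_service_default`. From memory of keystonemiddleware, such requests are rejected when `service_type` is unset, so a deployment that relies on access rules has to set it for each service; this should be confirmed against the middleware before it is documented. If it holds, I would add a line to the comment such as `# If unset, tokens with access rules cannot be validated by this service.` The body of the define continues outside the hunks shown here.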


@ -0,0 +1,7 @@
---
features:
- |
Added the service_type parameter to keystone::resource::authtoken resource.
This value should be set to the name or type of the service as it appears
in the service catalog. This is used to validate tokens that have
restricted access rules.


@ -47,6 +47,7 @@ describe 'keystone::resource::authtoken' do
is_expected.to contain_keystone_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>') is_expected.to contain_keystone_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>') is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>') is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/service_type').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>') is_expected.to contain_keystone_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/interface').with_value('<SERVICE DEFAULT>') is_expected.to contain_keystone_config('keystone_authtoken/interface').with_value('<SERVICE DEFAULT>')
end end
@ -79,6 +80,7 @@ describe 'keystone::resource::authtoken' do
:region_name => 'MyRegion', :region_name => 'MyRegion',
:service_token_roles => 'service', :service_token_roles => 'service',
:service_token_roles_required => false, :service_token_roles_required => false,
:service_type => 'identity',
:token_cache_time => '20', :token_cache_time => '20',
:interface => 'internal', :interface => 'internal',
}) })
@ -116,6 +118,7 @@ describe 'keystone::resource::authtoken' do
is_expected.to contain_keystone_config('keystone_authtoken/region_name').with_value(params[:region_name]) is_expected.to contain_keystone_config('keystone_authtoken/region_name').with_value(params[:region_name])
is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles]) is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required]) is_expected.to contain_keystone_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
is_expected.to contain_keystone_config('keystone_authtoken/service_type').with_value(params[:service_type])
is_expected.to contain_keystone_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time]) is_expected.to contain_keystone_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
is_expected.to contain_keystone_config('keystone_authtoken/interface').with_value(params[:interface]) is_expected.to contain_keystone_config('keystone_authtoken/interface').with_value(params[:interface])
end end