From c460fd0bf6779b14653ed394ad06809e165bfa07 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <tkajinam@redhat.com>
Date: Fri, 12 Jul 2019 11:09:14 +0900
Subject: [PATCH] Configure keystone_authtoken/service_token_roles

This patch introduces a new hieradata to configure service_token_roles
in keystone authtoken middleware configuration, so that we can use
a customized role for user who uses service token feature.

Change-Id: I3075b760149a3510fe93bc8bce062b53465a7f1e
---
 manifests/keystone/authtoken.pp                      | 12 ++++++++++++
 ...thtoken-service_token_roles-4fe0a7d97045d06b.yaml |  6 ++++++
 spec/classes/neutron_keystone_authtoken_spec.rb      |  3 +++
 3 files changed, 21 insertions(+)
 create mode 100644 releasenotes/notes/keystone_authtoken-service_token_roles-4fe0a7d97045d06b.yaml

diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index 6ad665563..239d31511 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -161,6 +161,16 @@
 #   (in seconds). Set to -1 to disable caching completely. Integer value
 #   Defaults to $::os_service_default.
 #
+# [*service_token_roles*]
+#   (Optional) A choice of roles that must be present in a service token.
+#   Service tokens are allowed to request that an expired token
+#   can be used and so this check should tightly control that
+#   only actual services should be sending this token. Roles
+#   here are applied as an ANY check so any role in this list
+#   must be present. For backwards compatibility reasons this
+#   currently only affects the allow_expired check. (list value)
+#   Defaults to $::os_service_default.
+#
 # [*service_token_roles_required*]
 #   (optional) backwards compatibility to ensure that the service tokens are
 #   compared against a list of possible roles for validity
@@ -219,6 +229,7 @@ class neutron::keystone::authtoken(
   $manage_memcache_package        = false,
   $region_name                    = $::os_service_default,
   $token_cache_time               = $::os_service_default,
+  $service_token_roles            = $::os_service_default,
   $service_token_roles_required   = $::os_service_default,
   # DEPRECATED PARAMETERS
   $check_revocations_for_cached   = undef,
@@ -272,6 +283,7 @@ class neutron::keystone::authtoken(
     manage_memcache_package        => $manage_memcache_package,
     region_name                    => $region_name,
     token_cache_time               => $token_cache_time,
+    service_token_roles            => $service_token_roles,
     service_token_roles_required   => $service_token_roles_required,
   }
 }
diff --git a/releasenotes/notes/keystone_authtoken-service_token_roles-4fe0a7d97045d06b.yaml b/releasenotes/notes/keystone_authtoken-service_token_roles-4fe0a7d97045d06b.yaml
new file mode 100644
index 000000000..91d98fb14
--- /dev/null
+++ b/releasenotes/notes/keystone_authtoken-service_token_roles-4fe0a7d97045d06b.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    New hieradata, neutron::keystone::authtoken::service_token_roles, is
+    introduced so that specific role can be assigned to the service user
+    who can use service token feature.
diff --git a/spec/classes/neutron_keystone_authtoken_spec.rb b/spec/classes/neutron_keystone_authtoken_spec.rb
index c8ae27301..72d719dda 100644
--- a/spec/classes/neutron_keystone_authtoken_spec.rb
+++ b/spec/classes/neutron_keystone_authtoken_spec.rb
@@ -39,6 +39,7 @@ describe 'neutron::keystone::authtoken' do
         should contain_neutron_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
       end
     end
@@ -78,6 +79,7 @@ describe 'neutron::keystone::authtoken' do
           :manage_memcache_package              => true,
           :region_name                          => 'region2',
           :token_cache_time                     => '301',
+          :service_token_roles                  => ['service'],
           :service_token_roles_required         => false,
         })
       end
@@ -114,6 +116,7 @@ describe 'neutron::keystone::authtoken' do
         should contain_neutron_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
         should contain_neutron_config('keystone_authtoken/region_name').with_value(params[:region_name])
         should contain_neutron_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+        should contain_neutron_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
         should contain_neutron_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
       end