Add support for service token parameters
Add support for the parameters in authtoken middleware, which are related to service token feature. Change-Id: If60373cb44a62397678cee7aaefad3431a91f7e4
This commit is contained in:
Takashi Kajinami
@@ -55,6 +55,22 @@
|
|||||||
# not set the X-Service-Catalog header. Boolean value.
|
# not set the X-Service-Catalog header. Boolean value.
|
||||||
# Defaults to false
|
# Defaults to false
|
||||||
#
|
#
|
||||||
|
# [*service_token_roles*]
|
||||||
|
# (Optional) A choice of roles that must be present in a service token.
|
||||||
|
# Service tokens are allowed to request that an expired token
|
||||||
|
# can be used and so this check should tightly control that
|
||||||
|
# only actual services should be sending this token. Roles
|
||||||
|
# here are applied as an ANY check so any role in this list
|
||||||
|
# must be present. For backwards compatibility reasons this
|
||||||
|
# currently only affects the allow_expired check. (list value)
|
||||||
|
# Defaults to $::os_service_default.
|
||||||
|
#
|
||||||
|
# [*service_token_roles_required*]
|
||||||
|
# (optional) backwards compatibility to ensure that the service tokens are
|
||||||
|
# compared against a list of possible roles for validity
|
||||||
|
# true/false
|
||||||
|
# Defaults to $::os_service_default.
|
||||||
|
#
|
||||||
# == DEPRECATED
|
# == DEPRECATED
|
||||||
#
|
#
|
||||||
# [*identity_uri*]
|
# [*identity_uri*]
|
||||||
@@ -98,6 +114,8 @@ class swift::proxy::authtoken(
|
|||||||
$username = 'swift',
|
$username = 'swift',
|
||||||
$password = 'password',
|
$password = 'password',
|
||||||
$include_service_catalog = false,
|
$include_service_catalog = false,
|
||||||
|
$service_token_roles = $::os_service_default,
|
||||||
|
$service_token_roles_required = $::os_service_default,
|
||||||
# DEPRECATED PARAMETERS
|
# DEPRECATED PARAMETERS
|
||||||
$admin_user = undef,
|
$admin_user = undef,
|
||||||
$admin_tenant_name = undef,
|
$admin_tenant_name = undef,
|
||||||
@@ -162,5 +180,7 @@ class swift::proxy::authtoken(
|
|||||||
'filter:authtoken/delay_auth_decision': value => $delay_auth_decision;
|
'filter:authtoken/delay_auth_decision': value => $delay_auth_decision;
|
||||||
'filter:authtoken/cache': value => $cache;
|
'filter:authtoken/cache': value => $cache;
|
||||||
'filter:authtoken/include_service_catalog': value => $include_service_catalog;
|
'filter:authtoken/include_service_catalog': value => $include_service_catalog;
|
||||||
|
'filter:authtoken/service_token_roles': value => $service_token_roles;
|
||||||
|
'filter:authtoken/service_token_roles_required': value => $service_token_roles_required;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
swift::proxy::authtoken::service_token_roles and
|
||||||
|
swift::proxy::authtoken::service_token_roles_required were added to
|
||||||
|
add support for the authtoken parameters related to service token feature
|
||||||
@@ -32,6 +32,8 @@ describe 'swift::proxy::authtoken' do
|
|||||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('1') }
|
it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('1') }
|
||||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('swift.cache') }
|
it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('swift.cache') }
|
||||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') }
|
it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') }
|
||||||
|
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value('<SERVICE DEFAULT>') }
|
||||||
|
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>') }
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "when overriding parameters" do
|
describe "when overriding parameters" do
|
||||||
@@ -42,7 +44,9 @@ describe 'swift::proxy::authtoken' do
|
|||||||
:admin_password => 'swiftpassword',
|
:admin_password => 'swiftpassword',
|
||||||
:cache => 'foo',
|
:cache => 'foo',
|
||||||
:delay_auth_decision => '0',
|
:delay_auth_decision => '0',
|
||||||
:signing_dir => '/home/swift/keystone-signing'
|
:signing_dir => '/home/swift/keystone-signing',
|
||||||
|
:service_token_roles => ['service'],
|
||||||
|
:service_token_roles_required => true,
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
@@ -60,6 +64,8 @@ describe 'swift::proxy::authtoken' do
|
|||||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('0') }
|
it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('0') }
|
||||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('foo') }
|
it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('foo') }
|
||||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') }
|
it { is_expected.to contain_swift_proxy_config('filter:authtoken/include_service_catalog').with_value('false') }
|
||||||
|
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles').with_value(['service']) }
|
||||||
|
it { is_expected.to contain_swift_proxy_config('filter:authtoken/service_token_roles_required').with_value(true) }
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'when overriding www_authenticate_uri' do
|
describe 'when overriding www_authenticate_uri' do
|
||||||
|
|||||||
Reference in New Issue
Block a user