Support service tokens

Implement support for service_tokens. For that we convert role_name to be a list along with renaming corresponding variable. Additionally service_type is defined now for keystone_authtoken which enables to validate tokens with restricted access rules Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690 Change-Id: I04b22722b32b6dc8b1dc95e18c3fe96ad17e51ac
2022-06-15 11:08:48 +02:00 · 2022-06-15 11:08:48 +02:00 · c36fdaa960
commit c36fdaa960
parent cf66cd365c
3 changed files with 11 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -190,7 +190,12 @@ nova_service_project_name: "service"
 nova_service_project_domain_id: default
 nova_service_user_domain_id: default
 nova_service_user_name: "nova"
-nova_service_role_name: "admin"
+nova_service_role_names:
+  - admin
+  - service
+nova_service_token_roles:
+  - service
+nova_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"

 ## Keystone authentication middleware
 nova_keystone_auth_plugin: password
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -185,7 +185,7 @@
    _service_users:
      - name: "{{ nova_service_user_name }}"
        password: "{{ nova_service_password }}"
-        role: "{{ nova_service_role_name }}"
+        role: "{{ nova_service_role_names }}"
    _service_endpoints:
      - service: "{{ nova_service_name }}"
        interface: "public"
--- a/templates/nova.conf.j2
+++ b/templates/nova.conf.j2
@ -190,6 +190,10 @@ username = {{ nova_service_user_name }}
 password = {{ nova_service_password }}
 region_name = {{ keystone_service_region }}

+service_token_roles_required = {{ nova_service_token_roles_required | bool }}
+service_token_roles = {{ nova_service_token_roles | join(',') }}
+service_type = {{ nova_service_type }}
+
 memcached_servers = {{ memcached_servers }}

 token_cache_time = 300