Ability to define service_token_roles
PROD-32905
Change-Id: I9f345a508d88617287da09e1114ccd59eba88f6d
diff --git a/oslo_templates/files/queens/keystonemiddleware/_auth_token.conf b/oslo_templates/files/queens/keystonemiddleware/_auth_token.conf
index 755a991..57276bc 100644
--- a/oslo_templates/files/queens/keystonemiddleware/_auth_token.conf
+++ b/oslo_templates/files/queens/keystonemiddleware/_auth_token.conf
@@ -197,12 +197,18 @@
# For backwards compatibility reasons this currently only affects the
# allow_expired check. (list value)
#service_token_roles = service
+{%- if _data.service_token_roles is defined %}
+service_token_roles = {{ _data.service_token_roles }}
+{%- endif %}
# For backwards compatibility reasons we must let valid service tokens pass
# that don't pass the service_token_roles check as valid. Setting this true
# will become the default in a future release and should be enabled if
# possible. (boolean value)
#service_token_roles_required = false
+{%- if _data.service_token_roles_required is defined %}
+service_token_roles_required = {{ _data.service_token_roles_required }}
+{%- endif %}
# Authentication type to load (string value)
# Deprecated group/name - [keystone_authtoken]/auth_plugin
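Review bot: `service_token_roles` is a list option, but the added line `service_token_roles = {{ _data.service_token_roles }}` renders the value as-is, so if `_data.service_token_roles` is supplied as a YAML list the output would be its Python repr (`['service', 'admin']`), and oslo.config would presumably split that into entries carrying brackets and quotes that match no real role. In that case no service token would pass the role check, and with `service_token_roles_required = true` valid service tokens would be rejected outright. Consider joining non-string values, e.g. `{{ _data.service_token_roles if _data.service_token_roles is string else _data.service_token_roles|join(',') }}`, and adding a short template comment that states the expected type. The type of the `_data` values is not visible in this hunk, so confirm it against the callers.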