Ocata Series Release Notes

4.12.0

Prelude

Fetching expired tokens when using a valid service token is now allowed. This will help with long running operations that must continue between services longer than the original expiry of the token.

New Features

  • AuthToken middleware will now allow fetching an expired token when a valid service token is present. This service token must contain any one of the roles specified in service_token_roles.

  • Service tokens are compared against a list of possible roles for validity. This will ensure that only services are submitting tokens as an X-Service-Token. For backwards compatibility, if service_token_roles_required is not set, a warning will be emitted. To enforce the check properly, set service_token_roles_required to True. It currently defaults to False

Upgrade Notes

  • Set the service_token_roles to a list of roles that services may have. The likely list is service or admin. Any service_token_roles may apply to accept the service token. Ensure service users have one of these roles so interservice communication continues to work correctly. When verified, set the service_token_roles_required flag to True to enforce this behaviour. This will become the default setting in future releases.

Deprecation Notes

  • For backwards compatibility the service_token_roles_required option in [keystone_authtoken] was added. The option defaults to False and has been immediately deprecated. This will allow the current behaviour that service tokens are validated but not checked for roles to continue. The option should be set to True as soon as possible. The option will default to True in a future release.