Ocata Series Release Notes¶
4.12.0¶
Prelude¶
Fetching expired tokens when using a valid service token is now allowed. This will help with long running operations that must continue between services longer than the original expiry of the token.
Nouvelles fonctionnalités¶
AuthToken middleware will now allow fetching an expired token when a valid service token is present. This service token must contain any one of the roles specified in
service_token_roles
.
Service tokens are compared against a list of possible roles for validity. This will ensure that only services are submitting tokens as an
X-Service-Token
. For backwards compatibility, ifservice_token_roles_required
is not set, a warning will be emitted. To enforce the check properly, setservice_token_roles_required
toTrue
. It currently defaults toFalse
Upgrade Notes¶
Set the
service_token_roles
to a list of roles that services may have. The likely list isservice
oradmin
. Anyservice_token_roles
may apply to accept the service token. Ensure service users have one of these roles so interservice communication continues to work correctly. When verified, set theservice_token_roles_required
flag toTrue
to enforce this behaviour. This will become the default setting in future releases.
Notes dépréciées¶
For backwards compatibility the
service_token_roles_required
option in[keystone_authtoken]
was added. The option defaults toFalse
and has been immediately deprecated. This will allow the current behaviour that service tokens are validated but not checked for roles to continue. The option should be set toTrue
as soon as possible. The option will default toTrue
in a future release.