Add keystone_authtoken.service_type

Fixes an issue where access rules failed to validate:

    Cannot validate request with restricted access rules. Set
    service_type in [keystone_authtoken] to allow access rule validation

I've used the values from the endpoint. This was mostly a straight
forward copy and paste, except:

- versioned endpoints e.g cinderv3 where I stripped the version
- monasca has multiple endpoints associated with a single service. For
  this, I concatenated logging and monitoring to be logging-monitoring.

Closes-Bug: #1965111
Change-Id: Ic4b3ab60abad8c3dd96cd4923a67f2a8f9d195d7

ansible/roles/aodh/templates/aodh.conf.j2

@@ -16,6 +16,7 @@ connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 
 [keystone_authtoken]
+service_type = alarming
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}

ansible/roles/barbican/templates/barbican.conf.j2

@@ -53,6 +53,7 @@ topic = barbican_notifications
 {% endif %}
 
 [keystone_authtoken]
+service_type = key-manager
 www_authenticate_uri = {{ keystone_internal_url }}
 project_domain_id = {{ default_project_domain_id }}
 project_name = service

ansible/roles/blazar/templates/blazar.conf.j2

@@ -20,6 +20,7 @@ api_v2_controllers = oshosts,leases
 plugins = virtual.instance.plugin,physical.host.plugin
 
 [keystone_authtoken]
+service_type = reservation
 www_authenticate_uri = {{ keystone_internal_url }}/v3
 auth_url = {{ keystone_internal_url }}/v3
 auth_type = password

ansible/roles/cinder/templates/cinder.conf.j2

@@ -98,6 +98,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = volume
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/cloudkitty/templates/cloudkitty.conf.j2

@@ -17,6 +17,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = rating
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/cyborg/templates/cyborg.conf.j2

@@ -15,6 +15,7 @@ connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 
 [keystone_authtoken]
+service_type = cyborg
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}
 memcache_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}

ansible/roles/designate/templates/designate.conf.j2

@@ -19,6 +19,7 @@ enable_host_header = True
 enabled_extensions_admin = quotas, reports
 
 [keystone_authtoken]
+service_type = dns
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/freezer/templates/freezer.conf.j2

@@ -24,6 +24,7 @@ os_user_domain_name = {{ openstack_auth.user_domain_name }}
 
 {% if service_name == 'freezer-api' %}
 [keystone_authtoken]
+service_type = backup
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/glance/templates/glance-api.conf.j2

@@ -41,6 +41,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = image
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/gnocchi/templates/gnocchi.conf.j2

@@ -44,6 +44,7 @@ workers = {{ gnocchi_metricd_workers }}
 url = mysql+pymysql://{{ gnocchi_database_user }}:{{ gnocchi_database_password }}@{{ gnocchi_database_address }}/{{ gnocchi_database_name }}
 
 [keystone_authtoken]
+service_type = metric
 www_authenticate_uri = {{ keystone_internal_url }}/v3
 project_domain_id = {{ default_project_domain_id }}
 project_name = service

ansible/roles/heat/templates/heat.conf.j2

@@ -29,6 +29,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = orchestration
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/ironic/templates/ironic-inspector.conf.j2

@@ -37,6 +37,7 @@ endpoint_override = {{ ironic_internal_endpoint }}
 
 {% if ironic_enable_keystone_integration | bool %}
 [keystone_authtoken]
+service_type = baremetal-introspection
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/ironic/templates/ironic.conf.j2

@@ -47,6 +47,7 @@ max_retries = -1
 
 {% if ironic_enable_keystone_integration | bool %}
 [keystone_authtoken]
+service_type = baremetal
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/magnum/templates/magnum.conf.j2

@@ -75,6 +75,7 @@ auth_type = password
 cafile = {{ openstack_cacert }}
 
 [keystone_authtoken]
+service_type = container-infra
 auth_version = v3
 www_authenticate_uri = {{ keystone_internal_url }}/v3
 auth_url = {{ keystone_internal_url }}

ansible/roles/manila/templates/manila.conf.j2

@@ -31,6 +31,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = share
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/masakari/templates/masakari.conf.j2

@@ -22,6 +22,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = instance-ha
 www_authenticate_uri = {{ keystone_internal_url }}/v3
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/mistral/templates/mistral.conf.j2

@@ -39,6 +39,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = workflow
 www_authenticate_uri = {{ keystone_internal_url }}/v3
 auth_url = {{ keystone_internal_url }}/v3
 auth_type = password

ansible/roles/monasca/templates/monasca-api/api.conf.j2

@@ -31,6 +31,7 @@ read_only_authorized_roles = {{ monasca_read_only_authorized_roles|join(', ') }}
 delegate_authorized_roles = {{ monasca_delegate_authorized_roles|join(', ') }}
 
 [keystone_authtoken]
+service_type = logging-monitoring
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/murano/templates/murano.conf.j2

@@ -21,6 +21,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = application-catalog
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/neutron/templates/neutron.conf.j2

@@ -113,6 +113,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = network
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/nova/templates/nova.conf.j2

@@ -110,6 +110,7 @@ memcache_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address
 
 
 [keystone_authtoken]
+service_type = compute
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/octavia/templates/octavia.conf.j2

@@ -58,6 +58,7 @@ memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
 
 [keystone_authtoken]
+service_type = load-balancer
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/placement/templates/placement.conf.j2

@@ -25,6 +25,7 @@ memcache_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address
 
 
 [keystone_authtoken]
+service_type = placement
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/sahara/templates/sahara.conf.j2

@@ -16,6 +16,7 @@ connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 
 [keystone_authtoken]
+service_type = data-processing
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 user_domain_name = {{ default_project_domain_name }}

ansible/roles/senlin/templates/senlin.conf.j2

@@ -42,6 +42,7 @@ workers = {{ openstack_service_workers }}
 {% endif %}
 
 [keystone_authtoken]
+service_type = clustering
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/solum/templates/solum.conf.j2

@@ -48,6 +48,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = application_deployment
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/tacker/templates/tacker.conf.j2

@@ -32,6 +32,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = nfv-orchestration
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/trove/templates/trove.conf.j2

@@ -50,6 +50,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = database
 www_authenticate_uri = {{ keystone_internal_url }}
 project_domain_name = {{ default_project_domain_name }}
 project_name = service

ansible/roles/vitrage/templates/vitrage.conf.j2

@@ -27,6 +27,7 @@ types = {{ vitrage_datasources|map(attribute='name')|join(',') }}
 plugins = jaccard_correlation
 
 [keystone_authtoken]
+service_type = rca
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/watcher/templates/watcher.conf.j2

@@ -19,6 +19,7 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+service_type = infra-optim
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

ansible/roles/zun/templates/zun.conf.j2

@@ -48,6 +48,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
 # keystone_authtoken sections are used and Zun internals may use either -
 # - best keep them both in sync
 [keystone_authtoken]
+service_type = container
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

releasenotes/notes/fix-app-cred-access-rules-14b5dcfcd5a5669a.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Adds configuration necessary for application credential access rules to
+    properly function.
+    `LP#1965111 <https://bugs.launchpad.net/kolla-ansible/+bug/1965111>`__