From 1b644e2a32c227635935e5f2c1dc922c1a3fb141 Mon Sep 17 00:00:00 2001 From: Luigi Toscano Date: Wed, 11 Jul 2018 10:34:53 +0200 Subject: [PATCH] Do not set service_token_roles_required = True for now This change was introduced in https://review.openstack.org/#/c/578618/ When this value is set to True, the service user should be assigned a service role listed in the service_token_roles configuration key. Otherwise other services which use the nova API will not work properly (see the discussion in https://review.openstack.org/#/c/569886/ ) Apparently this is not the case for nova, where the service role seems to be "admin", but the value of service_token_roles has the default value of 'service' (it is not explicitly set). So change back to the default value, even if it leads to a deprecation warning. For more details see: https://bugs.launchpad.net/keystone/+bug/1779889 http://eavesdrop.openstack.org/irclogs/%23openstack-ansible/%23openstack-ansible.2018-07-10.log.html#t2018-07-10T17:47:14 http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-07-10.log.html#t2018-07-10T16:52:31 Change-Id: I08f32350b867ae0d26806b2d1774051467e90eb5 --- templates/nova.conf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/nova.conf.j2 b/templates/nova.conf.j2 index 51f6588c..0c5f081e 100644 --- a/templates/nova.conf.j2 +++ b/templates/nova.conf.j2 @@ -193,7 +193,6 @@ workers = {{ nova_conductor_workers | default(nova_api_threads) }} [keystone_authtoken] -service_token_roles_required = True insecure = {{ keystone_service_internaluri_insecure | bool }} auth_type = {{ nova_keystone_auth_plugin }} auth_url = {{ keystone_service_adminuri }}
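Review bot: With `service_token_roles_required` removed from `[keystone_authtoken]`, the section falls back to the default and nothing in the template records that this is meant to be temporary. As far as I know, keystonemiddleware with the default does not enforce `service_token_roles` on a token presented as a service token, so the role check on service tokens is effectively off. I would leave a comment at the removed position, e.g. `# service_token_roles_required is left at its default until the nova service user holds a role listed in service_token_roles (bug 1779889)`, so the setting gets restored rather than forgotten. The follow-up the description implies is to make the two agree, preferably by granting the service user the `service` role, otherwise by setting `service_token_roles` explicitly, and then re-enable the check. The `[keystone_authtoken]` section continues past the end of the hunk, so a `service_token_roles` line further down would not be visible here.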