Ocata Series Release Notes
Fetching expired tokens when using a valid service token is now allowed. This will help with long-running operations that must continue between services longer than the original expiry of the token.
AuthToken middleware will now allow fetching an expired token when a valid service token is present. This service token must contain any one of the roles specified in
Service tokens are compared against a list of possible roles for validity. This will ensure that only services are submitting tokens as an X-Service-Token. For backwards compatibility, if service_token_roles_required is not set, a warning will be emitted. To enforce the check properly, set
True. It currently defaults to
service_token_roles to a list of roles that services may have. The likely list is
service_token_roles may apply to accept the service token. Ensure service users have one of these roles so interservice communication continues to work correctly. When verified, set the
True to enforce this behaviour. This will become the default setting in future releases.
For backwards compatibility the
[keystone_authtoken] was added. The option defaults to False and has been immediately deprecated. This will allow the current behaviour that service tokens are validated but not checked for roles to continue. The option should be set to True as soon as possible. The option will default to True in a future release.
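The following is an added example, not code from keystonemiddleware: a small Python model of how the two options described above decide whether an X-Service-Token is accepted and whether an expired token may be fetched. The class, function and role names are hypothetical, and it assumes the role match is needed for the expired-token fetch in both modes.

```python
import warnings
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthTokenOptions:
    """The two [keystone_authtoken] options named in these notes."""
    service_token_roles: frozenset
    service_token_roles_required: bool = False  # backwards-compatible default


def evaluate_service_token(opts, token_validated, token_roles):
    """Model of the decision the notes describe (not keystonemiddleware code).

    Returns (service_token_valid, allow_expired_fetch).
    """
    if not token_validated:
        # An invalid or missing X-Service-Token grants nothing.
        return (False, False)

    role_match = bool(opts.service_token_roles & set(token_roles))

    if opts.service_token_roles_required:
        valid = role_match
    else:
        # Legacy mode: validated but not checked for roles, with a warning.
        warnings.warn(
            "service_token_roles_required is not set; service token roles "
            "are not being enforced", stacklevel=2)
        valid = True

    # Assumption: fetching an expired token needs a service token carrying
    # one of the configured roles, whichever mode is active.
    return (valid, role_match)


# Constructed sample data: role names are placeholders, not project defaults.
LEGACY = AuthTokenOptions(frozenset({"example_service_role"}))
ENFORCED = AuthTokenOptions(frozenset({"example_service_role"}), True)

if __name__ == "__main__":
    for name, opts in (("legacy", LEGACY), ("enforced", ENFORCED)):
        for roles in (["example_service_role"], ["member"]):
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                print(name, roles, evaluate_service_token(opts, True, roles))
```

In the legacy mode a token without a matching role is still treated as a service token, which is the gap that setting the option to True closes.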