diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index a90aeb89c9..c685db2f66 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -884,9 +884,8 @@ openstack_auth:
   auth_url: "{{ keystone_admin_url }}"
   username: "{{ keystone_admin_user }}"
   password: "{{ keystone_admin_password }}"
-  project_name: "{{ keystone_admin_project }}"
-  domain_name: "default"
-  user_domain_name: "default"
+  user_domain_name: "{{ default_user_domain_name }}"
+  system_scope: "all"
 
 #######################
 # Glance options
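Review bot: Removing `project_name` and `domain_name` from `openstack_auth` while every task now reads `openstack_auth.system_scope` is a breaking change for any deployment that overrides this dict with the old keys, and nothing next to the mapping says so. Add a comment above `system_scope`, for example `# Admin auth is system-scoped; consumers that still need a project must use keystone_admin_project.` Note too that `system_scope: "all"` gives the admin credential a token that is not bound to any project, so every consumer of this dict should be checked to confirm it needs that reach. The `openstack_auth:` mapping header is above the hunk, and the release note in this diff files the change under `features` with no upgrade entry.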
diff --git a/ansible/roles/barbican/tasks/check.yml b/ansible/roles/barbican/tasks/check.yml
index 66692756c7..bba2f1d885 100644
--- a/ansible/roles/barbican/tasks/check.yml
+++ b/ansible/roles/barbican/tasks/check.yml
@@ -7,7 +7,7 @@
     --os-auth-url={{ openstack_auth.auth_url }} \
     --os-password={{ openstack_auth.password }} \
     --os-username={{ openstack_auth.username }} \
-    --os-project-name={{ openstack_auth.project_name }} \
+    --os-system-scope={{ openstack_auth.system_scope }}
     secret store -f value -p kolla | head -1
   register: barbican_store_secret
   run_once: True
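Review bot: The added `--os-system-scope={{ openstack_auth.system_scope }}` line has lost the trailing ` \` that the removed `--os-project-name` line and the three option lines above it carry. If this task relies on those backslashes for line continuation, the command now ends at that option and `secret store -f value -p kolla | head -1` runs as a separate command, so `barbican_store_secret` would not hold the stored secret reference. The line should read `--os-system-scope={{ openstack_auth.system_scope }} \`. The task header and the scalar style are above the hunk, so the exact failure depends on how the block is declared.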
@@ -20,7 +20,7 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
     secret get -f value -p {{ barbican_store_secret.stdout }}
   register: barbican_get_secret
   failed_when: barbican_get_secret.stdout != 'kolla'
@@ -34,7 +34,7 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
     secret delete {{ barbican_store_secret.stdout }}
   run_once: True
   when: kolla_enable_sanity_barbican | bool
diff --git a/ansible/roles/freezer/templates/freezer.conf.j2 b/ansible/roles/freezer/templates/freezer.conf.j2
index b48ec6c864..aaa07dcb78 100644
--- a/ansible/roles/freezer/templates/freezer.conf.j2
+++ b/ansible/roles/freezer/templates/freezer.conf.j2
@@ -15,8 +15,10 @@ jobs_dir = /etc/freezer/scheduler/conf.d
 os_username = {{ openstack_auth.username }}
 os_password = {{ openstack_auth.password }}
 os_auth_url = {{ openstack_auth.auth_url }}/v3
-os_project_name = {{ openstack_auth.project_name }}
+os_project_name = {{ keystone_admin_project }}
 os_project_domain_name = {{ openstack_auth.domain_name }}
+# TODO: transition to system scoped token when freezer supports that
+# configuration option
 os_user_domain_name = {{ openstack_auth.user_domain_name }}
 {% endif %}
 
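Review bot: The context line `os_project_domain_name = {{ openstack_auth.domain_name }}` still reads a key that this same commit deletes from `openstack_auth` in `ansible/group_vars/all.yml`, so rendering this template would likely fail on an undefined attribute. Because this section stays project-scoped until freezer supports system scope, the project domain should come from a standalone variable, e.g. `os_project_domain_name = {{ default_project_domain_name }}` (assuming that variable is defined alongside `default_user_domain_name`). The enclosing `{% if %}` block starts above the hunk.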
diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml
index f3b6d5f4b5..0814234ce9 100644
--- a/ansible/roles/heat/defaults/main.yml
+++ b/ansible/roles/heat/defaults/main.yml
@@ -219,7 +219,7 @@ heat_ks_roles:
   - "{{ heat_stack_user_role }}"
 
 heat_ks_user_roles:
-  - project: "{{ openstack_auth.project_name }}"
+  - project: "{{ keystone_admin_project }}"
     user: "{{ openstack_auth.username }}"
     role: "{{ heat_stack_owner_role }}"
 
diff --git a/ansible/roles/heat/tasks/bootstrap_service.yml b/ansible/roles/heat/tasks/bootstrap_service.yml
index 849d218bbb..4f166b8dc9 100644
--- a/ansible/roles/heat/tasks/bootstrap_service.yml
+++ b/ansible/roles/heat/tasks/bootstrap_service.yml
@@ -15,7 +15,8 @@
       OS_INTERFACE: "internal"
       OS_USERNAME: "{{ openstack_auth.username }}"
       OS_PASSWORD: "{{ openstack_auth.password }}"
-      OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
+      OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
+      OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
       OS_REGION_NAME: "{{ openstack_region_name }}"
       OS_CACERT: "{{ openstack_cacert | default(omit) }}"
       HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2
index 9b7de4d5c2..77bbc3f208 100644
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -75,7 +75,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
 [cinder]
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
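Review bot: `user_domain_id = default` stays hard-coded directly below the newly templated `project_domain_id` in `[cinder]`, so a deployment that overrides the default domain ends up with a project domain and a user domain that disagree. The same pair is left in the `[glance]`, `[neutron]` and `[nova]` hunks, in the two `ironic_enable_keystone_integration` hunks, and in the `vitrage.conf.j2` hunk. The `[swift]` section of this file already uses the templated form, so each of these should become `user_domain_id = {{ default_user_domain_id }}`. The sections continue past the end of each hunk.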
@@ -89,7 +89,7 @@ cafile = {{ openstack_cacert }}
 [glance]
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
@@ -103,7 +103,7 @@ cafile = {{ openstack_cacert }}
 [neutron]
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
@@ -118,7 +118,7 @@ cafile = {{ openstack_cacert }}
 [nova]
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
@@ -132,7 +132,7 @@ cafile = {{ openstack_cacert }}
 [swift]
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id =  {{ default_project_domain_id }}
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ ironic_keystone_user }}
@@ -146,7 +146,7 @@ cafile = {{ openstack_cacert }}
 {% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
@@ -163,7 +163,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
 {% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml
index d79bdce8c8..4e7bdccc62 100644
--- a/ansible/roles/keystone/tasks/register.yml
+++ b/ansible/roles/keystone/tasks/register.yml
@@ -3,7 +3,7 @@
   become: true
   command: >
     docker exec keystone kolla_keystone_bootstrap
-    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
+    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
     admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
   register: keystone_bootstrap
   changed_when: (keystone_bootstrap.stdout | from_json).changed
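Review bot: The admin password and project name are interpolated unquoted as positional arguments to `kolla_keystone_bootstrap`, so a value containing whitespace would be split into extra arguments and shift every position after it. The secret also ends up in the process argument list and in task output. Quote the values, e.g. `{{ openstack_auth.password | quote }} {{ keystone_admin_project | quote }}`, and set `no_log: true` on the task if it is not already set outside the hunk. The task begins above the hunk and continues below it.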
diff --git a/ansible/roles/keystone/tasks/register_identity_providers.yml b/ansible/roles/keystone/tasks/register_identity_providers.yml
index 40dd5b032e..d99cbe762d 100644
--- a/ansible/roles/keystone/tasks/register_identity_providers.yml
+++ b/ansible/roles/keystone/tasks/register_identity_providers.yml
@@ -5,13 +5,12 @@
       --os-auth-url={{ openstack_auth.auth_url }}
       --os-password={{ openstack_auth.password }}
       --os-username={{ openstack_auth.username }}
-      --os-project-name={{ openstack_auth.project_name }}
       --os-identity-api-version=3
-      --os-interface {{ openstack_interface }}
-      --os-project-domain-name {{ openstack_auth.domain_name }}
-      --os-user-domain-name {{ openstack_auth.domain_name }}
-      --os-region-name {{ openstack_region_name }}
-      {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+      --os-interface={{ openstack_interface }}
+      --os-system-scope={{ openstack_auth.system_scope }}
+      --os-user-domain-name={{ openstack_auth.user_domain_name }}
+      --os-region-name={{ openstack_region_name }}
+      {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping list -c ID --format value
   run_once: True
   become: True
@@ -27,13 +26,13 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
-    --os-region-name {{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    --os-interface={{ openstack_interface }}
+    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-region-name={{ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping delete {{ item }}
   run_once: True
   become: true
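Review bot: `--os-system-scope={{ openstack_auth.system_scope }}` is passed twice in the `mapping delete` command, once before and once after `--os-user-domain-name`. The repeat is probably harmless to the client, but it looks like a copy-paste slip and makes this task differ from the otherwise identical option blocks in the rest of the file; drop the second occurrence. The task header is above the hunk.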
@@ -62,13 +61,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
     --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
-    --os-region-name {{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
+    --os-region-name={{ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping create
     --rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
     {{ item.name }}
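Review bot: `--os-interface {{ openstack_interface }}` and `--rules "..."` keep the space-separated form in the `mapping create` command, while the lines added next to them and the sibling `mapping set` hunk use `--option=value`. The `identity provider set` hunk further down likewise adds `--os-system-scope {{ ... }}` and `--os-user-domain-name {{ ... }}` in the space form. Choose one form for the whole file, e.g. `--os-interface={{ openstack_interface }}`, so the repeated option blocks stay comparable line for line. The task starts above the hunk.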
@@ -84,15 +82,14 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
-    --os-region-name {{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    --os-interface={{ openstack_interface }}
+    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
+    --os-region-name={{ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping set
-    --rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
+    --rules="{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
     {{ item.name }}
   run_once: True
   when:
@@ -106,13 +103,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
-    --os-region-name {{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    --os-interface={{ openstack_interface }}
+    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
+    --os-region-name={{ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     identity provider list -c ID --format value
   run_once: True
   register: existing_idps_register
@@ -128,13 +124,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
-    --os-region-name {{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    --os-interface={{ openstack_interface }}
+    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
+    --os-region-name={ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
     identity provider delete {{ item }}
   run_once: True
   with_items: "{{ existing_idps }}"
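Review bot: `--os-region-name={ openstack_region_name }}` in the `identity provider delete` command is missing one opening brace, so Jinja will not treat it as an expression. The text would most likely reach the CLI literally and be split into stray arguments, making the delete fail or target the wrong region value. It should be `--os-region-name={{ openstack_region_name }}`. The task header is above the hunk.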
@@ -149,13 +144,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
-    --os-region-name {{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    --os-interface={{ openstack_interface }}
+    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-user-domain-name{{ openstack_auth.user_domain_name }}
+    --os-region-name={{ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
     identity provider create
     --description "{{ item.public_name }}"
     --remote-id "{{ item.identifier }}"
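Review bot: `--os-user-domain-name{{ openstack_auth.user_domain_name }}` in the `identity provider create` command has no `=` between the option and its value. It renders as a single token with the domain glued onto the option name, which the client will not recognise as `--os-user-domain-name`. It should be `--os-user-domain-name={{ openstack_auth.user_domain_name }}`. The task begins above the hunk and its remaining arguments continue below it.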
@@ -173,11 +167,10 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
     --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-user-domain-name {{ openstack_auth.user_domain_name }}
     --os-region-name {{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
     identity provider set
@@ -196,13 +189,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
-    --os-region-name {{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    --os-interface={{ openstack_interface }}
+    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
+    --os-region-name={{ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
     federation protocol create
     --mapping {{ item.attribute_mapping }}
     --identity-provider {{ item.name }}
@@ -219,13 +211,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
-    --os-region-name {{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    --os-interface={{ openstack_interface }}
+    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
+    --os-region-name={{ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
     federation protocol set
     --identity-provider {{ item.name }}
     --mapping {{ item.attribute_mapping }}
diff --git a/ansible/roles/murano/tasks/import_library_packages.yml b/ansible/roles/murano/tasks/import_library_packages.yml
index 615bfa5124..438455c44e 100644
--- a/ansible/roles/murano/tasks/import_library_packages.yml
+++ b/ansible/roles/murano/tasks/import_library_packages.yml
@@ -17,8 +17,8 @@
   command: >
     docker exec murano_api murano
     --os-username {{ openstack_auth.username }}
-    --os-password {{ keystone_admin_password }}
-    --os-project-name {{ openstack_auth.project_name }}
+    --os-password {{ openstack_auth.password }}
+    --os-system-scope {{ openstack_auth.system_scope }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     --os-auth-url {{ keystone_admin_url }}
     --murano-url {{ murano_admin_endpoint }}
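Review bot: This first murano command still passes `--os-auth-url {{ keystone_admin_url }}`, while the two later hunks in the file switch the same option to `{{ openstack_auth.auth_url }}`. The values are the same by default, but an override of `openstack_auth` would make this task authenticate against a different endpoint than its siblings; change it to `--os-auth-url {{ openstack_auth.auth_url }}`. None of the three commands passes a user domain alongside `--os-system-scope`, unlike the `openstack` CLI calls elsewhere in this commit. It is worth confirming that the murano client does not need `--os-user-domain-name {{ openstack_auth.user_domain_name }}` for a system-scoped request.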
@@ -33,10 +33,10 @@
   command: >
     docker exec murano_api murano
     --os-username {{ openstack_auth.username }}
-    --os-password {{ keystone_admin_password }}
-    --os-project-name {{ openstack_auth.project_name }}
+    --os-password {{ openstack_auth.password }}
+    --os-system-scope {{ openstack_auth.system_scope }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
-    --os-auth-url {{ keystone_admin_url }}
+    --os-auth-url {{ openstack_auth.auth_url }}
     --murano-url {{ murano_admin_endpoint }}
     package-import --exists-action u --is-public /io.murano.zip
   run_once: True
@@ -49,10 +49,10 @@
   command: >
     docker exec murano_api murano
     --os-username {{ openstack_auth.username }}
-    --os-password {{ keystone_admin_password }}
-    --os-project-name {{ openstack_auth.project_name }}
+    --os-password {{ openstack_auth.password }}
+    --os-system-scope {{ openstack_auth.system_scope }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
-    --os-auth-url {{ keystone_admin_url }}
+    --os-auth-url {{ openstack_auth.auth_url }}
     --murano-url {{ murano_admin_endpoint }}
     package-import --exists-action u --is-public /io.murano.applications.zip
   run_once: True
diff --git a/ansible/roles/nova-cell/tasks/discover_computes.yml b/ansible/roles/nova-cell/tasks/discover_computes.yml
index 1ee0e1c0ec..d13589cca8 100644
--- a/ansible/roles/nova-cell/tasks/discover_computes.yml
+++ b/ansible/roles/nova-cell/tasks/discover_computes.yml
@@ -28,13 +28,12 @@
   command: >
     docker exec kolla_toolbox openstack
     --os-interface {{ openstack_interface }}
-    --os-auth-url {{ keystone_admin_url }}
-    --os-identity-api-version 3
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-project-name {{ openstack_auth.project_name }}
+    --os-auth-url {{ openstack_auth.auth_url }}
     --os-username {{ openstack_auth.username }}
-    --os-password {{ keystone_admin_password }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-password {{ openstack_auth.password }}
+    --os-identity-api-version 3
+    --os-user-domain-name {{ openstack_auth.user_domain_name }}
+    --os-system-scope {{ openstack_auth.system_scope }}
     --os-region-name {{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     compute service list --format json --column Host --service nova-compute
diff --git a/ansible/roles/skydive/defaults/main.yml b/ansible/roles/skydive/defaults/main.yml
index b2ac934499..2d7175132c 100644
--- a/ansible/roles/skydive/defaults/main.yml
+++ b/ansible/roles/skydive/defaults/main.yml
@@ -41,7 +41,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{
 skydive_analyzer_tag: "{{ skydive_tag }}"
 skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
 
-skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}"
+skydive_admin_tenant_name: "{{ keystone_admin_project }}"
 skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
 skydive_agent_tag: "{{ skydive_tag }}"
 skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"
diff --git a/ansible/roles/skydive/templates/skydive-agent.conf.j2 b/ansible/roles/skydive/templates/skydive-agent.conf.j2
index 15cda502a2..34dba6716c 100644
--- a/ansible/roles/skydive/templates/skydive-agent.conf.j2
+++ b/ansible/roles/skydive/templates/skydive-agent.conf.j2
@@ -45,11 +45,12 @@ agent:
       - ovsdb
 {% endif %}
 
+### TODO migrate from tenant_name to system_scope when supported in skydive
     neutron:
       auth_url: {{ keystone_internal_url }}/v3
       username: {{ openstack_auth['username'] }}
       password: {{ openstack_auth['password'] }}
-      tenant_name: {{ openstack_auth['project_name'] }}
+      tenant_name: {{ skydive_admin_tenant_name }}
       region_name: {{ openstack_region_name }}
       domain_name: Default
       endpoint_type: internal
diff --git a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
index 549bafff22..551b8dc65a 100644
--- a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
+++ b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
@@ -1,5 +1,6 @@
 ### Skydive analyzer config file
 
+### TODO migrate from tenant_name to system_scope when supported in skydive
 auth:
   keystone:
     type: keystone
diff --git a/ansible/roles/vitrage/templates/vitrage.conf.j2 b/ansible/roles/vitrage/templates/vitrage.conf.j2
index 3fdaa2f9fb..1482f8278a 100644
--- a/ansible/roles/vitrage/templates/vitrage.conf.j2
+++ b/ansible/roles/vitrage/templates/vitrage.conf.j2
@@ -52,7 +52,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
 auth_url = {{ keystone_internal_url }}/v3
 region_name = {{ openstack_region_name }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = admin
 password = {{ vitrage_keystone_password }}
diff --git a/doc/source/user/multi-regions.rst b/doc/source/user/multi-regions.rst
index e2a4da6c04..98fd5a7599 100644
--- a/doc/source/user/multi-regions.rst
+++ b/doc/source/user/multi-regions.rst
@@ -73,11 +73,11 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
    keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
 
    openstack_auth:
-       auth_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}"
-       username: "admin"
+       auth_url: "{{ keystone_admin_url }}"
+       username: "{{ keystone_admin_user }}"
        password: "{{ keystone_admin_password }}"
-       project_name: "admin"
-       domain_name: "default"
+       user_domain_name: "{{ default_user_domain_name }}"
+       system_scope: "all"
 
 .. note::
 
diff --git a/releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml b/releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml
new file mode 100644
index 0000000000..ae7909d08b
--- /dev/null
+++ b/releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml
@@ -0,0 +1,8 @@
+---
+features:
+  - Transitions to using system-scoped tokens when authenticating as the
+    Keystone admin user. This is a necessary step towards being able to
+    enable the updated oslo policies in services that allow finer grained
+    access to system-level resources and APIs. Since Queens, the admin role
+    is assigned to the admin user with system scope as well as in the admin
+    project.
diff --git a/tools/init-runonce b/tools/init-runonce
index b4b8739917..f8d7b1c179 100755
--- a/tools/init-runonce
+++ b/tools/init-runonce
@@ -95,7 +95,6 @@ if [[ $ENABLE_EXT_NET -eq 1 ]]; then
 fi
 
 # Get admin user and tenant IDs
-ADMIN_USER_ID=$($KOLLA_OPENSTACK_COMMAND user list | awk '/ admin / {print $2}')
 ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}')
 ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}')