Merge "Remove system scope token to access services"
commit
98139b0f10
@ -883,8 +883,9 @@ openstack_auth:
|
||||
auth_url: "{{ keystone_internal_url }}"
|
||||
username: "{{ keystone_admin_user }}"
|
||||
password: "{{ keystone_admin_password }}"
|
||||
user_domain_name: "{{ default_user_domain_name }}"
|
||||
system_scope: "all"
|
||||
project_name: "{{ keystone_admin_project }}"
|
||||
domain_name: "default"
|
||||
user_domain_name: "default"
|
||||
|
||||
#######################
|
||||
# Glance options
|
||||
|
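Review bot: The rewritten `openstack_auth` mapping hard-codes `domain_name: "default"` even though a `default_project_domain_name` variable exists (this same commit uses it for `os_project_domain_name` in the freezer scheduler config), so a deployment whose admin project lives in a non-default domain would request a project-scoped token against the wrong domain; use `domain_name: "{{ default_project_domain_name }}"`. If `user_domain_name: "default"` is also on the new side, it duplicates the templated `user_domain_name: "{{ default_user_domain_name }}"` key higher in the same mapping, and YAML loaders silently keep the last value, overriding the variable; that line should be dropped. The sides of the changed lines cannot be told apart on this rendered page, so the second point is hedged.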
@ -15,9 +15,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
|
||||
os_username = {{ openstack_auth.username }}
|
||||
os_password = {{ openstack_auth.password }}
|
||||
os_auth_url = {{ openstack_auth.auth_url }}
|
||||
os_project_name = {{ keystone_admin_project }}
|
||||
# TODO: transition to system scoped token when freezer supports that
|
||||
# configuration option, os_project_domain_name should be removed.
|
||||
os_project_name = {{ openstack_auth.project_name }}
|
||||
os_project_domain_name = {{ default_project_domain_name }}
|
||||
os_user_domain_name = {{ openstack_auth.user_domain_name }}
|
||||
{% endif %}
|
||||
|
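Review bot: `os_project_name` now comes from `openstack_auth.project_name`, but `os_project_domain_name` on the next line still reads the unrelated `default_project_domain_name`, so the project name and its domain are sourced from two different places and can drift apart. Since this commit adds `domain_name` to `openstack_auth`, `os_project_domain_name = {{ openstack_auth.domain_name }}` keeps the project-scoped credential consistent with the nova task in this commit that already passes that value. The enclosing `{% if %}` block opens outside the hunk.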
@ -235,7 +235,7 @@ heat_ks_roles:
|
||||
- "{{ heat_stack_user_role }}"
|
||||
|
||||
heat_ks_user_roles:
|
||||
- project: "{{ keystone_admin_project }}"
|
||||
- project: "{{ openstack_auth.project_name }}"
|
||||
user: "{{ openstack_auth.username }}"
|
||||
role: "{{ heat_stack_owner_role }}"
|
||||
|
||||
|
@ -15,8 +15,8 @@
|
||||
OS_INTERFACE: "internal"
|
||||
OS_USERNAME: "{{ openstack_auth.username }}"
|
||||
OS_PASSWORD: "{{ openstack_auth.password }}"
|
||||
OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
|
||||
OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
|
||||
OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
|
||||
OS_REGION_NAME: "{{ openstack_region_name }}"
|
||||
OS_CACERT: "{{ openstack_cacert | default(omit) }}"
|
||||
HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
|
||||
|
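Review bot: `OS_PROJECT_NAME` is added but no `OS_PROJECT_DOMAIN_NAME` accompanies it, while the user domain is given explicitly via `OS_USER_DOMAIN_NAME`; with Keystone v3 a project name alone is ambiguous across domains, and whether the bootstrap tooling tolerates the omission depends on code outside this hunk. Adding `OS_PROJECT_DOMAIN_NAME: "{{ openstack_auth.domain_name }}"` next to `OS_PROJECT_NAME` makes the project-scoped auth explicit and matches the nova task in this commit that passes `--os-project-domain-name`.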
@ -9,7 +9,7 @@
|
||||
--os-password {{ openstack_auth.password }}
|
||||
--os-identity-api-version 3
|
||||
--os-user-domain-name {{ openstack_auth.user_domain_name }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
--os-system-scope "all"
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||
baremetal node list --format json --column "Provisioning State"
|
||||
|
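Review bot: `--os-system-scope "all"` replaces the `openstack_auth.system_scope` variable with a literal, and the same literal is repeated in every keystone task hunk of this commit (the `--os-system-scope="all"` lines, and the `--os-system-scope "all"` form in the `@ -170` hunk), so the scope that Ironic and Keystone still authenticate with is no longer configurable from one place. Keeping a single variable, e.g. `keystone_system_scope: "all"` in group vars and `--os-system-scope {{ keystone_system_scope }}` here, preserves one point of control and makes any later change a one-line edit. The `command: >` block this line belongs to starts outside the hunk.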
@ -3,7 +3,7 @@
|
||||
become: true
|
||||
command: >
|
||||
{{ kolla_container_engine }} exec keystone kolla_keystone_bootstrap
|
||||
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
|
||||
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
|
||||
admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
|
||||
register: keystone_bootstrap
|
||||
changed_when: (keystone_bootstrap.stdout | from_json).changed
|
||||
|
@ -7,7 +7,7 @@
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-system-scope="all"
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||
@ -28,9 +28,9 @@
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-system-scope="all"
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-system-scope="all"
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||
mapping delete {{ item }}
|
||||
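Review bot: In the `mapping delete` command both occurrences of `--os-system-scope` were rewritten, so the new command still passes `--os-system-scope="all"` twice (once before and once after `--os-user-domain-name`); the second copy looks like an accidental duplicate carried over from the old version, and this commit is the natural place to drop it. The `--os-region-name={ openstack_region_name }}` context line in the `@ -127` hunk of this file has an unbalanced brace; if that is not a rendering artifact of this page, Jinja emits the text literally and the region flag is wrong, so it is worth checking in the source file. Both command blocks start outside their hunks.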
@ -64,7 +64,7 @@
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-system-scope="all"
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||
@ -85,7 +85,7 @@
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-system-scope="all"
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||
@ -106,7 +106,7 @@
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-system-scope="all"
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||
@ -127,7 +127,7 @@
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-system-scope="all"
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||
@ -147,7 +147,7 @@
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-system-scope="all"
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||
@ -170,7 +170,7 @@
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
--os-system-scope "all"
|
||||
--os-user-domain-name {{ openstack_auth.user_domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
@ -192,7 +192,7 @@
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-system-scope="all"
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||
@ -214,7 +214,7 @@
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-system-scope="all"
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||
|
@ -18,7 +18,7 @@
|
||||
{{ kolla_container_engine }} exec murano_api murano
|
||||
--os-username {{ openstack_auth.username }}
|
||||
--os-password {{ openstack_auth.password }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
--os-project-name {{ openstack_auth.project_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||
--os-auth-url {{ openstack_auth.auth_url }}
|
||||
--murano-url {{ murano_internal_endpoint }}
|
||||
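Review bot: `--os-project-name {{ openstack_auth.project_name }}` replaces the system-scope flag, but no project domain is passed alongside it in this hunk, unlike the nova task in this commit that adds `--os-project-domain-name {{ openstack_auth.domain_name }}`; if the murano command lines outside the hunk do not already supply it, add that flag here so the project-scoped token is resolved in the intended domain. The same change is repeated in the `@ -34` and `@ -50` hunks of this file and the point applies there too. The `command` block opens outside the hunk.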
@ -34,7 +34,7 @@
|
||||
{{ kolla_container_engine }} exec murano_api murano
|
||||
--os-username {{ openstack_auth.username }}
|
||||
--os-password {{ openstack_auth.password }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
--os-project-name {{ openstack_auth.project_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||
--os-auth-url {{ openstack_auth.auth_url }}
|
||||
--murano-url {{ murano_internal_endpoint }}
|
||||
@ -50,7 +50,7 @@
|
||||
{{ kolla_container_engine }} exec murano_api murano
|
||||
--os-username {{ openstack_auth.username }}
|
||||
--os-password {{ openstack_auth.password }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
--os-project-name {{ openstack_auth.project_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||
--os-auth-url {{ openstack_auth.auth_url }}
|
||||
--murano-url {{ murano_internal_endpoint }}
|
||||
|
@ -11,11 +11,12 @@
|
||||
{{ kolla_container_engine }} exec kolla_toolbox openstack
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-auth-url {{ openstack_auth.auth_url }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-project-name {{ openstack_auth.project_name }}
|
||||
--os-username {{ openstack_auth.username }}
|
||||
--os-password {{ openstack_auth.password }}
|
||||
--os-identity-api-version 3
|
||||
--os-user-domain-name {{ openstack_auth.user_domain_name }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||
compute service list --format json --column Host --service nova-compute
|
||||
|
@ -149,9 +149,6 @@ amqp_durable_queues = true
|
||||
{% endif %}
|
||||
|
||||
[oslo_policy]
|
||||
# TODO(priteau): Remove enforce_* once secure RBAC is supported
|
||||
enforce_new_defaults = False
|
||||
enforce_scope = False
|
||||
{% if service_name in nova_services_require_policy_json and nova_policy_file is defined %}
|
||||
policy_file = {{ nova_policy_file }}
|
||||
{% endif %}
|
||||
|
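Review bot: Dropping `enforce_new_defaults = False` and `enforce_scope = False` from `[oslo_policy]` leaves both options to Nova's built-in defaults, which differ between releases, so the effective policy enforcement now changes implicitly with the deployed Nova version rather than being pinned in nova.conf. That is consistent with moving Nova to project-scoped tokens, but the release note added by this commit only mentions the token change; a sentence stating that Kolla no longer sets these two options, and that operators using a custom `policy_file` (the line kept below) should verify their rules against the defaults of their release, would make the upgrade impact visible. The `{% endif %}` above closes a block that starts outside the hunk.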
@ -76,7 +76,8 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
|
||||
username: "{{ keystone_admin_user }}"
|
||||
password: "{{ keystone_admin_password }}"
|
||||
user_domain_name: "{{ default_user_domain_name }}"
|
||||
system_scope: "all"
|
||||
project_name: "{{ keystone_admin_project }}"
|
||||
domain_name: "default"
|
||||
|
||||
.. note::
|
||||
|
||||
|
@ -0,0 +1,9 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
OpenStack services (except Ironic and Keystone) stopped supporting
|
||||
the system scope in their API policy. Kolla who started using the
|
||||
system scope token during the OpenStack Xena release needs to revert
|
||||
it and use the project scope token to perform those services API
|
||||
operations. The Ironic and Keystone operations are still performed
|
||||
using the system scope token.
|