Merge "Remove system scope token to access services"

2023-01-30 13:03:13 +00:00 · 2023-01-30 13:03:13 +00:00 · 98139b0f10
commit 98139b0f10
parent 38ccebb8cb 283fa242ca
12 changed files with 35 additions and 28 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -883,8 +883,9 @@ openstack_auth:
  auth_url: "{{ keystone_internal_url }}"
  username: "{{ keystone_admin_user }}"
  password: "{{ keystone_admin_password }}"
-  user_domain_name: "{{ default_user_domain_name }}"
+  project_name: "{{ keystone_admin_project }}"
-  system_scope: "all"
+  domain_name: "default"
  user_domain_name: "default"
 #######################
 # Glance options
--- a/ansible/roles/freezer/templates/freezer.conf.j2
+++ b/ansible/roles/freezer/templates/freezer.conf.j2
@ -15,9 +15,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
 os_username = {{ openstack_auth.username }}
 os_password = {{ openstack_auth.password }}
 os_auth_url = {{ openstack_auth.auth_url }}
-os_project_name = {{ keystone_admin_project }}
+os_project_name = {{ openstack_auth.project_name }}
 # TODO: transition to system scoped token when freezer supports that
 # configuration option, os_project_domain_name should be removed.
 os_project_domain_name = {{ default_project_domain_name }}
 os_user_domain_name = {{ openstack_auth.user_domain_name }}
 {% endif %}
--- a/ansible/roles/heat/defaults/main.yml
+++ b/ansible/roles/heat/defaults/main.yml
@ -235,7 +235,7 @@ heat_ks_roles:
  - "{{ heat_stack_user_role }}"
 heat_ks_user_roles:
-  - project: "{{ keystone_admin_project }}"
+  - project: "{{ openstack_auth.project_name }}"
    user: "{{ openstack_auth.username }}"
    role: "{{ heat_stack_owner_role }}"
--- a/ansible/roles/heat/tasks/bootstrap_service.yml
+++ b/ansible/roles/heat/tasks/bootstrap_service.yml
@ -15,8 +15,8 @@
      OS_INTERFACE: "internal"
      OS_USERNAME: "{{ openstack_auth.username }}"
      OS_PASSWORD: "{{ openstack_auth.password }}"
      OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
      OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
      OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
      OS_REGION_NAME: "{{ openstack_region_name }}"
      OS_CACERT: "{{ openstack_cacert | default(omit) }}"
      HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
--- a/ansible/roles/ironic/tasks/upgrade.yml
+++ b/ansible/roles/ironic/tasks/upgrade.yml
@ -9,7 +9,7 @@
    --os-password {{ openstack_auth.password }}
    --os-identity-api-version 3
    --os-user-domain-name {{ openstack_auth.user_domain_name }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-system-scope "all"
    --os-region-name {{ openstack_region_name }}
    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
    baremetal node list --format json --column "Provisioning State"
--- a/ansible/roles/keystone/tasks/register.yml
+++ b/ansible/roles/keystone/tasks/register.yml
@ -3,7 +3,7 @@
  become: true
  command: >
    {{ kolla_container_engine }} exec keystone kolla_keystone_bootstrap
-    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
+    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
    admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
  register: keystone_bootstrap
  changed_when: (keystone_bootstrap.stdout | from_json).changed
--- a/ansible/roles/keystone/tasks/register_identity_providers.yml
+++ b/ansible/roles/keystone/tasks/register_identity_providers.yml
@ -7,7 +7,7 @@
      --os-username={{ openstack_auth.username }}
      --os-identity-api-version=3
      --os-interface={{ openstack_interface }}
-      --os-system-scope={{ openstack_auth.system_scope }}
+      --os-system-scope="all"
      --os-user-domain-name={{ openstack_auth.user_domain_name }}
      --os-region-name={{ openstack_region_name }}
      {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -28,9 +28,9 @@
    --os-username={{ openstack_auth.username }}
    --os-identity-api-version=3
    --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
    --os-user-domain-name={{ openstack_auth.user_domain_name }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
    --os-region-name={{ openstack_region_name }}
    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
    mapping delete {{ item }}
@ -64,7 +64,7 @@
    --os-username={{ openstack_auth.username }}
    --os-identity-api-version=3
    --os-interface {{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
    --os-user-domain-name={{ openstack_auth.user_domain_name }}
    --os-region-name={{ openstack_region_name }}
    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -85,7 +85,7 @@
    --os-username={{ openstack_auth.username }}
    --os-identity-api-version=3
    --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
    --os-user-domain-name={{ openstack_auth.user_domain_name }}
    --os-region-name={{ openstack_region_name }}
    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -106,7 +106,7 @@
    --os-username={{ openstack_auth.username }}
    --os-identity-api-version=3
    --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
    --os-user-domain-name={{ openstack_auth.user_domain_name }}
    --os-region-name={{ openstack_region_name }}
    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -127,7 +127,7 @@
    --os-username={{ openstack_auth.username }}
    --os-identity-api-version=3
    --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
    --os-user-domain-name={{ openstack_auth.user_domain_name }}
    --os-region-name={ openstack_region_name }}
    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -147,7 +147,7 @@
    --os-username={{ openstack_auth.username }}
    --os-identity-api-version=3
    --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
    --os-user-domain-name={{ openstack_auth.user_domain_name }}
    --os-region-name={{ openstack_region_name }}
    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -170,7 +170,7 @@
    --os-username={{ openstack_auth.username }}
    --os-identity-api-version=3
    --os-interface {{ openstack_interface }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-system-scope "all"
    --os-user-domain-name {{ openstack_auth.user_domain_name }}
    --os-region-name {{ openstack_region_name }}
    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
@ -192,7 +192,7 @@
    --os-username={{ openstack_auth.username }}
    --os-identity-api-version=3
    --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
    --os-user-domain-name={{ openstack_auth.user_domain_name }}
    --os-region-name={{ openstack_region_name }}
    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -214,7 +214,7 @@
    --os-username={{ openstack_auth.username }}
    --os-identity-api-version=3
    --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
    --os-user-domain-name={{ openstack_auth.user_domain_name }}
    --os-region-name={{ openstack_region_name }}
    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
--- a/ansible/roles/murano/tasks/import_library_packages.yml
+++ b/ansible/roles/murano/tasks/import_library_packages.yml
@ -18,7 +18,7 @@
    {{ kolla_container_engine }} exec murano_api murano
    --os-username {{ openstack_auth.username }}
    --os-password {{ openstack_auth.password }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-project-name {{ openstack_auth.project_name }}
    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
    --os-auth-url {{ openstack_auth.auth_url }}
    --murano-url {{ murano_internal_endpoint }}
@ -34,7 +34,7 @@
    {{ kolla_container_engine }} exec murano_api murano
    --os-username {{ openstack_auth.username }}
    --os-password {{ openstack_auth.password }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-project-name {{ openstack_auth.project_name }}
    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
    --os-auth-url {{ openstack_auth.auth_url }}
    --murano-url {{ murano_internal_endpoint }}
@ -50,7 +50,7 @@
    {{ kolla_container_engine }} exec murano_api murano
    --os-username {{ openstack_auth.username }}
    --os-password {{ openstack_auth.password }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-project-name {{ openstack_auth.project_name }}
    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
    --os-auth-url {{ openstack_auth.auth_url }}
    --murano-url {{ murano_internal_endpoint }}
--- a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
+++ b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
@ -11,11 +11,12 @@
        {{ kolla_container_engine }} exec kolla_toolbox openstack
        --os-interface {{ openstack_interface }}
        --os-auth-url {{ openstack_auth.auth_url }}
        --os-project-domain-name {{ openstack_auth.domain_name }}
        --os-project-name {{ openstack_auth.project_name }}
        --os-username {{ openstack_auth.username }}
        --os-password {{ openstack_auth.password }}
        --os-identity-api-version 3
        --os-user-domain-name {{ openstack_auth.user_domain_name }}
        --os-system-scope {{ openstack_auth.system_scope }}
        --os-region-name {{ openstack_region_name }}
        {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
        compute service list --format json --column Host --service nova-compute
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@ -149,9 +149,6 @@ amqp_durable_queues = true
 {% endif %}
 [oslo_policy]
 # TODO(priteau): Remove enforce_* once secure RBAC is supported
 enforce_new_defaults = False
 enforce_scope = False
 {% if service_name in nova_services_require_policy_json and nova_policy_file is defined %}
 policy_file = {{ nova_policy_file }}
 {% endif %}
--- a/doc/source/user/multi-regions.rst
+++ b/doc/source/user/multi-regions.rst
@ -76,7 +76,8 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
       username: "{{ keystone_admin_user }}"
       password: "{{ keystone_admin_password }}"
       user_domain_name: "{{ default_user_domain_name }}"
-       system_scope: "all"
+       project_name: "{{ keystone_admin_project }}"
       domain_name: "default"
 .. note::
--- a/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml
+++ b/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml
@ -0,0 +1,9 @@
 ---
 upgrade:
  - |
    OpenStack services (except Ironic and Keystone) stopped supporting
    the system scope in their API policy. Kolla who started using the
    system scope token during the OpenStack Xena release needs to revert
    it and use the project scope token to perform those services API
    operations. The Ironic and Keystone operations are still performed
    using the system scope token.