Merge "Remove system scope token to access services"

This commit is contained in:
Zuul 2023-01-30 13:03:13 +00:00 committed by Gerrit Code Review
commit 98139b0f10
12 changed files with 35 additions and 28 deletions


@ -883,8 +883,9 @@ openstack_auth:
auth_url: "{{ keystone_internal_url }}"
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
user_domain_name: "{{ default_user_domain_name }}"
system_scope: "all"
project_name: "{{ keystone_admin_project }}"
domain_name: "default"
user_domain_name: "default"
#######################
# Glance options
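Review bot: `user_domain_name` appears twice in the `openstack_auth` mapping on the new side — once as `"{{ default_user_domain_name }}"` above `project_name` and once as the literal `"default"` after `domain_name`; a YAML mapping may not repeat a key, and the loader Ansible uses silently keeps the last value, so the templated entry would be overridden by the literal. If both lines really are in the resulting file, drop `user_domain_name: "default"` so the configured `default_user_domain_name` takes effect. The new `domain_name` key is consumed as the project domain elsewhere in this change (the nova template passes it as `--os-project-domain-name`), so a comment such as `# domain of the admin project; used as the project domain by project-scoped clients` above it would make the distinction from `user_domain_name` explicit.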


@ -15,9 +15,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
os_username = {{ openstack_auth.username }}
os_password = {{ openstack_auth.password }}
os_auth_url = {{ openstack_auth.auth_url }}
os_project_name = {{ keystone_admin_project }}
# TODO: transition to system scoped token when freezer supports that
# configuration option, os_project_domain_name should be removed.
os_project_name = {{ openstack_auth.project_name }}
os_project_domain_name = {{ default_project_domain_name }}
os_user_domain_name = {{ openstack_auth.user_domain_name }}
{% endif %}
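Review bot: `os_project_domain_name` still reads `default_project_domain_name` while `os_project_name` now comes from `openstack_auth.project_name`, so the project and its domain are sourced from two unrelated variables and can disagree if an operator overrides only one of them. The `openstack_auth` mapping gains a `domain_name` entry in this same change; assuming it resolves to the same domain, `os_project_domain_name = {{ openstack_auth.domain_name }}` would keep the freezer credentials derived from a single place. The removed TODO documented the intended move to a system-scoped token; a one-line replacement comment stating that freezer is driven with a project-scoped token would keep the intent visible. The enclosing `{% if %}` block starts outside the hunk.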


@ -235,7 +235,7 @@ heat_ks_roles:
- "{{ heat_stack_user_role }}"
heat_ks_user_roles:
- project: "{{ keystone_admin_project }}"
- project: "{{ openstack_auth.project_name }}"
user: "{{ openstack_auth.username }}"
role: "{{ heat_stack_owner_role }}"


@ -15,8 +15,8 @@
OS_INTERFACE: "internal"
OS_USERNAME: "{{ openstack_auth.username }}"
OS_PASSWORD: "{{ openstack_auth.password }}"
OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
OS_REGION_NAME: "{{ openstack_region_name }}"
OS_CACERT: "{{ openstack_cacert | default(omit) }}"
HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
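Review bot: `OS_PROJECT_NAME` is now exported without an `OS_PROJECT_DOMAIN_NAME` anywhere in the visible part of this environment block; keystoneauth's v3 password plugin rejects a project name that is not qualified by a project domain, because project names are only unique within a domain. If the domain is not exported elsewhere in this block, add `OS_PROJECT_DOMAIN_NAME: "{{ openstack_auth.domain_name }}"` next to `OS_PROJECT_NAME`, matching what the nova `compute service list` call in this change passes as `--os-project-domain-name`. The environment mapping starts outside the hunk.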


@ -9,7 +9,7 @@
--os-password {{ openstack_auth.password }}
--os-identity-api-version 3
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-system-scope "all"
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
baremetal node list --format json --column "Provisioning State"
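Review bot: The system scope is now the literal `"all"` on the `--os-system-scope` line, and the same literal is repeated on every `--os-system-scope` line of the keystone task file in this change, so the one remaining scope setting is spread across a dozen call sites instead of one variable. Since Ironic and Keystone keep using a system-scoped token while everything else moves to a project scope (as the release note states), a short comment above this command, e.g. `# Ironic still requires a system-scoped token; other services use openstack_auth.project_name`, would explain why this call differs from the project-scoped ones. The command's leading options are outside the hunk.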


@ -3,7 +3,7 @@
become: true
command: >
{{ kolla_container_engine }} exec keystone kolla_keystone_bootstrap
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
register: keystone_bootstrap
changed_when: (keystone_bootstrap.stdout | from_json).changed


@ -7,7 +7,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -28,9 +28,9 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping delete {{ item }}
@ -64,7 +64,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -85,7 +85,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -106,7 +106,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -127,7 +127,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -147,7 +147,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -170,7 +170,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-system-scope "all"
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
@ -192,7 +192,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -214,7 +214,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
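Review bot: In the `mapping delete` command (hunk `@ -28,9 +28,9`), `--os-system-scope="all"` is passed twice in the same invocation, separated only by `--os-user-domain-name`; the second occurrence is redundant and should be dropped so the command reads like the other keystone calls. The touched commands also mix `--os-interface {{ ... }}` with `--os-interface={{ ... }}` and `--os-system-scope "all"` with `--os-system-scope="all"` — harmless for the CLI, but worth unifying while every one of these lines is being rewritten. Unrelated to this change but visible in hunk `@ -127,7 +127,7`, `--os-region-name={ openstack_region_name }}` has an unbalanced brace; if that is not an artifact of the page rendering, it is emitted literally and no region is passed, and it should read `--os-region-name={{ openstack_region_name }}`. Each command's leading lines are outside its hunk.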


@ -18,7 +18,7 @@
{{ kolla_container_engine }} exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-project-name {{ openstack_auth.project_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_internal_endpoint }}
@ -34,7 +34,7 @@
{{ kolla_container_engine }} exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-project-name {{ openstack_auth.project_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_internal_endpoint }}
@ -50,7 +50,7 @@
{{ kolla_container_engine }} exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-project-name {{ openstack_auth.project_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_internal_endpoint }}
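Review bot: Each of the three murano commands now passes `--os-project-name`, but none of the visible lines passes a project domain; with the v3 identity API a project name alone is ambiguous and keystoneauth refuses to build the credentials without a project domain name or id. If the domain is not already given on an option line outside these hunks, add `--os-project-domain-name {{ openstack_auth.domain_name }}` after `--os-project-name` in all three commands, as the nova template in this change does. Each command starts and ends outside its hunk.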


@ -11,11 +11,12 @@
{{ kolla_container_engine }} exec kolla_toolbox openstack
--os-interface {{ openstack_interface }}
--os-auth-url {{ openstack_auth.auth_url }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-project-name {{ openstack_auth.project_name }}
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-identity-api-version 3
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
compute service list --format json --column Host --service nova-compute


@ -149,9 +149,6 @@ amqp_durable_queues = true
{% endif %}
[oslo_policy]
# TODO(priteau): Remove enforce_* once secure RBAC is supported
enforce_new_defaults = False
enforce_scope = False
{% if service_name in nova_services_require_policy_json and nova_policy_file is defined %}
policy_file = {{ nova_policy_file }}
{% endif %}


@ -76,7 +76,8 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
user_domain_name: "{{ default_user_domain_name }}"
system_scope: "all"
project_name: "{{ keystone_admin_project }}"
domain_name: "default"
.. note::


@ -0,0 +1,9 @@
---
upgrade:
- |
OpenStack services (except Ironic and Keystone) stopped supporting
the system scope in their API policy. Kolla who started using the
system scope token during the OpenStack Xena release needs to revert
it and use the project scope token to perform those services API
operations. The Ironic and Keystone operations are still performed
using the system scope token.