openstack/kolla-ansible
Code Issues Proposed changes

Merge "Remove system scope token to access services"

Browse Source
This commit is contained in:
Zuul 2023-01-30 13:03:13 +00:00 committed by Gerrit Code Review
commit 98139b0f10
12 changed files with 35 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ansible/group_vars/all.yml
View File

@ -883,8 +883,9 @@ openstack_auth:
auth_url: "{{ keystone_internal_url }}"
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
user_domain_name: "{{ default_user_domain_name }}"
system_scope: "all"
project_name: "{{ keystone_admin_project }}"
domain_name: "default"
user_domain_name: "default"
#######################
# Glance options

4
ansible/roles/freezer/templates/freezer.conf.j2
View File

@ -15,9 +15,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
os_username = {{ openstack_auth.username }}
os_password = {{ openstack_auth.password }}
os_auth_url = {{ openstack_auth.auth_url }}
os_project_name = {{ keystone_admin_project }}
# TODO: transition to system scoped token when freezer supports that
# configuration option, os_project_domain_name should be removed.
os_project_name = {{ openstack_auth.project_name }}
os_project_domain_name = {{ default_project_domain_name }}
os_user_domain_name = {{ openstack_auth.user_domain_name }}
{% endif %}

2
ansible/roles/heat/defaults/main.yml
View File

@ -235,7 +235,7 @@ heat_ks_roles:
- "{{ heat_stack_user_role }}"
heat_ks_user_roles:
- project: "{{ keystone_admin_project }}"
- project: "{{ openstack_auth.project_name }}"
user: "{{ openstack_auth.username }}"
role: "{{ heat_stack_owner_role }}"

2
ansible/roles/heat/tasks/bootstrap_service.yml
View File

@ -15,8 +15,8 @@
OS_INTERFACE: "internal"
OS_USERNAME: "{{ openstack_auth.username }}"
OS_PASSWORD: "{{ openstack_auth.password }}"
OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
OS_REGION_NAME: "{{ openstack_region_name }}"
OS_CACERT: "{{ openstack_cacert | default(omit) }}"
HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"

2
ansible/roles/ironic/tasks/upgrade.yml
View File

@ -9,7 +9,7 @@
--os-password {{ openstack_auth.password }}
--os-identity-api-version 3
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-system-scope "all"
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
baremetal node list --format json --column "Provisioning State"

2
ansible/roles/keystone/tasks/register.yml
View File

@ -3,7 +3,7 @@
become: true
command: >
{{ kolla_container_engine }} exec keystone kolla_keystone_bootstrap
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
register: keystone_bootstrap
changed_when: (keystone_bootstrap.stdout | from_json).changed

22
ansible/roles/keystone/tasks/register_identity_providers.yml
View File

@ -7,7 +7,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -28,9 +28,9 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping delete {{ item }}
@ -64,7 +64,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -85,7 +85,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -106,7 +106,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -127,7 +127,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -147,7 +147,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -170,7 +170,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-system-scope "all"
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
@ -192,7 +192,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -214,7 +214,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}

6
ansible/roles/murano/tasks/import_library_packages.yml
View File

@ -18,7 +18,7 @@
{{ kolla_container_engine }} exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-project-name {{ openstack_auth.project_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_internal_endpoint }}
@ -34,7 +34,7 @@
{{ kolla_container_engine }} exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-project-name {{ openstack_auth.project_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_internal_endpoint }}
@ -50,7 +50,7 @@
{{ kolla_container_engine }} exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-project-name {{ openstack_auth.project_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_internal_endpoint }}

3
ansible/roles/nova-cell/tasks/wait_discover_computes.yml
View File

@ -11,11 +11,12 @@
{{ kolla_container_engine }} exec kolla_toolbox openstack
--os-interface {{ openstack_interface }}
--os-auth-url {{ openstack_auth.auth_url }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-project-name {{ openstack_auth.project_name }}
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-identity-api-version 3
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
compute service list --format json --column Host --service nova-compute

3
ansible/roles/nova/templates/nova.conf.j2
View File

@ -149,9 +149,6 @@ amqp_durable_queues = true
{% endif %}
[oslo_policy]
# TODO(priteau): Remove enforce_* once secure RBAC is supported
enforce_new_defaults = False
enforce_scope = False
{% if service_name in nova_services_require_policy_json and nova_policy_file is defined %}
policy_file = {{ nova_policy_file }}
{% endif %}

3
doc/source/user/multi-regions.rst
View File

@ -76,7 +76,8 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
user_domain_name: "{{ default_user_domain_name }}"
system_scope: "all"
project_name: "{{ keystone_admin_project }}"
domain_name: "default"
.. note::

9
releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml Normal file
View File

@ -0,0 +1,9 @@
---
upgrade:
- |
OpenStack services (except Ironic and Keystone) stopped supporting
the system scope in their API policy. Kolla who started using the
system scope token during the OpenStack Xena release needs to revert
it and use the project scope token to perform those services API
operations. The Ironic and Keystone operations are still performed
using the system scope token.