fix keystone auth scope
Fixes bifrost so it utilizes: * The admin role, instead of the long deprecated baremetal_admin role. * Utilizes system scope and admin scoped access where needed for during installation self-test commands to execute as expected. * The user utilized for inspector's keystone access now utilizes the "admin" role instead of the baremetal_admin role. Closes-Bug: 2051168 Change-Id: I090520547846a7a8d85bd032a52d6da039761186
This commit is contained in:
Dmitry Tantsur
Julia Kreger
parent
c64f6ba5c1
commit
9bf1fde62a
@ -51,6 +51,7 @@
|
||||
config_project_name: "{{ keystone.bootstrap.project_name }}"
|
||||
config_region_name: "{{ keystone.bootstrap.region_name }}"
|
||||
config_auth_url: "{{ keystone.bootstrap.public_url }}"
|
||||
config_system_scope: true
|
||||
- role: bifrost-create-dib-image
|
||||
dib_imagename: "{{ http_boot_folder }}/ipa"
|
||||
build_ramdisk: false
|
||||
|
||||
@ -134,22 +134,6 @@
|
||||
ca_cert: "{{ tls_certificate_path | default(omit) }}"
|
||||
environment: "{{ bifrost_venv_env }}"
|
||||
|
||||
- name: "Create baremetal_admin role"
|
||||
openstack.cloud.identity_role:
|
||||
name: "baremetal_admin"
|
||||
state: present
|
||||
auth: "{{ keystone_auth }}"
|
||||
ca_cert: "{{ tls_certificate_path | default(omit) }}"
|
||||
environment: "{{ bifrost_venv_env }}"
|
||||
|
||||
- name: "Create baremetal_observer role"
|
||||
openstack.cloud.identity_role:
|
||||
name: "baremetal_observer"
|
||||
state: present
|
||||
auth: "{{ keystone_auth }}"
|
||||
ca_cert: "{{ tls_certificate_path | default(omit) }}"
|
||||
environment: "{{ bifrost_venv_env }}"
|
||||
|
||||
- name: "Create baremetal project"
|
||||
os_project:
|
||||
name: "baremetal"
|
||||
@ -175,7 +159,7 @@
|
||||
- name: "Associate bifrost user with baremetal_admin"
|
||||
openstack.cloud.role_assignment:
|
||||
user: "{{ ironic.keystone.default_username }}"
|
||||
role: "baremetal_admin"
|
||||
role: "admin"
|
||||
project: "baremetal"
|
||||
auth: "{{ keystone_auth }}"
|
||||
wait: yes
|
||||
|
||||
@ -133,10 +133,10 @@
|
||||
ca_cert: "{{ tls_certificate_path | default(omit) }}"
|
||||
environment: "{{ bifrost_venv_env }}"
|
||||
|
||||
- name: "Associate inspector_user with baremetal_admin"
|
||||
- name: "Associate inspector_user with admin role"
|
||||
openstack.cloud.role_assignment:
|
||||
user: "{{ ironic_inspector.keystone.default_username }}"
|
||||
role: "baremetal_admin"
|
||||
role: "admin"
|
||||
project: baremetal
|
||||
auth: "{{ keystone_auth }}"
|
||||
wait: yes
|
||||
|
||||
@ -17,11 +17,10 @@
|
||||
testing_env:
|
||||
OS_AUTH_TYPE: password
|
||||
OS_AUTH_URL: "{{ ironic.service_catalog.auth_url }}"
|
||||
OS_USERNAME: "{{ ironic.service_catalog.username }}"
|
||||
OS_PASSWORD: "{{ ironic.service_catalog.password }}"
|
||||
OS_PROJECT_NAME: "{{ ironic.service_catalog.project_name }}"
|
||||
OS_USERNAME: "{{ admin_username }}"
|
||||
OS_PASSWORD: "{{ admin_password }}"
|
||||
OS_USER_DOMAIN_NAME: default
|
||||
OS_PROJECT_DOMAIN_NAME: default
|
||||
OS_SYSTEM_SCOPE: all
|
||||
when: enable_keystone | bool
|
||||
no_log: yes
|
||||
|
||||
|
||||
@ -8,10 +8,14 @@ clouds:
|
||||
auth:
|
||||
username: "{{ cloud.1.config_username }}"
|
||||
password: "{{ cloud.1.config_password }}"
|
||||
project_name: "{{ cloud.1.config_project_name }}"
|
||||
auth_url: {{ cloud.1.config_auth_url }}
|
||||
project_domain_id: "{{ cloud.1.config_project_domain_id | default('default') }}"
|
||||
user_domain_id: "{{ cloud.1.config_user_domain_id | default('default') }}"
|
||||
{% if cloud.1.config_system_scope | default(false) | bool %}
|
||||
system_scope: "all"
|
||||
{% else %}
|
||||
project_name: "{{ cloud.1.config_project_name }}"
|
||||
project_domain_id: "{{ cloud.1.config_project_domain_id | default('default') }}"
|
||||
{% endif %}
|
||||
identity_api_version: "3"
|
||||
{% if enable_tls | bool %}
|
||||
cacert: "{{ tls_certificate_path }}"
|
||||
|
||||
@ -12,13 +12,17 @@ case "$1" in
|
||||
{% for cloud in clouds | default({}) | dictsort %}
|
||||
# Section for {{ cloud.0 }}
|
||||
"{{ cloud.0 }}")
|
||||
export OS_PROJECT_DOMAIN_NAME="{{ cloud.1.config_project_domain_id | default('default') }}"
|
||||
export OS_USER_DOMAIN_NAME="{{ cloud.1.config_user_domain_id | default('default') }}"
|
||||
export OS_PROJECT_NAME="{{ cloud.1.config_project_name }}"
|
||||
export OS_USERNAME="{{ cloud.1.config_username }}"
|
||||
export OS_PASSWORD="{{ cloud.1.config_password }}"
|
||||
export OS_AUTH_URL={{ cloud.1.config_auth_url }}
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
export OS_USER_DOMAIN_NAME="{{ cloud.1.config_user_domain_id | default('default') }}"
|
||||
{% if cloud.1.config_system_scope | default(false) | bool %}
|
||||
export OS_SYSTEM_SCOPE=all
|
||||
{% else %}
|
||||
export OS_PROJECT_NAME="{{ cloud.1.config_project_name }}"
|
||||
export OS_PROJECT_DOMAIN_NAME="{{ cloud.1.config_project_domain_id | default('default') }}"
|
||||
{% endif %}
|
||||
;;
|
||||
{% endfor %}
|
||||
*) echo -e "\nERROR unsupported or unspecified profile: $1\nMust be one of {{ clouds | default({}) | dictsort | map(attribute='0') | join(',') }}";;
|
||||
|
||||
@ -0,0 +1,10 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Fixes Bifrost's creation of accounts and Keystone account usage to align
|
||||
with the newer role based access control within Ironic. Ironic deprecated
|
||||
the legacy access policy, which utilized custom roles ``baremetal_admin``
|
||||
and ``baremetal_observer`` in the Wallaby release of OpenStack, and
|
||||
Bifrost now utilizes a mix of a project scoped and system scoped
|
||||
``admin`` accounts with Keystone to facilitate authentication
|
||||
and authorization to resources.
|
||||
Loading…
x
Reference in New Issue
Block a user