From 6af3cb9eb273c127c20bc07f65c9a5d7f8ba95cd Mon Sep 17 00:00:00 2001
From: Julia Kreger
Date: Thu, 11 Mar 2021 11:28:47 -0800
Subject: [PATCH] nova ironic-hypevisor - support scoped auth config
The Secure RBAC effort has updated Ironic such that it can support a mode where it is scope enforcing for all interactions with the API. Due to the design, and operating nature of Ironic's API, services speaking with it must authenticate with a system scope to have a full picture of the universe. In this case, we need to update the nova configuration accordingly such that the compute service understands how to talk to ironic so that it can see the nodes under management. Ironic will likely update this again at a later point in time to enable a "hybrid" mixed-mode as the operating model and related permissions *should* allow nova to use a project scoped "owner" account with Ironic, in order to access and command nodes to deploy. But at this time, we're focusing on the exclusive operating mode.
Change-Id: I1946725ce08c495178c419eaf38829f921c91bbe
Needed-By: https://review.opendev.org/c/openstack/ironic/+/778957
---
 functions-common | 5 +++++
 lib/nova_plugins/hypervisor-ironic | 9 ++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/functions-common b/functions-common
index 340da754a2..11679e4aa3 100644
--- a/functions-common
+++ b/functions-common
@@ -1037,6 +1037,11 @@ function is_ironic_hardware {
 return 1
 }
+function is_ironic_enforce_scope {
+is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]] && return 0
+return 1
+}
+
 # Package Functions
 # =================
diff --git a/lib/nova_plugins/hypervisor-ironic b/lib/nova_plugins/hypervisor-ironic
index bda6ef6998..f058e9bb53 100644
--- a/lib/nova_plugins/hypervisor-ironic
+++ b/lib/nova_plugins/hypervisor-ironic
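Review bot: `is_ironic_enforce_scope` accepts only the exact literal `True`, so a value of `true`, `yes` or `1` in local.conf silently fails the test and the caller falls through to project-scoped credentials against an Ironic that enforces system scope, a mismatch that only shows up as authentication failures at runtime rather than at configuration time. If the file's boolean normaliser is in scope here (devstack's `trueorfalse`, presumably defined elsewhere in functions-common), route the comparison through it: `is_service_enabled ironic && [[ "$(trueorfalse False IRONIC_ENFORCE_SCOPE)" == "True" ]] && return 0`. The new helper also carries no comment saying what the flag means for callers; I would add above it `# Returns 0 when Ironic is enabled and IRONIC_ENFORCE_SCOPE is True, i.e. services must present a system-scoped token to Ironic's API.`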
@@ -47,9 +47,13 @@ function configure_nova_hypervisor {
 iniset $NOVA_CONF ironic username admin
 iniset $NOVA_CONF ironic password $ADMIN_PASSWORD
 iniset $NOVA_CONF ironic auth_url $KEYSTONE_SERVICE_URI
-iniset $NOVA_CONF ironic project_domain_id default
+if is_ironic_enforce_scope; then
+iniset $NOVA_CONF ironic system_scope all
+else
+iniset $NOVA_CONF ironic project_domain_id default
+iniset $NOVA_CONF ironic project_name demo
+fi
 iniset $NOVA_CONF ironic user_domain_id default
-iniset $NOVA_CONF ironic project_name demo
 iniset $NOVA_CONF ironic region_name $REGION_NAME
 # These are used with crufty legacy ironicclient
@@ -82,7 +86,6 @@ function stop_nova_hypervisor {
 :
 }
-
 # Restore xtrace
 $_XTRACE_HYP_IRONIC
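Review bot: In the enforce-scope branch nova is handed `system_scope all` while `username admin` and `password $ADMIN_PASSWORD` remain unconditional above the `if`, so the compute service ends up holding the broadest token Keystone issues rather than a credential limited to the nodes it deploys; the commit message says an owner-scoped account should become possible later, and that intent belongs in the code so it is not lost. I would add above the `if`: `# Ironic in exclusive enforce-scope mode accepts only system-scoped tokens; revisit once a project-scoped "owner" credential is supported.` Note also that `system_scope all` only yields a token if the `admin` user actually has a system-scoped role assignment in Keystone, which this hunk does not create, so confirm the devstack identity setup grants it; otherwise the failure appears at the first token request instead of here. `configure_nova_hypervisor` starts before and continues after this hunk.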