From 6af3cb9eb273c127c20bc07f65c9a5d7f8ba95cd Mon Sep 17 00:00:00 2001
From: Julia Kreger <juliaashleykreger@gmail.com>
Date: Thu, 11 Mar 2021 11:28:47 -0800
Subject: [PATCH] nova ironic-hypevisor - support scoped auth config

The Secure RBAC effort has updated Ironic such that it
can support a mode where it is scope enforcing for all
interactions with the API. Due to the design, and operating
nature of Ironic's API, services speaking with it must
authenticate with a system scope to have a full picture
of the universe.

In this case, we need to update the nova configuration
accordingly such that the compute service understands
how to talk to ironic so that it can see the nodes under
management.

Ironic will likely update this again at a later point in
time to enable a "hybrid" mixed-mode as the operating model
and related permissions *should* allow nova to use a project
scoped "owner" account with Ironic, in order to access
and command nodes to deploy. But at this time, we're
focusing on the exclusive operating mode.

Change-Id: I1946725ce08c495178c419eaf38829f921c91bbe
Needed-By: https://review.opendev.org/c/openstack/ironic/+/778957
---
 functions-common                   | 5 +++++
 lib/nova_plugins/hypervisor-ironic | 9 ++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/functions-common b/functions-common
index 340da754a2..11679e4aa3 100644
--- a/functions-common
+++ b/functions-common
@@ -1037,6 +1037,11 @@ function is_ironic_hardware {
     return 1
 }
 
+function is_ironic_enforce_scope {
+    is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]] && return 0
+    return 1
+}
+
 
 # Package Functions
 # =================
diff --git a/lib/nova_plugins/hypervisor-ironic b/lib/nova_plugins/hypervisor-ironic
index bda6ef6998..f058e9bb53 100644
--- a/lib/nova_plugins/hypervisor-ironic
+++ b/lib/nova_plugins/hypervisor-ironic
@@ -47,9 +47,13 @@ function configure_nova_hypervisor {
     iniset $NOVA_CONF ironic username admin
     iniset $NOVA_CONF ironic password $ADMIN_PASSWORD
     iniset $NOVA_CONF ironic auth_url $KEYSTONE_SERVICE_URI
-    iniset $NOVA_CONF ironic project_domain_id default
+    if is_ironic_enforce_scope; then
+        iniset $NOVA_CONF ironic system_scope all
+    else
+        iniset $NOVA_CONF ironic project_domain_id default
+        iniset $NOVA_CONF ironic project_name demo
+    fi
     iniset $NOVA_CONF ironic user_domain_id default
-    iniset $NOVA_CONF ironic project_name demo
     iniset $NOVA_CONF ironic region_name $REGION_NAME
 
     # These are used with crufty legacy ironicclient
@@ -82,7 +86,6 @@ function stop_nova_hypervisor {
     :
 }
 
-
 # Restore xtrace
 $_XTRACE_HYP_IRONIC