Transition Keystone admin user to system scope

A system-scoped token implies the user has authorization to act on the
deployment system. These tokens are useful for interacting with
resources that affect the deployment as a whole, or expose resources
that may otherwise violate project or domain isolation.

Since Queens, the keystone-manage bootstrap command assigns the admin
role to the admin user with system scope, as well as in the admin
project. This patch transitions the Keystone admin user from
authenticating using project scoped tokens to system scoped tokens.
This is a necessary step towards being able to enable the updated oslo
policies in services that allow finer grained access to system-level
resources and APIs.

An etherpad with discussion about the transition to the new oslo
service policies is:

https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible

Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585
Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>
Niklas Hagman 2019-11-19 15:42:46 +01:00 committed by headphonejames
parent 3455105321
commit 2e933dceb5
17 changed files with 97 additions and 96 deletions


@ -884,9 +884,8 @@ openstack_auth:
auth_url: "{{ keystone_admin_url }}"
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
project_name: "{{ keystone_admin_project }}"
domain_name: "default"
user_domain_name: "default"
user_domain_name: "{{ default_user_domain_name }}"
system_scope: "all"
#######################
# Glance options
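Review bot: `domain_name: "default"` stays hard-coded on the line before `user_domain_name`, which is now taken from `{{ default_user_domain_name }}`; the templates that keep project scope (freezer, skydive) read `openstack_auth.domain_name` as the project domain, so if that line survives unchanged it should follow the same pattern, e.g. `domain_name: "{{ default_project_domain_name }}"` if that variable exists alongside `default_project_domain_id` — whether the line is context or removed cannot be told from the rendered hunk. The mapping also deserves a comment saying what the new key means, since every kolla_toolbox call now carries a deployment-wide token: `# system_scope: "all" requests a system-scoped (cloud-wide admin) token; consumers that still need project scope must pass keystone_admin_project explicitly`.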


@ -7,7 +7,7 @@
--os-auth-url={{ openstack_auth.auth_url }} \
--os-password={{ openstack_auth.password }} \
--os-username={{ openstack_auth.username }} \
--os-project-name={{ openstack_auth.project_name }} \
--os-system-scope={{ openstack_auth.system_scope }}
secret store -f value -p kolla | head -1
register: barbican_store_secret
run_once: True
@ -20,7 +20,7 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-system-scope={{ openstack_auth.system_scope }}
secret get -f value -p {{ barbican_store_secret.stdout }}
register: barbican_get_secret
failed_when: barbican_get_secret.stdout != 'kolla'
@ -34,7 +34,7 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-system-scope={{ openstack_auth.system_scope }}
secret delete {{ barbican_store_secret.stdout }}
run_once: True
when: kolla_enable_sanity_barbican | bool
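Review bot: Barbican secrets are owned by a project and a system-scoped token carries no project, so the `secret store` on the new side of the first hunk may be refused by barbican's policy or stored without a project — the sanity check would then either fail or exercise something other than a normal project-scoped store. This needs verifying against a real deployment; if it does not pass, these three tasks are candidates for keeping `--os-project-name={{ keystone_admin_project }}` and `--os-project-domain-name={{ openstack_auth.domain_name }}` the way freezer keeps project scope, rather than `--os-system-scope`. The task definitions begin above each hunk.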


@ -15,8 +15,10 @@ jobs_dir = /etc/freezer/scheduler/conf.d
os_username = {{ openstack_auth.username }}
os_password = {{ openstack_auth.password }}
os_auth_url = {{ openstack_auth.auth_url }}/v3
os_project_name = {{ openstack_auth.project_name }}
os_project_name = {{ keystone_admin_project }}
os_project_domain_name = {{ openstack_auth.domain_name }}
# TODO: transition to system scoped token when freezer supports that
# configuration option
os_user_domain_name = {{ openstack_auth.user_domain_name }}
{% endif %}
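Review bot: The new TODO comment is wedged between `os_project_domain_name` and `os_user_domain_name`, splitting the project/user settings it refers to, and it does not say why project scope is retained here. Move it above `os_project_name` and make the reason explicit: `# Freezer scheduler has no system-scope option yet, so it keeps a project-scoped token on the admin project (TODO: switch to system scope once freezer supports it)`. The `{% if %}` this block belongs to opens above the hunk.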


@ -219,7 +219,7 @@ heat_ks_roles:
- "{{ heat_stack_user_role }}"
heat_ks_user_roles:
- project: "{{ openstack_auth.project_name }}"
- project: "{{ keystone_admin_project }}"
user: "{{ openstack_auth.username }}"
role: "{{ heat_stack_owner_role }}"


@ -15,7 +15,8 @@
OS_INTERFACE: "internal"
OS_USERNAME: "{{ openstack_auth.username }}"
OS_PASSWORD: "{{ openstack_auth.password }}"
OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
OS_REGION_NAME: "{{ openstack_region_name }}"
OS_CACERT: "{{ openstack_cacert | default(omit) }}"
HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"


@ -75,7 +75,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
[cinder]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
@ -89,7 +89,7 @@ cafile = {{ openstack_cacert }}
[glance]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
@ -103,7 +103,7 @@ cafile = {{ openstack_cacert }}
[neutron]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
@ -118,7 +118,7 @@ cafile = {{ openstack_cacert }}
[nova]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
@ -132,7 +132,7 @@ cafile = {{ openstack_cacert }}
[swift]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
project_name = service
username = {{ ironic_keystone_user }}
@ -146,7 +146,7 @@ cafile = {{ openstack_cacert }}
{% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
@ -163,7 +163,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
{% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
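Review bot: The `[cinder]`, `[glance]`, `[neutron]`, `[nova]` and both inspector sections still hard-code `user_domain_id = default` directly under the newly templated `project_domain_id = {{ default_project_domain_id }}`, while the `[swift]` section already uses `user_domain_id = {{ default_user_domain_id }}`; a deployment that overrides the default user domain would authenticate these service users against the wrong domain. Make the remaining sections consistent: `user_domain_id = {{ default_user_domain_id }}`. These service-user sections are unrelated to the admin-user system-scope transition and would be cleaner as a separate change.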


@ -3,7 +3,7 @@
become: true
command: >
docker exec keystone kolla_keystone_bootstrap
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
register: keystone_bootstrap
changed_when: (keystone_bootstrap.stdout | from_json).changed
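Review bot: The rewritten command still passes `{{ openstack_auth.password }}` as a positional argument to `docker exec`, so the Keystone admin password is visible in the host process list and, unless the task sets `no_log: true` (the task header is above the hunk and not visible), in Ansible's output and logs. If it is not already there, add `no_log: true` next to `register: keystone_bootstrap`; the `changed_when` still works with `no_log` since it reads the registered result rather than printed output.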


@ -5,13 +5,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping list -c ID --format value
run_once: True
become: True
@ -27,13 +26,13 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping delete {{ item }}
run_once: True
become: true
@ -62,13 +61,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping create
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
{{ item.name }}
@ -84,15 +82,14 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping set
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
--rules="{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
{{ item.name }}
run_once: True
when:
@ -106,13 +103,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
identity provider list -c ID --format value
run_once: True
register: existing_idps_register
@ -128,13 +124,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
identity provider delete {{ item }}
run_once: True
with_items: "{{ existing_idps }}"
@ -149,13 +144,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name{{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
identity provider create
--description "{{ item.public_name }}"
--remote-id "{{ item.identifier }}"
@ -173,11 +167,10 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
identity provider set
@ -196,13 +189,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
federation protocol create
--mapping {{ item.attribute_mapping }}
--identity-provider {{ item.name }}
@ -219,13 +211,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
federation protocol set
--identity-provider {{ item.name }}
--mapping {{ item.attribute_mapping }}
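Review bot: The identity-provider-create hunk has `--os-user-domain-name{{ openstack_auth.user_domain_name }}` with no `=`, which renders as one unknown option (e.g. `--os-user-domain-nameDefault`) and makes the task fail; it must read `--os-user-domain-name={{ openstack_auth.user_domain_name }}`. Two sibling hunks carry the same kind of slip: the identity-provider-delete hunk's `--os-region-name={ openstack_region_name }}` is not a Jinja expression and passes that literal text as the region, and the mapping-delete hunk lists `--os-system-scope={{ openstack_auth.system_scope }}` twice. The identity-provider-set hunk also keeps the space-separated option style that every other hunk switched to `=`; worth aligning. Each task's `command:` key opens above its hunk.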


@ -17,8 +17,8 @@
command: >
docker exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }}
--os-project-name {{ openstack_auth.project_name }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ keystone_admin_url }}
--murano-url {{ murano_admin_endpoint }}
@ -33,10 +33,10 @@
command: >
docker exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }}
--os-project-name {{ openstack_auth.project_name }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ keystone_admin_url }}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_admin_endpoint }}
package-import --exists-action u --is-public /io.murano.zip
run_once: True
@ -49,10 +49,10 @@
command: >
docker exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }}
--os-project-name {{ openstack_auth.project_name }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ keystone_admin_url }}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_admin_endpoint }}
package-import --exists-action u --is-public /io.murano.applications.zip
run_once: True
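Review bot: The first hunk keeps `--os-auth-url {{ keystone_admin_url }}` while the other two murano tasks were switched to `--os-auth-url {{ openstack_auth.auth_url }}`; the values coincide today because `openstack_auth.auth_url` is defined as `keystone_admin_url`, but the first task will drift if `openstack_auth` is overridden, so change it to `--os-auth-url {{ openstack_auth.auth_url }}` as well. It is also worth confirming that the muranoclient shell in use accepts `--os-system-scope` and that `package-import --is-public` succeeds without a project in the token; if either fails, these tasks need `--os-project-name {{ keystone_admin_project }}` instead. The task definitions begin above each hunk.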


@ -28,13 +28,12 @@
command: >
docker exec kolla_toolbox openstack
--os-interface {{ openstack_interface }}
--os-auth-url {{ keystone_admin_url }}
--os-identity-api-version 3
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-project-name {{ openstack_auth.project_name }}
--os-auth-url {{ openstack_auth.auth_url }}
--os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-password {{ openstack_auth.password }}
--os-identity-api-version 3
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
compute service list --format json --column Host --service nova-compute


@ -41,7 +41,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{
skydive_analyzer_tag: "{{ skydive_tag }}"
skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}"
skydive_admin_tenant_name: "{{ keystone_admin_project }}"
skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
skydive_agent_tag: "{{ skydive_tag }}"
skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"


@ -45,11 +45,12 @@ agent:
- ovsdb
{% endif %}
### TODO migrate from tenant_name to system_scope when supported in skydive
neutron:
auth_url: {{ keystone_internal_url }}/v3
username: {{ openstack_auth['username'] }}
password: {{ openstack_auth['password'] }}
tenant_name: {{ openstack_auth['project_name'] }}
tenant_name: {{ skydive_admin_tenant_name }}
region_name: {{ openstack_region_name }}
domain_name: Default
endpoint_type: internal
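Review bot: The new `tenant_name: {{ skydive_admin_tenant_name }}` and the adjacent `password: {{ openstack_auth['password'] }}` are unquoted YAML scalars in a Jinja template, so a value containing `: ` or ` #`, or starting with `*`, `&`, `[` or `{`, changes the parsed document — for the admin password that means a broken config or a silently truncated credential. Render both through `to_json`, which yields a valid double-quoted YAML scalar with escapes: `password: {{ openstack_auth['password'] | to_json }}` and `tenant_name: {{ skydive_admin_tenant_name | to_json }}`. Separately, `domain_name: Default` is hard-coded here while `openstack_auth.domain_name` is `default`; nothing in this diff establishes that Keystone treats the name case-insensitively, so it should probably come from the same variable.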


@ -1,5 +1,6 @@
### Skydive analyzer config file
### TODO migrate from tenant_name to system_scope when supported in skydive
auth:
keystone:
type: keystone


@ -52,7 +52,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
auth_url = {{ keystone_internal_url }}/v3
region_name = {{ openstack_region_name }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = admin
password = {{ vitrage_keystone_password }}
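Review bot: `project_name = admin` and `user_domain_id = default` stay hard-coded immediately next to the newly templated `project_domain_id = {{ default_project_domain_id }}`, so a deployment with a renamed admin project or a non-default user domain breaks vitrage's credential even though the rest of this commit moved to `{{ keystone_admin_project }}` and `{{ default_user_domain_id }}`. Suggest `project_name = {{ keystone_admin_project }}` and `user_domain_id = {{ default_user_domain_id }}`. Scoping a service user to the admin project, rather than the `service` project used for ironic's credentials, also deserves a one-line comment saying why vitrage needs it. The section header is above the hunk.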


@ -73,11 +73,11 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
openstack_auth:
auth_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}"
username: "admin"
auth_url: "{{ keystone_admin_url }}"
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
project_name: "admin"
domain_name: "default"
user_domain_name: "{{ default_user_domain_name }}"
system_scope: "all"
.. note::


@ -0,0 +1,8 @@
---
features:
- Transitions to using system-scoped tokens when authenticating as the
Keystone admin user. This is a necessary step towards being able to
enable the updated oslo policies in services that allow finer grained
access to system-level resources and APIs. Since Queens, the admin role
is assigned to the admin user with system scope as well as in the admin
project.


@ -95,7 +95,6 @@ if [[ $ENABLE_EXT_NET -eq 1 ]]; then
fi
# Get admin user and tenant IDs
ADMIN_USER_ID=$($KOLLA_OPENSTACK_COMMAND user list | awk '/ admin / {print $2}')
ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}')
ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}')