From 2e933dceb591c3505f35c2c1de924f3978fb81a7 Mon Sep 17 00:00:00 2001 From: Niklas Hagman Date: Tue, 19 Nov 2019 15:42:46 +0100 Subject: [PATCH] Transition Keystone admin user to system scope A system-scoped token implies the user has authorization to act on the deployment system. These tokens are useful for interacting with resources that affect the deployment as a whole, or expose resources that may otherwise violate project or domain isolation. Since Queens, the keystone-manage bootstrap command assigns the admin role to the admin user with system scope, as well as in the admin project. This patch transitions the Keystone admin user from authenticating using project scoped tokens to system scoped tokens. This is a necessary step towards being able to enable the updated oslo policies in services that allow finer grained access to system-level resources and APIs. An etherpad with discussion about the transition to the new oslo service policies is: https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585 
Signed-off-by: Niklas Hagman --- ansible/group_vars/all.yml | 5 +- ansible/roles/barbican/tasks/check.yml | 6 +- .../roles/freezer/templates/freezer.conf.j2 | 4 +- ansible/roles/heat/defaults/main.yml | 2 +- .../roles/heat/tasks/bootstrap_service.yml | 3 +- ansible/roles/ironic/templates/ironic.conf.j2 | 14 +-- ansible/roles/keystone/tasks/register.yml | 2 +- .../tasks/register_identity_providers.yml | 105 ++++++++---------- .../murano/tasks/import_library_packages.yml | 16 +-- .../nova-cell/tasks/discover_computes.yml | 11 +- ansible/roles/skydive/defaults/main.yml | 2 +- .../skydive/templates/skydive-agent.conf.j2 | 3 +- .../templates/skydive-analyzer.conf.j2 | 1 + .../roles/vitrage/templates/vitrage.conf.j2 | 2 +- doc/source/user/multi-regions.rst | 8 +- ...auth-to-system-scope-900db3265861ebde.yaml | 8 ++ tools/init-runonce | 1 - 17 files changed, 97 insertions(+), 96 deletions(-) create mode 100644 releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index a90aeb89c9..c685db2f66 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -884,9 +884,8 @@ openstack_auth: auth_url: "{{ keystone_admin_url }}" username: "{{ keystone_admin_user }}" password: "{{ keystone_admin_password }}" - project_name: "{{ keystone_admin_project }}" - domain_name: "default" - user_domain_name: "default" + user_domain_name: "{{ default_user_domain_name }}" + system_scope: "all" ####################### # Glance options diff --git a/ansible/roles/barbican/tasks/check.yml b/ansible/roles/barbican/tasks/check.yml index 66692756c7..bba2f1d885 100644 --- a/ansible/roles/barbican/tasks/check.yml +++ b/ansible/roles/barbican/tasks/check.yml 
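Review bot: Dropping `domain_name` from the `openstack_auth` mapping in hunk `@@ -884,9 +884,8 @@` leaves a dangling reference in `freezer.conf.j2`, whose hunk `@@ -15,8 +15,10 @@` still renders `os_project_domain_name = {{ openstack_auth.domain_name }}`; with Ansible's default strictness on undefined variables that template task would fail. The fix belongs in the freezer hunk, `os_project_domain_name = {{ default_project_domain_name }}`, the project-domain counterpart of the `default_user_domain_name` introduced here (confirm that variable is defined in group_vars before relying on it). A short comment on this mapping would also help later readers, e.g. `# system_scope replaces project_name/domain_name; consumers that still need a project use keystone_admin_project`.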
@@ -7,7 +7,7 @@ --os-auth-url={{ openstack_auth.auth_url }} \ --os-password={{ openstack_auth.password }} \ --os-username={{ openstack_auth.username }} \ - --os-project-name={{ openstack_auth.project_name }} \ + --os-system-scope={{ openstack_auth.system_scope }} secret store -f value -p kolla | head -1 register: barbican_store_secret run_once: True @@ -20,7 +20,7 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} + --os-system-scope={{ openstack_auth.system_scope }} secret get -f value -p {{ barbican_store_secret.stdout }} register: barbican_get_secret failed_when: barbican_get_secret.stdout != 'kolla' @@ -34,7 +34,7 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} + --os-system-scope={{ openstack_auth.system_scope }} secret delete {{ barbican_store_secret.stdout }} run_once: True when: kolla_enable_sanity_barbican | bool diff --git a/ansible/roles/freezer/templates/freezer.conf.j2 b/ansible/roles/freezer/templates/freezer.conf.j2 index b48ec6c864..aaa07dcb78 100644 --- a/ansible/roles/freezer/templates/freezer.conf.j2 +++ b/ansible/roles/freezer/templates/freezer.conf.j2 @@ -15,8 +15,10 @@ jobs_dir = /etc/freezer/scheduler/conf.d os_username = {{ openstack_auth.username }} os_password = {{ openstack_auth.password }} os_auth_url = {{ openstack_auth.auth_url }}/v3 -os_project_name = {{ openstack_auth.project_name }} +os_project_name = {{ keystone_admin_project }} os_project_domain_name = {{ openstack_auth.domain_name }} +# TODO: transition to system scoped token when freezer supports that +# configuration option os_user_domain_name = {{ openstack_auth.user_domain_name }} {% endif %} 
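Review bot: In hunk `@@ -7,7 +7,7 @@` the added `--os-system-scope=...` line drops the trailing ` \` that the line it replaces and every preceding option line carry, so if this task's command is a literal block scalar (`shell: |`), the shell continuation ends there and `secret store -f value -p kolla | head -1` runs as a separate command instead of as part of the openstack invocation. The other two hunks in this file use no continuations, so only this task is affected. Proposed line: `--os-system-scope={{ openstack_auth.system_scope }} \`. The task header is outside the hunk, so the block-scalar style cannot be confirmed from here.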
diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml index f3b6d5f4b5..0814234ce9 100644 --- a/ansible/roles/heat/defaults/main.yml +++ b/ansible/roles/heat/defaults/main.yml @@ -219,7 +219,7 @@ heat_ks_roles: - "{{ heat_stack_user_role }}" heat_ks_user_roles: - - project: "{{ openstack_auth.project_name }}" + - project: "{{ keystone_admin_project }}" user: "{{ openstack_auth.username }}" role: "{{ heat_stack_owner_role }}" diff --git a/ansible/roles/heat/tasks/bootstrap_service.yml b/ansible/roles/heat/tasks/bootstrap_service.yml index 849d218bbb..4f166b8dc9 100644 --- a/ansible/roles/heat/tasks/bootstrap_service.yml +++ b/ansible/roles/heat/tasks/bootstrap_service.yml @@ -15,7 +15,8 @@ OS_INTERFACE: "internal" OS_USERNAME: "{{ openstack_auth.username }}" OS_PASSWORD: "{{ openstack_auth.password }}" - OS_PROJECT_NAME: "{{ openstack_auth.project_name }}" + OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}" + OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}" OS_REGION_NAME: "{{ openstack_region_name }}" OS_CACERT: "{{ openstack_cacert | default(omit) }}" HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}" diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2 index 9b7de4d5c2..77bbc3f208 100644 --- a/ansible/roles/ironic/templates/ironic.conf.j2 +++ b/ansible/roles/ironic/templates/ironic.conf.j2 @@ -75,7 +75,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres [cinder] auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} 
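Review bot: The ironic hunks `@@ -75`, `@@ -89`, `@@ -103`, `@@ -118`, `@@ -146` and `@@ -163` template `project_domain_id` from `default_project_domain_id` but leave the adjacent `user_domain_id = default` hard-coded, while the `[swift]` section at `@@ -132` already uses `{{ default_user_domain_id }}`; the vitrage hunk `@@ -52` has the same asymmetry. A deployment whose domain ids are not the defaults would then authenticate for `[swift]` but fail for every other section. Proposed line in each of those sections: `user_domain_id = {{ default_user_domain_id }}`. The removed and added lines of `@@ -132` read identically here, so that hunk presumably changes only whitespace; and since the commit message is about the admin user's scope, a sentence there (or a separate change) explaining the domain-id templating would help.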
@@ -89,7 +89,7 @@ cafile = {{ openstack_cacert }} [glance] auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} @@ -103,7 +103,7 @@ cafile = {{ openstack_cacert }} [neutron] auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} @@ -118,7 +118,7 @@ cafile = {{ openstack_cacert }} [nova] auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} @@ -132,7 +132,7 @@ cafile = {{ openstack_cacert }} [swift] auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = {{ default_project_domain_id }} +project_domain_id = {{ default_project_domain_id }} user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ ironic_keystone_user }} @@ -146,7 +146,7 @@ cafile = {{ openstack_cacert }} {% if ironic_enable_keystone_integration | bool %} auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} @@ -163,7 +163,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }} {% if ironic_enable_keystone_integration | bool %} auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} 
diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml index d79bdce8c8..4e7bdccc62 100644 --- a/ansible/roles/keystone/tasks/register.yml +++ b/ansible/roles/keystone/tasks/register.yml @@ -3,7 +3,7 @@ become: true command: > docker exec keystone kolla_keystone_bootstrap - {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }} + {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }} admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }} register: keystone_bootstrap changed_when: (keystone_bootstrap.stdout | from_json).changed diff --git a/ansible/roles/keystone/tasks/register_identity_providers.yml b/ansible/roles/keystone/tasks/register_identity_providers.yml index 40dd5b032e..d99cbe762d 100644 --- a/ansible/roles/keystone/tasks/register_identity_providers.yml +++ b/ansible/roles/keystone/tasks/register_identity_providers.yml @@ -5,13 +5,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %} mapping list -c ID --format value run_once: True become: True 
@@ -27,13 +26,13 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %} mapping delete {{ item }} run_once: True become: true @@ -62,13 +61,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %} mapping create --rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}" {{ item.name }} 
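Review bot: Hunk `@@ -27,13 +26,13 @@` passes `--os-system-scope={{ openstack_auth.system_scope }}` twice, once after `--os-interface` and again after `--os-user-domain-name`; the parser presumably keeps the last value so it is harmless today, but it will confuse the next edit — drop the second occurrence. Separately, hunk `@@ -62,13 +61,12 @@` (and `@@ -173,11 +167,10 @@` later in this file) keeps `--os-interface {{ openstack_interface }}` space-separated while the sibling hunks convert their options to `--option=value`; for consistency use `--os-interface={{ openstack_interface }}` there as well.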
@@ -84,15 +82,14 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %} mapping set - --rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}" + --rules="{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}" {{ item.name }} run_once: True when: @@ -106,13 +103,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %} identity provider list -c ID --format value run_once: True register: existing_idps_register 
@@ -128,13 +124,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %} identity provider delete {{ item }} run_once: True with_items: "{{ existing_idps }}" @@ -149,13 +144,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name{{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %} identity provider create --description "{{ item.public_name }}" --remote-id "{{ item.identifier }}" 
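Review bot: In hunk `@@ -128,13 +124,12 @@` the added line `--os-region-name={ openstack_region_name }}` has a single opening brace, so Jinja leaves it unrendered and the literal text `{ openstack_region_name }}` is passed as the region name to `identity provider delete`; endpoint lookup in that region would then fail. Proposed line: `--os-region-name={{ openstack_region_name }}`.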
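Review bot: In hunk `@@ -149,13 +144,12 @@` the added `--os-user-domain-name{{ openstack_auth.user_domain_name }}` is missing the `=`, so it renders as one unrecognised token with the option name fused to the domain value, and `identity provider create` would be rejected by the argument parser. Proposed line: `--os-user-domain-name={{ openstack_auth.user_domain_name }}`.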
@@ -173,11 +167,10 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} + --os-system-scope {{ openstack_auth.system_scope }} + --os-user-domain-name {{ openstack_auth.user_domain_name }} --os-region-name {{ openstack_region_name }} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} identity provider set @@ -196,13 +189,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %} federation protocol create --mapping {{ item.attribute_mapping }} --identity-provider {{ item.name }} 
@@ -219,13 +211,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %} federation protocol set --identity-provider {{ item.name }} --mapping {{ item.attribute_mapping }} diff --git a/ansible/roles/murano/tasks/import_library_packages.yml b/ansible/roles/murano/tasks/import_library_packages.yml index 615bfa5124..438455c44e 100644 --- a/ansible/roles/murano/tasks/import_library_packages.yml +++ b/ansible/roles/murano/tasks/import_library_packages.yml @@ -17,8 +17,8 @@ command: > docker exec murano_api murano --os-username {{ openstack_auth.username }} - --os-password {{ keystone_admin_password }} - --os-project-name {{ openstack_auth.project_name }} + --os-password {{ openstack_auth.password }} + --os-system-scope {{ openstack_auth.system_scope }} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} --os-auth-url {{ keystone_admin_url }} --murano-url {{ murano_admin_endpoint }} 
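Review bot: Hunk `@@ -17,8 +17,8 @@` of `import_library_packages.yml` still passes `--os-auth-url {{ keystone_admin_url }}` while the two following hunks in the file (`@@ -33` and `@@ -49`) switch to `{{ openstack_auth.auth_url }}`; all three package-import tasks should read the same source, `--os-auth-url {{ openstack_auth.auth_url }}`. None of the three passes `--os-user-domain-name {{ openstack_auth.user_domain_name }}` as the other CLI tasks in this patch now do, so if `default_user_domain_name` is not keystone's default domain the murano authentication would presumably fail. Whether the murano CLI in the image accepts `--os-system-scope` at all is not visible here and is worth confirming before merging.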
@@ -33,10 +33,10 @@ command: > docker exec murano_api murano --os-username {{ openstack_auth.username }} - --os-password {{ keystone_admin_password }} - --os-project-name {{ openstack_auth.project_name }} + --os-password {{ openstack_auth.password }} + --os-system-scope {{ openstack_auth.system_scope }} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} - --os-auth-url {{ keystone_admin_url }} + --os-auth-url {{ openstack_auth.auth_url }} --murano-url {{ murano_admin_endpoint }} package-import --exists-action u --is-public /io.murano.zip run_once: True @@ -49,10 +49,10 @@ command: > docker exec murano_api murano --os-username {{ openstack_auth.username }} - --os-password {{ keystone_admin_password }} - --os-project-name {{ openstack_auth.project_name }} + --os-password {{ openstack_auth.password }} + --os-system-scope {{ openstack_auth.system_scope }} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} - --os-auth-url {{ keystone_admin_url }} + --os-auth-url {{ openstack_auth.auth_url }} --murano-url {{ murano_admin_endpoint }} package-import --exists-action u --is-public /io.murano.applications.zip run_once: True diff --git a/ansible/roles/nova-cell/tasks/discover_computes.yml b/ansible/roles/nova-cell/tasks/discover_computes.yml index 1ee0e1c0ec..d13589cca8 100644 --- a/ansible/roles/nova-cell/tasks/discover_computes.yml +++ b/ansible/roles/nova-cell/tasks/discover_computes.yml 
@@ -28,13 +28,12 @@ command: > docker exec kolla_toolbox openstack --os-interface {{ openstack_interface }} - --os-auth-url {{ keystone_admin_url }} - --os-identity-api-version 3 - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-project-name {{ openstack_auth.project_name }} + --os-auth-url {{ openstack_auth.auth_url }} --os-username {{ openstack_auth.username }} - --os-password {{ keystone_admin_password }} - --os-user-domain-name {{ openstack_auth.domain_name }} + --os-password {{ openstack_auth.password }} + --os-identity-api-version 3 + --os-user-domain-name {{ openstack_auth.user_domain_name }} + --os-system-scope {{ openstack_auth.system_scope }} --os-region-name {{ openstack_region_name }} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} compute service list --format json --column Host --service nova-compute diff --git a/ansible/roles/skydive/defaults/main.yml b/ansible/roles/skydive/defaults/main.yml index b2ac934499..2d7175132c 100644 --- a/ansible/roles/skydive/defaults/main.yml +++ b/ansible/roles/skydive/defaults/main.yml @@ -41,7 +41,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{ skydive_analyzer_tag: "{{ skydive_tag }}" skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}" -skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}" +skydive_admin_tenant_name: "{{ keystone_admin_project }}" skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent" skydive_agent_tag: "{{ skydive_tag }}" skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}" diff --git a/ansible/roles/skydive/templates/skydive-agent.conf.j2 b/ansible/roles/skydive/templates/skydive-agent.conf.j2 index 15cda502a2..34dba6716c 100644 --- a/ansible/roles/skydive/templates/skydive-agent.conf.j2 
+++ b/ansible/roles/skydive/templates/skydive-agent.conf.j2 @@ -45,11 +45,12 @@ agent: - ovsdb {% endif %} +### TODO migrate from tenant_name to system_scope when supported in skydive neutron: auth_url: {{ keystone_internal_url }}/v3 username: {{ openstack_auth['username'] }} password: {{ openstack_auth['password'] }} - tenant_name: {{ openstack_auth['project_name'] }} + tenant_name: {{ skydive_admin_tenant_name }} region_name: {{ openstack_region_name }} domain_name: Default endpoint_type: internal diff --git a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 index 549bafff22..551b8dc65a 100644 --- a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 +++ b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 @@ -1,5 +1,6 @@ ### Skydive analyzer config file +### TODO migrate from tenant_name to system_scope when supported in skydive auth: keystone: type: keystone diff --git a/ansible/roles/vitrage/templates/vitrage.conf.j2 b/ansible/roles/vitrage/templates/vitrage.conf.j2 index 3fdaa2f9fb..1482f8278a 100644 --- a/ansible/roles/vitrage/templates/vitrage.conf.j2 +++ b/ansible/roles/vitrage/templates/vitrage.conf.j2 @@ -52,7 +52,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres auth_url = {{ keystone_internal_url }}/v3 region_name = {{ openstack_region_name }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = admin password = {{ vitrage_keystone_password }} diff --git a/doc/source/user/multi-regions.rst b/doc/source/user/multi-regions.rst index e2a4da6c04..98fd5a7599 100644 --- a/doc/source/user/multi-regions.rst +++ b/doc/source/user/multi-regions.rst 
@@ -73,11 +73,11 @@ the value of ``kolla_internal_fqdn`` in RegionOne: keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}" openstack_auth: - auth_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}" - username: "admin" + auth_url: "{{ keystone_admin_url }}" + username: "{{ keystone_admin_user }}" password: "{{ keystone_admin_password }}" - project_name: "admin" - domain_name: "default" + user_domain_name: "{{ default_user_domain_name }}" + system_scope: "all" .. note:: diff --git a/releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml b/releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml new file mode 100644 index 0000000000..ae7909d08b --- /dev/null +++ b/releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml @@ -0,0 +1,8 @@ +--- +features: + - Transitions to using system-scoped tokens when authenticating as the + Keystone admin user. This is a necessary step towards being able to + enable the updated oslo policies in services that allow finer grained + access to system-level resources and APIs. Since Queens, the admin role + is assigned to the admin user with system scope as well as in the admin + project. diff --git a/tools/init-runonce b/tools/init-runonce index b4b8739917..f8d7b1c179 100755 --- a/tools/init-runonce +++ b/tools/init-runonce @@ -95,7 +95,6 @@ if [[ $ENABLE_EXT_NET -eq 1 ]]; then fi # Get admin user and tenant IDs -ADMIN_USER_ID=$($KOLLA_OPENSTACK_COMMAND user list | awk '/ admin / {print $2}') ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}') ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}')