Transition Keystone admin user to system scope

A system-scoped token implies the user has authorization to act on the
deployment system. These tokens are useful for interacting with
resources that affect the deployment as a whole, or exposes resources
that may otherwise violate project or domain isolation.

Since Queens, the keystone-manage bootstrap command assigns the admin
role to the admin user with system scope, as well as in the admin
project. This patch transitions the Keystone admin user from
authenticating using project scoped tokens to system scoped tokens.
This is a necessary step towards being able to enable the updated oslo
policies in services that allow finer grained access to system-level
resources and APIs.

An etherpad with discussion about the transition to the new oslo
service policies is:

https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible

Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585
Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>
This commit is contained in:
Niklas Hagman 2019-11-19 15:42:46 +01:00 committed by headphonejames
parent 3455105321
commit 2e933dceb5
17 changed files with 97 additions and 96 deletions

View File

@ -884,9 +884,8 @@ openstack_auth:
auth_url: "{{ keystone_admin_url }}" auth_url: "{{ keystone_admin_url }}"
username: "{{ keystone_admin_user }}" username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}" password: "{{ keystone_admin_password }}"
project_name: "{{ keystone_admin_project }}" user_domain_name: "{{ default_user_domain_name }}"
domain_name: "default" system_scope: "all"
user_domain_name: "default"
####################### #######################
# Glance options # Glance options

View File

@ -7,7 +7,7 @@
--os-auth-url={{ openstack_auth.auth_url }} \ --os-auth-url={{ openstack_auth.auth_url }} \
--os-password={{ openstack_auth.password }} \ --os-password={{ openstack_auth.password }} \
--os-username={{ openstack_auth.username }} \ --os-username={{ openstack_auth.username }} \
--os-project-name={{ openstack_auth.project_name }} \ --os-system-scope={{ openstack_auth.system_scope }}
secret store -f value -p kolla | head -1 secret store -f value -p kolla | head -1
register: barbican_store_secret register: barbican_store_secret
run_once: True run_once: True
@ -20,7 +20,7 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }} --os-system-scope={{ openstack_auth.system_scope }}
secret get -f value -p {{ barbican_store_secret.stdout }} secret get -f value -p {{ barbican_store_secret.stdout }}
register: barbican_get_secret register: barbican_get_secret
failed_when: barbican_get_secret.stdout != 'kolla' failed_when: barbican_get_secret.stdout != 'kolla'
@ -34,7 +34,7 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }} --os-system-scope={{ openstack_auth.system_scope }}
secret delete {{ barbican_store_secret.stdout }} secret delete {{ barbican_store_secret.stdout }}
run_once: True run_once: True
when: kolla_enable_sanity_barbican | bool when: kolla_enable_sanity_barbican | bool

View File

@ -15,8 +15,10 @@ jobs_dir = /etc/freezer/scheduler/conf.d
os_username = {{ openstack_auth.username }} os_username = {{ openstack_auth.username }}
os_password = {{ openstack_auth.password }} os_password = {{ openstack_auth.password }}
os_auth_url = {{ openstack_auth.auth_url }}/v3 os_auth_url = {{ openstack_auth.auth_url }}/v3
os_project_name = {{ openstack_auth.project_name }} os_project_name = {{ keystone_admin_project }}
os_project_domain_name = {{ openstack_auth.domain_name }} os_project_domain_name = {{ openstack_auth.domain_name }}
# TODO: transition to system scoped token when freezer supports that
# configuration option
os_user_domain_name = {{ openstack_auth.user_domain_name }} os_user_domain_name = {{ openstack_auth.user_domain_name }}
{% endif %} {% endif %}

View File

@ -219,7 +219,7 @@ heat_ks_roles:
- "{{ heat_stack_user_role }}" - "{{ heat_stack_user_role }}"
heat_ks_user_roles: heat_ks_user_roles:
- project: "{{ openstack_auth.project_name }}" - project: "{{ keystone_admin_project }}"
user: "{{ openstack_auth.username }}" user: "{{ openstack_auth.username }}"
role: "{{ heat_stack_owner_role }}" role: "{{ heat_stack_owner_role }}"

View File

@ -15,7 +15,8 @@
OS_INTERFACE: "internal" OS_INTERFACE: "internal"
OS_USERNAME: "{{ openstack_auth.username }}" OS_USERNAME: "{{ openstack_auth.username }}"
OS_PASSWORD: "{{ openstack_auth.password }}" OS_PASSWORD: "{{ openstack_auth.password }}"
OS_PROJECT_NAME: "{{ openstack_auth.project_name }}" OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
OS_REGION_NAME: "{{ openstack_region_name }}" OS_REGION_NAME: "{{ openstack_region_name }}"
OS_CACERT: "{{ openstack_cacert | default(omit) }}" OS_CACERT: "{{ openstack_cacert | default(omit) }}"
HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}" HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"

View File

@ -75,7 +75,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
[cinder] [cinder]
auth_url = {{ keystone_admin_url }} auth_url = {{ keystone_admin_url }}
auth_type = password auth_type = password
project_domain_id = default project_domain_id = {{ default_project_domain_id }}
user_domain_id = default user_domain_id = default
project_name = service project_name = service
username = {{ ironic_keystone_user }} username = {{ ironic_keystone_user }}
@ -89,7 +89,7 @@ cafile = {{ openstack_cacert }}
[glance] [glance]
auth_url = {{ keystone_admin_url }} auth_url = {{ keystone_admin_url }}
auth_type = password auth_type = password
project_domain_id = default project_domain_id = {{ default_project_domain_id }}
user_domain_id = default user_domain_id = default
project_name = service project_name = service
username = {{ ironic_keystone_user }} username = {{ ironic_keystone_user }}
@ -103,7 +103,7 @@ cafile = {{ openstack_cacert }}
[neutron] [neutron]
auth_url = {{ keystone_admin_url }} auth_url = {{ keystone_admin_url }}
auth_type = password auth_type = password
project_domain_id = default project_domain_id = {{ default_project_domain_id }}
user_domain_id = default user_domain_id = default
project_name = service project_name = service
username = {{ ironic_keystone_user }} username = {{ ironic_keystone_user }}
@ -118,7 +118,7 @@ cafile = {{ openstack_cacert }}
[nova] [nova]
auth_url = {{ keystone_admin_url }} auth_url = {{ keystone_admin_url }}
auth_type = password auth_type = password
project_domain_id = default project_domain_id = {{ default_project_domain_id }}
user_domain_id = default user_domain_id = default
project_name = service project_name = service
username = {{ ironic_keystone_user }} username = {{ ironic_keystone_user }}
@ -146,7 +146,7 @@ cafile = {{ openstack_cacert }}
{% if ironic_enable_keystone_integration | bool %} {% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_admin_url }} auth_url = {{ keystone_admin_url }}
auth_type = password auth_type = password
project_domain_id = default project_domain_id = {{ default_project_domain_id }}
user_domain_id = default user_domain_id = default
project_name = service project_name = service
username = {{ ironic_keystone_user }} username = {{ ironic_keystone_user }}
@ -163,7 +163,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
{% if ironic_enable_keystone_integration | bool %} {% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_admin_url }} auth_url = {{ keystone_admin_url }}
auth_type = password auth_type = password
project_domain_id = default project_domain_id = {{ default_project_domain_id }}
user_domain_id = default user_domain_id = default
project_name = service project_name = service
username = {{ ironic_keystone_user }} username = {{ ironic_keystone_user }}

View File

@ -3,7 +3,7 @@
become: true become: true
command: > command: >
docker exec keystone kolla_keystone_bootstrap docker exec keystone kolla_keystone_bootstrap
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }} {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }} admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
register: keystone_bootstrap register: keystone_bootstrap
changed_when: (keystone_bootstrap.stdout | from_json).changed changed_when: (keystone_bootstrap.stdout | from_json).changed

View File

@ -5,13 +5,12 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3 --os-identity-api-version=3
--os-interface {{ openstack_interface }} --os-interface={{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }} --os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }} --os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping list -c ID --format value mapping list -c ID --format value
run_once: True run_once: True
become: True become: True
@ -27,13 +26,13 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3 --os-identity-api-version=3
--os-interface {{ openstack_interface }} --os-interface={{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }} --os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }} --os-system-scope={{ openstack_auth.system_scope }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} --os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping delete {{ item }} mapping delete {{ item }}
run_once: True run_once: True
become: true become: true
@ -62,13 +61,12 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3 --os-identity-api-version=3
--os-interface {{ openstack_interface }} --os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }} --os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }} --os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping create mapping create
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}" --rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
{{ item.name }} {{ item.name }}
@ -84,15 +82,14 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3 --os-identity-api-version=3
--os-interface {{ openstack_interface }} --os-interface={{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }} --os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }} --os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping set mapping set
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}" --rules="{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
{{ item.name }} {{ item.name }}
run_once: True run_once: True
when: when:
@ -106,13 +103,12 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3 --os-identity-api-version=3
--os-interface {{ openstack_interface }} --os-interface={{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }} --os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }} --os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
identity provider list -c ID --format value identity provider list -c ID --format value
run_once: True run_once: True
register: existing_idps_register register: existing_idps_register
@ -128,13 +124,12 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3 --os-identity-api-version=3
--os-interface {{ openstack_interface }} --os-interface={{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }} --os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }} --os-region-name={ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
identity provider delete {{ item }} identity provider delete {{ item }}
run_once: True run_once: True
with_items: "{{ existing_idps }}" with_items: "{{ existing_idps }}"
@ -149,13 +144,12 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3 --os-identity-api-version=3
--os-interface {{ openstack_interface }} --os-interface={{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }} --os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-user-domain-name{{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }} --os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
identity provider create identity provider create
--description "{{ item.public_name }}" --description "{{ item.public_name }}"
--remote-id "{{ item.identifier }}" --remote-id "{{ item.identifier }}"
@ -173,11 +167,10 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3 --os-identity-api-version=3
--os-interface {{ openstack_interface }} --os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }} --os-system-scope {{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }} --os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
identity provider set identity provider set
@ -196,13 +189,12 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3 --os-identity-api-version=3
--os-interface {{ openstack_interface }} --os-interface={{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }} --os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }} --os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
federation protocol create federation protocol create
--mapping {{ item.attribute_mapping }} --mapping {{ item.attribute_mapping }}
--identity-provider {{ item.name }} --identity-provider {{ item.name }}
@ -219,13 +211,12 @@
--os-auth-url={{ openstack_auth.auth_url }} --os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }} --os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }} --os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3 --os-identity-api-version=3
--os-interface {{ openstack_interface }} --os-interface={{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }} --os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }} --os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
federation protocol set federation protocol set
--identity-provider {{ item.name }} --identity-provider {{ item.name }}
--mapping {{ item.attribute_mapping }} --mapping {{ item.attribute_mapping }}

View File

@ -17,8 +17,8 @@
command: > command: >
docker exec murano_api murano docker exec murano_api murano
--os-username {{ openstack_auth.username }} --os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }} --os-password {{ openstack_auth.password }}
--os-project-name {{ openstack_auth.project_name }} --os-system-scope {{ openstack_auth.system_scope }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ keystone_admin_url }} --os-auth-url {{ keystone_admin_url }}
--murano-url {{ murano_admin_endpoint }} --murano-url {{ murano_admin_endpoint }}
@ -33,10 +33,10 @@
command: > command: >
docker exec murano_api murano docker exec murano_api murano
--os-username {{ openstack_auth.username }} --os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }} --os-password {{ openstack_auth.password }}
--os-project-name {{ openstack_auth.project_name }} --os-system-scope {{ openstack_auth.system_scope }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ keystone_admin_url }} --os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_admin_endpoint }} --murano-url {{ murano_admin_endpoint }}
package-import --exists-action u --is-public /io.murano.zip package-import --exists-action u --is-public /io.murano.zip
run_once: True run_once: True
@ -49,10 +49,10 @@
command: > command: >
docker exec murano_api murano docker exec murano_api murano
--os-username {{ openstack_auth.username }} --os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }} --os-password {{ openstack_auth.password }}
--os-project-name {{ openstack_auth.project_name }} --os-system-scope {{ openstack_auth.system_scope }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ keystone_admin_url }} --os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_admin_endpoint }} --murano-url {{ murano_admin_endpoint }}
package-import --exists-action u --is-public /io.murano.applications.zip package-import --exists-action u --is-public /io.murano.applications.zip
run_once: True run_once: True

View File

@ -28,13 +28,12 @@
command: > command: >
docker exec kolla_toolbox openstack docker exec kolla_toolbox openstack
--os-interface {{ openstack_interface }} --os-interface {{ openstack_interface }}
--os-auth-url {{ keystone_admin_url }} --os-auth-url {{ openstack_auth.auth_url }}
--os-identity-api-version 3
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-project-name {{ openstack_auth.project_name }}
--os-username {{ openstack_auth.username }} --os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }} --os-password {{ openstack_auth.password }}
--os-user-domain-name {{ openstack_auth.domain_name }} --os-identity-api-version 3
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-region-name {{ openstack_region_name }} --os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
compute service list --format json --column Host --service nova-compute compute service list --format json --column Host --service nova-compute

View File

@ -41,7 +41,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{
skydive_analyzer_tag: "{{ skydive_tag }}" skydive_analyzer_tag: "{{ skydive_tag }}"
skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}" skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}" skydive_admin_tenant_name: "{{ keystone_admin_project }}"
skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent" skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
skydive_agent_tag: "{{ skydive_tag }}" skydive_agent_tag: "{{ skydive_tag }}"
skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}" skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"

View File

@ -45,11 +45,12 @@ agent:
- ovsdb - ovsdb
{% endif %} {% endif %}
### TODO migrate from tenant_name to system_scope when supported in skydive
neutron: neutron:
auth_url: {{ keystone_internal_url }}/v3 auth_url: {{ keystone_internal_url }}/v3
username: {{ openstack_auth['username'] }} username: {{ openstack_auth['username'] }}
password: {{ openstack_auth['password'] }} password: {{ openstack_auth['password'] }}
tenant_name: {{ openstack_auth['project_name'] }} tenant_name: {{ skydive_admin_tenant_name }}
region_name: {{ openstack_region_name }} region_name: {{ openstack_region_name }}
domain_name: Default domain_name: Default
endpoint_type: internal endpoint_type: internal

View File

@ -1,5 +1,6 @@
### Skydive analyzer config file ### Skydive analyzer config file
### TODO migrate from tenant_name to system_scope when supported in skydive
auth: auth:
keystone: keystone:
type: keystone type: keystone

View File

@ -52,7 +52,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
auth_url = {{ keystone_internal_url }}/v3 auth_url = {{ keystone_internal_url }}/v3
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
auth_type = password auth_type = password
project_domain_id = default project_domain_id = {{ default_project_domain_id }}
user_domain_id = default user_domain_id = default
project_name = admin project_name = admin
password = {{ vitrage_keystone_password }} password = {{ vitrage_keystone_password }}

View File

@ -73,11 +73,11 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}" keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
openstack_auth: openstack_auth:
auth_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}" auth_url: "{{ keystone_admin_url }}"
username: "admin" username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}" password: "{{ keystone_admin_password }}"
project_name: "admin" user_domain_name: "{{ default_user_domain_name }}"
domain_name: "default" system_scope: "all"
.. note:: .. note::

View File

@ -0,0 +1,8 @@
---
features:
- Transitions to using system-scoped tokens when authenticating as the
Keystone admin user. This is a necessary step towards being able to
enable the updated oslo policies in services that allow finer grained
access to system-level resources and APIs. Since Queens, the admin role
is assigned to the admin user with system scope as well as in the admin
project.

View File

@ -95,7 +95,6 @@ if [[ $ENABLE_EXT_NET -eq 1 ]]; then
fi fi
# Get admin user and tenant IDs # Get admin user and tenant IDs
ADMIN_USER_ID=$($KOLLA_OPENSTACK_COMMAND user list | awk '/ admin / {print $2}')
ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}') ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}')
ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}') ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}')