Transition Keystone admin user to system scope
A system-scoped token implies the user has authorization to act on the deployment system. These tokens are useful for interacting with resources that affect the deployment as a whole, or that expose resources which may otherwise violate project or domain isolation. Since Queens, the keystone-manage bootstrap command assigns the admin role to the admin user with system scope, as well as in the admin project. This patch transitions the Keystone admin user from authenticating with project-scoped tokens to system-scoped tokens. This is a necessary step towards being able to enable the updated oslo policies in services that allow finer-grained access to system-level resources and APIs. An etherpad with discussion about the transition to the new oslo service policies is: https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585 Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>
parent
3455105321
commit
2e933dceb5
@ -884,9 +884,8 @@ openstack_auth:
|
|||||||
auth_url: "{{ keystone_admin_url }}"
|
auth_url: "{{ keystone_admin_url }}"
|
||||||
username: "{{ keystone_admin_user }}"
|
username: "{{ keystone_admin_user }}"
|
||||||
password: "{{ keystone_admin_password }}"
|
password: "{{ keystone_admin_password }}"
|
||||||
project_name: "{{ keystone_admin_project }}"
|
user_domain_name: "{{ default_user_domain_name }}"
|
||||||
domain_name: "default"
|
system_scope: "all"
|
||||||
user_domain_name: "default"
|
|
||||||
|
|
||||||
#######################
|
#######################
|
||||||
# Glance options
|
# Glance options
|
||||||
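Review bot: The new `openstack_auth` mapping drops the `domain_name` key (the line is replaced by `system_scope: "all"`), but the freezer-scheduler template later in this same commit still renders `os_project_domain_name = {{ openstack_auth.domain_name }}` as an unchanged line, so that template now references an undefined key. Since freezer deliberately stays project-scoped (per the TODO the commit adds next to that line), point it at the deployment's project-domain variable instead, e.g. `os_project_domain_name = {{ default_project_domain_name }}` if the tree defines it, and grep for any other `openstack_auth.domain_name` / `openstack_auth.project_name` consumer the commit did not touch. A one-line comment above `system_scope`, such as `# system-scoped: this dict carries no project; project-scoped callers must use keystone_admin_project directly`, would make the new contract of the dict explicit for the next maintainer.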
|
@ -7,7 +7,7 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }} \
|
--os-auth-url={{ openstack_auth.auth_url }} \
|
||||||
--os-password={{ openstack_auth.password }} \
|
--os-password={{ openstack_auth.password }} \
|
||||||
--os-username={{ openstack_auth.username }} \
|
--os-username={{ openstack_auth.username }} \
|
||||||
--os-project-name={{ openstack_auth.project_name }} \
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
secret store -f value -p kolla | head -1
|
secret store -f value -p kolla | head -1
|
||||||
register: barbican_store_secret
|
register: barbican_store_secret
|
||||||
run_once: True
|
run_once: True
|
||||||
@ -20,7 +20,7 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
secret get -f value -p {{ barbican_store_secret.stdout }}
|
secret get -f value -p {{ barbican_store_secret.stdout }}
|
||||||
register: barbican_get_secret
|
register: barbican_get_secret
|
||||||
failed_when: barbican_get_secret.stdout != 'kolla'
|
failed_when: barbican_get_secret.stdout != 'kolla'
|
||||||
@ -34,7 +34,7 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
secret delete {{ barbican_store_secret.stdout }}
|
secret delete {{ barbican_store_secret.stdout }}
|
||||||
run_once: True
|
run_once: True
|
||||||
when: kolla_enable_sanity_barbican | bool
|
when: kolla_enable_sanity_barbican | bool
|
||||||
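Review bot: The three barbican sanity commands now authenticate with `--os-system-scope` alone, yet Barbican secrets are owned by a project; unless Barbican's policy and request context accept a system-scoped token for `secret store`/`secret get`/`secret delete`, these tasks will fail with the new credentials, which cannot be confirmed from the hunk and should be verified against a deployed Barbican before merging. None of the three commands passes a user domain, while the keystone federation tasks in this commit do; if user lookup depends on it, add `--os-user-domain-name={{ openstack_auth.user_domain_name }}` beside the new `--os-system-scope` option in each hunk. The enclosing tasks start above each hunk.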
|
@ -15,8 +15,10 @@ jobs_dir = /etc/freezer/scheduler/conf.d
|
|||||||
os_username = {{ openstack_auth.username }}
|
os_username = {{ openstack_auth.username }}
|
||||||
os_password = {{ openstack_auth.password }}
|
os_password = {{ openstack_auth.password }}
|
||||||
os_auth_url = {{ openstack_auth.auth_url }}/v3
|
os_auth_url = {{ openstack_auth.auth_url }}/v3
|
||||||
os_project_name = {{ openstack_auth.project_name }}
|
os_project_name = {{ keystone_admin_project }}
|
||||||
os_project_domain_name = {{ openstack_auth.domain_name }}
|
os_project_domain_name = {{ openstack_auth.domain_name }}
|
||||||
|
# TODO: transition to system scoped token when freezer supports that
|
||||||
|
# configuration option
|
||||||
os_user_domain_name = {{ openstack_auth.user_domain_name }}
|
os_user_domain_name = {{ openstack_auth.user_domain_name }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
@ -219,7 +219,7 @@ heat_ks_roles:
|
|||||||
- "{{ heat_stack_user_role }}"
|
- "{{ heat_stack_user_role }}"
|
||||||
|
|
||||||
heat_ks_user_roles:
|
heat_ks_user_roles:
|
||||||
- project: "{{ openstack_auth.project_name }}"
|
- project: "{{ keystone_admin_project }}"
|
||||||
user: "{{ openstack_auth.username }}"
|
user: "{{ openstack_auth.username }}"
|
||||||
role: "{{ heat_stack_owner_role }}"
|
role: "{{ heat_stack_owner_role }}"
|
||||||
|
|
||||||
|
@ -15,7 +15,8 @@
|
|||||||
OS_INTERFACE: "internal"
|
OS_INTERFACE: "internal"
|
||||||
OS_USERNAME: "{{ openstack_auth.username }}"
|
OS_USERNAME: "{{ openstack_auth.username }}"
|
||||||
OS_PASSWORD: "{{ openstack_auth.password }}"
|
OS_PASSWORD: "{{ openstack_auth.password }}"
|
||||||
OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
|
OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
|
||||||
|
OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
|
||||||
OS_REGION_NAME: "{{ openstack_region_name }}"
|
OS_REGION_NAME: "{{ openstack_region_name }}"
|
||||||
OS_CACERT: "{{ openstack_cacert | default(omit) }}"
|
OS_CACERT: "{{ openstack_cacert | default(omit) }}"
|
||||||
HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
|
HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
|
||||||
|
@ -75,7 +75,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
|
|||||||
[cinder]
|
[cinder]
|
||||||
auth_url = {{ keystone_admin_url }}
|
auth_url = {{ keystone_admin_url }}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
project_domain_id = default
|
project_domain_id = {{ default_project_domain_id }}
|
||||||
user_domain_id = default
|
user_domain_id = default
|
||||||
project_name = service
|
project_name = service
|
||||||
username = {{ ironic_keystone_user }}
|
username = {{ ironic_keystone_user }}
|
||||||
@ -89,7 +89,7 @@ cafile = {{ openstack_cacert }}
|
|||||||
[glance]
|
[glance]
|
||||||
auth_url = {{ keystone_admin_url }}
|
auth_url = {{ keystone_admin_url }}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
project_domain_id = default
|
project_domain_id = {{ default_project_domain_id }}
|
||||||
user_domain_id = default
|
user_domain_id = default
|
||||||
project_name = service
|
project_name = service
|
||||||
username = {{ ironic_keystone_user }}
|
username = {{ ironic_keystone_user }}
|
||||||
@ -103,7 +103,7 @@ cafile = {{ openstack_cacert }}
|
|||||||
[neutron]
|
[neutron]
|
||||||
auth_url = {{ keystone_admin_url }}
|
auth_url = {{ keystone_admin_url }}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
project_domain_id = default
|
project_domain_id = {{ default_project_domain_id }}
|
||||||
user_domain_id = default
|
user_domain_id = default
|
||||||
project_name = service
|
project_name = service
|
||||||
username = {{ ironic_keystone_user }}
|
username = {{ ironic_keystone_user }}
|
||||||
@ -118,7 +118,7 @@ cafile = {{ openstack_cacert }}
|
|||||||
[nova]
|
[nova]
|
||||||
auth_url = {{ keystone_admin_url }}
|
auth_url = {{ keystone_admin_url }}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
project_domain_id = default
|
project_domain_id = {{ default_project_domain_id }}
|
||||||
user_domain_id = default
|
user_domain_id = default
|
||||||
project_name = service
|
project_name = service
|
||||||
username = {{ ironic_keystone_user }}
|
username = {{ ironic_keystone_user }}
|
||||||
@ -146,7 +146,7 @@ cafile = {{ openstack_cacert }}
|
|||||||
{% if ironic_enable_keystone_integration | bool %}
|
{% if ironic_enable_keystone_integration | bool %}
|
||||||
auth_url = {{ keystone_admin_url }}
|
auth_url = {{ keystone_admin_url }}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
project_domain_id = default
|
project_domain_id = {{ default_project_domain_id }}
|
||||||
user_domain_id = default
|
user_domain_id = default
|
||||||
project_name = service
|
project_name = service
|
||||||
username = {{ ironic_keystone_user }}
|
username = {{ ironic_keystone_user }}
|
||||||
@ -163,7 +163,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
|
|||||||
{% if ironic_enable_keystone_integration | bool %}
|
{% if ironic_enable_keystone_integration | bool %}
|
||||||
auth_url = {{ keystone_admin_url }}
|
auth_url = {{ keystone_admin_url }}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
project_domain_id = default
|
project_domain_id = {{ default_project_domain_id }}
|
||||||
user_domain_id = default
|
user_domain_id = default
|
||||||
project_name = service
|
project_name = service
|
||||||
username = {{ ironic_keystone_user }}
|
username = {{ ironic_keystone_user }}
|
||||||
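Review bot: Each of the six stanzas changes `project_domain_id` to `{{ default_project_domain_id }}` but leaves `user_domain_id = default` hard-coded on the very next line, so the two domain ids can drift as soon as a deployment overrides the default. Render `user_domain_id = {{ default_user_domain_id }}` alongside it in all six hunks; the vitrage.conf hunk later in this commit has the same pattern. The `[service_catalog]`-style section each stanza belongs to begins above the hunk in the last two cases.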
|
@ -3,7 +3,7 @@
|
|||||||
become: true
|
become: true
|
||||||
command: >
|
command: >
|
||||||
docker exec keystone kolla_keystone_bootstrap
|
docker exec keystone kolla_keystone_bootstrap
|
||||||
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
|
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
|
||||||
admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
|
admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
|
||||||
register: keystone_bootstrap
|
register: keystone_bootstrap
|
||||||
changed_when: (keystone_bootstrap.stdout | from_json).changed
|
changed_when: (keystone_bootstrap.stdout | from_json).changed
|
||||||
|
@ -5,13 +5,12 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
|
||||||
--os-identity-api-version=3
|
--os-identity-api-version=3
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface={{ openstack_interface }}
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-region-name={{ openstack_region_name }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||||
mapping list -c ID --format value
|
mapping list -c ID --format value
|
||||||
run_once: True
|
run_once: True
|
||||||
become: True
|
become: True
|
||||||
@ -27,13 +26,13 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
|
||||||
--os-identity-api-version=3
|
--os-identity-api-version=3
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface={{ openstack_interface }}
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
--os-region-name={{ openstack_region_name }}
|
||||||
|
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||||
mapping delete {{ item }}
|
mapping delete {{ item }}
|
||||||
run_once: True
|
run_once: True
|
||||||
become: true
|
become: true
|
||||||
@ -62,13 +61,12 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
|
||||||
--os-identity-api-version=3
|
--os-identity-api-version=3
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface {{ openstack_interface }}
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-region-name={{ openstack_region_name }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||||
mapping create
|
mapping create
|
||||||
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
|
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
|
||||||
{{ item.name }}
|
{{ item.name }}
|
||||||
@ -84,15 +82,14 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
|
||||||
--os-identity-api-version=3
|
--os-identity-api-version=3
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface={{ openstack_interface }}
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-region-name={{ openstack_region_name }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||||
mapping set
|
mapping set
|
||||||
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
|
--rules="{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
|
||||||
{{ item.name }}
|
{{ item.name }}
|
||||||
run_once: True
|
run_once: True
|
||||||
when:
|
when:
|
||||||
@ -106,13 +103,12 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
|
||||||
--os-identity-api-version=3
|
--os-identity-api-version=3
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface={{ openstack_interface }}
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-region-name={{ openstack_region_name }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||||
identity provider list -c ID --format value
|
identity provider list -c ID --format value
|
||||||
run_once: True
|
run_once: True
|
||||||
register: existing_idps_register
|
register: existing_idps_register
|
||||||
@ -128,13 +124,12 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
|
||||||
--os-identity-api-version=3
|
--os-identity-api-version=3
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface={{ openstack_interface }}
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-region-name={ openstack_region_name }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||||
identity provider delete {{ item }}
|
identity provider delete {{ item }}
|
||||||
run_once: True
|
run_once: True
|
||||||
with_items: "{{ existing_idps }}"
|
with_items: "{{ existing_idps }}"
|
||||||
@ -149,13 +144,12 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
|
||||||
--os-identity-api-version=3
|
--os-identity-api-version=3
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface={{ openstack_interface }}
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-user-domain-name{{ openstack_auth.user_domain_name }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-region-name={{ openstack_region_name }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||||
identity provider create
|
identity provider create
|
||||||
--description "{{ item.public_name }}"
|
--description "{{ item.public_name }}"
|
||||||
--remote-id "{{ item.identifier }}"
|
--remote-id "{{ item.identifier }}"
|
||||||
@ -173,11 +167,10 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
|
||||||
--os-identity-api-version=3
|
--os-identity-api-version=3
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface {{ openstack_interface }}
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
--os-system-scope {{ openstack_auth.system_scope }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-user-domain-name {{ openstack_auth.user_domain_name }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-region-name {{ openstack_region_name }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||||
identity provider set
|
identity provider set
|
||||||
@ -196,13 +189,12 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
|
||||||
--os-identity-api-version=3
|
--os-identity-api-version=3
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface={{ openstack_interface }}
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-region-name={{ openstack_region_name }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||||
federation protocol create
|
federation protocol create
|
||||||
--mapping {{ item.attribute_mapping }}
|
--mapping {{ item.attribute_mapping }}
|
||||||
--identity-provider {{ item.name }}
|
--identity-provider {{ item.name }}
|
||||||
@ -219,13 +211,12 @@
|
|||||||
--os-auth-url={{ openstack_auth.auth_url }}
|
--os-auth-url={{ openstack_auth.auth_url }}
|
||||||
--os-password={{ openstack_auth.password }}
|
--os-password={{ openstack_auth.password }}
|
||||||
--os-username={{ openstack_auth.username }}
|
--os-username={{ openstack_auth.username }}
|
||||||
--os-project-name={{ openstack_auth.project_name }}
|
|
||||||
--os-identity-api-version=3
|
--os-identity-api-version=3
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface={{ openstack_interface }}
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
--os-system-scope={{ openstack_auth.system_scope }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-region-name={{ openstack_region_name }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||||
federation protocol set
|
federation protocol set
|
||||||
--identity-provider {{ item.name }}
|
--identity-provider {{ item.name }}
|
||||||
--mapping {{ item.attribute_mapping }}
|
--mapping {{ item.attribute_mapping }}
|
||||||
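Review bot: Two of the rewritten credential blocks in this file are broken: the identity-provider delete task renders `--os-region-name={ openstack_region_name }}` (a single opening brace, so Jinja passes the text through verbatim and the CLI receives a literal region name), and the identity-provider create task renders `--os-user-domain-name{{ openstack_auth.user_domain_name }}` with the `=` missing, which the client will reject as an unknown option. The fixes are `--os-region-name={{ openstack_region_name }}` and `--os-user-domain-name={{ openstack_auth.user_domain_name }}`. The mapping delete task also ends up with `--os-system-scope={{ openstack_auth.system_scope }}` twice, once in place of `--os-project-domain-name` and once in place of `--os-region-name` before the region line is re-added; drop the second copy. Style: the mapping create and identity-provider set tasks keep space-separated `--os-interface {{ openstack_interface }}` and `--os-system-scope {{ openstack_auth.system_scope }}` while every other task in the file now uses `=`; each task starts above its hunk.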
|
@ -17,8 +17,8 @@
|
|||||||
command: >
|
command: >
|
||||||
docker exec murano_api murano
|
docker exec murano_api murano
|
||||||
--os-username {{ openstack_auth.username }}
|
--os-username {{ openstack_auth.username }}
|
||||||
--os-password {{ keystone_admin_password }}
|
--os-password {{ openstack_auth.password }}
|
||||||
--os-project-name {{ openstack_auth.project_name }}
|
--os-system-scope {{ openstack_auth.system_scope }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||||
--os-auth-url {{ keystone_admin_url }}
|
--os-auth-url {{ keystone_admin_url }}
|
||||||
--murano-url {{ murano_admin_endpoint }}
|
--murano-url {{ murano_admin_endpoint }}
|
||||||
@ -33,10 +33,10 @@
|
|||||||
command: >
|
command: >
|
||||||
docker exec murano_api murano
|
docker exec murano_api murano
|
||||||
--os-username {{ openstack_auth.username }}
|
--os-username {{ openstack_auth.username }}
|
||||||
--os-password {{ keystone_admin_password }}
|
--os-password {{ openstack_auth.password }}
|
||||||
--os-project-name {{ openstack_auth.project_name }}
|
--os-system-scope {{ openstack_auth.system_scope }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||||
--os-auth-url {{ keystone_admin_url }}
|
--os-auth-url {{ openstack_auth.auth_url }}
|
||||||
--murano-url {{ murano_admin_endpoint }}
|
--murano-url {{ murano_admin_endpoint }}
|
||||||
package-import --exists-action u --is-public /io.murano.zip
|
package-import --exists-action u --is-public /io.murano.zip
|
||||||
run_once: True
|
run_once: True
|
||||||
@ -49,10 +49,10 @@
|
|||||||
command: >
|
command: >
|
||||||
docker exec murano_api murano
|
docker exec murano_api murano
|
||||||
--os-username {{ openstack_auth.username }}
|
--os-username {{ openstack_auth.username }}
|
||||||
--os-password {{ keystone_admin_password }}
|
--os-password {{ openstack_auth.password }}
|
||||||
--os-project-name {{ openstack_auth.project_name }}
|
--os-system-scope {{ openstack_auth.system_scope }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||||
--os-auth-url {{ keystone_admin_url }}
|
--os-auth-url {{ openstack_auth.auth_url }}
|
||||||
--murano-url {{ murano_admin_endpoint }}
|
--murano-url {{ murano_admin_endpoint }}
|
||||||
package-import --exists-action u --is-public /io.murano.applications.zip
|
package-import --exists-action u --is-public /io.murano.applications.zip
|
||||||
run_once: True
|
run_once: True
|
||||||
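Review bot: The first murano task keeps `--os-auth-url {{ keystone_admin_url }}` while the two package-import tasks below switch to `--os-auth-url {{ openstack_auth.auth_url }}`; change the first to `--os-auth-url {{ openstack_auth.auth_url }}` as well so all three read the same credential dict. Murano packages are imported into a project, so whether `package-import --is-public` succeeds under a system-scoped token that carries no project should be confirmed against the murano API before this lands; the hunk alone cannot settle it. Each task starts above its hunk.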
|
@ -28,13 +28,12 @@
|
|||||||
command: >
|
command: >
|
||||||
docker exec kolla_toolbox openstack
|
docker exec kolla_toolbox openstack
|
||||||
--os-interface {{ openstack_interface }}
|
--os-interface {{ openstack_interface }}
|
||||||
--os-auth-url {{ keystone_admin_url }}
|
--os-auth-url {{ openstack_auth.auth_url }}
|
||||||
--os-identity-api-version 3
|
|
||||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
|
||||||
--os-project-name {{ openstack_auth.project_name }}
|
|
||||||
--os-username {{ openstack_auth.username }}
|
--os-username {{ openstack_auth.username }}
|
||||||
--os-password {{ keystone_admin_password }}
|
--os-password {{ openstack_auth.password }}
|
||||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
--os-identity-api-version 3
|
||||||
|
--os-user-domain-name {{ openstack_auth.user_domain_name }}
|
||||||
|
--os-system-scope {{ openstack_auth.system_scope }}
|
||||||
--os-region-name {{ openstack_region_name }}
|
--os-region-name {{ openstack_region_name }}
|
||||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||||
compute service list --format json --column Host --service nova-compute
|
compute service list --format json --column Host --service nova-compute
|
||||||
|
@ -41,7 +41,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{
|
|||||||
skydive_analyzer_tag: "{{ skydive_tag }}"
|
skydive_analyzer_tag: "{{ skydive_tag }}"
|
||||||
skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
|
skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
|
||||||
|
|
||||||
skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}"
|
skydive_admin_tenant_name: "{{ keystone_admin_project }}"
|
||||||
skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
|
skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
|
||||||
skydive_agent_tag: "{{ skydive_tag }}"
|
skydive_agent_tag: "{{ skydive_tag }}"
|
||||||
skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"
|
skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"
|
||||||
|
@ -45,11 +45,12 @@ agent:
|
|||||||
- ovsdb
|
- ovsdb
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
### TODO migrate from tenant_name to system_scope when supported in skydive
|
||||||
neutron:
|
neutron:
|
||||||
auth_url: {{ keystone_internal_url }}/v3
|
auth_url: {{ keystone_internal_url }}/v3
|
||||||
username: {{ openstack_auth['username'] }}
|
username: {{ openstack_auth['username'] }}
|
||||||
password: {{ openstack_auth['password'] }}
|
password: {{ openstack_auth['password'] }}
|
||||||
tenant_name: {{ openstack_auth['project_name'] }}
|
tenant_name: {{ skydive_admin_tenant_name }}
|
||||||
region_name: {{ openstack_region_name }}
|
region_name: {{ openstack_region_name }}
|
||||||
domain_name: Default
|
domain_name: Default
|
||||||
endpoint_type: internal
|
endpoint_type: internal
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
### Skydive analyzer config file
|
### Skydive analyzer config file
|
||||||
|
|
||||||
|
### TODO migrate from tenant_name to system_scope when supported in skydive
|
||||||
auth:
|
auth:
|
||||||
keystone:
|
keystone:
|
||||||
type: keystone
|
type: keystone
|
||||||
|
@ -52,7 +52,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
|
|||||||
auth_url = {{ keystone_internal_url }}/v3
|
auth_url = {{ keystone_internal_url }}/v3
|
||||||
region_name = {{ openstack_region_name }}
|
region_name = {{ openstack_region_name }}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
project_domain_id = default
|
project_domain_id = {{ default_project_domain_id }}
|
||||||
user_domain_id = default
|
user_domain_id = default
|
||||||
project_name = admin
|
project_name = admin
|
||||||
password = {{ vitrage_keystone_password }}
|
password = {{ vitrage_keystone_password }}
|
||||||
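Review bot: This stanza now renders `project_domain_id = {{ default_project_domain_id }}` but still hard-codes `project_name = admin` two lines below, whereas the rest of this commit reads the admin project from `keystone_admin_project`. Use `project_name = {{ keystone_admin_project }}` so an operator who renames the admin project does not leave vitrage pointed at a stale literal. The section header this stanza belongs to is above the hunk, so the section name cannot be confirmed here.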
|
@ -73,11 +73,11 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
|
|||||||
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
|
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
|
||||||
|
|
||||||
openstack_auth:
|
openstack_auth:
|
||||||
auth_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}"
|
auth_url: "{{ keystone_admin_url }}"
|
||||||
username: "admin"
|
username: "{{ keystone_admin_user }}"
|
||||||
password: "{{ keystone_admin_password }}"
|
password: "{{ keystone_admin_password }}"
|
||||||
project_name: "admin"
|
user_domain_name: "{{ default_user_domain_name }}"
|
||||||
domain_name: "default"
|
system_scope: "all"
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
|
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- Transitions to using system-scoped tokens when authenticating as the
|
||||||
|
Keystone admin user. This is a necessary step towards being able to
|
||||||
|
enable the updated oslo policies in services that allow finer grained
|
||||||
|
access to system-level resources and APIs. Since Queens, the admin role
|
||||||
|
is assigned to the admin user with system scope as well as in the admin
|
||||||
|
project.
|
@ -95,7 +95,6 @@ if [[ $ENABLE_EXT_NET -eq 1 ]]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Get admin user and tenant IDs
|
# Get admin user and tenant IDs
|
||||||
ADMIN_USER_ID=$($KOLLA_OPENSTACK_COMMAND user list | awk '/ admin / {print $2}')
|
|
||||||
ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}')
|
ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}')
|
||||||
ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}')
|
ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}')
|
||||||
|
|
||||||
|