Add service role to ironic service users

Add the service role to ironic service users. Ironic recently enforced
new policy validation as part of the RBAC efforts. [1][2]
Service user support was also added to Ironic. [3]
Admin role needs to stay as not all services added service role support. [4][5]

[1] https://review.opendev.org/c/openstack/ironic/+/902009
[2] e2a47de10a/goals/selected/consistent-and-secure-rbac.rst (phase-2)
[3] https://review.opendev.org/c/openstack/ironic/+/907148
[4] https://review.opendev.org/q/topic:bp%252Fpolicy-service-role-default
[5] https://review.opendev.org/q/topic:%22New-Location-Apis%22

Related-Bug: #2051837
Change-Id: I048402c2247188cf57f35437f557f84ac25d4ff2
Bartosz Bezak 2024-02-09 15:00:24 +01:00
parent 121aa3d258
commit 600e912400
4 changed files with 21 additions and 0 deletions

@ -364,6 +364,14 @@ ironic_ks_users:
password: "{{ ironic_inspector_keystone_password }}"
role: "admin"
ironic_ks_user_roles:
- project: "service"
user: "{{ ironic_keystone_user }}"
role: "service"
- project: "service"
user: "{{ ironic_inspector_keystone_user }}"
role: "service"
####################
# TLS
####################
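Review bot: The context line role: "admin" just above the new ironic_ks_user_roles list shows that both ironic service users keep admin alongside the added service role, and nothing in this file records that the admin grant is meant to be temporary. Add a comment next to ironic_ks_user_roles (or a TODO like the one in the upgrade task) stating that admin stays only until the remaining services support the service role, so the broader grant is dropped later instead of becoming permanent.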

@ -5,3 +5,4 @@
service_ks_register_auth: "{{ openstack_ironic_auth }}"
service_ks_register_services: "{{ ironic_ks_services }}"
service_ks_register_users: "{{ ironic_ks_users }}"
service_ks_register_user_roles: "{{ ironic_ks_user_roles }}"

@ -32,3 +32,10 @@
- include_tasks: legacy_upgrade.yml
when: not ironic_enable_rolling_upgrade | bool
# TODO(bbezak): Remove this task in the Dalmatian cycle.
- import_role:
name: service-ks-register
vars:
service_ks_register_auth: "{{ openstack_ironic_auth }}"
service_ks_register_user_roles: "{{ ironic_ks_user_roles }}"
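Review bot: The TODO above the added import_role gives the cycle for removal but not the reason the task exists, so whoever removes it cannot tell what has to be true first. Extend the comment to say that the task assigns ironic_ks_user_roles to already-registered users during upgrade. The role is also called here with only service_ks_register_auth and service_ks_register_user_roles, unlike the call that also passes services and users, so it is worth confirming that service-ks-register treats those other inputs as optional.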

@ -0,0 +1,5 @@
---
features:
- |
Add the service role to ironic service users. Ironic recently enforced
new policy validation and added service role support.
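Review bot: The release note is filed under features only and does not tell operators that the role is applied to existing deployments by a task in the upgrade path, or that the admin role is still kept on these users. Add an upgrade entry that says the service role is granted to the ironic and ironic inspector users during upgrade and that admin remains for now.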