From 6e835ae758f0a2e8c87ab0bc22d578168395e424 Mon Sep 17 00:00:00 2001
From: Bartosz Bezak
Date: Tue, 6 Feb 2024 17:40:04 +0100
Subject: [PATCH] Template system scoped admin-openrc and clouds.yml files

Ironic enabled secure RBAC with system scoped enforcement [1]. Some API calls, for instance 'baremetal:driver:get' needs system scope role by design [2], even with elevated access project scope service role [3].

[1] https://review.opendev.org/c/openstack/ironic/+/902009
[2] https://opendev.org/openstack/ironic/src/commit/8ec56066223301230ac0ed0f0c471a10d366b474/ironic/common/policy.py#L1349-L1357
[3] https://review.opendev.org/c/openstack/kolla-ansible/+/908007

Related-Bug: #2051837
Change-Id: Id6313d7dd343b82d4c9ccf7bf429d340ea0e93d1
---
 ansible/post-deploy.yml | 9 ++++++++
 .../templates/admin-openrc-system.sh.j2 | 23 +++++++++++++++++++
 ansible/roles/common/templates/clouds.yaml.j2 | 23 +++++++++++++++++++
 tests/check-config.sh | 1 +
 tests/test-ironic.sh | 6 +++--
 5 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 ansible/roles/common/templates/admin-openrc-system.sh.j2

diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
index 61d91d765a..9b3a0b9d01 100644
--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@@ -32,6 +32,15 @@
 group: "{{ ansible_facts.user_gid }}"
 mode: 0600
+ - name: Template out admin-openrc-system.sh
+ become: true
+ template:
+ src: "roles/common/templates/admin-openrc-system.sh.j2"
+ dest: "{{ node_config }}/admin-openrc-system.sh"
+ owner: "{{ ansible_facts.user_uid }}"
+ group: "{{ ansible_facts.user_gid }}"
+ mode: 0600
+
 - name: Template out public-openrc.sh
 become: true
 template:
diff --git a/ansible/roles/common/templates/admin-openrc-system.sh.j2 b/ansible/roles/common/templates/admin-openrc-system.sh.j2
new file mode 100644
index 0000000000..6b4d95b969
--- /dev/null
+++ b/ansible/roles/common/templates/admin-openrc-system.sh.j2
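Review bot: `mode: 0600` on the new task is an unquoted YAML octal; YAML 1.1 parsers read it as the integer 384, which Ansible's file handling happens to accept, but ansible-lint's risky-octal rule flags it and `mode: "0600"` is the unambiguous spelling. The neighbouring tasks in this play use the same unquoted form, so this is only worth changing if the others are aligned in the same follow-up. The rendered file carries the system-scoped admin password, so the 0600 mode and the owner/group settings themselves are the right call and should stay as they are.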
@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+
+# Clear any old environment that may conflict.
+for key in $( set | awk '{FS="="} /^OS_/ {print $1}' ); do unset $key ; done
+export OS_USER_DOMAIN_NAME='Default'
+export OS_SYSTEM_SCOPE=all
+export OS_USERNAME='{{ keystone_admin_user }}'
+export OS_PASSWORD='{{ keystone_admin_password }}'
+export OS_AUTH_URL='{{ keystone_internal_url }}'
+export OS_INTERFACE='internal'
+export OS_ENDPOINT_TYPE='internalURL'
+{% if enable_manila | bool %}
+export OS_MANILA_ENDPOINT_TYPE='internalURL'
+{% endif %}
+{% if enable_mistral | bool %}
+export OS_MISTRAL_ENDPOINT_TYPE='internalURL'
+{% endif %}
+export OS_IDENTITY_API_VERSION='3'
+export OS_REGION_NAME='{{ openstack_region_name }}'
+export OS_AUTH_PLUGIN='password'
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+export OS_CACERT='{{ kolla_admin_openrc_cacert }}'
+{% endif %}
diff --git a/ansible/roles/common/templates/clouds.yaml.j2 b/ansible/roles/common/templates/clouds.yaml.j2
index 574a603f9f..0485bedabf 100644
--- a/ansible/roles/common/templates/clouds.yaml.j2
+++ b/ansible/roles/common/templates/clouds.yaml.j2
@@ -10,6 +10,17 @@ clouds:
 region_name: {{ openstack_region_name }}
 {% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
 cacert: {{ kolla_admin_openrc_cacert }}
+{% endif %}
+ kolla-admin-system:
+ auth:
+ auth_url: {{ keystone_public_url }}
+ user_domain_name: Default
+ system_scope: all
+ username: {{ keystone_admin_user }}
+ password: {{ keystone_admin_password }}
+ region_name: {{ openstack_region_name }}
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+ cacert: {{ kolla_admin_openrc_cacert }}
 {% endif %}
 kolla-admin-internal:
 auth:
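Review bot: The new template's only comment is the ansible_managed marker, yet `export OS_SYSTEM_SCOPE=all` with no OS_PROJECT_* variables makes every client call made after sourcing it run as a system-scoped admin, and the commit message says only a few Ironic calls need that; a header comment should state it: `# System-scoped admin credentials (OS_SYSTEM_SCOPE=all). Source this only for API calls that enforce system scope, e.g. Ironic driver operations; use admin-openrc.sh for project-scoped work.` The cleanup loop on the fourth line sets FS inside the awk action, which only takes effect from the second record of set(1)'s output, and `unset $key` leaves the name unquoted; the conventional form is `for key in $( set | awk -F= '/^OS_/ {print $1}' ); do unset "$key"; done`. Both look carried over from the existing admin-openrc.sh.j2, which is not in this diff, so change them in both templates or in neither.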
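Review bot: Neither new cloud entry explains why it exists alongside kolla-admin and kolla-admin-internal, so a reader of the rendered clouds.yaml cannot tell when to pick `kolla-admin-system` over `kolla-admin`; a one-line comment above `kolla-admin-system:` here, and the same above `kolla-admin-system-internal:` in the next hunk, would fix that: `# System-scoped (system_scope: all) variant of the entry above, for APIs that enforce system scope such as Ironic driver calls.` The `{% endif %}` bookkeeping also reads oddly in both hunks: the added `+{% endif %}` closes the previous entry's cacert block while the pre-existing `{% endif %}` is left to close the new entry's, so the reader has to match the pairs across the hunk; emitting the new entry with its own complete `{% if %}`/`{% endif %}` pair and leaving the old lines untouched renders identically with a clearer diff. Each new entry also repeats `password: {{ keystone_admin_password }}` in clear, which the existing entries already do, so the 0600 mode on the rendered file remains the only thing protecting it.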
@@ -23,4 +34,16 @@ clouds:
 region_name: {{ openstack_region_name }}
 {% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
 cacert: {{ kolla_admin_openrc_cacert }}
+{% endif %}
+ kolla-admin-system-internal:
+ auth:
+ auth_url: {{ keystone_internal_url }}
+ user_domain_name: Default
+ system_scope: all
+ username: {{ keystone_admin_user }}
+ password: {{ keystone_admin_password }}
+ interface: internal
+ region_name: {{ openstack_region_name }}
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+ cacert: {{ kolla_admin_openrc_cacert }}
 {% endif %}
diff --git a/tests/check-config.sh b/tests/check-config.sh
index f78b7fab9d..d1fb7dd9fc 100755
--- a/tests/check-config.sh
+++ b/tests/check-config.sh
@@ -23,6 +23,7 @@ function check_config {
 -not -path /etc/kolla \
 -not -path /etc/kolla/clouds.yaml \
 -not -regex .*-openrc.sh \
+ -not -regex .*-openrc-system.sh \
 -not -name globals.yml \
 -not -name header \
 -not -name inventory \
diff --git a/tests/test-ironic.sh b/tests/test-ironic.sh
index 55697fff09..4b011669aa 100755
--- a/tests/test-ironic.sh
+++ b/tests/test-ironic.sh
@@ -9,14 +9,16 @@ export PYTHONUNBUFFERED=1
 function test_ironic_logged {
 # Assumes init-runonce has been executed.
- . /etc/kolla/admin-openrc.sh
+ KOLLA_CONFIG_PATH=${KOLLA_CONFIG_PATH:-/etc/kolla}
+ export OS_CLIENT_CONFIG_FILE=${KOLLA_CONFIG_PATH}/clouds.yaml
+ export OS_CLOUD=kolla-admin-internal
 . ~/openstackclient-venv/bin/activate
 echo "Enabling DHCP on the external (\"public\") subnet"
 openstack subnet set --dhcp public1-subnet
 # Smoke test ironic API.
- openstack baremetal driver list
+ openstack --os-cloud kolla-admin-system-internal baremetal driver list
 openstack baremetal node list
 openstack baremetal port list
 # Ironic Inspector API
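Review bot: `KOLLA_CONFIG_PATH=${KOLLA_CONFIG_PATH:-/etc/kolla}` assigns a global from inside test_ironic_logged while the two lines after it `export` OS_* for the same purpose, so either `local` it or export it too, and quote it where it is used: `export OS_CLIENT_CONFIG_FILE="${KOLLA_CONFIG_PATH}/clouds.yaml"`. The switch to `--os-cloud kolla-admin-system-internal` for `baremetal driver list` alone, while `node list` and `port list` keep the project-scoped OS_CLOUD, matches the commit message but nothing in the script says why; a comment such as `# baremetal:driver:get is enforced with system scope by Ironic, so only this call uses the system-scoped cloud.` would spare the next reader a trip to the policy file. The function continues past the end of the hunk.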