Merge "Transition Keystone admin user to system scope"

ansible/group_vars/all.yml

@@ -884,9 +884,8 @@ openstack_auth:
   auth_url: "{{ keystone_admin_url }}"
   username: "{{ keystone_admin_user }}"
   password: "{{ keystone_admin_password }}"
-  project_name: "{{ keystone_admin_project }}"
+  user_domain_name: "{{ default_user_domain_name }}"
-  domain_name: "default"
+  system_scope: "all"
-  user_domain_name: "default"
 
 #######################
 # Glance options

ansible/roles/barbican/tasks/check.yml

@@ -7,7 +7,7 @@
     --os-auth-url={{ openstack_auth.auth_url }} \
     --os-password={{ openstack_auth.password }} \
     --os-username={{ openstack_auth.username }} \
-    --os-project-name={{ openstack_auth.project_name }} \
+    --os-system-scope={{ openstack_auth.system_scope }}
     secret store -f value -p kolla | head -1
   register: barbican_store_secret
   run_once: True
@@ -20,7 +20,7 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
     secret get -f value -p {{ barbican_store_secret.stdout }}
   register: barbican_get_secret
   failed_when: barbican_get_secret.stdout != 'kolla'
@@ -34,7 +34,7 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
     secret delete {{ barbican_store_secret.stdout }}
   run_once: True
   when: kolla_enable_sanity_barbican | bool

ansible/roles/freezer/templates/freezer.conf.j2

@@ -15,8 +15,10 @@ jobs_dir = /etc/freezer/scheduler/conf.d
 os_username = {{ openstack_auth.username }}
 os_password = {{ openstack_auth.password }}
 os_auth_url = {{ openstack_auth.auth_url }}/v3
-os_project_name = {{ openstack_auth.project_name }}
+os_project_name = {{ keystone_admin_project }}
 os_project_domain_name = {{ openstack_auth.domain_name }}
+# TODO: transition to system scoped token when freezer supports that
+# configuration option
 os_user_domain_name = {{ openstack_auth.user_domain_name }}
 {% endif %}
 

ansible/roles/heat/defaults/main.yml

@@ -219,7 +219,7 @@ heat_ks_roles:
   - "{{ heat_stack_user_role }}"
 
 heat_ks_user_roles:
-  - project: "{{ openstack_auth.project_name }}"
+  - project: "{{ keystone_admin_project }}"
     user: "{{ openstack_auth.username }}"
     role: "{{ heat_stack_owner_role }}"
 

ansible/roles/heat/tasks/bootstrap_service.yml

@@ -15,7 +15,8 @@
       OS_INTERFACE: "internal"
       OS_USERNAME: "{{ openstack_auth.username }}"
       OS_PASSWORD: "{{ openstack_auth.password }}"
-      OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
+      OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
+      OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
       OS_REGION_NAME: "{{ openstack_region_name }}"
       OS_CACERT: "{{ openstack_cacert | default(omit) }}"
       HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"

ansible/roles/ironic/templates/ironic.conf.j2

@@ -75,7 +75,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
 [cinder]
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
@@ -89,7 +89,7 @@ cafile = {{ openstack_cacert }}
 [glance]
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
@@ -103,7 +103,7 @@ cafile = {{ openstack_cacert }}
 [neutron]
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
@@ -118,7 +118,7 @@ cafile = {{ openstack_cacert }}
 [nova]
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
@@ -146,7 +146,7 @@ cafile = {{ openstack_cacert }}
 {% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
@@ -163,7 +163,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
 {% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}

ansible/roles/keystone/tasks/register.yml

@@ -3,7 +3,7 @@
   become: true
   command: >
     docker exec keystone kolla_keystone_bootstrap
-    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
+    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
     admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
   register: keystone_bootstrap
   changed_when: (keystone_bootstrap.stdout | from_json).changed

ansible/roles/keystone/tasks/register_identity_providers.yml

@@ -5,13 +5,12 @@
       --os-auth-url={{ openstack_auth.auth_url }}
       --os-password={{ openstack_auth.password }}
       --os-username={{ openstack_auth.username }}
-      --os-project-name={{ openstack_auth.project_name }}
       --os-identity-api-version=3
-      --os-interface {{ openstack_interface }}
+      --os-interface={{ openstack_interface }}
-      --os-project-domain-name {{ openstack_auth.domain_name }}
+      --os-system-scope={{ openstack_auth.system_scope }}
-      --os-user-domain-name {{ openstack_auth.domain_name }}
+      --os-user-domain-name={{ openstack_auth.user_domain_name }}
-      --os-region-name {{ openstack_region_name }}
+      --os-region-name={{ openstack_region_name }}
-      {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+      {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping list -c ID --format value
   run_once: True
   become: True
@@ -27,13 +26,13 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
+    --os-interface={{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
-    --os-region-name {{ openstack_region_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    --os-region-name={{ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping delete {{ item }}
   run_once: True
   become: true
@@ -62,13 +61,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
     --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
-    --os-region-name {{ openstack_region_name }}
+    --os-region-name={{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping create
     --rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
     {{ item.name }}
@@ -84,15 +82,14 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
+    --os-interface={{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
-    --os-region-name {{ openstack_region_name }}
+    --os-region-name={{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping set
-    --rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
+    --rules="{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
     {{ item.name }}
   run_once: True
   when:
@@ -106,13 +103,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
+    --os-interface={{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
-    --os-region-name {{ openstack_region_name }}
+    --os-region-name={{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     identity provider list -c ID --format value
   run_once: True
   register: existing_idps_register
@@ -128,13 +124,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
+    --os-interface={{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
-    --os-region-name {{ openstack_region_name }}
+    --os-region-name={ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
     identity provider delete {{ item }}
   run_once: True
   with_items: "{{ existing_idps }}"
@@ -149,13 +144,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
+    --os-interface={{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-user-domain-name{{ openstack_auth.user_domain_name }}
-    --os-region-name {{ openstack_region_name }}
+    --os-region-name={{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
     identity provider create
     --description "{{ item.public_name }}"
     --remote-id "{{ item.identifier }}"
@@ -173,11 +167,10 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
     --os-interface {{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
+    --os-system-scope {{ openstack_auth.system_scope }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-user-domain-name {{ openstack_auth.user_domain_name }}
     --os-region-name {{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
     identity provider set
@@ -196,13 +189,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
+    --os-interface={{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
-    --os-region-name {{ openstack_region_name }}
+    --os-region-name={{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
     federation protocol create
     --mapping {{ item.attribute_mapping }}
     --identity-provider {{ item.name }}
@@ -219,13 +211,12 @@
     --os-auth-url={{ openstack_auth.auth_url }}
     --os-password={{ openstack_auth.password }}
     --os-username={{ openstack_auth.username }}
-    --os-project-name={{ openstack_auth.project_name }}
     --os-identity-api-version=3
-    --os-interface {{ openstack_interface }}
+    --os-interface={{ openstack_interface }}
-    --os-project-domain-name {{ openstack_auth.domain_name }}
+    --os-system-scope={{ openstack_auth.system_scope }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-user-domain-name={{ openstack_auth.user_domain_name }}
-    --os-region-name {{ openstack_region_name }}
+    --os-region-name={{ openstack_region_name }}
-    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
+    {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
     federation protocol set
     --identity-provider {{ item.name }}
     --mapping {{ item.attribute_mapping }}

ansible/roles/murano/tasks/import_library_packages.yml

@@ -17,8 +17,8 @@
   command: >
     docker exec murano_api murano
     --os-username {{ openstack_auth.username }}
-    --os-password {{ keystone_admin_password }}
+    --os-password {{ openstack_auth.password }}
-    --os-project-name {{ openstack_auth.project_name }}
+    --os-system-scope {{ openstack_auth.system_scope }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     --os-auth-url {{ keystone_admin_url }}
     --murano-url {{ murano_admin_endpoint }}
@@ -33,10 +33,10 @@
   command: >
     docker exec murano_api murano
     --os-username {{ openstack_auth.username }}
-    --os-password {{ keystone_admin_password }}
+    --os-password {{ openstack_auth.password }}
-    --os-project-name {{ openstack_auth.project_name }}
+    --os-system-scope {{ openstack_auth.system_scope }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
-    --os-auth-url {{ keystone_admin_url }}
+    --os-auth-url {{ openstack_auth.auth_url }}
     --murano-url {{ murano_admin_endpoint }}
     package-import --exists-action u --is-public /io.murano.zip
   run_once: True
@@ -49,10 +49,10 @@
   command: >
     docker exec murano_api murano
     --os-username {{ openstack_auth.username }}
-    --os-password {{ keystone_admin_password }}
+    --os-password {{ openstack_auth.password }}
-    --os-project-name {{ openstack_auth.project_name }}
+    --os-system-scope {{ openstack_auth.system_scope }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
-    --os-auth-url {{ keystone_admin_url }}
+    --os-auth-url {{ openstack_auth.auth_url }}
     --murano-url {{ murano_admin_endpoint }}
     package-import --exists-action u --is-public /io.murano.applications.zip
   run_once: True

ansible/roles/nova-cell/tasks/discover_computes.yml

@@ -28,13 +28,12 @@
   command: >
     docker exec kolla_toolbox openstack
     --os-interface {{ openstack_interface }}
-    --os-auth-url {{ keystone_admin_url }}
+    --os-auth-url {{ openstack_auth.auth_url }}
-    --os-identity-api-version 3
-    --os-project-domain-name {{ openstack_auth.domain_name }}
-    --os-project-name {{ openstack_auth.project_name }}
     --os-username {{ openstack_auth.username }}
-    --os-password {{ keystone_admin_password }}
+    --os-password {{ openstack_auth.password }}
-    --os-user-domain-name {{ openstack_auth.domain_name }}
+    --os-identity-api-version 3
+    --os-user-domain-name {{ openstack_auth.user_domain_name }}
+    --os-system-scope {{ openstack_auth.system_scope }}
     --os-region-name {{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     compute service list --format json --column Host --service nova-compute

ansible/roles/skydive/defaults/main.yml

@@ -41,7 +41,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{
 skydive_analyzer_tag: "{{ skydive_tag }}"
 skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
 
-skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}"
+skydive_admin_tenant_name: "{{ keystone_admin_project }}"
 skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
 skydive_agent_tag: "{{ skydive_tag }}"
 skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"

ansible/roles/skydive/templates/skydive-agent.conf.j2

@@ -45,11 +45,12 @@ agent:
       - ovsdb
 {% endif %}
 
+### TODO migrate from tenant_name to system_scope when supported in skydive
     neutron:
       auth_url: {{ keystone_internal_url }}/v3
       username: {{ openstack_auth['username'] }}
       password: {{ openstack_auth['password'] }}
-      tenant_name: {{ openstack_auth['project_name'] }}
+      tenant_name: {{ skydive_admin_tenant_name }}
       region_name: {{ openstack_region_name }}
       domain_name: Default
       endpoint_type: internal

ansible/roles/skydive/templates/skydive-analyzer.conf.j2

@@ -1,5 +1,6 @@
 ### Skydive analyzer config file
 
+### TODO migrate from tenant_name to system_scope when supported in skydive
 auth:
   keystone:
     type: keystone

ansible/roles/vitrage/templates/vitrage.conf.j2

@@ -52,7 +52,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
 auth_url = {{ keystone_internal_url }}/v3
 region_name = {{ openstack_region_name }}
 auth_type = password
-project_domain_id = default
+project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = admin
 password = {{ vitrage_keystone_password }}

doc/source/user/multi-regions.rst

@@ -73,11 +73,11 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
    keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
 
    openstack_auth:
-       auth_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}"
+       auth_url: "{{ keystone_admin_url }}"
-       username: "admin"
+       username: "{{ keystone_admin_user }}"
        password: "{{ keystone_admin_password }}"
-       project_name: "admin"
+       user_domain_name: "{{ default_user_domain_name }}"
-       domain_name: "default"
+       system_scope: "all"
 
 .. note::
 

releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - Transitions to using system-scoped tokens when authenticating as the
+    Keystone admin user. This is a necessary step towards being able to
+    enable the updated oslo policies in services that allow finer grained
+    access to system-level resources and APIs. Since Queens, the admin role
+    is assigned to the admin user with system scope as well as in the admin
+    project.

tools/init-runonce

@@ -95,7 +95,6 @@ if [[ $ENABLE_EXT_NET -eq 1 ]]; then
 fi
 
 # Get admin user and tenant IDs
-ADMIN_USER_ID=$($KOLLA_OPENSTACK_COMMAND user list | awk '/ admin / {print $2}')
 ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}')
 ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}')