kolla-ansible/ansible/roles/barbican
Niklas Hagman 2e933dceb5 Transition Keystone admin user to system scope
A system-scoped token implies the user has authorization to act on the
deployment system. These tokens are useful for interacting with
resources that affect the deployment as a whole, or exposes resources
that may otherwise violate project or domain isolation.

Since Queens, the keystone-manage bootstrap command assigns the admin
role to the admin user with system scope, as well as in the admin
project. This patch transitions the Keystone admin user from
authenticating using project scoped tokens to system scoped tokens.
This is a necessary step towards being able to enable the updated oslo
policies in services that allow finer grained access to system-level
resources and APIs.

An etherpad with discussion about the transition to the new oslo
service policies is:

https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible

Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585
Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>
2021-09-28 09:45:06 -07:00
..
defaults Use ansible_facts to reference facts 2021-06-23 10:38:06 +01:00
handlers Use Docker healthchecks for barbican services 2021-01-09 18:59:50 +08:00
tasks Transition Keystone admin user to system scope 2021-09-28 09:45:06 -07:00
templates Add missing region_name in keystoneauth sections 2021-06-22 08:35:35 +02:00