cd0bbbdad3
Keystone is moving away from using either project-scope or domain-scope for the main cloud administrator user, and instead moving toward the admin user having a role assignment on the "system" scope[1]. This will mean that no particular project or domain is special, and instead the cloud administrator scopes to the system in order to make deployment-wide changes. Keystone has now migrated all of its policies to understand system scope[2], and if a deployment sets [oslo_policy]/enforce_scope=true in keystone.conf and uses the new policies, an admin user scoped to the admin project will not be able to create dynamic credentials for tempest. This patch adds a new parameter ``[auth]/admin_system`` to indicate that neither the ``admin_project`` or ``admin_domain`` parameters apply to the admin user and that the user should instead authenticate with the system scope. This also adds ``admin_user_domain_name`` so that the admin user can be found in its domain (namespace) without setting ``domain_name``, and for completeness also adds ``admin_project_domain_name`` so that ``domain_name`` could be omitted even if using project scope. [1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html [2] https://bugs.launchpad.net/keystone/+bugs?field.status%3Alist=FIXRELEASED&field.tag=system-scope Depends-on: https://review.opendev.org/739262 Change-Id: I840b273c37ca7cc4592c43813abfb424337e2836 |
||
|---|---|---|
| .. | ||
| api_schema | ||
| cli | ||
| cmd | ||
| common | ||
| services | ||
| __init__.py | ||
| auth.py | ||
| base.py | ||
| decorators.py | ||
| exceptions.py | ||