Add a cloud profile for system-admins
Keystone's bootstrap process will create administrative role assignments for the admin user on an admin project. It will also do this for system role assignments. Let's create a cloud profile specifically for system-scoped access. This will be useful as we adopt more secure RBAC personas and convert tripleo plumbing to interact with administrative APIs using system-scoped tokens (as more projects adopt system-admin). Change-Id: I3471dd1da3ea8987ae6dcb25a7e5fbc0b573e89b
parent
34775b8efa
commit
feef0cc1e0
|
@ -779,6 +779,31 @@ outputs:
|
|||
identity_api_version: '3'
|
||||
volume_api_version: '3'
|
||||
region_name: {get_param: KeystoneRegion}
|
||||
- name: Configure system admin account in /etc/openstack/clouds.yaml
|
||||
include_role:
|
||||
name: tripleo_keystone_resources
|
||||
tasks_from: clouds
|
||||
vars:
|
||||
tripleo_keystone_resources_cloud_name:
|
||||
list_join:
|
||||
- '-'
|
||||
- - {get_param: RootStackName}
|
||||
- 'system-admin'
|
||||
tripleo_keystone_resources_cloud_config:
|
||||
auth:
|
||||
auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
||||
password: {get_param: AdminPassword}
|
||||
system_scope: all
|
||||
user_domain_name: Default
|
||||
username: admin
|
||||
cacert:
|
||||
if:
|
||||
- public_tls_enabled
|
||||
- {get_param: PublicTLSCAFile}
|
||||
- ''
|
||||
identity_api_version: '3'
|
||||
volume_api_version: '3'
|
||||
region_name: {get_param: KeystoneRegion}
|
||||
- name: Manage Keystone resources
|
||||
become: true
|
||||
when:
|
||||
|
|
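Review bot: The added "Configure system admin account" task stores `AdminPassword` in another clouds.yaml profile, this time with `system_scope: all`, and nothing in the hunk shows how /etc/openstack/clouds.yaml is protected. The file's mode and ownership come from the `clouds` tasks of `tripleo_keystone_resources`, which are outside this page, and should be confirmed as restricted to root. When `public_tls_enabled` is false, `cacert` is `''` and the `auth_url` taken from `KeystonePublic` is presumably plain HTTP, so the system-scoped credential would cross the public network unencrypted. A comment above the task would record the constraint, e.g. `# System-scoped admin profile: contains AdminPassword; clouds.yaml must stay readable by root only.`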