diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index b259b8a81a..612ee0b8bc 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -359,6 +359,7 @@ keystone_public_url: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ keyst keystone_token_provider: "uuid" fernet_token_expiry: 86400 +keystone_default_user_role: "_member_" ####################### # Glance options diff --git a/ansible/roles/ceph/templates/ceph.conf.j2 b/ansible/roles/ceph/templates/ceph.conf.j2 index a6e15c63ec..2a0e79aaa1 100644 --- a/ansible/roles/ceph/templates/ceph.conf.j2 +++ b/ansible/roles/ceph/templates/ceph.conf.j2 @@ -40,7 +40,7 @@ rgw_keystone_admin_password = {{ openstack_auth.password }} rgw_keystone_admin_project = {{ openstack_auth.project_name }} rgw_keystone_admin_domain = default rgw_keystone_api_version = 3 -rgw_keystone_accepted_roles = admin, _member_ +rgw_keystone_accepted_roles = admin, {{ keystone_default_user_role }} {% endif %} keyring = /etc/ceph/ceph.client.radosgw.keyring log file = /var/log/kolla/ceph/client.radosgw.gateway.log diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml index 2658e2fd3b..b2ddaa559d 100644 --- a/ansible/roles/horizon/defaults/main.yml +++ b/ansible/roles/horizon/defaults/main.yml @@ -22,9 +22,3 @@ horizon_image_full: "{{ horizon_image }}:{{ horizon_tag }}" openstack_horizon_auth: "{'auth_url':'{{ openstack_auth.auth_url }}','username':'{{ openstack_auth.username }}','password':'{{ openstack_auth.password }}','project_name':'{{ openstack_auth.project_name }}'}" horizon_logging_debug: "{{ openstack_logging_debug }}" - - -#################### -# Horizon -#################### -horizon_openstack_keystone_default_role: "_member_" diff --git a/ansible/roles/horizon/tasks/deploy.yml b/ansible/roles/horizon/tasks/deploy.yml index 3c04e136d2..07d49b6ace 100644 --- a/ansible/roles/horizon/tasks/deploy.yml +++ b/ansible/roles/horizon/tasks/deploy.yml 
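Review bot: An existing override of `horizon_openstack_keystone_default_role` stops applying without any warning, because that variable is deleted from the horizon role defaults in this commit and the `keystone_default_user_role` added here has no fallback to it. Horizon would then assign `_member_` to new project members, and this commit also wires that same role into `rgw_keystone_accepted_roles` and Swift's `operator_roles`. If a transition period is wanted, the definition could read `keystone_default_user_role: "{{ horizon_openstack_keystone_default_role | default('_member_') }}"`. Either way, a comment above the variable such as `# Default role for project members; also used in rgw_keystone_accepted_roles and swift operator_roles` would tell operators what changing it affects.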
@@ -1,8 +1,6 @@ --- - include: config.yml -- include: register.yml - - include: bootstrap.yml when: horizon_backend_database | bool diff --git a/ansible/roles/horizon/tasks/register.yml b/ansible/roles/horizon/tasks/register.yml deleted file mode 100644 index 0c78e9821f..0000000000 --- a/ansible/roles/horizon/tasks/register.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: Creating the _member_ role - command: docker exec -t kolla_toolbox /usr/bin/ansible localhost - -m os_keystone_role - -a "name={{ horizon_openstack_keystone_default_role }} - auth={{ '{{ openstack_horizon_auth }}' }}" - -e "{'openstack_horizon_auth':{{ openstack_horizon_auth }}}" - register: horizon_role - changed_when: "{{ horizon_role.stdout.find('localhost | SUCCESS => ') != -1 and (horizon_role.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}" - until: horizon_role.stdout.split()[2] == 'SUCCESS' - retries: 10 - delay: 5 - run_once: True diff --git a/ansible/roles/horizon/templates/local_settings.j2 b/ansible/roles/horizon/templates/local_settings.j2 index 1d4a0e43f8..a115655384 100644 --- a/ansible/roles/horizon/templates/local_settings.j2 +++ b/ansible/roles/horizon/templates/local_settings.j2 @@ -193,7 +193,7 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' OPENSTACK_HOST = "{% if orchestration_engine == 'KUBERNETES' %}{{ api_interface_address }}{% else %}{{ kolla_internal_fqdn }}{% endif %}" OPENSTACK_KEYSTONE_URL = "{{ keystone_internal_url }}" -OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_openstack_keystone_default_role }}" +OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ keystone_default_user_role }}" # Enables keystone web single-sign-on if set to True. #WEBSSO_ENABLED = False diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml index 08875907d2..5c00f913a7 100644 --- a/ansible/roles/keystone/tasks/register.yml +++ b/ansible/roles/keystone/tasks/register.yml 
@@ -5,3 +5,16 @@ changed_when: "{{ (keystone_bootstrap.stdout | from_json).changed }}" failed_when: "{{ (keystone_bootstrap.stdout | from_json).failed }}" run_once: True + +- name: Creating default user role + command: docker exec -t kolla_toolbox /usr/bin/ansible localhost + -m os_keystone_role + -a "name={{ keystone_default_user_role }} + auth={{ '{{ openstack_keystone_auth }}' }}" + -e "{'openstack_keystone_auth':{{ openstack_keystone_auth }}}" + register: default_role + changed_when: "{{ default_role.stdout.find('localhost | SUCCESS => ') != -1 and (default_role.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}" + until: default_role.stdout.split()[2] == 'SUCCESS' + retries: 10 + delay: 5 + run_once: True diff --git a/ansible/roles/swift/templates/proxy-server.conf.j2 b/ansible/roles/swift/templates/proxy-server.conf.j2 index 40fc02a97a..596d96cb43 100644 --- a/ansible/roles/swift/templates/proxy-server.conf.j2 +++ b/ansible/roles/swift/templates/proxy-server.conf.j2 @@ -46,7 +46,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansi [filter:keystoneauth] use = egg:swift#keystoneauth -operator_roles = admin,user +operator_roles = admin,{{ keystone_default_user_role }} [filter:container_sync] use = egg:swift#container_sync
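Review bot: The added "Creating default user role" task renders `openstack_keystone_auth` into the command line through `-e`, so whatever that dict holds (presumably the admin password, as `openstack_horizon_auth` in the horizon defaults shown in this diff does) ends up in the registered result, in verbose or failure output, and in the process arguments on the host. Adding `no_log: True` to the task would keep it out of Ansible's output; keeping it out of argv would need the credentials passed another way. Separately, `until: default_role.stdout.split()[2] == 'SUCCESS'` indexes the third token of stdout, which can error rather than retry when the output is short or empty. `until: "'localhost | SUCCESS => ' in default_role.stdout"` would test for the same marker that `changed_when` already looks for.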
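Review bot: The new `operator_roles = admin,{{ keystone_default_user_role }}` is not a pure variable substitution: the literal it replaces was `user`, and the new variable defaults to `_member_`, so the effective operator role changes. Swift's keystoneauth filter gives operator roles full access to the project's account, and `_member_` is the role Horizon assigns through `OPENSTACK_KEYSTONE_DEFAULT_ROLE`, so after this change every project member given that role would be a Swift operator. If that is intended, say so in the commit message and in a template comment such as `# operator_roles: every holder of keystone_default_user_role gets full access to the project's Swift account`. Otherwise keep Swift's operator role on its own variable rather than tying it to the default user role.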