Use default user group consistently
Default user group should be set much earlier in deployment and should be used consistently across all projects. Change-Id: Id399f9ddebc903bb9c3eeb5a0ff6f33ca6d6828c Closes-Bug: #1650501
parent
627719e66c
commit
25fcdfb986
@ -359,6 +359,7 @@ keystone_public_url: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ keyst
|
|||||||
keystone_token_provider: "uuid"
|
keystone_token_provider: "uuid"
|
||||||
fernet_token_expiry: 86400
|
fernet_token_expiry: 86400
|
||||||
|
|
||||||
|
keystone_default_user_role: "_member_"
|
||||||
|
|
||||||
#######################
|
#######################
|
||||||
# Glance options
|
# Glance options
|
||||||
|
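Review bot: The new `keystone_default_user_role` is defined without a comment, yet elsewhere in this commit it sets three things: Horizon's `OPENSTACK_KEYSTONE_DEFAULT_ROLE`, the radosgw `rgw_keystone_accepted_roles` list and Swift's `operator_roles`. An operator who overrides it to change the role Horizon hands out also changes who is authorized for object storage, and nothing at the definition says so. I would add above it `# Role created during Keystone bootstrap; also used as Horizon's default role and in the radosgw and Swift accepted-role lists`.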
@ -40,7 +40,7 @@ rgw_keystone_admin_password = {{ openstack_auth.password }}
|
|||||||
rgw_keystone_admin_project = {{ openstack_auth.project_name }}
|
rgw_keystone_admin_project = {{ openstack_auth.project_name }}
|
||||||
rgw_keystone_admin_domain = default
|
rgw_keystone_admin_domain = default
|
||||||
rgw_keystone_api_version = 3
|
rgw_keystone_api_version = 3
|
||||||
rgw_keystone_accepted_roles = admin, _member_
|
rgw_keystone_accepted_roles = admin, {{ keystone_default_user_role }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
keyring = /etc/ceph/ceph.client.radosgw.keyring
|
keyring = /etc/ceph/ceph.client.radosgw.keyring
|
||||||
log file = /var/log/kolla/ceph/client.radosgw.gateway.log
|
log file = /var/log/kolla/ceph/client.radosgw.gateway.log
|
||||||
|
@ -22,9 +22,3 @@ horizon_image_full: "{{ horizon_image }}:{{ horizon_tag }}"
|
|||||||
openstack_horizon_auth: "{'auth_url':'{{ openstack_auth.auth_url }}','username':'{{ openstack_auth.username }}','password':'{{ openstack_auth.password }}','project_name':'{{ openstack_auth.project_name }}'}"
|
openstack_horizon_auth: "{'auth_url':'{{ openstack_auth.auth_url }}','username':'{{ openstack_auth.username }}','password':'{{ openstack_auth.password }}','project_name':'{{ openstack_auth.project_name }}'}"
|
||||||
|
|
||||||
horizon_logging_debug: "{{ openstack_logging_debug }}"
|
horizon_logging_debug: "{{ openstack_logging_debug }}"
|
||||||
|
|
||||||
|
|
||||||
####################
|
|
||||||
# Horizon
|
|
||||||
####################
|
|
||||||
horizon_openstack_keystone_default_role: "_member_"
|
|
||||||
|
@ -1,8 +1,6 @@
|
|||||||
---
|
---
|
||||||
- include: config.yml
|
- include: config.yml
|
||||||
|
|
||||||
- include: register.yml
|
|
||||||
|
|
||||||
- include: bootstrap.yml
|
- include: bootstrap.yml
|
||||||
when: horizon_backend_database | bool
|
when: horizon_backend_database | bool
|
||||||
|
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Creating the _member_ role
|
|
||||||
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
|
|
||||||
-m os_keystone_role
|
|
||||||
-a "name={{ horizon_openstack_keystone_default_role }}
|
|
||||||
auth={{ '{{ openstack_horizon_auth }}' }}"
|
|
||||||
-e "{'openstack_horizon_auth':{{ openstack_horizon_auth }}}"
|
|
||||||
register: horizon_role
|
|
||||||
changed_when: "{{ horizon_role.stdout.find('localhost | SUCCESS => ') != -1 and (horizon_role.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
|
|
||||||
until: horizon_role.stdout.split()[2] == 'SUCCESS'
|
|
||||||
retries: 10
|
|
||||||
delay: 5
|
|
||||||
run_once: True
|
|
@ -193,7 +193,7 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
|
|||||||
OPENSTACK_HOST = "{% if orchestration_engine == 'KUBERNETES' %}{{ api_interface_address }}{% else %}{{ kolla_internal_fqdn }}{% endif %}"
|
OPENSTACK_HOST = "{% if orchestration_engine == 'KUBERNETES' %}{{ api_interface_address }}{% else %}{{ kolla_internal_fqdn }}{% endif %}"
|
||||||
|
|
||||||
OPENSTACK_KEYSTONE_URL = "{{ keystone_internal_url }}"
|
OPENSTACK_KEYSTONE_URL = "{{ keystone_internal_url }}"
|
||||||
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_openstack_keystone_default_role }}"
|
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ keystone_default_user_role }}"
|
||||||
|
|
||||||
# Enables keystone web single-sign-on if set to True.
|
# Enables keystone web single-sign-on if set to True.
|
||||||
#WEBSSO_ENABLED = False
|
#WEBSSO_ENABLED = False
|
||||||
|
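Review bot: `OPENSTACK_KEYSTONE_DEFAULT_ROLE` now reads only `keystone_default_user_role`, and the `horizon_openstack_keystone_default_role` default is deleted in the same commit, so a deployment that overrode the old variable is silently reset to `_member_` on the next reconfigure. Because this is the role Horizon assigns by default, that is a quiet change to what new project members receive. A transitional form such as `"{{ horizon_openstack_keystone_default_role | default(keystone_default_user_role) }}"`, or at least a release note naming the removed variable, would make the change visible. The settings file continues outside this hunk.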
@ -5,3 +5,16 @@
|
|||||||
changed_when: "{{ (keystone_bootstrap.stdout | from_json).changed }}"
|
changed_when: "{{ (keystone_bootstrap.stdout | from_json).changed }}"
|
||||||
failed_when: "{{ (keystone_bootstrap.stdout | from_json).failed }}"
|
failed_when: "{{ (keystone_bootstrap.stdout | from_json).failed }}"
|
||||||
run_once: True
|
run_once: True
|
||||||
|
|
||||||
|
- name: Creating default user role
|
||||||
|
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
|
||||||
|
-m os_keystone_role
|
||||||
|
-a "name={{ keystone_default_user_role }}
|
||||||
|
auth={{ '{{ openstack_keystone_auth }}' }}"
|
||||||
|
-e "{'openstack_keystone_auth':{{ openstack_keystone_auth }}}"
|
||||||
|
register: default_role
|
||||||
|
changed_when: "{{ default_role.stdout.find('localhost | SUCCESS => ') != -1 and (default_role.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
|
||||||
|
until: default_role.stdout.split()[2] == 'SUCCESS'
|
||||||
|
retries: 10
|
||||||
|
delay: 5
|
||||||
|
run_once: True
|
||||||
|
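Review bot: The added "Creating default user role" task passes `openstack_keystone_auth` on the `docker exec` command line via `-e` and registers the output, with no `no_log`. If that dict carries the admin password the way `openstack_horizon_auth` does in the Horizon defaults shown on this page, the password lands in Ansible's task output and in the process arguments on the host; adding `no_log: true` to the task at least keeps it out of the run log. Separately, `until: default_role.stdout.split()[2] == 'SUCCESS'` depends on stdout having at least three tokens, and `"'localhost | SUCCESS => ' in default_role.stdout"` would match the check `changed_when` already uses. The task is carried over from the removed Horizon file, so both points predate this commit but are worth fixing while it moves.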
@ -46,7 +46,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansi
|
|||||||
|
|
||||||
[filter:keystoneauth]
|
[filter:keystoneauth]
|
||||||
use = egg:swift#keystoneauth
|
use = egg:swift#keystoneauth
|
||||||
operator_roles = admin,user
|
operator_roles = admin,{{ keystone_default_user_role }}
|
||||||
|
|
||||||
[filter:container_sync]
|
[filter:container_sync]
|
||||||
use = egg:swift#container_sync
|
use = egg:swift#container_sync
|
||||||
|
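Review bot: The `operator_roles` line changes the rendered default from `admin,user` to `admin,_member_`, which is an authorization change rather than a rename. Accounts that hold only the `user` role lose Swift operator rights, and every holder of the default role gains them. If that is intended, the commit message should say so, since it currently describes only consistency. If existing `user` assignments must keep working, `operator_roles = admin,user,{{ keystone_default_user_role }}` preserves them.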