Remove system scope token to access services
As per the RBAC new direction in the Zed cycle, the system scope has been dropped from API policies and all policies are hardcoded to project scope, so any user accessing APIs with a system-scope token gets a 403 error. It is dropped from all OpenStack services except Ironic, which will keep the system scope; to support Ironic-only deployments, we keep both system and project scope in Keystone. The complete discussion and direction can be found in the gerrit change and TC goal direction below: - https://review.opendev.org/c/openstack/governance/+/847418 - https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept As phase 2 of the RBAC goal, services will start enabling the new defaults and project scope by default. For example, Nova did so in - https://review.opendev.org/c/openstack/nova/+/866218 Kolla started accessing the services using a system scope token in - https://review.opendev.org/c/openstack/kolla-ansible/+/692179 This commit partially reverts that change, keeping system scope usage only for Keystone and Ironic. All other services are changed to use the project scope token. It also enables scope and the new defaults for Nova, which were disabled by https://review.opendev.org/c/openstack/kolla-ansible/+/870804 Change-Id: I0adbe0a6c39e11d7c9542569085fc5d580f26c9d
This commit is contained in:
parent
32dce70f09
commit
283fa242ca
@ -883,8 +883,9 @@ openstack_auth:
auth_url: "{{ keystone_internal_url }}"
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
user_domain_name: "{{ default_user_domain_name }}"
system_scope: "all"
project_name: "{{ keystone_admin_project }}"
domain_name: "default"
user_domain_name: "default"
#######################
# Glance options
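Review bot: The `domain_name: "default"` and `user_domain_name: "default"` entries hard-code the domain, while the `user_domain_name: "{{ default_user_domain_name }}"` line they sit next to reads it from a variable; which of the two `user_domain_name` lines is the new one is inferred from the 8→9 line counts and the commit message, not from a marker. A deployment that overrides `default_user_domain_name` or `default_project_domain_name` (the freezer hunk in this commit still uses the latter for `os_project_domain_name`) would then look up the admin user and project in a different domain than the rest of the configuration, and authentication for every task that consumes `openstack_auth` would fail. Suggest `domain_name: "{{ default_project_domain_name }}"` and `user_domain_name: "{{ default_user_domain_name }}"` so the domain stays a single operator-controlled setting. The `openstack_auth` mapping starts above the hunk.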
@ -15,9 +15,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
os_username = {{ openstack_auth.username }}
os_password = {{ openstack_auth.password }}
os_auth_url = {{ openstack_auth.auth_url }}
os_project_name = {{ keystone_admin_project }}
# TODO: transition to system scoped token when freezer supports that
# configuration option, os_project_domain_name should be removed.
os_project_name = {{ openstack_auth.project_name }}
os_project_domain_name = {{ default_project_domain_name }}
os_user_domain_name = {{ openstack_auth.user_domain_name }}
{% endif %}
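Review bot: `os_project_name` now comes from `openstack_auth.project_name`, but the following `os_project_domain_name = {{ default_project_domain_name }}` still reads the project's domain from a different source, so the project and its domain are no longer guaranteed to describe the same account; the nova hunk in this commit pairs `openstack_auth.project_name` with `openstack_auth.domain_name` instead. If an operator overrides `openstack_auth` with a deploy account in another domain, freezer would keep sending the default project domain and fail to authenticate. Suggest `os_project_domain_name = {{ openstack_auth.domain_name }}` for consistency with the other consumers of `openstack_auth`. The enclosing `{% if %}` block starts above the hunk.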
@ -235,7 +235,7 @@ heat_ks_roles:
- "{{ heat_stack_user_role }}"
heat_ks_user_roles:
- project: "{{ keystone_admin_project }}"
- project: "{{ openstack_auth.project_name }}"
user: "{{ openstack_auth.username }}"
role: "{{ heat_stack_owner_role }}"
@ -15,8 +15,8 @@
OS_INTERFACE: "internal"
OS_USERNAME: "{{ openstack_auth.username }}"
OS_PASSWORD: "{{ openstack_auth.password }}"
OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
OS_REGION_NAME: "{{ openstack_region_name }}"
OS_CACERT: "{{ openstack_cacert | default(omit) }}"
HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
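Review bot: The environment now carries `OS_PROJECT_NAME` (the line that appears to replace `OS_SYSTEM_SCOPE`, given the 8→8 counts) and `OS_USER_DOMAIN_NAME`, but no `OS_PROJECT_DOMAIN_NAME` or `OS_PROJECT_DOMAIN_ID` is visible in the hunk. With Keystone v3 password authentication a project name without its domain is generally not resolvable and the token request is rejected, so unless the variable is set above the hunk (the `environment:` mapping starts outside it) the heat bootstrap would fail at authentication rather than at the heat step it is meant to run. Suggest adding `OS_PROJECT_DOMAIN_NAME: "{{ openstack_auth.domain_name }}"` next to `OS_PROJECT_NAME`, mirroring the nova hunk in this commit.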
@ -9,7 +9,7 @@
--os-password {{ openstack_auth.password }}
--os-identity-api-version 3
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-system-scope "all"
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
baremetal node list --format json --column "Provisioning State"
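Review bot: `--os-system-scope "all"` is now a literal in this command, and the same literal is repeated in the same form (`--os-system-scope="all"`) in each of the ten keystone hunks below, because `openstack_auth.system_scope` is removed by this commit. That leaves no single place that says which deployment operations still run with a system-scoped token, which is exactly what an operator auditing privilege use after this change would want to find quickly, and it makes a future change of scope for Ironic or Keystone a multi-file edit. Suggest one variable next to `openstack_auth` (constructed example: `openstack_system_scope: "all"`) and `--os-system-scope {{ openstack_system_scope }}` here and in the keystone hunks. The task header is above the hunk.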
@ -3,7 +3,7 @@
become: true
command: >
{{ kolla_container_engine }} exec keystone kolla_keystone_bootstrap
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
register: keystone_bootstrap
changed_when: (keystone_bootstrap.stdout | from_json).changed
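Review bot: The rewritten command line still passes `{{ openstack_auth.password }}` as a positional argument and the task registers its result (`register: keystone_bootstrap`), with no `no_log: true` visible in the hunk; on failure Ansible prints the full command, admin password included, into the play output and any log shipping attached to it, and the password is visible in the host process list while `kolla_keystone_bootstrap` runs. If `no_log` is not already set on the task header above the hunk, suggest adding `no_log: true` next to `register:`; `changed_when` keeps working since it only evaluates the registered stdout.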
@ -7,7 +7,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -28,9 +28,9 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping delete {{ item }}
@ -64,7 +64,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -85,7 +85,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -106,7 +106,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@ -127,7 +127,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -147,7 +147,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -170,7 +170,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-system-scope "all"
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
@ -192,7 +192,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@ -214,7 +214,7 @@
--os-username={{ openstack_auth.username }}
--os-identity-api-version=3
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-system-scope="all"
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
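Review bot: The context line `--os-region-name={ openstack_region_name }}` in the hunk at `@ -127,7 +127,7 @@` has a single opening brace, so unless this is an artifact of how the page was rendered, Jinja leaves it untouched and the rendered command passes the literal text `{ openstack_region_name }}` as the region, which would make that `openstack` call fail on endpoint lookup; every other hunk in this file uses `{{ openstack_region_name }}`. The commit does not touch that line but rewrites the `--os-system-scope` line directly above it, so the one-character fix `--os-region-name={{ openstack_region_name }}` is worth folding in here. The task definitions these hunks belong to start outside the hunks.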
@ -18,7 +18,7 @@
{{ kolla_container_engine }} exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-project-name {{ openstack_auth.project_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_internal_endpoint }}
@ -34,7 +34,7 @@
{{ kolla_container_engine }} exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-project-name {{ openstack_auth.project_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_internal_endpoint }}
@ -50,7 +50,7 @@
{{ kolla_container_engine }} exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-project-name {{ openstack_auth.project_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_internal_endpoint }}
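Review bot: Each of the three murano commands now passes `--os-project-name {{ openstack_auth.project_name }}`, but no `--os-project-domain-name` or `--os-user-domain-name` is visible in these hunks (`@ -18`, `@ -34`, `@ -50`), whereas the nova hunk in this commit passes the project domain alongside the project name. With Keystone v3 a project name without its domain is generally not resolvable, so unless those options sit above or below the hunks (each `command:` block extends past its hunk) these murano tasks would fail to authenticate once the system-scope option is gone. Suggest adding `--os-project-domain-name {{ openstack_auth.domain_name }}` and `--os-user-domain-name {{ openstack_auth.user_domain_name }}` after the project-name line in all three commands.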
@ -11,11 +11,12 @@
{{ kolla_container_engine }} exec kolla_toolbox openstack
--os-interface {{ openstack_interface }}
--os-auth-url {{ openstack_auth.auth_url }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-project-name {{ openstack_auth.project_name }}
--os-username {{ openstack_auth.username }}
--os-password {{ openstack_auth.password }}
--os-identity-api-version 3
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
compute service list --format json --column Host --service nova-compute
@ -149,9 +149,6 @@ amqp_durable_queues = true
{% endif %}
[oslo_policy]
# TODO(priteau): Remove enforce_* once secure RBAC is supported
enforce_new_defaults = False
enforce_scope = False
{% if service_name in nova_services_require_policy_json and nova_policy_file is defined %}
policy_file = {{ nova_policy_file }}
{% endif %}
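Review bot: Dropping `enforce_new_defaults = False` and `enforce_scope = False` leaves Nova's policy enforcement at whatever the deployed Nova release defaults to, so the effective posture is no longer stated in the rendered `nova.conf` and differs between images; the commit message says the intent is to enable scope and the new defaults. Writing `enforce_new_defaults = True` and `enforce_scope = True` explicitly under `[oslo_policy]` records that decision where an operator auditing the config will look for it. The `policy_file` line that remains deserves a comment as well: a custom `nova_policy_file` written for the legacy rule set may no longer grant what it used to once scope is enforced, and the upgrade release note added in this commit does not mention the Nova enforcement change.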
@ -76,7 +76,8 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
user_domain_name: "{{ default_user_domain_name }}"
system_scope: "all"
project_name: "{{ keystone_admin_project }}"
domain_name: "default"
.. note::
@ -0,0 +1,9 @@
---
upgrade:
- |
OpenStack services (except Ironic and Keystone) stopped supporting
the system scope in their API policy. Kolla who started using the
system scope token during the OpenStack Xena release needs to revert
it and use the project scope token to perform those services API
operations. The Ironic and Keystone operations are still performed
using the system scope token.