Transition Keystone admin user to system scope
A system-scoped token implies the user has authorization to act on the deployment system. These tokens are useful for interacting with resources that affect the deployment as a whole, or that expose resources which would otherwise violate project or domain isolation. Since Queens, the keystone-manage bootstrap command assigns the admin role to the admin user with system scope, as well as in the admin project. This patch transitions the Keystone admin user from authenticating with project-scoped tokens to system-scoped tokens. This is a necessary step towards being able to enable the updated oslo policies in services that allow finer-grained access to system-level resources and APIs. An etherpad with discussion about the transition to the new oslo service policies is: https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585 Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>
parent
3455105321
commit
2e933dceb5
@ -884,9 +884,8 @@ openstack_auth:
|
||||
auth_url: "{{ keystone_admin_url }}"
|
||||
username: "{{ keystone_admin_user }}"
|
||||
password: "{{ keystone_admin_password }}"
|
||||
project_name: "{{ keystone_admin_project }}"
|
||||
domain_name: "default"
|
||||
user_domain_name: "default"
|
||||
user_domain_name: "{{ default_user_domain_name }}"
|
||||
system_scope: "all"
|
||||
|
||||
#######################
|
||||
# Glance options
|
||||
|
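Review bot: `system_scope: "all"` lands in `openstack_auth` with no comment, yet every task that now passes `--os-system-scope` depends on the admin user actually holding the admin role with system scope, which the commit message says `keystone-manage bootstrap` grants only since Queens; an operator overriding `openstack_auth` (the multi-region docs hunk shows this is expected) gets no hint of that requirement. Suggest a comment above the key: `# Authenticate with a system-scoped token instead of a project-scoped one; requires the admin role assigned to this user with system scope (done by keystone-manage bootstrap since Queens).` Dropping `project_name` and `domain_name` from this mapping also turns any remaining `openstack_auth.project_name` / `openstack_auth.domain_name` reference elsewhere into an undefined-attribute templating error, so every template that dereferences them must be updated in the same change. Which lines are removed here is inferred from the 9-old/8-new hunk counts rather than shown explicitly.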
@ -7,7 +7,7 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }} \
|
||||
--os-password={{ openstack_auth.password }} \
|
||||
--os-username={{ openstack_auth.username }} \
|
||||
--os-project-name={{ openstack_auth.project_name }} \
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
secret store -f value -p kolla | head -1
|
||||
register: barbican_store_secret
|
||||
run_once: True
|
||||
@ -20,7 +20,7 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
secret get -f value -p {{ barbican_store_secret.stdout }}
|
||||
register: barbican_get_secret
|
||||
failed_when: barbican_get_secret.stdout != 'kolla'
|
||||
@ -34,7 +34,7 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
secret delete {{ barbican_store_secret.stdout }}
|
||||
run_once: True
|
||||
when: kolla_enable_sanity_barbican | bool
|
||||
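Review bot: The three `openstack secret …` calls now authenticate with `--os-system-scope={{ openstack_auth.system_scope }}` and no project, but a barbican secret is owned by a project and a system-scoped token carries no project ID, so `secret store` in the first task may be rejected by barbican instead of exercising the sanity path; this needs verifying against a live deployment before the check is relied on. If it is rejected, this sanity check is a case where a project-scoped token is still the right tool: keep `--os-project-name={{ keystone_admin_project }}` together with a matching `--os-project-domain-name` instead of `--os-system-scope` for these three commands. The task headers are above each hunk, so the task names are not visible here.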
|
@ -15,8 +15,10 @@ jobs_dir = /etc/freezer/scheduler/conf.d
|
||||
os_username = {{ openstack_auth.username }}
|
||||
os_password = {{ openstack_auth.password }}
|
||||
os_auth_url = {{ openstack_auth.auth_url }}/v3
|
||||
os_project_name = {{ openstack_auth.project_name }}
|
||||
os_project_name = {{ keystone_admin_project }}
|
||||
os_project_domain_name = {{ openstack_auth.domain_name }}
|
||||
# TODO: transition to system scoped token when freezer supports that
|
||||
# configuration option
|
||||
os_user_domain_name = {{ openstack_auth.user_domain_name }}
|
||||
{% endif %}
|
||||
|
||||
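Review bot: `os_project_domain_name = {{ openstack_auth.domain_name }}` is kept unchanged on the new side while the `openstack_auth` mapping in group_vars drops its `domain_name` key in the same commit, so rendering this freezer-scheduler config will raise an undefined-attribute error and the freezer config task fails. Replace it with the project-domain counterpart of the `default_user_domain_name` variable this commit uses elsewhere (the ironic hunks use `default_project_domain_id`; a `default_project_domain_name` presumably exists alongside it, verify), e.g. `os_project_domain_name = {{ default_project_domain_name }}`. That the line is context rather than changed is inferred from the 8-old/10-new hunk counts; a grep for every remaining `openstack_auth.domain_name` and `openstack_auth.project_name` reference before merging would catch any other instance.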
|
@ -219,7 +219,7 @@ heat_ks_roles:
|
||||
- "{{ heat_stack_user_role }}"
|
||||
|
||||
heat_ks_user_roles:
|
||||
- project: "{{ openstack_auth.project_name }}"
|
||||
- project: "{{ keystone_admin_project }}"
|
||||
user: "{{ openstack_auth.username }}"
|
||||
role: "{{ heat_stack_owner_role }}"
|
||||
|
||||
|
@ -15,7 +15,8 @@
|
||||
OS_INTERFACE: "internal"
|
||||
OS_USERNAME: "{{ openstack_auth.username }}"
|
||||
OS_PASSWORD: "{{ openstack_auth.password }}"
|
||||
OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
|
||||
OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
|
||||
OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
|
||||
OS_REGION_NAME: "{{ openstack_region_name }}"
|
||||
OS_CACERT: "{{ openstack_cacert | default(omit) }}"
|
||||
HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
|
||||
|
@ -75,7 +75,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
|
||||
[cinder]
|
||||
auth_url = {{ keystone_admin_url }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
user_domain_id = default
|
||||
project_name = service
|
||||
username = {{ ironic_keystone_user }}
|
||||
@ -89,7 +89,7 @@ cafile = {{ openstack_cacert }}
|
||||
[glance]
|
||||
auth_url = {{ keystone_admin_url }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
user_domain_id = default
|
||||
project_name = service
|
||||
username = {{ ironic_keystone_user }}
|
||||
@ -103,7 +103,7 @@ cafile = {{ openstack_cacert }}
|
||||
[neutron]
|
||||
auth_url = {{ keystone_admin_url }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
user_domain_id = default
|
||||
project_name = service
|
||||
username = {{ ironic_keystone_user }}
|
||||
@ -118,7 +118,7 @@ cafile = {{ openstack_cacert }}
|
||||
[nova]
|
||||
auth_url = {{ keystone_admin_url }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
user_domain_id = default
|
||||
project_name = service
|
||||
username = {{ ironic_keystone_user }}
|
||||
@ -132,7 +132,7 @@ cafile = {{ openstack_cacert }}
|
||||
[swift]
|
||||
auth_url = {{ keystone_admin_url }}
|
||||
auth_type = password
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
user_domain_id = {{ default_user_domain_id }}
|
||||
project_name = service
|
||||
username = {{ ironic_keystone_user }}
|
||||
@ -146,7 +146,7 @@ cafile = {{ openstack_cacert }}
|
||||
{% if ironic_enable_keystone_integration | bool %}
|
||||
auth_url = {{ keystone_admin_url }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
user_domain_id = default
|
||||
project_name = service
|
||||
username = {{ ironic_keystone_user }}
|
||||
@ -163,7 +163,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
|
||||
{% if ironic_enable_keystone_integration | bool %}
|
||||
auth_url = {{ keystone_admin_url }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
user_domain_id = default
|
||||
project_name = service
|
||||
username = {{ ironic_keystone_user }}
|
||||
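Review bot: The `[cinder]`, `[glance]`, `[neutron]` and `[nova]` stanzas, and the two stanzas guarded by `{% if ironic_enable_keystone_integration | bool %}`, now read `project_domain_id = {{ default_project_domain_id }}` but keep `user_domain_id = default` hard-coded on the very next line, while the `[swift]` stanza already uses `user_domain_id = {{ default_user_domain_id }}`; a deployment that overrides the default domain IDs would have the ironic service user looked up in the wrong domain in six of the seven stanzas. Change each remaining line to `user_domain_id = {{ default_user_domain_id }}` so every stanza agrees with `[swift]`. The section names of the two guarded stanzas are above their hunks and not visible here.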
|
@ -3,7 +3,7 @@
|
||||
become: true
|
||||
command: >
|
||||
docker exec keystone kolla_keystone_bootstrap
|
||||
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
|
||||
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
|
||||
admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
|
||||
register: keystone_bootstrap
|
||||
changed_when: (keystone_bootstrap.stdout | from_json).changed
|
||||
|
@ -5,13 +5,12 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||
mapping list -c ID --format value
|
||||
run_once: True
|
||||
become: True
|
||||
@ -27,13 +26,13 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||
mapping delete {{ item }}
|
||||
run_once: True
|
||||
become: true
|
||||
@ -62,13 +61,12 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||
mapping create
|
||||
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
|
||||
{{ item.name }}
|
||||
@ -84,15 +82,14 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||
mapping set
|
||||
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
|
||||
--rules="{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
|
||||
{{ item.name }}
|
||||
run_once: True
|
||||
when:
|
||||
@ -106,13 +103,12 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
|
||||
identity provider list -c ID --format value
|
||||
run_once: True
|
||||
register: existing_idps_register
|
||||
@ -128,13 +124,12 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||
identity provider delete {{ item }}
|
||||
run_once: True
|
||||
with_items: "{{ existing_idps }}"
|
||||
@ -149,13 +144,12 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-user-domain-name{{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||
identity provider create
|
||||
--description "{{ item.public_name }}"
|
||||
--remote-id "{{ item.identifier }}"
|
||||
@ -173,11 +167,10 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
--os-user-domain-name {{ openstack_auth.user_domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
identity provider set
|
||||
@ -196,13 +189,12 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||
federation protocol create
|
||||
--mapping {{ item.attribute_mapping }}
|
||||
--identity-provider {{ item.name }}
|
||||
@ -219,13 +211,12 @@
|
||||
--os-auth-url={{ openstack_auth.auth_url }}
|
||||
--os-password={{ openstack_auth.password }}
|
||||
--os-username={{ openstack_auth.username }}
|
||||
--os-project-name={{ openstack_auth.project_name }}
|
||||
--os-identity-api-version=3
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
|
||||
--os-interface={{ openstack_interface }}
|
||||
--os-system-scope={{ openstack_auth.system_scope }}
|
||||
--os-user-domain-name={{ openstack_auth.user_domain_name }}
|
||||
--os-region-name={{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
|
||||
federation protocol set
|
||||
--identity-provider {{ item.name }}
|
||||
--mapping {{ item.attribute_mapping }}
|
||||
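Review bot: Two of the rewritten option lines look broken as rendered: the `identity provider delete` task has `--os-region-name={ openstack_region_name }}` (a single opening brace, so Jinja leaves the text literally and the region name is garbage) and the `identity provider create` task has `--os-user-domain-name{{ openstack_auth.user_domain_name }}` with no `=`, which the CLI will reject as an unknown option; both should read `--os-region-name={{ openstack_region_name }}` and `--os-user-domain-name={{ openstack_auth.user_domain_name }}`. The `mapping delete` task also passes `--os-system-scope={{ openstack_auth.system_scope }}` twice, harmless to argparse but clearly a leftover, and the `identity provider set` task alone keeps the space-separated `--os-system-scope {{ … }}` form while every other task in the file switched to `=`. Worth confirming against the raw patch that the two typos are in the commit rather than an artifact of this rendering.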
|
@ -17,8 +17,8 @@
|
||||
command: >
|
||||
docker exec murano_api murano
|
||||
--os-username {{ openstack_auth.username }}
|
||||
--os-password {{ keystone_admin_password }}
|
||||
--os-project-name {{ openstack_auth.project_name }}
|
||||
--os-password {{ openstack_auth.password }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||
--os-auth-url {{ keystone_admin_url }}
|
||||
--murano-url {{ murano_admin_endpoint }}
|
||||
@ -33,10 +33,10 @@
|
||||
command: >
|
||||
docker exec murano_api murano
|
||||
--os-username {{ openstack_auth.username }}
|
||||
--os-password {{ keystone_admin_password }}
|
||||
--os-project-name {{ openstack_auth.project_name }}
|
||||
--os-password {{ openstack_auth.password }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||
--os-auth-url {{ keystone_admin_url }}
|
||||
--os-auth-url {{ openstack_auth.auth_url }}
|
||||
--murano-url {{ murano_admin_endpoint }}
|
||||
package-import --exists-action u --is-public /io.murano.zip
|
||||
run_once: True
|
||||
@ -49,10 +49,10 @@
|
||||
command: >
|
||||
docker exec murano_api murano
|
||||
--os-username {{ openstack_auth.username }}
|
||||
--os-password {{ keystone_admin_password }}
|
||||
--os-project-name {{ openstack_auth.project_name }}
|
||||
--os-password {{ openstack_auth.password }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||
--os-auth-url {{ keystone_admin_url }}
|
||||
--os-auth-url {{ openstack_auth.auth_url }}
|
||||
--murano-url {{ murano_admin_endpoint }}
|
||||
package-import --exists-action u --is-public /io.murano.applications.zip
|
||||
run_once: True
|
||||
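Review bot: The first task keeps `--os-auth-url {{ keystone_admin_url }}` on the new side while the two `package-import` tasks below replace it with `--os-auth-url {{ openstack_auth.auth_url }}`; the three commands should take the auth URL from the same place, so change the first to `--os-auth-url {{ openstack_auth.auth_url }}` as well. Whether the standalone `murano` CLI honours `--os-system-scope` cannot be told from these hunks; it depends on which keystoneauth arguments the client registers, so verify that the three commands obtain a system-scoped token rather than an unscoped one that then fails at the murano API. Each task's header is above its hunk, so the task names are not visible here.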
|
@ -28,13 +28,12 @@
|
||||
command: >
|
||||
docker exec kolla_toolbox openstack
|
||||
--os-interface {{ openstack_interface }}
|
||||
--os-auth-url {{ keystone_admin_url }}
|
||||
--os-identity-api-version 3
|
||||
--os-project-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-project-name {{ openstack_auth.project_name }}
|
||||
--os-auth-url {{ openstack_auth.auth_url }}
|
||||
--os-username {{ openstack_auth.username }}
|
||||
--os-password {{ keystone_admin_password }}
|
||||
--os-user-domain-name {{ openstack_auth.domain_name }}
|
||||
--os-password {{ openstack_auth.password }}
|
||||
--os-identity-api-version 3
|
||||
--os-user-domain-name {{ openstack_auth.user_domain_name }}
|
||||
--os-system-scope {{ openstack_auth.system_scope }}
|
||||
--os-region-name {{ openstack_region_name }}
|
||||
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
|
||||
compute service list --format json --column Host --service nova-compute
|
||||
|
@ -41,7 +41,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{
|
||||
skydive_analyzer_tag: "{{ skydive_tag }}"
|
||||
skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
|
||||
|
||||
skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}"
|
||||
skydive_admin_tenant_name: "{{ keystone_admin_project }}"
|
||||
skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
|
||||
skydive_agent_tag: "{{ skydive_tag }}"
|
||||
skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"
|
||||
|
@ -45,11 +45,12 @@ agent:
|
||||
- ovsdb
|
||||
{% endif %}
|
||||
|
||||
### TODO migrate from tenant_name to system_scope when supported in skydive
|
||||
neutron:
|
||||
auth_url: {{ keystone_internal_url }}/v3
|
||||
username: {{ openstack_auth['username'] }}
|
||||
password: {{ openstack_auth['password'] }}
|
||||
tenant_name: {{ openstack_auth['project_name'] }}
|
||||
tenant_name: {{ skydive_admin_tenant_name }}
|
||||
region_name: {{ openstack_region_name }}
|
||||
domain_name: Default
|
||||
endpoint_type: internal
|
||||
|
@ -1,5 +1,6 @@
|
||||
### Skydive analyzer config file
|
||||
|
||||
### TODO migrate from tenant_name to system_scope when supported in skydive
|
||||
auth:
|
||||
keystone:
|
||||
type: keystone
|
||||
|
@ -52,7 +52,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
|
||||
auth_url = {{ keystone_internal_url }}/v3
|
||||
region_name = {{ openstack_region_name }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
user_domain_id = default
|
||||
project_name = admin
|
||||
password = {{ vitrage_keystone_password }}
|
||||
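Review bot: This stanza parameterises `project_domain_id = {{ default_project_domain_id }}` but leaves `user_domain_id = default` and `project_name = admin` hard-coded right below it, the same half-done change as in the ironic stanzas and at odds with the `default_user_domain_id` and `keystone_admin_project` variables this commit adopts elsewhere. Suggest `user_domain_id = {{ default_user_domain_id }}`, and, if `admin` here is meant to be the keystone admin project, `project_name = {{ keystone_admin_project }}`. The stanza header naming the section is above the hunk, so which vitrage client this block configures is not visible here.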
|
@ -73,11 +73,11 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
|
||||
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
|
||||
|
||||
openstack_auth:
|
||||
auth_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}"
|
||||
username: "admin"
|
||||
auth_url: "{{ keystone_admin_url }}"
|
||||
username: "{{ keystone_admin_user }}"
|
||||
password: "{{ keystone_admin_password }}"
|
||||
project_name: "admin"
|
||||
domain_name: "default"
|
||||
user_domain_name: "{{ default_user_domain_name }}"
|
||||
system_scope: "all"
|
||||
|
||||
.. note::
|
||||
|
||||
|
@ -0,0 +1,8 @@
|
||||
---
|
||||
features:
|
||||
- Transitions to using system-scoped tokens when authenticating as the
|
||||
Keystone admin user. This is a necessary step towards being able to
|
||||
enable the updated oslo policies in services that allow finer grained
|
||||
access to system-level resources and APIs. Since Queens, the admin role
|
||||
is assigned to the admin user with system scope as well as in the admin
|
||||
project.
|
@ -95,7 +95,6 @@ if [[ $ENABLE_EXT_NET -eq 1 ]]; then
|
||||
fi
|
||||
|
||||
# Get admin user and tenant IDs
|
||||
ADMIN_USER_ID=$($KOLLA_OPENSTACK_COMMAND user list | awk '/ admin / {print $2}')
|
||||
ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}')
|
||||
ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}')
|
||||
|
||||
|