diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index a90aeb89c9..c685db2f66 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -884,9 +884,8 @@ openstack_auth: auth_url: "{{ keystone_admin_url }}" username: "{{ keystone_admin_user }}" password: "{{ keystone_admin_password }}" - project_name: "{{ keystone_admin_project }}" - domain_name: "default" - user_domain_name: "default" + user_domain_name: "{{ default_user_domain_name }}" + system_scope: "all" ####################### # Glance options diff --git a/ansible/roles/barbican/tasks/check.yml b/ansible/roles/barbican/tasks/check.yml index 66692756c7..bba2f1d885 100644 --- a/ansible/roles/barbican/tasks/check.yml +++ b/ansible/roles/barbican/tasks/check.yml @@ -7,7 +7,7 @@ --os-auth-url={{ openstack_auth.auth_url }} \ --os-password={{ openstack_auth.password }} \ --os-username={{ openstack_auth.username }} \ - --os-project-name={{ openstack_auth.project_name }} \ + --os-system-scope={{ openstack_auth.system_scope }} secret store -f value -p kolla | head -1 register: barbican_store_secret run_once: True @@ -20,7 +20,7 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} + --os-system-scope={{ openstack_auth.system_scope }} secret get -f value -p {{ barbican_store_secret.stdout }} register: barbican_get_secret failed_when: barbican_get_secret.stdout != 'kolla' @@ -34,7 +34,7 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} + --os-system-scope={{ openstack_auth.system_scope }} secret delete {{ barbican_store_secret.stdout }} run_once: True when: kolla_enable_sanity_barbican | bool 
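Review bot: Dropping `project_name` and `domain_name` from `openstack_auth` removes keys that other templates in this same change still dereference (freezer.conf.j2 keeps `os_project_domain_name = {{ openstack_auth.domain_name }}`), so those renders will hit an undefined attribute unless every remaining reader is moved off the dict. `openstack_auth` is also a deployer-overridable variable, so it is worth recording the new contract right at the definition: `# NOTE: project_name/domain_name were removed; services that cannot use a system-scoped token read keystone_admin_project directly.` A deployer who still overrides the whole dict with the old keys will then see a clear `system_scope` undefined error rather than having to reverse-engineer the change.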
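Review bot: In the first barbican check.yml hunk the replacement line `--os-system-scope={{ openstack_auth.system_scope }}` drops the trailing ` \` that the `--os-auth-url`, `--os-password` and `--os-username` lines above it still carry. If that task's command is a literal (`|`) block scalar the backslash is what joins the option onto the `secret store ... | head -1` line, and removing it splits the invocation; if it is a folded (`>`) scalar it is merely inconsistent with its neighbours. Either way the line should read `--os-system-scope={{ openstack_auth.system_scope }} \` to match the surrounding continuation style, and the task header is outside this hunk so the scalar style cannot be confirmed here.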
diff --git a/ansible/roles/freezer/templates/freezer.conf.j2 b/ansible/roles/freezer/templates/freezer.conf.j2 index b48ec6c864..aaa07dcb78 100644 --- a/ansible/roles/freezer/templates/freezer.conf.j2 +++ b/ansible/roles/freezer/templates/freezer.conf.j2 @@ -15,8 +15,10 @@ jobs_dir = /etc/freezer/scheduler/conf.d os_username = {{ openstack_auth.username }} os_password = {{ openstack_auth.password }} os_auth_url = {{ openstack_auth.auth_url }}/v3 -os_project_name = {{ openstack_auth.project_name }} +os_project_name = {{ keystone_admin_project }} os_project_domain_name = {{ openstack_auth.domain_name }} +# TODO: transition to system scoped token when freezer supports that +# configuration option os_user_domain_name = {{ openstack_auth.user_domain_name }} {% endif %} diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml index f3b6d5f4b5..0814234ce9 100644 --- a/ansible/roles/heat/defaults/main.yml +++ b/ansible/roles/heat/defaults/main.yml @@ -219,7 +219,7 @@ heat_ks_roles: - "{{ heat_stack_user_role }}" heat_ks_user_roles: - - project: "{{ openstack_auth.project_name }}" + - project: "{{ keystone_admin_project }}" user: "{{ openstack_auth.username }}" role: "{{ heat_stack_owner_role }}" diff --git a/ansible/roles/heat/tasks/bootstrap_service.yml b/ansible/roles/heat/tasks/bootstrap_service.yml index 849d218bbb..4f166b8dc9 100644 --- a/ansible/roles/heat/tasks/bootstrap_service.yml +++ b/ansible/roles/heat/tasks/bootstrap_service.yml @@ -15,7 +15,8 @@ OS_INTERFACE: "internal" OS_USERNAME: "{{ openstack_auth.username }}" OS_PASSWORD: "{{ openstack_auth.password }}" - OS_PROJECT_NAME: "{{ openstack_auth.project_name }}" + OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}" + OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}" OS_REGION_NAME: "{{ openstack_region_name }}" OS_CACERT: "{{ openstack_cacert | default(omit) }}" HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}" 
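Review bot: `os_project_domain_name = {{ openstack_auth.domain_name }}` is kept on the new side, but the same change deletes `domain_name` from the `openstack_auth` dict in group_vars/all.yml, so rendering freezer.conf.j2 will fail on an undefined attribute under Ansible's default strict undefined handling. Since `os_project_name` was already switched to `{{ keystone_admin_project }}`, the domain should likewise come from a standalone variable, e.g. `os_project_domain_name = {{ default_project_domain_name }}` if the project defines that name alongside the visible `default_user_domain_name` (otherwise the appropriate `default_project_domain_*` variable). The TODO about system scope is also placed between the project-domain and user-domain lines; it reads better directly above `os_project_name`, the line it describes.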
diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2 index 9b7de4d5c2..77bbc3f208 100644 --- a/ansible/roles/ironic/templates/ironic.conf.j2 +++ b/ansible/roles/ironic/templates/ironic.conf.j2 @@ -75,7 +75,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres [cinder] auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} @@ -89,7 +89,7 @@ cafile = {{ openstack_cacert }} [glance] auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} @@ -103,7 +103,7 @@ cafile = {{ openstack_cacert }} [neutron] auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} @@ -118,7 +118,7 @@ cafile = {{ openstack_cacert }} [nova] auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} @@ -132,7 +132,7 @@ cafile = {{ openstack_cacert }} [swift] auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = {{ default_project_domain_id }} +project_domain_id = {{ default_project_domain_id }} user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ ironic_keystone_user }} 
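Review bot: In the [cinder], [glance], [neutron] and [nova] sections `project_domain_id` is now templated as `{{ default_project_domain_id }}` but the line right below it, `user_domain_id = default`, stays hard-coded, so a deployment whose service users live in a non-default domain will still authenticate against the wrong user domain. The [swift] section in the same file already shows the intended form, `user_domain_id = {{ default_user_domain_id }}`, and the four sections should match it. The [swift] hunk itself replaces `project_domain_id = {{ default_project_domain_id }}` with an identical line, which suggests a whitespace-only change that could be dropped from the patch.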
@@ -146,7 +146,7 @@ cafile = {{ openstack_cacert }} {% if ironic_enable_keystone_integration | bool %} auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} @@ -163,7 +163,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }} {% if ironic_enable_keystone_integration | bool %} auth_url = {{ keystone_admin_url }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = service username = {{ ironic_keystone_user }} diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml index d79bdce8c8..4e7bdccc62 100644 --- a/ansible/roles/keystone/tasks/register.yml +++ b/ansible/roles/keystone/tasks/register.yml @@ -3,7 +3,7 @@ become: true command: > docker exec keystone kolla_keystone_bootstrap - {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }} + {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }} admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }} register: keystone_bootstrap changed_when: (keystone_bootstrap.stdout | from_json).changed diff --git a/ansible/roles/keystone/tasks/register_identity_providers.yml b/ansible/roles/keystone/tasks/register_identity_providers.yml index 40dd5b032e..d99cbe762d 100644 --- a/ansible/roles/keystone/tasks/register_identity_providers.yml +++ b/ansible/roles/keystone/tasks/register_identity_providers.yml 
@@ -5,13 +5,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %} mapping list -c ID --format value run_once: True become: True @@ -27,13 +26,13 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %} mapping delete {{ item }} run_once: True become: true 
@@ -62,13 +61,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %} mapping create --rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}" {{ item.name }} @@ -84,15 +82,14 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %} mapping set - --rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}" + --rules="{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}" {{ item.name }} run_once: True when: 
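Review bot: The `mapping create` task leaves `--os-interface {{ openstack_interface }}` in the space-separated form while every sibling task in this file was converted to `--os-interface={{ openstack_interface }}` in the same change. Both forms are accepted by openstackclient, so this is purely a style point, but the inconsistency makes the file harder to grep and review; change it to `--os-interface={{ openstack_interface }}` here too.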
@@ -106,13 +103,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %} identity provider list -c ID --format value run_once: True register: existing_idps_register @@ -128,13 +124,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %} identity provider delete {{ item }} run_once: True with_items: "{{ existing_idps }}" 
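Review bot: The `identity provider delete` task has a typo in `--os-region-name={ openstack_region_name }}`: the opening brace is missing, so Jinja will not expand it and the shell receives the literal text `--os-region-name={ openstack_region_name }}` split into separate words, which openstackclient will reject. It should read `--os-region-name={{ openstack_region_name }}` like the other tasks in this file. Because this task only runs when stale identity providers exist, the breakage will surface on a reconfigure rather than on a fresh deploy.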
@@ -149,13 +144,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name{{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %} identity provider create --description "{{ item.public_name }}" --remote-id "{{ item.identifier }}" @@ -173,11 +167,10 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} + --os-system-scope {{ openstack_auth.system_scope }} + --os-user-domain-name {{ openstack_auth.user_domain_name }} --os-region-name {{ openstack_region_name }} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} identity provider set 
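Review bot: The `identity provider create` task is missing the `=` in `--os-user-domain-name{{ openstack_auth.user_domain_name }}`, which renders to an unknown option such as `--os-user-domain-nameDefault` and makes openstackclient exit before the command runs. It should be `--os-user-domain-name={{ openstack_auth.user_domain_name }}`. The `identity provider set` hunk below keeps the space-separated option form while its siblings use `=`; harmless, but worth aligning while fixing this.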
@@ -196,13 +189,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %} federation protocol create --mapping {{ item.attribute_mapping }} --identity-provider {{ item.name }} @@ -219,13 +211,12 @@ --os-auth-url={{ openstack_auth.auth_url }} --os-password={{ openstack_auth.password }} --os-username={{ openstack_auth.username }} - --os-project-name={{ openstack_auth.project_name }} --os-identity-api-version=3 - --os-interface {{ openstack_interface }} - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-user-domain-name {{ openstack_auth.domain_name }} - --os-region-name {{ openstack_region_name }} - {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %} + --os-interface={{ openstack_interface }} + --os-system-scope={{ openstack_auth.system_scope }} + --os-user-domain-name={{ openstack_auth.user_domain_name }} + --os-region-name={{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %} federation protocol set --identity-provider {{ item.name }} --mapping {{ item.attribute_mapping }} diff --git a/ansible/roles/murano/tasks/import_library_packages.yml b/ansible/roles/murano/tasks/import_library_packages.yml index 615bfa5124..438455c44e 100644 
--- a/ansible/roles/murano/tasks/import_library_packages.yml +++ b/ansible/roles/murano/tasks/import_library_packages.yml @@ -17,8 +17,8 @@ command: > docker exec murano_api murano --os-username {{ openstack_auth.username }} - --os-password {{ keystone_admin_password }} - --os-project-name {{ openstack_auth.project_name }} + --os-password {{ openstack_auth.password }} + --os-system-scope {{ openstack_auth.system_scope }} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} --os-auth-url {{ keystone_admin_url }} --murano-url {{ murano_admin_endpoint }} @@ -33,10 +33,10 @@ command: > docker exec murano_api murano --os-username {{ openstack_auth.username }} - --os-password {{ keystone_admin_password }} - --os-project-name {{ openstack_auth.project_name }} + --os-password {{ openstack_auth.password }} + --os-system-scope {{ openstack_auth.system_scope }} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} - --os-auth-url {{ keystone_admin_url }} + --os-auth-url {{ openstack_auth.auth_url }} --murano-url {{ murano_admin_endpoint }} package-import --exists-action u --is-public /io.murano.zip run_once: True @@ -49,10 +49,10 @@ command: > docker exec murano_api murano --os-username {{ openstack_auth.username }} - --os-password {{ keystone_admin_password }} - --os-project-name {{ openstack_auth.project_name }} + --os-password {{ openstack_auth.password }} + --os-system-scope {{ openstack_auth.system_scope }} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} - --os-auth-url {{ keystone_admin_url }} + --os-auth-url {{ openstack_auth.auth_url }} --murano-url {{ murano_admin_endpoint }} package-import --exists-action u --is-public /io.murano.applications.zip run_once: True diff --git a/ansible/roles/nova-cell/tasks/discover_computes.yml b/ansible/roles/nova-cell/tasks/discover_computes.yml index 1ee0e1c0ec..d13589cca8 100644 --- a/ansible/roles/nova-cell/tasks/discover_computes.yml 
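Review bot: The first `package-import` task in import_library_packages.yml still uses `--os-auth-url {{ keystone_admin_url }}` while the second and third tasks in the same file were switched to `--os-auth-url {{ openstack_auth.auth_url }}`; the three should agree, and the `openstack_auth.auth_url` form is what the rest of this change standardises on. Separately, these tasks now pass `--os-system-scope` to the `murano` CLI rather than to `openstack`; it is worth confirming that the muranoclient version shipped in the image accepts that option, since an unrecognised argument here will make all library imports fail.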
+++ b/ansible/roles/nova-cell/tasks/discover_computes.yml @@ -28,13 +28,12 @@ command: > docker exec kolla_toolbox openstack --os-interface {{ openstack_interface }} - --os-auth-url {{ keystone_admin_url }} - --os-identity-api-version 3 - --os-project-domain-name {{ openstack_auth.domain_name }} - --os-project-name {{ openstack_auth.project_name }} + --os-auth-url {{ openstack_auth.auth_url }} --os-username {{ openstack_auth.username }} - --os-password {{ keystone_admin_password }} - --os-user-domain-name {{ openstack_auth.domain_name }} + --os-password {{ openstack_auth.password }} + --os-identity-api-version 3 + --os-user-domain-name {{ openstack_auth.user_domain_name }} + --os-system-scope {{ openstack_auth.system_scope }} --os-region-name {{ openstack_region_name }} {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} compute service list --format json --column Host --service nova-compute diff --git a/ansible/roles/skydive/defaults/main.yml b/ansible/roles/skydive/defaults/main.yml index b2ac934499..2d7175132c 100644 --- a/ansible/roles/skydive/defaults/main.yml +++ b/ansible/roles/skydive/defaults/main.yml @@ -41,7 +41,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{ skydive_analyzer_tag: "{{ skydive_tag }}" skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}" -skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}" +skydive_admin_tenant_name: "{{ keystone_admin_project }}" skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent" skydive_agent_tag: "{{ skydive_tag }}" skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}" diff --git a/ansible/roles/skydive/templates/skydive-agent.conf.j2 b/ansible/roles/skydive/templates/skydive-agent.conf.j2 index 15cda502a2..34dba6716c 100644 
--- a/ansible/roles/skydive/templates/skydive-agent.conf.j2 +++ b/ansible/roles/skydive/templates/skydive-agent.conf.j2 @@ -45,11 +45,12 @@ agent: - ovsdb {% endif %} +### TODO migrate from tenant_name to system_scope when supported in skydive neutron: auth_url: {{ keystone_internal_url }}/v3 username: {{ openstack_auth['username'] }} password: {{ openstack_auth['password'] }} - tenant_name: {{ openstack_auth['project_name'] }} + tenant_name: {{ skydive_admin_tenant_name }} region_name: {{ openstack_region_name }} domain_name: Default endpoint_type: internal diff --git a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 index 549bafff22..551b8dc65a 100644 --- a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 +++ b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 @@ -1,5 +1,6 @@ ### Skydive analyzer config file +### TODO migrate from tenant_name to system_scope when supported in skydive auth: keystone: type: keystone diff --git a/ansible/roles/vitrage/templates/vitrage.conf.j2 b/ansible/roles/vitrage/templates/vitrage.conf.j2 index 3fdaa2f9fb..1482f8278a 100644 --- a/ansible/roles/vitrage/templates/vitrage.conf.j2 +++ b/ansible/roles/vitrage/templates/vitrage.conf.j2 @@ -52,7 +52,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres auth_url = {{ keystone_internal_url }}/v3 region_name = {{ openstack_region_name }} auth_type = password -project_domain_id = default +project_domain_id = {{ default_project_domain_id }} user_domain_id = default project_name = admin password = {{ vitrage_keystone_password }} diff --git a/doc/source/user/multi-regions.rst b/doc/source/user/multi-regions.rst index e2a4da6c04..98fd5a7599 100644 --- a/doc/source/user/multi-regions.rst +++ b/doc/source/user/multi-regions.rst 
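Review bot: In skydive-agent.conf.j2 the `neutron` block keeps `domain_name: Default` hard-coded while the rest of this change derives the admin user's domain from `default_user_domain_name`; a deployment with a non-default admin domain will now authenticate inconsistently between skydive and the other services. Consider `domain_name: {{ default_user_domain_name }}`, assuming that variable is what the admin user's domain is meant to follow here. The new `### TODO migrate from tenant_name to system_scope ...` comment sits above the `neutron:` key rather than next to the `tenant_name:` line it refers to; moving it there keeps the hint with the setting.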
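Review bot: In vitrage.conf.j2 `project_domain_id` is now `{{ default_project_domain_id }}` but the adjacent `user_domain_id = default` stays hard-coded, the same partial templating seen in ironic.conf.j2, so the service user's domain is still pinned while the project domain is not. It should become `user_domain_id = {{ default_user_domain_id }}` for consistency. The `project_name = admin` on the next line is pre-existing, but since this change introduces `keystone_admin_project` as the single source for that name, templating it as `project_name = {{ keystone_admin_project }}` would keep vitrage from breaking when the admin project is renamed.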
@@ -73,11 +73,11 @@ the value of ``kolla_internal_fqdn`` in RegionOne: keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}" openstack_auth: - auth_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}" - username: "admin" + auth_url: "{{ keystone_admin_url }}" + username: "{{ keystone_admin_user }}" password: "{{ keystone_admin_password }}" - project_name: "admin" - domain_name: "default" + user_domain_name: "{{ default_user_domain_name }}" + system_scope: "all" .. note:: diff --git a/releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml b/releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml new file mode 100644 index 0000000000..ae7909d08b --- /dev/null +++ b/releasenotes/notes/move-keystone-user-auth-to-system-scope-900db3265861ebde.yaml @@ -0,0 +1,8 @@ +--- +features: + - Transitions to using system-scoped tokens when authenticating as the + Keystone admin user. This is a necessary step towards being able to + enable the updated oslo policies in services that allow finer grained + access to system-level resources and APIs. Since Queens, the admin role + is assigned to the admin user with system scope as well as in the admin + project. diff --git a/tools/init-runonce b/tools/init-runonce index b4b8739917..f8d7b1c179 100755 --- a/tools/init-runonce +++ b/tools/init-runonce @@ -95,7 +95,6 @@ if [[ $ENABLE_EXT_NET -eq 1 ]]; then fi # Get admin user and tenant IDs -ADMIN_USER_ID=$($KOLLA_OPENSTACK_COMMAND user list | awk '/ admin / {print $2}') ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}') ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}')