kolla-ansible/ansible/roles/murano/tasks/import_library_packages.yml
Ghanshyam Mann 283fa242ca Remove system scope token to access services
As per the new RBAC direction in the Zed cycle, we have dropped the
system scope from API policies, and all the policies are hardcoded
to project scope so that any user accessing APIs using a system scope
token will get a 403 error. It is dropped from all the OpenStack services
except for the Ironic service, which will keep system scope; to
support Ironic-only deployments, we are keeping system as well as project
scope in Keystone.

Complete discussion and direction can be found in the below gerrit
change and TC goal direction:

- https://review.opendev.org/c/openstack/governance/+/847418
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept

As phase 2 of the RBAC goal, services will start enabling the new
defaults and project scope by default. For example, Nova did so in
- https://review.opendev.org/c/openstack/nova/+/866218

Kolla started accessing the services using a system scope token in
- https://review.opendev.org/c/openstack/kolla-ansible/+/692179

This commit partially reverts the above change, keeping the
system scope usage only for Keystone and Ironic. All other services are
changed to use the project scope token.

It also enables the scope and new defaults for Nova, which were disabled
by https://review.opendev.org/c/openstack/kolla-ansible/+/870804

Change-Id: I0adbe0a6c39e11d7c9542569085fc5d580f26c9d
2023-01-26 17:52:00 -06:00
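
The behaviour the commit message relies on is that a service policy whose scope_types is hardcoded to project scope rejects a system-scoped token before the role check even runs, while Keystone and Ironic keep accepting both scopes. The following is an added illustration, not kolla-ansible or oslo.policy code: a minimal policy enforcer that mirrors that scope-first check so the 403 outcome can be seen for each kind of token. All class and rule names, and the token contents, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HTTP_OK = 200
HTTP_FORBIDDEN = 403  # what a request with the wrong scope receives from the service


@dataclass
class TokenContext:
    """The parts of a Keystone-validated token that matter for scope checks (constructed)."""
    user_id: str
    roles: List[str]
    project_id: Optional[str] = None      # set when the token is project scoped
    system_scope: Optional[str] = None    # "all" when the token is system scoped

    @property
    def scope(self) -> str:
        return "system" if self.system_scope else "project"


@dataclass
class PolicyRule:
    """A policy rule; post-Zed service defaults carry scope_types=("project",)."""
    name: str
    check: str                             # e.g. "role:member and project_id:%(project_id)s"
    scope_types: Tuple[str, ...] = ("project",)


def _eval_check(check: str, ctx: TokenContext, target: Dict[str, str]) -> bool:
    """Evaluate an 'and'-joined list of key:value terms (a tiny subset of policy syntax).

    A value written as %(name)s is substituted from the target of the request.
    """
    for term in check.split(" and "):
        key, _, value = term.partition(":")
        if value.startswith("%(") and value.endswith(")s"):
            value = target.get(value[2:-2], "")
        if key == "role":
            if value not in ctx.roles:
                return False
        elif key == "project_id":
            if ctx.project_id != value:
                return False
        else:
            raise ValueError(f"unsupported check key: {key}")
    return True


def enforce(rule: PolicyRule, ctx: TokenContext, target: Dict[str, str]) -> int:
    """Return the HTTP status a service would produce for this token and rule.

    The scope check comes first: a token whose scope is not in the rule's
    scope_types is rejected regardless of the roles it carries.
    """
    if ctx.scope not in rule.scope_types:
        return HTTP_FORBIDDEN
    return HTTP_OK if _eval_check(rule.check, ctx, target) else HTTP_FORBIDDEN


def demo() -> Dict[str, int]:
    """Run the three token kinds against a project-only rule and a dual-scope rule."""
    # A Nova-style rule after the new defaults: project scope only (rule name constructed).
    project_only = PolicyRule("compute:servers:create",
                              "role:member and project_id:%(project_id)s")
    # A Keystone-style rule that still accepts both scopes (rule name constructed).
    dual_scope = PolicyRule("identity:list_users", "role:admin",
                            scope_types=("system", "project"))
    target = {"project_id": "proj-kolla"}  # constructed project of the request

    # Constructed tokens: the old system-scoped admin token kolla used to mint,
    # and the project-scoped token the reverted tasks now obtain via --os-project-name.
    system_admin = TokenContext("user-1", ["admin"], system_scope="all")
    project_member = TokenContext("user-2", ["member"], project_id="proj-kolla")
    other_project = TokenContext("user-3", ["member"], project_id="proj-other")

    return {
        "system_token_on_project_rule": enforce(project_only, system_admin, target),
        "project_token_on_project_rule": enforce(project_only, project_member, target),
        "wrong_project_on_project_rule": enforce(project_only, other_project, target),
        "system_token_on_dual_rule": enforce(dual_scope, system_admin, target),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The first result is the failure mode the commit fixes: the system-scoped token carries the admin role, yet the project-only rule returns 403 before roles are consulted. The last result shows why Keystone and Ironic are excluded from the revert, since their rules still list system scope.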

---
- name: Waiting for Murano API service to be ready on first node
  wait_for:
    host: "{{ api_interface_address }}"
    port: "{{ murano_api_port }}"
    connect_timeout: 1
    timeout: 60
  run_once: True
  register: check_murano_port
  until: check_murano_port is success
  retries: 10
  delay: 6
  delegate_to: "{{ groups['murano-api'][0] }}"

# Authentication is project scoped: the CLI is given a project name rather than
# a system scope, matching the policy defaults described in the commit message.
- name: Checking if Murano core and applications library packages exist
  become: true
  command: >
    {{ kolla_container_engine }} exec murano_api murano
    --os-username {{ openstack_auth.username }}
    --os-password {{ openstack_auth.password }}
    --os-project-name {{ openstack_auth.project_name }}
    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
    --os-auth-url {{ openstack_auth.auth_url }}
    --murano-url {{ murano_internal_endpoint }}
    package-list
  register: status
  changed_when: False
  run_once: True
  delegate_to: "{{ groups['murano-api'][0] }}"

- name: Importing Murano core library package
  become: true
  command: >
    {{ kolla_container_engine }} exec murano_api murano
    --os-username {{ openstack_auth.username }}
    --os-password {{ openstack_auth.password }}
    --os-project-name {{ openstack_auth.project_name }}
    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
    --os-auth-url {{ openstack_auth.auth_url }}
    --murano-url {{ murano_internal_endpoint }}
    package-import --exists-action u --is-public /io.murano.zip
  run_once: True
  delegate_to: "{{ groups['murano-api'][0] }}"
  when:
    - status.stdout.find("io.murano") == -1 or kolla_action == "upgrade"

- name: Importing Murano applications library package
  become: true
  command: >
    {{ kolla_container_engine }} exec murano_api murano
    --os-username {{ openstack_auth.username }}
    --os-password {{ openstack_auth.password }}
    --os-project-name {{ openstack_auth.project_name }}
    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
    --os-auth-url {{ openstack_auth.auth_url }}
    --murano-url {{ murano_internal_endpoint }}
    package-import --exists-action u --is-public /io.murano.applications.zip
  run_once: True
  delegate_to: "{{ groups['murano-api'][0] }}"
  when:
    - status.stdout.find("io.murano.applications") == -1 or kolla_action == "upgrade"