From aa2e8c319a9acf7f17f979cc43fecc8d01a5ce19 Mon Sep 17 00:00:00 2001
From: Andrew Bonney
Date: Tue, 2 Jul 2024 10:22:46 +0100
Subject: [PATCH] Add new RBAC parameters which are necessary from 2024.1

See https://review.opendev.org/c/openstack/ironic/+/907148

Ironic enables oslo policy RBAC changes from 2024.1 by default. Once enabled, in theory system scoped tokens are required for various actions, but in practice this doesn't necessarily work when interacting with other services. New Ironic variables provide the means to continue with a relatively standard deployment without having to make far-reaching policy changes.

Change-Id: I2cb53414cce3a899a0db5f74e56798de95c6c4b1
---
 defaults/main.yml | 5 +++++
 templates/ironic.conf.j2 | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 55229ac3..65dfbd23 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -122,6 +122,11 @@ ironic_service_token_roles:
 ironic_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 ironic_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
 
+# Enable interaction with Nova and Neutron from 2024.1 with default policy
+# If more than one service project name is necessary, then you may need to
+# override Ironic 'service_role' policy.
+ironic_service_role_elevated_access: True
+
 # The name of the entry in container_networks for the bmaas network
 # This is the default provisioning / inspection / cleaning network for this role
 ironic_container_network_name: "bmaas_address"
diff --git a/templates/ironic.conf.j2 b/templates/ironic.conf.j2
index a31b7780..9254ec8b 100644
--- a/templates/ironic.conf.j2
+++ b/templates/ironic.conf.j2
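Review bot: The comment above `ironic_service_role_elevated_access: True` explains the Nova/Neutron motivation but not what the flag trusts: with elevated access enabled, Ironic's default policy grants system-level access to any token carrying the service role in the project named by `ironic_service_project_name` (rendered as `rbac_service_project_name` in the template hunk), so membership of that project becomes the security boundary for Ironic. I would add `# Any token holding the service role in ironic_service_project_name is granted elevated access; keep that project limited to service accounts.` so operators reading the defaults see the trust implication before relying on it. Style nit: yamllint's truthy rule expects the lowercase spelling, `ironic_service_role_elevated_access: true`.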
@@ -26,6 +26,10 @@ enabled_power_interfaces = {{ filtered_ironic_drivers | json_query('[*].power')
 enabled_console_interfaces = {{ filtered_ironic_drivers | json_query('[*].console') | unique | join(',') }}
 enabled_raid_interfaces = {{ filtered_ironic_drivers | json_query('[*].raid') | unique | join(',') }}
 
+# rbac
+rbac_service_role_elevated_access = {{ ironic_service_role_elevated_access }}
+rbac_service_project_name = {{ ironic_service_project_name }}
+
 [agent]
 
 [amt]
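Review bot: `rbac_service_project_name = {{ ironic_service_project_name }}` renders a variable this commit does not declare — the defaults/main.yml hunk only adds `ironic_service_role_elevated_access` — so unless the role already defines `ironic_service_project_name` elsewhere (plausible, since it is the project Ironic's own service credentials use, but not visible here) the template will fail with an undefined-variable error at render time. If it is not already declared, define it in defaults next to the new flag rather than hiding a `| default()` in the template, so the single project that is granted elevated access is visible to operators in one place. The `# rbac` comment would also say more as `# RBAC: tokens holding the service role in rbac_service_project_name get elevated access when rbac_service_role_elevated_access is true`.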