diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 8eebaa19db..7be989f87f 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -883,8 +883,9 @@ openstack_auth:
   auth_url: "{{ keystone_internal_url }}"
   username: "{{ keystone_admin_user }}"
   password: "{{ keystone_admin_password }}"
-  user_domain_name: "{{ default_user_domain_name }}"
-  system_scope: "all"
+  project_name: "{{ keystone_admin_project }}"
+  domain_name: "default"
+  user_domain_name: "default"
 
 #######################
 # Glance options
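Review bot: The new `domain_name` and `user_domain_name` entries are hard-coded to "default", whereas the removed line took the user domain from `default_user_domain_name`, so a deployment that overrides that variable would now authenticate the admin user against a different domain than before. I would keep both templated: `domain_name: "{{ default_project_domain_name }}"` and `user_domain_name: "{{ default_user_domain_name }}"`. The freezer template in this change still reads `default_project_domain_name` for the project domain while the nova-cell task reads `openstack_auth.domain_name`, and the multi-regions documentation hunk keeps the templated `user_domain_name`, so the three can disagree. Because `domain_name` is consumed as the project domain, a one-line comment above the key saying so would help.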
diff --git a/ansible/roles/freezer/templates/freezer.conf.j2 b/ansible/roles/freezer/templates/freezer.conf.j2
index 3da301ceff..a64c464895 100644
--- a/ansible/roles/freezer/templates/freezer.conf.j2
+++ b/ansible/roles/freezer/templates/freezer.conf.j2
@@ -15,9 +15,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
 os_username = {{ openstack_auth.username }}
 os_password = {{ openstack_auth.password }}
 os_auth_url = {{ openstack_auth.auth_url }}
-os_project_name = {{ keystone_admin_project }}
-# TODO: transition to system scoped token when freezer supports that
-# configuration option, os_project_domain_name should be removed.
+os_project_name = {{ openstack_auth.project_name }}
 os_project_domain_name = {{ default_project_domain_name }}
 os_user_domain_name = {{ openstack_auth.user_domain_name }}
 {% endif %}
diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml
index d4b630df1c..bead3e918d 100644
--- a/ansible/roles/heat/defaults/main.yml
+++ b/ansible/roles/heat/defaults/main.yml
@@ -235,7 +235,7 @@ heat_ks_roles:
   - "{{ heat_stack_user_role }}"
 
 heat_ks_user_roles:
-  - project: "{{ keystone_admin_project }}"
+  - project: "{{ openstack_auth.project_name }}"
     user: "{{ openstack_auth.username }}"
     role: "{{ heat_stack_owner_role }}"
 
diff --git a/ansible/roles/heat/tasks/bootstrap_service.yml b/ansible/roles/heat/tasks/bootstrap_service.yml
index 4aa7ea9132..dc7038c12f 100644
--- a/ansible/roles/heat/tasks/bootstrap_service.yml
+++ b/ansible/roles/heat/tasks/bootstrap_service.yml
@@ -15,8 +15,8 @@
       OS_INTERFACE: "internal"
       OS_USERNAME: "{{ openstack_auth.username }}"
       OS_PASSWORD: "{{ openstack_auth.password }}"
+      OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
       OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
-      OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
       OS_REGION_NAME: "{{ openstack_region_name }}"
       OS_CACERT: "{{ openstack_cacert | default(omit) }}"
       HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
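Review bot: `OS_PROJECT_NAME` is added without a matching project domain in the lines visible here, so the project lookup appears to rely on the client's default domain, while the nova-cell task in this change passes both `--os-project-domain-name` and `--os-project-name`. Adding `OS_PROJECT_DOMAIN_NAME: "{{ openstack_auth.domain_name }}"` next to it would keep the scope explicit and consistent. The three murano hunks have the same shape, adding `--os-project-name` with no project domain visible. The mapping starts above this hunk, so the variable may already be set there.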
diff --git a/ansible/roles/ironic/tasks/upgrade.yml b/ansible/roles/ironic/tasks/upgrade.yml
index e4e268f4a0..0e020b9df0 100644
--- a/ansible/roles/ironic/tasks/upgrade.yml
+++ b/ansible/roles/ironic/tasks/upgrade.yml
@@ -9,7 +9,7 @@
     --os-password {{ openstack_auth.password }}
     --os-identity-api-version 3
     --os-user-domain-name {{ openstack_auth.user_domain_name }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-system-scope "all"
     --os-region-name {{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     baremetal node list --format json --column "Provisioning State"
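Review bot: `--os-password {{ openstack_auth.password }}` puts the admin password on this task's command line, where it is readable in the host's process list and in Ansible's task output unless the task sets `no_log: true`; the task header is outside this hunk, so I cannot tell whether it does. The heat bootstrap task in this change passes the same credential as `OS_PASSWORD`, apparently through an environment mapping, which avoids the argv exposure. The value is also unquoted, so a password containing whitespace would split into extra arguments. The keystone `register.yml`, murano and nova-cell hunks pass the password the same way.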
diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml
index 9640088948..d3b15fe6fd 100644
--- a/ansible/roles/keystone/tasks/register.yml
+++ b/ansible/roles/keystone/tasks/register.yml
@@ -3,7 +3,7 @@
   become: true
   command: >
     {{ kolla_container_engine }} exec keystone kolla_keystone_bootstrap
-    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
+    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
     admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
   register: keystone_bootstrap
   changed_when: (keystone_bootstrap.stdout | from_json).changed
diff --git a/ansible/roles/keystone/tasks/register_identity_providers.yml b/ansible/roles/keystone/tasks/register_identity_providers.yml
index 4695ab2576..180f9e9607 100644
--- a/ansible/roles/keystone/tasks/register_identity_providers.yml
+++ b/ansible/roles/keystone/tasks/register_identity_providers.yml
@@ -7,7 +7,7 @@
       --os-username={{ openstack_auth.username }}
       --os-identity-api-version=3
       --os-interface={{ openstack_interface }}
-      --os-system-scope={{ openstack_auth.system_scope }}
+      --os-system-scope="all"
       --os-user-domain-name={{ openstack_auth.user_domain_name }}
       --os-region-name={{ openstack_region_name }}
       {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -28,9 +28,9 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping delete {{ item }}
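Review bot: `--os-system-scope="all"` now appears twice in this command, once before and once after `--os-user-domain-name`; the duplicate was carried over from the old lines and the second occurrence can be dropped. Across this file and the ironic upgrade task the scope is now a repeated literal where it used to come from one key, so a later change means editing every command. A single group variable referenced from each command would keep the privileged scope in one auditable place. The task this command belongs to starts above the hunk.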
@@ -64,7 +64,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface {{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -85,7 +85,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -106,7 +106,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -127,7 +127,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
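Review bot: The context line `--os-region-name={ openstack_region_name }}` has a single opening brace, so Jinja will not treat it as an expression and the literal text would be passed as the region name (unless this is an artefact of how the page was rendered). Since the commit edits the adjacent line, it is worth fixing here: `--os-region-name={{ openstack_region_name }}`. The task this command belongs to starts above the hunk.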
@@ -147,7 +147,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@@ -170,7 +170,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface {{ openstack_interface }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-system-scope "all"
     --os-user-domain-name {{ openstack_auth.user_domain_name }}
     --os-region-name {{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
@@ -192,7 +192,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@@ -214,7 +214,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
diff --git a/ansible/roles/murano/tasks/import_library_packages.yml b/ansible/roles/murano/tasks/import_library_packages.yml
index ba8ce43e3b..4b9df1cbeb 100644
--- a/ansible/roles/murano/tasks/import_library_packages.yml
+++ b/ansible/roles/murano/tasks/import_library_packages.yml
@@ -18,7 +18,7 @@
     {{ kolla_container_engine }} exec murano_api murano
     --os-username {{ openstack_auth.username }}
     --os-password {{ openstack_auth.password }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-project-name {{ openstack_auth.project_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     --os-auth-url {{ openstack_auth.auth_url }}
     --murano-url {{ murano_internal_endpoint }}
@@ -34,7 +34,7 @@
     {{ kolla_container_engine }} exec murano_api murano
     --os-username {{ openstack_auth.username }}
     --os-password {{ openstack_auth.password }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-project-name {{ openstack_auth.project_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     --os-auth-url {{ openstack_auth.auth_url }}
     --murano-url {{ murano_internal_endpoint }}
@@ -50,7 +50,7 @@
     {{ kolla_container_engine }} exec murano_api murano
     --os-username {{ openstack_auth.username }}
     --os-password {{ openstack_auth.password }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-project-name {{ openstack_auth.project_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     --os-auth-url {{ openstack_auth.auth_url }}
     --murano-url {{ murano_internal_endpoint }}
diff --git a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
index 1729eed390..4e6bb2417b 100644
--- a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
+++ b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
@@ -11,11 +11,12 @@
         {{ kolla_container_engine }} exec kolla_toolbox openstack
         --os-interface {{ openstack_interface }}
         --os-auth-url {{ openstack_auth.auth_url }}
+        --os-project-domain-name {{ openstack_auth.domain_name }}
+        --os-project-name {{ openstack_auth.project_name }}
         --os-username {{ openstack_auth.username }}
         --os-password {{ openstack_auth.password }}
         --os-identity-api-version 3
         --os-user-domain-name {{ openstack_auth.user_domain_name }}
-        --os-system-scope {{ openstack_auth.system_scope }}
         --os-region-name {{ openstack_region_name }}
         {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
         compute service list --format json --column Host --service nova-compute
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index 7b12e7aa6b..06a635e960 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -149,9 +149,6 @@ amqp_durable_queues = true
 {% endif %}
 
 [oslo_policy]
-# TODO(priteau): Remove enforce_* once secure RBAC is supported
-enforce_new_defaults = False
-enforce_scope = False
 {% if service_name in nova_services_require_policy_json and nova_policy_file is defined %}
 policy_file = {{ nova_policy_file }}
 {% endif %}
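Review bot: Removing `enforce_new_defaults = False` and `enforce_scope = False` leaves `[oslo_policy]` on whatever defaults the deployed Nova release ships, which changes how API requests are authorised independently of the token-scope switch made elsewhere in this commit. Operators who supply `nova_policy_file` with rules written against the old defaults may see access change after upgrade. The release note added by this commit only describes the token scope, so I would add an upgrade entry naming these two options, or a comment here such as `# enforce_scope / enforce_new_defaults follow the Nova defaults`. The section continues below the hunk.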
diff --git a/doc/source/user/multi-regions.rst b/doc/source/user/multi-regions.rst
index 5485bb3246..dcee26d162 100644
--- a/doc/source/user/multi-regions.rst
+++ b/doc/source/user/multi-regions.rst
@@ -76,7 +76,8 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
        username: "{{ keystone_admin_user }}"
        password: "{{ keystone_admin_password }}"
        user_domain_name: "{{ default_user_domain_name }}"
-       system_scope: "all"
+       project_name: "{{ keystone_admin_project }}"
+       domain_name: "default"
 
 .. note::
 
diff --git a/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml b/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml
new file mode 100644
index 0000000000..d790a39fb0
--- /dev/null
+++ b/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    OpenStack services (except Ironic and Keystone) stopped supporting
+    the system scope in their API policy. Kolla who started using the
+    system scope token during the OpenStack Xena release needs to revert
+    it and use the project scope token to perform those services API
+    operations. The Ironic and Keystone operations are still performed
+    using the system scope token.