From 283fa242caffe058ec770941da7889e6e1fbff5b Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann <gmann@ghanshyammann.com>
Date: Tue, 17 Jan 2023 21:10:25 -0600
Subject: [PATCH] Remove system scope token to access services

As per the RBAC new direction in Zed cycle, we have dropped the
system scope from API policies and all the policies are hardcoded
to project scoped so that any user accessing APIs using system scope
will get 403 error. It is dropped from all the OpenStack services
except for the Ironic service which will have system scope and to
support ironic only deployment, we are keeping system as well as project
scope in Keystone.

Complete discussion and direction can be found in the below gerrit
change and TC goal direction:

- https://review.opendev.org/c/openstack/governance/+/847418
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept

As phase-2 of RBAC goal, services will start enabling the new
defaults and project scope by default. For example: Nova did in
- https://review.opendev.org/c/openstack/nova/+/866218

Kolla who start accessing the services using system scope token
- https://review.opendev.org/c/openstack/kolla-ansible/+/692179

This commit partially reverts the above change, keeping system scope usage
only for Keystone and Ironic. All other services are changed to use the
project scope token.

And enable the scope and new defaults for Nova which was disabled
by https://review.opendev.org/c/openstack/kolla-ansible/+/870804

Change-Id: I0adbe0a6c39e11d7c9542569085fc5d580f26c9d
---
 ansible/group_vars/all.yml                    |  5 +++--
 .../roles/freezer/templates/freezer.conf.j2   |  4 +---
 ansible/roles/heat/defaults/main.yml          |  2 +-
 .../roles/heat/tasks/bootstrap_service.yml    |  2 +-
 ansible/roles/ironic/tasks/upgrade.yml        |  2 +-
 ansible/roles/keystone/tasks/register.yml     |  2 +-
 .../tasks/register_identity_providers.yml     | 22 +++++++++----------
 .../murano/tasks/import_library_packages.yml  |  6 ++---
 .../tasks/wait_discover_computes.yml          |  3 ++-
 ansible/roles/nova/templates/nova.conf.j2     |  3 ---
 doc/source/user/multi-regions.rst             |  3 ++-
 ...g-system-scope-token-328a64927dc0fb2e.yaml |  9 ++++++++
 12 files changed, 35 insertions(+), 28 deletions(-)
 create mode 100644 releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 8eebaa19db..7be989f87f 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -883,8 +883,9 @@ openstack_auth:
   auth_url: "{{ keystone_internal_url }}"
   username: "{{ keystone_admin_user }}"
   password: "{{ keystone_admin_password }}"
-  user_domain_name: "{{ default_user_domain_name }}"
-  system_scope: "all"
+  project_name: "{{ keystone_admin_project }}"
+  domain_name: "default"
+  user_domain_name: "default"
 
 #######################
 # Glance options
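Review bot: The new `user_domain_name: "default"` and `domain_name: "default"` hardcode the domain, while the removed line read `{{ default_user_domain_name }}` and the freezer hunk in this same patch still reads `{{ default_project_domain_name }}`, so a deployment that overrides either variable now authenticates in a different domain from the one its admin user and project were created in. Prefer `user_domain_name: "{{ default_user_domain_name }}"` and `domain_name: "{{ default_project_domain_name }}"`. The multi-regions.rst example in this patch keeps `{{ default_user_domain_name }}`, so the documented form and the shipped default also disagree. If `openstack_auth` is handed straight to a keystoneauth/openstacksdk `auth` mapping, confirm that `domain_name` is read there as the project's domain rather than as a request for a domain-scoped token; the nova-cell hunk treats it as the project domain.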
diff --git a/ansible/roles/freezer/templates/freezer.conf.j2 b/ansible/roles/freezer/templates/freezer.conf.j2
index 3da301ceff..a64c464895 100644
--- a/ansible/roles/freezer/templates/freezer.conf.j2
+++ b/ansible/roles/freezer/templates/freezer.conf.j2
@@ -15,9 +15,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
 os_username = {{ openstack_auth.username }}
 os_password = {{ openstack_auth.password }}
 os_auth_url = {{ openstack_auth.auth_url }}
-os_project_name = {{ keystone_admin_project }}
-# TODO: transition to system scoped token when freezer supports that
-# configuration option, os_project_domain_name should be removed.
+os_project_name = {{ openstack_auth.project_name }}
 os_project_domain_name = {{ default_project_domain_name }}
 os_user_domain_name = {{ openstack_auth.user_domain_name }}
 {% endif %}
diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml
index d4b630df1c..bead3e918d 100644
--- a/ansible/roles/heat/defaults/main.yml
+++ b/ansible/roles/heat/defaults/main.yml
@@ -235,7 +235,7 @@ heat_ks_roles:
   - "{{ heat_stack_user_role }}"
 
 heat_ks_user_roles:
-  - project: "{{ keystone_admin_project }}"
+  - project: "{{ openstack_auth.project_name }}"
     user: "{{ openstack_auth.username }}"
     role: "{{ heat_stack_owner_role }}"
 
diff --git a/ansible/roles/heat/tasks/bootstrap_service.yml b/ansible/roles/heat/tasks/bootstrap_service.yml
index 4aa7ea9132..dc7038c12f 100644
--- a/ansible/roles/heat/tasks/bootstrap_service.yml
+++ b/ansible/roles/heat/tasks/bootstrap_service.yml
@@ -15,8 +15,8 @@
       OS_INTERFACE: "internal"
       OS_USERNAME: "{{ openstack_auth.username }}"
       OS_PASSWORD: "{{ openstack_auth.password }}"
+      OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
       OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
-      OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
       OS_REGION_NAME: "{{ openstack_region_name }}"
       OS_CACERT: "{{ openstack_cacert | default(omit) }}"
       HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
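Review bot: `OS_PROJECT_NAME` is added without a matching `OS_PROJECT_DOMAIN_NAME`, so project scope is requested by name with no domain to resolve it in; Keystone v3 generally rejects a project name that is not qualified by a domain unless the client fills one in, which cannot be confirmed from here. The nova-cell hunk in this patch passes `--os-project-domain-name {{ openstack_auth.domain_name }}`; the equivalent here is `OS_PROJECT_DOMAIN_NAME: "{{ openstack_auth.domain_name }}"`. The three murano hunks in import_library_packages.yml have the same gap (`--os-project-name` with no `--os-project-domain-name`). The task that owns this environment block starts outside the hunk.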
diff --git a/ansible/roles/ironic/tasks/upgrade.yml b/ansible/roles/ironic/tasks/upgrade.yml
index e4e268f4a0..0e020b9df0 100644
--- a/ansible/roles/ironic/tasks/upgrade.yml
+++ b/ansible/roles/ironic/tasks/upgrade.yml
@@ -9,7 +9,7 @@
     --os-password {{ openstack_auth.password }}
     --os-identity-api-version 3
     --os-user-domain-name {{ openstack_auth.user_domain_name }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-system-scope "all"
     --os-region-name {{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     baremetal node list --format json --column "Provisioning State"
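Review bot: `--os-system-scope "all"` is now a bare literal here and in all nine hunks of keystone/tasks/register_identity_providers.yml, replacing the single `openstack_auth.system_scope` source that the commit removes from group_vars. Since the commit message frames system scope as a deliberate Keystone/Ironic exception, keeping that exception in one variable (for example a constructed `keystone_system_scope: "all"` in group_vars, referenced from these commands) would make the remaining uses greppable and adjustable in one place. The command block starts outside the hunk.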
diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml
index 9640088948..d3b15fe6fd 100644
--- a/ansible/roles/keystone/tasks/register.yml
+++ b/ansible/roles/keystone/tasks/register.yml
@@ -3,7 +3,7 @@
   become: true
   command: >
     {{ kolla_container_engine }} exec keystone kolla_keystone_bootstrap
-    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
+    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
     admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
   register: keystone_bootstrap
   changed_when: (keystone_bootstrap.stdout | from_json).changed
diff --git a/ansible/roles/keystone/tasks/register_identity_providers.yml b/ansible/roles/keystone/tasks/register_identity_providers.yml
index 4695ab2576..180f9e9607 100644
--- a/ansible/roles/keystone/tasks/register_identity_providers.yml
+++ b/ansible/roles/keystone/tasks/register_identity_providers.yml
@@ -7,7 +7,7 @@
       --os-username={{ openstack_auth.username }}
       --os-identity-api-version=3
       --os-interface={{ openstack_interface }}
-      --os-system-scope={{ openstack_auth.system_scope }}
+      --os-system-scope="all"
       --os-user-domain-name={{ openstack_auth.user_domain_name }}
       --os-region-name={{ openstack_region_name }}
       {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -28,9 +28,9 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
     mapping delete {{ item }}
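Review bot: `--os-system-scope="all"` is passed twice in this one command, once after `--os-interface` and again after `--os-user-domain-name`; the duplicate already existed in the variable form and the commit rewrites both copies instead of dropping one. Remove the second `--os-system-scope="all"` line. The task starts outside the hunk.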
@@ -64,7 +64,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface {{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -85,7 +85,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -106,7 +106,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -127,7 +127,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
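Review bot: The context line `--os-region-name={ openstack_region_name }}` has only one opening brace, so Jinja leaves it as literal text and the rendered command carries `--os-region-name={ openstack_region_name }}` instead of the region; if this command uses the same `>` folding as keystone/tasks/register.yml, that presumably splits into several stray arguments. The defect predates this commit but sits in the command being changed; fix it to `--os-region-name={{ openstack_region_name }}`. The task starts outside the hunk.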
@@ -147,7 +147,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@@ -170,7 +170,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface {{ openstack_interface }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-system-scope "all"
     --os-user-domain-name {{ openstack_auth.user_domain_name }}
     --os-region-name {{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
@@ -192,7 +192,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@@ -214,7 +214,7 @@
     --os-username={{ openstack_auth.username }}
     --os-identity-api-version=3
     --os-interface={{ openstack_interface }}
-    --os-system-scope={{ openstack_auth.system_scope }}
+    --os-system-scope="all"
     --os-user-domain-name={{ openstack_auth.user_domain_name }}
     --os-region-name={{ openstack_region_name }}
     {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
diff --git a/ansible/roles/murano/tasks/import_library_packages.yml b/ansible/roles/murano/tasks/import_library_packages.yml
index ba8ce43e3b..4b9df1cbeb 100644
--- a/ansible/roles/murano/tasks/import_library_packages.yml
+++ b/ansible/roles/murano/tasks/import_library_packages.yml
@@ -18,7 +18,7 @@
     {{ kolla_container_engine }} exec murano_api murano
     --os-username {{ openstack_auth.username }}
     --os-password {{ openstack_auth.password }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-project-name {{ openstack_auth.project_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     --os-auth-url {{ openstack_auth.auth_url }}
     --murano-url {{ murano_internal_endpoint }}
@@ -34,7 +34,7 @@
     {{ kolla_container_engine }} exec murano_api murano
     --os-username {{ openstack_auth.username }}
     --os-password {{ openstack_auth.password }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-project-name {{ openstack_auth.project_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     --os-auth-url {{ openstack_auth.auth_url }}
     --murano-url {{ murano_internal_endpoint }}
@@ -50,7 +50,7 @@
     {{ kolla_container_engine }} exec murano_api murano
     --os-username {{ openstack_auth.username }}
     --os-password {{ openstack_auth.password }}
-    --os-system-scope {{ openstack_auth.system_scope }}
+    --os-project-name {{ openstack_auth.project_name }}
     {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
     --os-auth-url {{ openstack_auth.auth_url }}
     --murano-url {{ murano_internal_endpoint }}
diff --git a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
index 1729eed390..4e6bb2417b 100644
--- a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
+++ b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
@@ -11,11 +11,12 @@
         {{ kolla_container_engine }} exec kolla_toolbox openstack
         --os-interface {{ openstack_interface }}
         --os-auth-url {{ openstack_auth.auth_url }}
+        --os-project-domain-name {{ openstack_auth.domain_name }}
+        --os-project-name {{ openstack_auth.project_name }}
         --os-username {{ openstack_auth.username }}
         --os-password {{ openstack_auth.password }}
         --os-identity-api-version 3
         --os-user-domain-name {{ openstack_auth.user_domain_name }}
-        --os-system-scope {{ openstack_auth.system_scope }}
         --os-region-name {{ openstack_region_name }}
         {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
         compute service list --format json --column Host --service nova-compute
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index 7b12e7aa6b..06a635e960 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -149,9 +149,6 @@ amqp_durable_queues = true
 {% endif %}
 
 [oslo_policy]
-# TODO(priteau): Remove enforce_* once secure RBAC is supported
-enforce_new_defaults = False
-enforce_scope = False
 {% if service_name in nova_services_require_policy_json and nova_policy_file is defined %}
 policy_file = {{ nova_policy_file }}
 {% endif %}
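Review bot: Removing `enforce_new_defaults = False` and `enforce_scope = False` leaves both to Nova's own defaults, so enforcement now depends on the deployed Nova version rather than on this template; on a Nova where both default to True, an operator-supplied `nova_policy_file` (the `policy_file` option kept just below) written against the legacy rules may start denying admin operations. Consider writing `enforce_new_defaults = True` and `enforce_scope = True` explicitly so the intent is visible in the rendered config, and extend the release note in this patch, which covers only the system-scope change and says nothing about Nova scope and new-defaults enforcement being enabled.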
diff --git a/doc/source/user/multi-regions.rst b/doc/source/user/multi-regions.rst
index 5485bb3246..dcee26d162 100644
--- a/doc/source/user/multi-regions.rst
+++ b/doc/source/user/multi-regions.rst
@@ -76,7 +76,8 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
        username: "{{ keystone_admin_user }}"
        password: "{{ keystone_admin_password }}"
        user_domain_name: "{{ default_user_domain_name }}"
-       system_scope: "all"
+       project_name: "{{ keystone_admin_project }}"
+       domain_name: "default"
 
 .. note::
 
diff --git a/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml b/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml
new file mode 100644
index 0000000000..d790a39fb0
--- /dev/null
+++ b/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    OpenStack services (except Ironic and Keystone) stopped supporting
+    the system scope in their API policy. Kolla who started using the
+    system scope token during the OpenStack Xena release needs to revert
+    it and use the project scope token to perform those services API
+    operations. The Ironic and Keystone operations are still performed
+    using the system scope token.