Merge "Transition Keystone admin user to system scope"

This commit is contained in:
Zuul 2021-09-30 09:33:10 +00:00 committed by Gerrit Code Review
commit 9e380bf11c
17 changed files with 97 additions and 96 deletions


@ -884,9 +884,8 @@ openstack_auth:
auth_url: "{{ keystone_admin_url }}"
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
project_name: "{{ keystone_admin_project }}"
domain_name: "default"
user_domain_name: "default"
user_domain_name: "{{ default_user_domain_name }}"
system_scope: "all"
#######################
# Glance options
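Review bot: Nothing in the hunk states that `system_scope` is now a required key of `openstack_auth`, yet every task in this commit reads `openstack_auth.system_scope`, so a deployment that overrides the whole `openstack_auth` mapping in its globals.yml (a pre-existing, project-scoped copy) fails with an undefined attribute rather than falling back to project scope. A comment above the mapping would make the contract visible, e.g. `# Overrides of openstack_auth must supply user_domain_name and system_scope; the admin user authenticates with a system-scoped token`, and the release note could carry a matching upgrade entry. Whether `project_name` and `domain_name` are dropped from the mapping is not recoverable from this rendering, though the other hunks stop referencing them.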


@ -7,7 +7,7 @@
--os-auth-url={{ openstack_auth.auth_url }} \
--os-password={{ openstack_auth.password }} \
--os-username={{ openstack_auth.username }} \
--os-project-name={{ openstack_auth.project_name }} \
--os-system-scope={{ openstack_auth.system_scope }}
secret store -f value -p kolla | head -1
register: barbican_store_secret
run_once: True
@ -20,7 +20,7 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-system-scope={{ openstack_auth.system_scope }}
secret get -f value -p {{ barbican_store_secret.stdout }}
register: barbican_get_secret
failed_when: barbican_get_secret.stdout != 'kolla'
@ -34,7 +34,7 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-system-scope={{ openstack_auth.system_scope }}
secret delete {{ barbican_store_secret.stdout }}
run_once: True
when: kolla_enable_sanity_barbican | bool
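Review bot: In the `secret store` command the new line `--os-system-scope={{ openstack_auth.system_scope }}` drops the trailing ` \` that every preceding `--os-*` line carries, while `secret store -f value -p kolla | head -1` still continues the command on the next line; if that task's argument block is a literal (`|`) scalar, `secret store …` runs as a separate shell command. It should read `--os-system-scope={{ openstack_auth.system_scope }} \`; the task header is outside the hunk, so confirm the scalar style (the `get` and `delete` tasks below use no continuations at all). Separately, barbican secrets are owned by a project, so it is worth confirming that a system-scoped token is accepted for `secret store`/`get`/`delete` — the same substitution is made in all three hunks and the check would fail on every deployment otherwise.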


@ -15,8 +15,10 @@ jobs_dir = /etc/freezer/scheduler/conf.d
os_username = {{ openstack_auth.username }}
os_password = {{ openstack_auth.password }}
os_auth_url = {{ openstack_auth.auth_url }}/v3
os_project_name = {{ openstack_auth.project_name }}
os_project_name = {{ keystone_admin_project }}
os_project_domain_name = {{ openstack_auth.domain_name }}
# TODO: transition to system scoped token when freezer supports that
# configuration option
os_user_domain_name = {{ openstack_auth.user_domain_name }}
{% endif %}
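Review bot: `os_project_domain_name = {{ openstack_auth.domain_name }}` is the only reference to `openstack_auth.domain_name` that this commit leaves standing — every other hunk that read the key is removed — so if the key is gone from the mapping the freezer scheduler renders an undefined value here. The line above already switches to `{{ keystone_admin_project }}` instead of the mapping, and the domain line should follow the same pattern, e.g. `os_project_domain_name = {{ default_project_domain_name }}`. The enclosing `{% if %}` block starts outside the hunk.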


@ -219,7 +219,7 @@ heat_ks_roles:
- "{{ heat_stack_user_role }}"
heat_ks_user_roles:
- project: "{{ openstack_auth.project_name }}"
- project: "{{ keystone_admin_project }}"
user: "{{ openstack_auth.username }}"
role: "{{ heat_stack_owner_role }}"


@ -15,7 +15,8 @@
OS_INTERFACE: "internal"
OS_USERNAME: "{{ openstack_auth.username }}"
OS_PASSWORD: "{{ openstack_auth.password }}"
OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
OS_REGION_NAME: "{{ openstack_region_name }}"
OS_CACERT: "{{ openstack_cacert | default(omit) }}"
HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"


@ -75,7 +75,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
[cinder]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
@ -89,7 +89,7 @@ cafile = {{ openstack_cacert }}
[glance]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
@ -103,7 +103,7 @@ cafile = {{ openstack_cacert }}
[neutron]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
@ -118,7 +118,7 @@ cafile = {{ openstack_cacert }}
[nova]
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
@ -146,7 +146,7 @@ cafile = {{ openstack_cacert }}
{% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
@ -163,7 +163,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
{% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
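Review bot: Each of the six hunks parameterises `project_domain_id` but leaves `user_domain_id = default` hard-coded on the very next line, so the two domain settings now come from different sources and an operator who changes `default_project_domain_id` leaves the user domain silently pinned to `default`. If the `default_user_domain_id` counterpart is defined, the pair should be `project_domain_id = {{ default_project_domain_id }}` / `user_domain_id = {{ default_user_domain_id }}`. The vitrage.conf hunk further down has the same pattern and additionally hard-codes `project_name = admin` where the rest of the commit reads `keystone_admin_project`.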


@ -3,7 +3,7 @@
become: true
command: >
docker exec keystone kolla_keystone_bootstrap
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
{{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
register: keystone_bootstrap
changed_when: (keystone_bootstrap.stdout | from_json).changed
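Review bot: The rewritten command line still hands `{{ openstack_auth.password }}` to `kolla_keystone_bootstrap` as a positional argument, so the admin password is visible in the container's process list and in Ansible's verbose/registered output for this task. The task header is outside the hunk; if it does not already set `no_log: true`, that line is the minimal mitigation, and a comment such as `# password is passed on the command line; keep no_log on this task` records why. This is pre-existing, but the commit touches the exact line and is a natural place to address it.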


@ -5,13 +5,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping list -c ID --format value
run_once: True
become: True
@ -27,13 +26,13 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping delete {{ item }}
run_once: True
become: true
@ -62,13 +61,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping create
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
{{ item.name }}
@ -84,15 +82,14 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
mapping set
--rules "{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
--rules="{{ keystone_container_federation_oidc_attribute_mappings_folder }}/{{ item.file | basename }}"
{{ item.name }}
run_once: True
when:
@ -106,13 +103,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
identity provider list -c ID --format value
run_once: True
register: existing_idps_register
@ -128,13 +124,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
identity provider delete {{ item }}
run_once: True
with_items: "{{ existing_idps }}"
@ -149,13 +144,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name{{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
identity provider create
--description "{{ item.public_name }}"
--remote-id "{{ item.identifier }}"
@ -173,11 +167,10 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
identity provider set
@ -196,13 +189,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
federation protocol create
--mapping {{ item.attribute_mapping }}
--identity-provider {{ item.name }}
@ -219,13 +211,12 @@
--os-auth-url={{ openstack_auth.auth_url }}
--os-password={{ openstack_auth.password }}
--os-username={{ openstack_auth.username }}
--os-project-name={{ openstack_auth.project_name }}
--os-identity-api-version=3
--os-interface {{ openstack_interface }}
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
--os-interface={{ openstack_interface }}
--os-system-scope={{ openstack_auth.system_scope }}
--os-user-domain-name={{ openstack_auth.user_domain_name }}
--os-region-name={{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
federation protocol set
--identity-provider {{ item.name }}
--mapping {{ item.attribute_mapping }}
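Review bot: Two rewritten option lines are malformed: `--os-region-name={ openstack_region_name }}` (identity provider delete) has a single opening brace, so Jinja passes the text through and the CLI receives `{ openstack_region_name }}` as the region, and `--os-user-domain-name{{ openstack_auth.user_domain_name }}` (identity provider create) is missing its `=`, producing one unrecognised option. They should read `--os-region-name={{ openstack_region_name }}` and `--os-user-domain-name={{ openstack_auth.user_domain_name }}`. The mapping delete command lists `--os-system-scope={{ openstack_auth.system_scope }}` twice, the mapping create command appears to have lost its `--os-interface=` line, and the identity provider set command alone keeps the space-separated `--os-system-scope {{ … }}` form; some of this may be an artifact of the rendered page, so verify against the file. Every task in this section starts outside its hunk.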


@ -17,8 +17,8 @@
command: >
docker exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }}
--os-project-name {{ openstack_auth.project_name }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ keystone_admin_url }}
--murano-url {{ murano_admin_endpoint }}
@ -33,10 +33,10 @@
command: >
docker exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }}
--os-project-name {{ openstack_auth.project_name }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ keystone_admin_url }}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_admin_endpoint }}
package-import --exists-action u --is-public /io.murano.zip
run_once: True
@ -49,10 +49,10 @@
command: >
docker exec murano_api murano
--os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }}
--os-project-name {{ openstack_auth.project_name }}
--os-password {{ openstack_auth.password }}
--os-system-scope {{ openstack_auth.system_scope }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
--os-auth-url {{ keystone_admin_url }}
--os-auth-url {{ openstack_auth.auth_url }}
--murano-url {{ murano_admin_endpoint }}
package-import --exists-action u --is-public /io.murano.applications.zip
run_once: True
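Review bot: The first murano command keeps `--os-auth-url {{ keystone_admin_url }}` while the two `package-import` commands below switch to `--os-auth-url {{ openstack_auth.auth_url }}`; the three should agree, so the first should also read `--os-auth-url {{ openstack_auth.auth_url }}`. It is also worth confirming that the `murano` client's own argument parser accepts `--os-system-scope`, since the option is rejected before any authentication happens if it does not. Packages imported with `--is-public` are still stored against a project, so the behaviour of the import under a system-scoped token should be checked on a deployment.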


@ -28,13 +28,12 @@
command: >
docker exec kolla_toolbox openstack
--os-interface {{ openstack_interface }}
--os-auth-url {{ keystone_admin_url }}
--os-identity-api-version 3
--os-project-domain-name {{ openstack_auth.domain_name }}
--os-project-name {{ openstack_auth.project_name }}
--os-auth-url {{ openstack_auth.auth_url }}
--os-username {{ openstack_auth.username }}
--os-password {{ keystone_admin_password }}
--os-user-domain-name {{ openstack_auth.domain_name }}
--os-password {{ openstack_auth.password }}
--os-identity-api-version 3
--os-user-domain-name {{ openstack_auth.user_domain_name }}
--os-system-scope {{ openstack_auth.system_scope }}
--os-region-name {{ openstack_region_name }}
{% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
compute service list --format json --column Host --service nova-compute


@ -41,7 +41,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{
skydive_analyzer_tag: "{{ skydive_tag }}"
skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}"
skydive_admin_tenant_name: "{{ keystone_admin_project }}"
skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
skydive_agent_tag: "{{ skydive_tag }}"
skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"


@ -45,11 +45,12 @@ agent:
- ovsdb
{% endif %}
### TODO migrate from tenant_name to system_scope when supported in skydive
neutron:
auth_url: {{ keystone_internal_url }}/v3
username: {{ openstack_auth['username'] }}
password: {{ openstack_auth['password'] }}
tenant_name: {{ openstack_auth['project_name'] }}
tenant_name: {{ skydive_admin_tenant_name }}
region_name: {{ openstack_region_name }}
domain_name: Default
endpoint_type: internal
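Review bot: `tenant_name: {{ skydive_admin_tenant_name }}` is an unquoted templated scalar in a YAML config, and it now takes an operator-settable value; a project name containing `: ` or ` #`, or beginning with a YAML indicator, would alter the document structure instead of the value. Quote it, `tenant_name: "{{ skydive_admin_tenant_name }}"`, and the neighbouring `username`/`password` lines deserve the same treatment. `domain_name: Default` also stays hard-coded while the rest of the commit moves domain settings to the `default_*_domain_*` variables; the `neutron:` mapping continues outside the hunk.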


@ -1,5 +1,6 @@
### Skydive analyzer config file
### TODO migrate from tenant_name to system_scope when supported in skydive
auth:
keystone:
type: keystone


@ -52,7 +52,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
auth_url = {{ keystone_internal_url }}/v3
region_name = {{ openstack_region_name }}
auth_type = password
project_domain_id = default
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = admin
password = {{ vitrage_keystone_password }}


@ -73,11 +73,11 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
openstack_auth:
auth_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}"
username: "admin"
auth_url: "{{ keystone_admin_url }}"
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
project_name: "admin"
domain_name: "default"
user_domain_name: "{{ default_user_domain_name }}"
system_scope: "all"
.. note::


@ -0,0 +1,8 @@
---
features:
- Transitions to using system-scoped tokens when authenticating as the
Keystone admin user. This is a necessary step towards being able to
enable the updated oslo policies in services that allow finer grained
access to system-level resources and APIs. Since Queens, the admin role
is assigned to the admin user with system scope as well as in the admin
project.


@ -95,7 +95,6 @@ if [[ $ENABLE_EXT_NET -eq 1 ]]; then
fi
# Get admin user and tenant IDs
ADMIN_USER_ID=$($KOLLA_OPENSTACK_COMMAND user list | awk '/ admin / {print $2}')
ADMIN_PROJECT_ID=$($KOLLA_OPENSTACK_COMMAND project list | awk '/ admin / {print $2}')
ADMIN_SEC_GROUP=$($KOLLA_OPENSTACK_COMMAND security group list --project ${ADMIN_PROJECT_ID} | awk '/ default / {print $2}')
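Review bot: The comment `# Get admin user and tenant IDs` no longer matches the code if the `ADMIN_USER_ID` assignment is the line this hunk removes, which is the only removal consistent with `${ADMIN_PROJECT_ID}` still being used on the last line; it should become `# Get admin tenant ID`. Which line was dropped is not recoverable from this rendering, so confirm against the file. The surrounding script continues on both sides of the hunk.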