Merge "[skydive] fix: Use Keystone backend to authenticate API users"

ansible/roles/skydive/defaults/main.yml

@@ -37,6 +37,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{
 skydive_analyzer_tag: "{{ openstack_tag }}"
 skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
 
+skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}"
 skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
 skydive_agent_tag: "{{ openstack_tag }}"
 skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"

ansible/roles/skydive/templates/skydive-analyzer.conf.j2

@@ -1,13 +1,11 @@
 ### Skydive analyzer config file
 
 auth:
-  type: keystone
-  analyzer_username: {{ openstack_auth['username'] }}
-  analyzer_password: {{ openstack_auth['password'] }}
-
   keystone:
+    type: keystone
     auth_url: {{ keystone_internal_url }}/v3
     region_name: {{ openstack_region_name }}
+    tenant_name: {{ skydive_admin_tenant_name }}
     domain_name: Default
 
 logging:
@@ -40,6 +38,9 @@ etcd:
 {% endif %}
 
 analyzer:
+  auth:
+    api:
+      backend: keystone
   listen: {{ api_interface_address | put_address_in_context('url') }}:{{ skydive_analyzer_port }}
   storage:
     backend: elasticsearch

releasenotes/notes/skydive-keystone-auth-0fe96463b27dd914.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - Skydive's API and the web UI now rely on Keystone for
+    authentication.  Only users in the Keystone project defined by
+    skydive_admin_tenant_name will be able to authenticate.  See
+    `LP#1870903 <https://launchpad.net/bugs/1870903>` for more details.