openstack/kolla-ansible
Code Issues Proposed changes
8c8dad0187
kolla-ansible/ansible/roles/murano/tasks
History
Ghanshyam Mann 283fa242ca Remove system scope token to access services 
As per the RBAC new direction in Zed cycle, we have dropped the
system scope from API policies and all the policies are hardcoded
to project scoped so that any user accessing APIs using system scope
will get 403 error. It is dropped from all the OpenStack services
except for the Ironic service which will have system scope and to
support ironic only deployment, we are keeping system as well as project
scope in Keystone.

Complete discussion and direction can be found in the below gerrit
change and TC goal direction:

- https://review.opendev.org/c/openstack/governance/+/847418
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept

As phase-2 of RBAC goal, services will start enabling the new
defaults and project scope by default. For example: Nova did in
- https://review.opendev.org/c/openstack/nova/+/866218

Kolla who start accessing the services using system scope token
- https://review.opendev.org/c/openstack/kolla-ansible/+/692179

This commit partially revert the above change except keeping
system scope usage for Keystone and Ironic. Rest all services are changed
to use the project scope token.

And enable the scope and new defaults for Nova which was disabled
by https://review.opendev.org/c/openstack/kolla-ansible/+/870804

Change-Id: I0adbe0a6c39e11d7c9542569085fc5d580f26c9d
2023-01-26 17:52:00 -06:00
..
bootstrap_service.yml Fix handling of docker restart policy 2019-07-18 13:39:06 +00:00
bootstrap.yml Adding container_engine to kolla_toolbox module 2022-11-04 15:32:30 +01:00
check-containers.yml Add a job that *only* deploys updated containers 2019-09-26 17:51:14 +01:00
check.yml Enable sanity checks from kolla-ansible 2017-03-09 10:37:06 +00:00
clone.yml permission denied when enable_kolla_dev_mod 2020-06-07 19:36:42 +08:00
config_validate.yml Integrate oslo-config-validator 2022-12-21 17:19:09 +00:00
config.yml Performance: optimize genconfig 2020-10-12 19:30:06 +02:00
copy-certs.yml Refactor copy certificates task 2020-04-14 17:26:19 +00:00
deploy-containers.yml Add a job that *only* deploys updated containers 2019-09-26 17:51:14 +01:00
deploy.yml Performance: optimize genconfig 2020-10-12 19:30:06 +02:00
import_library_packages.yml Remove system scope token to access services 2023-01-26 17:52:00 -06:00
loadbalancer.yml Add loadbalancer-config role and wrap haproxy-config role inside 2022-08-09 12:15:49 +02:00
main.yml Revert "Performance: Use import_tasks in the main plays" 2020-12-14 10:36:55 +00:00
precheck.yml Fix prechecks in check mode 2023-01-12 14:27:36 +00:00
pull.yml Refactor and optimise image pulling 2021-08-10 11:57:54 +00:00
reconfigure.yml Performance: replace unconditional include_tasks with import_tasks 2020-08-28 16:12:03 +00:00
register.yml Do not set 'always' tag where unnecessary 2020-10-27 19:51:46 +01:00
stop.yml Use "name:" instead of "role:" for *_role modules 2020-03-02 10:01:17 +01:00
upgrade.yml Performance: optimize genconfig 2020-10-12 19:30:06 +02:00