[kolla][keystone][openstack-ansible][deploy][sdk] enforcing scope in Kolla-Ansible deployment

James Kirsch generalfuzz at gmail.com
Mon Jul 19 16:15:25 UTC 2021


I'm working on adding the option to enable enforce_scope in keystone during
Kolla-Ansible deployment. I've revived this transaction to complete this
work:

https://review.opendev.org/c/openstack/kolla-ansible/+/692179

As part of that effort, I would like to also enable enforce_new_defaults in
keystone. Deployment currently fails because the nova keystone user roles
created during Kolla-Ansible deployment require system scope.

I can currently get around this using python-openstack:

openstack role add --system all --user d7512be612454eff8a7f5bf5476b1531 admin

Kolla-ansible relies on the OpenStack Ansible modules to create users and
roles for deployment. Looking around the repositories, it does not appear
that either the openstack ansible module or the openstacksdk supports granting
system scope to a user role. Please let me know if this is not the case or
if it is in current development. Otherwise, I could use guidance on what
next steps I could take or who I should talk to so I can move this
forward.

Thanks,
James





my awesome background music: http://www.generalfuzz.net
about me: http://www.headphonejames.com
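
The CLI workaround in the message above maps to the Keystone v3 call PUT /v3/system/users/{user_id}/roles/{role_id}. The following is an added example, not part of the original post and not Kolla-Ansible or openstacksdk code, that makes that call with the Python standard library. The names grant_system_role, system_scope_auth and StubKeystone are hypothetical, and the stub is a constructed stand-in for a Keystone endpoint so the block runs offline.

```python
import io
import json
import urllib.parse
import urllib.request


def system_scope_auth(username, password, user_domain="Default"):
    """Body for POST /v3/auth/tokens that asks for a system-scoped token."""
    user = {"name": username, "password": password,
            "domain": {"name": user_domain}}
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": user}},
        "scope": {"system": {"all": True}}}}


def grant_system_role(keystone_url, token, user_id, role_name,
                      send=urllib.request.urlopen):
    """Assign role_name to user_id on the system; returns the role ID."""
    base = keystone_url.rstrip("/") + "/v3"
    headers = {"X-Auth-Token": token}
    # The assignment API takes a role ID, so resolve the name first.
    query = urllib.parse.urlencode({"name": role_name})
    req = urllib.request.Request(f"{base}/roles?{query}", headers=headers)
    with send(req) as resp:
        roles = json.load(resp)["roles"]
    if len(roles) != 1:
        raise LookupError(f"expected 1 role named {role_name!r}, got {len(roles)}")
    role_id = roles[0]["id"]
    # Keystone answers 204 No Content when the grant is stored.
    req = urllib.request.Request(
        f"{base}/system/users/{user_id}/roles/{role_id}",
        headers=headers, method="PUT")
    with send(req) as resp:
        if resp.status != 204:
            raise RuntimeError(f"unexpected status {resp.status}")
    return role_id


class StubKeystone:
    """Constructed offline stand-in for urlopen; records each request."""
    def __init__(self, roles):
        self.roles, self.calls = roles, []

    def __call__(self, req):
        is_get = req.get_method() == "GET"
        self.calls.append((req.get_method(), req.full_url))
        resp = io.BytesIO(json.dumps({"roles": self.roles}).encode() if is_get else b"")
        resp.status = 200 if is_get else 204
        return resp
```

Against a real deployment, omit the send argument and pass a token obtained with the system_scope_auth body; the token is returned in the X-Subject-Token response header.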