<div dir="ltr"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">I'm working on adding the option to enable enforce_scope in keystone during Kolla-Ansible deployment. I've revived this transaction to complete this work:</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><a rel="nofollow" target="_blank" href="https://review.opendev.org/c/openstack/kolla-ansible/+/692179" style="font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">https://review.opendev.org/c/openstack/kolla-ansible/+/692179</a><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">As part of that effort, I would like to also enable enforce_new_defaults in keystone. Deployment currently fails because the nova keystone user roles created during Kolla-Ansible deployment requires system scope.</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">I can currently get around this using python-openstack:</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">openstack role add --system all  --user d7512be612454eff8a7f5bf5476b1531 admin</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">Kolla-ansible relies on the OpenStack Ansible modules to create users and roles for deployment. Looking around the repositories,  it does not appear that the openstack ansible module nor the openstacksdk supports granting system scope to a user role. Please let me know if this is not the case or if it is in current development. Otherwise, I could use guidance on what the next steps I could take or who I should talk to so I can move this forward. </span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">Thanks,</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">James</span><div><font color="#202124" face="Roboto, Arial, sans-serif"><span style="font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br clear="all"></span></font><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><img src="https://docs.google.com/uc?export=download&id=1Ea5lSrAVM7Z_03hfqhTipzkTZPyUCocQ&revid=0BxXox6kIXIdtOWI2ZXNlY2g2bWxxb21zSHV0MzNreUVqYkhJPQ" width="96" height="96"><br></div><div><br></div><div><img src="https://docs.google.com/uc?export=download&id=1LvC5-t3NPaq4jp9dl5odz69mAzQ5hVOZ&revid=0BxXox6kIXIdtQTBCSzgzUEd3R2ZtTlY0bDNIWlRNNm9hYWtNPQ" width="96" height="21"> <br></div><div><div><br></div></div><div>my awesome background music: <a href="http://www.generalfuzz.net" target="_blank">http://www.generalfuzz.net</a></div><div>about me: <a href="http://www.headphonejames.com" target="_blank">http://www.headphonejames.com</a></div></div></div></div></div></div>