<div dir="ltr">AIUI, and this may have changed a *LOT* since I was hacking on ansible modules, but if the authentication parameters are not defined to be overridden, then they are attempted to be loaded from a clouds.yaml file based on OS_CLOUD environment variables. Different modules may behave slightly differently, but the SDK shouldn't be attaching a project_id to everything. If it is, then it is a bug.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 20, 2021 at 7:01 AM James Kirsch <<a href="mailto:generalfuzz@gmail.com">generalfuzz@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">I'm working on adding the option to enable enforce_scope in keystone during Kolla-Ansible deployment. I've revived this transaction to complete this work:</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><a rel="nofollow" href="https://review.opendev.org/c/openstack/kolla-ansible/+/692179" style="font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap" target="_blank">https://review.opendev.org/c/openstack/kolla-ansible/+/692179</a><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span 
style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">As part of that effort, I would like to also enable enforce_new_defaults in keystone. Deployment currently fails because the nova keystone user roles created during Kolla-Ansible deployment require system scope.</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">I can currently get around this using python-openstack:</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">openstack role add --system all --user d7512be612454eff8a7f5bf5476b1531 admin</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">Kolla-ansible relies on the OpenStack Ansible modules to create users and roles for deployment. 
Looking around the repositories, it does not appear that either the openstack ansible module or the openstacksdk supports granting system scope to a user role. Please let me know if this is not the case or if it is in current development. Otherwise, I could use guidance on what next steps I could take or who I should talk to so I can move this forward. </span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">Thanks,</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">James</span><div><font color="#202124" face="Roboto, Arial, sans-serif"><span style="font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br clear="all"></span></font><div><div dir="ltr"><div dir="ltr"><div>my awesome background music: <a href="http://www.generalfuzz.net" target="_blank">http://www.generalfuzz.net</a></div><div>about me: <a href="http://www.headphonejames.com" 
target="_blank">http://www.headphonejames.com</a></div></div></div></div></div></div>
</blockquote></div>
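<div>Added example, not part of either message and not code from openstacksdk, Kolla-Ansible or the Ansible modules: a small check of which Keystone v3 token scope a clouds.yaml <code>auth</code> section asks for, which is what decides whether the <code>role add --system all</code> call above is authorized once enforce_scope is on. The sample entries are constructed, the function names are hypothetical, and rejecting an entry that names more than one scope target is this example's own policy.</div>

```python
"""Which Keystone v3 scope does a clouds.yaml `auth` section request? (added example)"""

# Constructed sample entries, shaped like the `auth` mapping of a clouds.yaml cloud.
SAMPLE_AUTH = {
    "project-admin": {"username": "admin", "user_domain_name": "Default",
                      "project_name": "admin", "project_domain_name": "Default"},
    "system-admin": {"username": "admin", "user_domain_name": "Default",
                     "system_scope": "all"},
    "mixed": {"username": "admin", "user_domain_name": "Default",
              "system_scope": "all", "project_id": "0123456789abcdef"},
}


def _ref(auth, prefix):
    """Return {'id': ...} or {'name': ...} for keys `<prefix>_id` / `<prefix>_name`."""
    if auth.get(prefix + "_id"):
        return {"id": auth[prefix + "_id"]}
    if auth.get(prefix + "_name"):
        return {"name": auth[prefix + "_name"]}
    return None


def scope_block(auth):
    """Build the `scope` object of a Keystone v3 token request from auth settings.

    Returns None for an unscoped request. Raises ValueError when more than one
    scope target is configured (this example's policy: one token, one scope).
    """
    targets = {}
    if auth.get("system_scope"):
        targets["system"] = {auth["system_scope"]: True}
    project = _ref(auth, "project")
    if project:
        owner = _ref(auth, "project_domain")
        if owner and "name" in project:
            project["domain"] = owner  # a project name is only unique per domain
        targets["project"] = project
    domain = _ref(auth, "domain")
    if domain:
        targets["domain"] = domain
    if len(targets) > 1:
        raise ValueError("conflicting scope targets: " + ", ".join(sorted(targets)))
    return targets or None


def usable_for_system_role_grant(auth):
    """True only when the resulting token request would be system-scoped."""
    scope = scope_block(auth)
    return bool(scope) and "system" in scope
```

<div>An entry that silently gains a <code>project_id</code>, the behaviour the reply calls a bug, shows up here as the "mixed" case rather than as a project-scoped token that fails later against a system-level API.</div>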