<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 20 Jul 2021 at 19:33, Julia Kreger <<a href="mailto:juliaashleykreger@gmail.com">juliaashleykreger@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">AIUI, and this may have changed a *LOT* since I was hacking on ansible modules, but if the authentication parameters are not defined to be overridden, then they are attempted to be loaded from a clouds.yaml file based on OS_CLOUD environment variables. Different modules may behave slightly differently, but the SDK shouldn't be attaching a project_id to everything. If it is, then it is a bug.</div></blockquote><div><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">As far as I can tell, the authentication is working when passing auth parameters to Ansible OpenStack modules with system scope. It's using this:</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">auth_type: password</div><div class="gmail_default" style="font-family:verdana,sans-serif">auth:<br>  auth_url: "{{ keystone_admin_url }}"<br>  username: "{{ keystone_admin_user }}"<br>  password: "{{ keystone_admin_password }}"<br>  user_domain_name: "{{ default_user_domain_name }}"<br>  system_scope: "all"<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">The part that isn't working is granting roles with system scope via the cloud.openstack.role_assignment module. 
I checked the Ansible module code [1] and the underlying openstacksdk grant_role code [2]. It looks like it might need to add a system argument to grant_role, and allow passing it in from the Ansible module.</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">[1] <a href="https://opendev.org/openstack/ansible-collections-openstack/src/branch/master/plugins/modules/role_assignment.py">https://opendev.org/openstack/ansible-collections-openstack/src/branch/master/plugins/modules/role_assignment.py</a></div><div class="gmail_default" style="font-family:verdana,sans-serif">[2] <a href="https://opendev.org/openstack/openstacksdk/src/branch/master/openstack/cloud/_identity.py#L1342">https://opendev.org/openstack/openstacksdk/src/branch/master/openstack/cloud/_identity.py#L1342</a></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">I don't think it's a huge amount of work, but it might be more difficult if you are not familiar with the code.</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Mark</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 20, 2021 at 7:01 AM James Kirsch <<a href="mailto:generalfuzz@gmail.com" target="_blank">generalfuzz@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">I'm working on 
adding the option to enable enforce_scope in keystone during Kolla-Ansible deployment. I've revived this transaction to complete this work:</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><a rel="nofollow" href="https://review.opendev.org/c/openstack/kolla-ansible/+/692179" style="font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap" target="_blank">https://review.opendev.org/c/openstack/kolla-ansible/+/692179</a><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">As part of that effort, I would like to also enable enforce_new_defaults in keystone. 
Deployment currently fails because the nova keystone user roles created during Kolla-Ansible deployment require system scope.</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">I can currently get around this using python-openstack:</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">openstack role add --system all --user d7512be612454eff8a7f5bf5476b1531 admin</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">Kolla-ansible relies on the OpenStack Ansible modules to create users and roles for deployment. Looking around the repositories, it does not appear that either the openstack ansible module or the openstacksdk supports granting system scope to a user role. Please let me know if this is not the case or if it is in current development. 
Otherwise, I could use guidance on what next steps I could take or who I should talk to so I can move this forward. </span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">Thanks,</span><br style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><span style="color:rgb(32,33,36);font-family:Roboto,Arial,sans-serif;font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap">James</span><div><font color="#202124" face="Roboto, Arial, sans-serif"><span style="font-size:16px;font-variant-ligatures:none;letter-spacing:0.1px;white-space:pre-wrap"><br clear="all"></span></font><div><div dir="ltr"><div dir="ltr"><div>my awesome background music: <a href="http://www.generalfuzz.net" target="_blank">http://www.generalfuzz.net</a></div><div>about me: <a href="http://www.headphonejames.com" target="_blank">http://www.headphonejames.com</a></div></div></div></div></div></div>
</blockquote></div>
</blockquote></div></div>
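The thread above boils down to one missing plumbing step: the Ansible role_assignment module and openstacksdk's grant_role had no way to say "system" as the target, even though Keystone itself has had system role assignments since Queens. The following is an added example, not code from the thread, from Kolla-Ansible, from openstacksdk or from the Ansible collection. It grants and verifies a system-scoped role by calling the documented Keystone v3 endpoints directly (PUT, HEAD and GET on /v3/system/users/{user_id}/roles/{role_id}), which is the same thing `openstack role add --system all` does under the hood. Assumptions, stated in the code as well: the `adapter` object behaves like openstacksdk's `conn.identity` (a keystoneauth Adapter that takes paths relative to the discovered identity endpoint, accepts `raise_exc=False`, and returns responses with `.status_code` and `.json()`), obtained from a connection whose clouds.yaml auth section carries `system_scope: all` as in Mark's YAML; `FakeKeystoneAdapter` is a constructed in-memory stand-in so the example runs offline. Keystone takes IDs here, not names, which is why the CLI's name resolution is not available to you at this level.

```python
"""Grant a Keystone system-scoped role through the raw v3 API.

Added example; not the thread's, Kolla-Ansible's, openstacksdk's or the
Ansible collection's own code.  Endpoints used (Keystone v3, documented):
    PUT  /v3/system/users/{user_id}/roles/{role_id}   assign (204)
    HEAD /v3/system/users/{user_id}/roles/{role_id}   check  (204 / 404)
    GET  /v3/system/users/{user_id}/roles             list   (200)
ASSUMPTION: `adapter` behaves like openstacksdk's `conn.identity` (a
keystoneauth Adapter: relative paths, `raise_exc=False`, responses with
.status_code and .json()), created from a clouds.yaml whose auth section
has `system_scope: all`.  FakeKeystoneAdapter is a constructed stand-in.
"""
import urllib.parse
from dataclasses import dataclass, field


def _q(value):
    # IDs are caller-supplied; percent-encode them so "../" or "/" in a value
    # cannot rewrite the request path.
    return urllib.parse.quote(value, safe="")


class KeystoneSystemRoles:
    def __init__(self, adapter):
        self.adapter = adapter

    @staticmethod
    def _path(user_id, role_id=None):
        base = f"/system/users/{_q(user_id)}/roles"
        return base if role_id is None else f"{base}/{_q(role_id)}"

    @staticmethod
    def _check(resp, ok):
        if resp.status_code == 403:
            # With enforce_scope on, a project-scoped admin token ends here:
            # the caller itself needs a system-scoped token, not just "admin".
            raise PermissionError("token not authorised for system role grants")
        if resp.status_code not in ok:
            raise RuntimeError(f"unexpected HTTP {resp.status_code} from keystone")
        return resp

    def has_role(self, user_id, role_id):
        resp = self.adapter.head(self._path(user_id, role_id), raise_exc=False)
        if resp.status_code == 404:
            return False
        self._check(resp, ok=(204,))
        return True

    def ensure_role(self, user_id, role_id):
        """Idempotent grant; True only if the assignment was newly created."""
        if self.has_role(user_id, role_id):
            return False
        self._check(self.adapter.put(self._path(user_id, role_id),
                                     raise_exc=False), ok=(204,))
        return True

    def list_roles(self, user_id):
        resp = self._check(self.adapter.get(self._path(user_id),
                                            raise_exc=False), ok=(200,))
        return sorted(r["id"] for r in resp.json()["roles"])


@dataclass
class _Resp:
    status_code: int
    body: dict = field(default_factory=dict)

    def json(self):
        return self.body


class FakeKeystoneAdapter:
    """Constructed in-memory imitation of the three endpoints above (offline
    demo only).  `caller_is_system_admin=False` models a token that policy
    rejects, i.e. the 403 you get with enforce_scope and a project-scoped token."""

    def __init__(self, caller_is_system_admin=True):
        self.caller_is_system_admin = caller_is_system_admin
        self.assignments = set()  # of (user_id, role_id)

    @staticmethod
    def _parse(path):
        parts = path.strip("/").split("/")  # system/users/<uid>/roles[/<rid>]
        assert parts[:2] == ["system", "users"] and parts[3] == "roles"
        uid = urllib.parse.unquote(parts[2])
        rid = urllib.parse.unquote(parts[4]) if len(parts) > 4 else None
        return uid, rid

    def head(self, path, **kw):
        if not self.caller_is_system_admin:
            return _Resp(403)
        return _Resp(204 if self._parse(path) in self.assignments else 404)

    def put(self, path, **kw):
        if not self.caller_is_system_admin:
            return _Resp(403)
        self.assignments.add(self._parse(path))
        return _Resp(204)

    def get(self, path, **kw):
        if not self.caller_is_system_admin:
            return _Resp(403)
        uid, _ = self._parse(path)
        roles = [{"id": r} for u, r in self.assignments if u == uid]
        return _Resp(200, {"roles": roles})


if __name__ == "__main__":
    # Offline walk-through; against a real cloud you would pass
    # openstack.connect(cloud="mycloud").identity as the adapter (assumed).
    ks = KeystoneSystemRoles(FakeKeystoneAdapter())
    print(ks.ensure_role("d7512be612454eff8a7f5bf5476b1531", "<admin-role-id>"))
    print(ks.list_roles("d7512be612454eff8a7f5bf5476b1531"))
```

Two points worth keeping in mind when wiring this into a deployment tool: the grant is checked with HEAD before PUT so a re-run reports "unchanged" rather than "changed" (what an Ansible module would want for idempotency), and a 403 is surfaced as its own error, because under enforce_scope the usual failure is not a missing role on the target user but the deployer's own token being project-scoped instead of system-scoped.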