AIUI, and this may have changed a *LOT* since I was hacking on ansible modules, but if the authentication parameters are not defined to be overridden, then they are attempted to be loaded from a clouds.yaml file based on OS_CLOUD environment variables. Different modules may behave slightly differently, but the SDK shouldn't be attaching a project_id to everything. If it is, then it is a bug.

On Tue, Jul 20, 2021 at 7:01 AM James Kirsch <generalfuzz@gmail.com> wrote:
I'm working on adding the option to enable enforce_scope in keystone during Kolla-Ansible deployment. I've revived this transaction to complete this work:
https://review.opendev.org/c/openstack/kolla-ansible/+/692179
As part of that effort, I would like to also enable enforce_new_defaults in keystone. Deployment currently fails because the nova keystone user roles created during Kolla-Ansible deployment require system scope.
I can currently get around this using python-openstack:
openstack role add --system all --user d7512be612454eff8a7f5bf5476b1531 admin
Kolla-ansible relies on the OpenStack Ansible modules to create users and roles for deployment. Looking around the repositories, it does not appear that either the openstack ansible module or the openstacksdk supports granting system scope to a user role. Please let me know if this is not the case or if it is in current development. Otherwise, I could use guidance on what next steps I could take or who I should talk to so I can move this forward.
Thanks, James
my awesome background music: http://www.generalfuzz.net
about me: http://www.headphonejames.com