[kolla][keystone][openstack-ansible][deploy][sdk] enforcing scope in Kolla-Ansible deployment
I'm working on adding the option to enable enforce_scope in keystone during Kolla-Ansible deployment. I've revived this transaction to complete this work: https://review.opendev.org/c/openstack/kolla-ansible/+/692179

As part of that effort, I would like to also enable enforce_new_defaults in keystone. Deployment currently fails because the nova keystone user roles created during Kolla-Ansible deployment require system scope.

I can currently get around this using python-openstack:

openstack role add --system all --user d7512be612454eff8a7f5bf5476b1531 admin

Kolla-ansible relies on the OpenStack Ansible modules to create users and roles for deployment. Looking around the repositories, it does not appear that either the openstack ansible module or the openstacksdk supports granting system scope to a user role. Please let me know if this is not the case or if it is in current development. Otherwise, I could use guidance on what next steps I could take or who I should talk to so I can move this forward.

Thanks,
James

my awesome background music: http://www.generalfuzz.net
about me: http://www.headphonejames.com
AIUI, and this may have changed a *LOT* since I was hacking on ansible modules, but if the authentication parameters are not defined to be overridden, then they are attempted to be loaded from a clouds.yaml file based on OS_CLOUD environment variables. Different modules may behave slightly differently, but the SDK shouldn't be attaching a project_id to everything. If it is, then it is a bug.

On Tue, Jul 20, 2021 at 7:01 AM James Kirsch <generalfuzz@gmail.com> wrote:
On Tue, 20 Jul 2021 at 19:33, Julia Kreger <juliaashleykreger@gmail.com> wrote:
> AIUI, and this may have changed a *LOT* since I was hacking on ansible modules, but if the authentication parameters are not defined to be overridden, then they are attempted to be loaded from a clouds.yaml file based on OS_CLOUD environment variables. Different modules may behave slightly differently, but the SDK shouldn't be attaching a project_id to everything. If it is, then it is a bug.
As far as I can tell, the authentication is working when passing auth parameters to Ansible OpenStack modules with system scope. It's using this:

auth_type: password
auth:
  auth_url: "{{ keystone_admin_url }}"
  username: "{{ keystone_admin_user }}"
  password: "{{ keystone_admin_password }}"
  user_domain_name: "{{ default_user_domain_name }}"
  system_scope: "all"

The part that isn't working is granting roles with system scope via the cloud.openstack.role_assignment module. I checked the Ansible module code [1] and the underlying openstacksdk grant_role code [2]; it looks like it might need to add a system argument to grant_role, and allow passing it in from the Ansible module.

[1] https://opendev.org/openstack/ansible-collections-openstack/src/branch/maste...
[2] https://opendev.org/openstack/openstacksdk/src/branch/master/openstack/cloud...

I don't think it's a huge amount of work, but might be more difficult if not familiar with the code.

Mark
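For the system-scoped grant that James's CLI workaround performs and that Mark's message says the role_assignment module and grant_role could not yet express, here is an added example (not code from this thread, Kolla-Ansible, the Ansible collection or openstacksdk) that does the same thing directly against Keystone's v3 REST API with only the standard library, and refuses to proceed unless the issued token really is system-scoped. It assumes the Keystone v3 endpoints for system scope (POST /v3/auth/tokens with scope.system.all, PUT/HEAD /v3/system/users/{user_id}/roles/{role_id}), reads connection details from OS_* environment variables, and uses USER_ID and ROLE_ID as placeholder variables.

```python
import json
import os
import urllib.request


def system_scope_auth_body(username, password, user_domain="Default"):
    """Password auth request scoped to the whole system (scope.system.all),
    the REST form of the playbook's system_scope: "all" auth block."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username,
                                           "domain": {"name": user_domain},
                                           "password": password}}},
        "scope": {"system": {"all": True}}}}


def system_role_url(auth_url, user_id, role_id):
    """Endpoint for a system-wide user role assignment: PUT creates it,
    HEAD checks it, DELETE revokes it; no project or domain is involved."""
    return f"{auth_url.rstrip('/')}/v3/system/users/{user_id}/roles/{role_id}"


def token_is_system_scoped(token_body):
    """True only if Keystone confirms system scope; a token that quietly
    fell back to project scope must not be used for this assignment."""
    return token_body.get("token", {}).get("system", {}).get("all") is True


def _call(method, url, headers=None, body=None):
    data = json.dumps(body).encode() if body is not None else None
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers, resp.read()


def grant_system_role(auth_url, username, password, user_id, role_id, domain="Default"):
    """Get a system-scoped token, PUT the assignment, then verify it with HEAD."""
    _, hdrs, raw = _call("POST", f"{auth_url.rstrip('/')}/v3/auth/tokens",
                         body=system_scope_auth_body(username, password, domain))
    if not token_is_system_scoped(json.loads(raw)):
        raise RuntimeError("issued token is not system-scoped; refusing to continue")
    auth = {"X-Auth-Token": hdrs["X-Subject-Token"]}
    url = system_role_url(auth_url, user_id, role_id)
    _call("PUT", url, headers=auth)                    # 204 No Content on success
    return _call("HEAD", url, headers=auth)[0] == 204  # assignment now exists


if __name__ == "__main__":  # USER_ID and ROLE_ID are placeholder env vars
    print(grant_system_role(os.environ["OS_AUTH_URL"], os.environ["OS_USERNAME"],
                            os.environ["OS_PASSWORD"], os.environ["USER_ID"],
                            os.environ["ROLE_ID"]))
```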