[kolla][keystone][openstack-ansible][deploy][sdk] enforcing scope in Kolla-Ansible deployment

Julia Kreger juliaashleykreger at gmail.com
Tue Jul 20 18:31:59 UTC 2021


AIUI, and this may have changed a *LOT* since I was hacking on ansible
modules, but if the authentication parameters are not defined to be
overridden, then they are attempted to be loaded from a clouds.yaml file
based on OS_CLOUD environment variables. Different modules may behave
slightly differently, but the SDK shouldn't be attaching a project_id to
everything. If it is, then it is a bug.

On Tue, Jul 20, 2021 at 7:01 AM James Kirsch <generalfuzz at gmail.com> wrote:

> I'm working on adding the option to enable enforce_scope in keystone
> during Kolla-Ansible deployment. I've revived this transaction to complete
> this work:
>
> https://review.opendev.org/c/openstack/kolla-ansible/+/692179
>
> As part of that effort, I would like to also enable enforce_new_defaults
> in keystone. Deployment currently fails because the nova keystone user
> roles created during Kolla-Ansible deployment require system scope.
>
> I can currently get around this using python-openstack:
>
> openstack role add --system all --user d7512be612454eff8a7f5bf5476b1531 admin
>
> Kolla-ansible relies on the OpenStack Ansible modules to create users and
> roles for deployment. Looking around the repositories, it does not appear
> that the openstack ansible module nor the openstacksdk supports granting
> system scope to a user role. Please let me know if this is not the case or
> if it is in current development. Otherwise, I could use guidance on what
> next steps I could take or who I should talk to so I can move this
> forward.
>
> Thanks,
> James
>
> my awesome background music: http://www.generalfuzz.net
> about me: http://www.headphonejames.com
>
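
An added example, not part of either message and not Kolla-Ansible or openstacksdk code: a check of which scope a clouds.yaml entry selected through OS_CLOUD would request, which matters once enforce_scope makes keystone reject system-level calls made with a project-scoped token. The cloud names, URL and credentials are constructed, `scope_of` is a hypothetical helper, and the one-scope-target-per-request rule is an assumption about keystoneauth's v3 behaviour.

```python
import os

# Constructed sample: what a YAML loader would return for a clouds.yaml.
# Cloud names, URL and credentials are invented for this illustration.
_USER = {"auth_url": "https://keystone.example.test:5000/v3",
         "username": "admin", "password": "constructed",
         "user_domain_name": "Default"}
SAMPLE = {"clouds": {
    "project-admin": {"auth": {**_USER, "project_name": "admin",
                               "project_domain_name": "Default"}},
    "system-admin": {"auth": {**_USER, "system_scope": "all"}},
    "mixed": {"auth": {**_USER, "project_name": "admin",
                       "project_domain_name": "Default",
                       "system_scope": "all"}},
}}

# Auth keys that select a scope target. user_domain_* and project_domain_*
# only locate the user or project, so they are not scope selectors.
SCOPE_KEYS = {
    "system": ("system_scope",),
    "project": ("project_id", "project_name"),
    "domain": ("domain_id", "domain_name"),
    "trust": ("trust_id",),
}


def scope_of(clouds, name=None):
    """Return (scope, problems) for the entry chosen by name or OS_CLOUD."""
    name = name or os.environ.get("OS_CLOUD")
    entries = clouds.get("clouds", {})
    if name not in entries:
        raise KeyError(f"cloud {name!r} is not defined")
    auth = entries[name].get("auth", {})
    targets = [scope for scope, keys in SCOPE_KEYS.items()
               if any(auth.get(key) for key in keys)]
    if not targets:
        return "unscoped", []
    if len(targets) > 1:
        # Assumed keystoneauth behaviour: one scope target per request.
        return "conflict", [f"{name}: multiple scope targets: "
                            + ", ".join(targets)]
    return targets[0], []


if __name__ == "__main__":
    for cloud in SAMPLE["clouds"]:
        print(cloud, scope_of(SAMPLE, cloud))
```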