[kolla][keystone][openstack-ansible][deploy][sdk] enforcing scope in Kolla-Ansible deployment

Mark Goddard mark at stackhpc.com
Thu Jul 29 10:57:01 UTC 2021


On Tue, 20 Jul 2021 at 19:33, Julia Kreger <juliaashleykreger at gmail.com>
wrote:

> AIUI, and this may have changed a *LOT* since I was hacking on ansible
> modules, but if the authentication parameters are not defined to be
> overridden, then they are attempted to be loaded from a clouds.yaml file
> based on OS_CLOUD environment variables. Different modules may behave
> slightly differently, but the SDK shouldn't be attaching a project_id to
> everything. If it is, then it is a bug.
>

As far as I can tell, the authentication is working when passing auth
parameters to Ansible OpenStack modules with system scope. It's using this:

auth_type: password
auth:
  auth_url: "{{ keystone_admin_url }}"
  username: "{{ keystone_admin_user }}"
  password: "{{ keystone_admin_password }}"
  user_domain_name: "{{ default_user_domain_name }}"
  system_scope: "all"

The part that isn't working is granting roles with system scope via the
cloud.openstack.role_assignment module. I checked the Ansible module code
[1] and the underlying openstacksdk grant_role code [2]; it looks like it
might need to add a system argument to grant_role, and allow passing it in
from the Ansible module.

[1]
https://opendev.org/openstack/ansible-collections-openstack/src/branch/master/plugins/modules/role_assignment.py
[2]
https://opendev.org/openstack/openstacksdk/src/branch/master/openstack/cloud/_identity.py#L1342

I don't think it's a huge amount of work, but might be more difficult if
not familiar with the code.

Mark


> On Tue, Jul 20, 2021 at 7:01 AM James Kirsch <generalfuzz at gmail.com>
> wrote:
>
>> I'm working on adding the option to enable enforce_scope in keystone
>> during Kolla-Ansible deployment. I've revived this transaction to complete
>> this work:
>>
>> https://review.opendev.org/c/openstack/kolla-ansible/+/692179
>>
>> As part of that effort, I would like to also enable enforce_new_defaults
>> in keystone. Deployment currently fails because the nova keystone user
>> roles created during Kolla-Ansible deployment require system scope.
>>
>> I can currently get around this using python-openstack:
>>
>> openstack role add --system all --user d7512be612454eff8a7f5bf5476b1531 admin
>>
>> Kolla-ansible relies on the OpenStack Ansible modules to create users and
>> roles for deployment. Looking around the repositories, it does not appear
>> that the openstack ansible module nor the openstacksdk supports granting
>> system scope to a user role. Please let me know if this is not the case or
>> if it is in current development. Otherwise, I could use guidance on what
>> the next steps I could take or who I should talk to so I can move this
>> forward.
>>
>> Thanks,
>> James
>>
>>
>> my awesome background music: http://www.generalfuzz.net
>> about me: http://www.headphonejames.com
>>
>
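To make the gap discussed above concrete, here is an added example (mine, not code from openstacksdk, ansible-collections-openstack or kolla-ansible) that does with the Keystone v3 REST API what `openstack role add --system all --user USER ROLE` does, plus the system-scoped token request the Ansible auth block in this thread maps to. The FakeKeystone class is a constructed in-memory stand-in so the script runs offline; against a real cloud the same paths would be sent through a keystoneauth1 Session, which is not shown. User and role ids in the demo are constructed.

```python
"""Grant a keystone role with system scope over the v3 REST API.

Added example for this thread, not code from openstacksdk,
ansible-collections-openstack or kolla-ansible.  It shows the two pieces the
discussion turns on: the system-scoped token request that the Ansible auth
block maps to, and the /v3/system/... role-assignment endpoint that a
`system` argument to grant_role would have to call.  FakeKeystone is a
constructed in-memory stand-in so the example runs offline.
"""
from __future__ import annotations

import json
import urllib.parse


def system_scoped_auth_body(username: str, password: str, user_domain_name: str) -> dict:
    """Body for POST /v3/auth/tokens asking for a system-scoped token.

    This is what `system_scope: all` in the thread's auth block becomes: the
    scope is {"system": {"all": true}} rather than a project or a domain, so
    no project_id is attached to the token.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain_name},
                        "password": password,
                    }
                },
            },
            "scope": {"system": {"all": True}},
        }
    }


def grant_system_role(session, user_id: str, role_id: str) -> None:
    """Same effect as `openstack role add --system all --user USER ROLE`.

    Keystone API: PUT /v3/system/users/{user_id}/roles/{role_id}, 204 on
    success.  There is no project or domain in the path; that is the extra
    argument the cloud-layer grant_role would need.
    """
    status, _ = session.request("PUT", f"/v3/system/users/{user_id}/roles/{role_id}")
    if status != 204:
        raise RuntimeError(f"system role grant failed: HTTP {status}")


def has_system_role(session, user_id: str, role_id: str) -> bool:
    """HEAD /v3/system/users/{user_id}/roles/{role_id}: 204 if assigned, else 404."""
    status, _ = session.request("HEAD", f"/v3/system/users/{user_id}/roles/{role_id}")
    return status == 204


def system_role_names(session, user_id: str) -> list[str]:
    """GET /v3/system/users/{user_id}/roles -> sorted names of system-scoped roles."""
    status, body = session.request("GET", f"/v3/system/users/{user_id}/roles")
    if status != 200:
        raise RuntimeError(f"listing system roles failed: HTTP {status}")
    return sorted(r["name"] for r in body["roles"])


def ensure_system_role(session, user_id: str, role_id: str) -> bool:
    """Idempotent 'role present' step, the way an Ansible task reports it.

    Returns True when a grant was made (changed), False when it already held.
    """
    if has_system_role(session, user_id, role_id):
        return False
    grant_system_role(session, user_id, role_id)
    return True


class FakeKeystone:
    """Constructed in-memory stand-in for keystone's system role endpoints.

    request() returns the (status, json_body) pair a real HTTP client would
    give; only the /v3/system/users/... paths used above are served.
    """

    def __init__(self, roles: dict[str, str]):
        self.roles = dict(roles)                       # role_id -> role name
        self.grants: dict[str, set[str]] = {}          # user_id -> {role_id}

    def request(self, method: str, path: str) -> tuple[int, dict | None]:
        parts = urllib.parse.urlparse(path).path.strip("/").split("/")
        if parts[:3] != ["v3", "system", "users"] or len(parts) < 5 or parts[4] != "roles":
            return 404, None
        grants = self.grants.setdefault(parts[3], set())
        if len(parts) == 5 and method == "GET":
            return 200, {"roles": [{"id": r, "name": self.roles[r]} for r in sorted(grants)]}
        if len(parts) == 6 and parts[5] in self.roles:
            role_id = parts[5]
            if method == "PUT":                        # repeat PUT is a no-op, still 204
                grants.add(role_id)
                return 204, None
            if method == "HEAD":
                return (204 if role_id in grants else 404), None
            if method == "DELETE" and role_id in grants:
                grants.discard(role_id)
                return 204, None
        return 404, None


if __name__ == "__main__":
    # Constructed ids; the user id from the thread would take the same path.
    ks = FakeKeystone({"role-admin": "admin", "role-reader": "reader"})
    print(json.dumps(system_scoped_auth_body("admin", "secret", "Default")["auth"]["scope"]))
    print("changed:", ensure_system_role(ks, "nova", "role-admin"))   # True
    print("changed:", ensure_system_role(ks, "nova", "role-admin"))   # False
    print("system roles for nova:", system_role_names(ks, "nova"))    # ['admin']
```

The point of separating has_system_role from grant_system_role is the Ansible contract: a role_assignment task with state=present should report changed only when a grant was actually made, and with enforce_scope on, the HEAD and PUT both have to be issued with a system-scoped token, since a project-scoped admin token is no longer enough.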