Remove system scope token to access services
As per the RBAC new direction in Zed cycle, we have dropped the system scope from API policies and all the policies are hardcoded to project scoped so that any user accessing APIs using system scope will get 403 error. It is dropped from all the OpenStack services except for the Ironic service which will have system scope and to support ironic only deployment, we are keeping system as well as project scope in Keystone. Complete discussion and direction can be found in the below gerrit change and TC goal direction: - https://review.opendev.org/c/openstack/governance/+/847418 - https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept As phase-2 of RBAC goal, services will start enabling the new defaults and project scope by default. For example: Nova did in - https://review.opendev.org/c/openstack/nova/+/866218 Kolla who start accessing the services using system scope token - https://review.opendev.org/c/openstack/kolla-ansible/+/692179 This commit partially revert the above change except keeping system scope usage for Keystone and Ironic. Rest all services are changed to use the project scope token. And enable the scope and new defaults for Nova which was disabled by https://review.opendev.org/c/openstack/kolla-ansible/+/870804 Change-Id: I0adbe0a6c39e11d7c9542569085fc5d580f26c9d
Showing
- ansible/group_vars/all.yml 3 additions, 2 deletionsansible/group_vars/all.yml
- ansible/roles/freezer/templates/freezer.conf.j2 1 addition, 3 deletionsansible/roles/freezer/templates/freezer.conf.j2
- ansible/roles/heat/defaults/main.yml 1 addition, 1 deletionansible/roles/heat/defaults/main.yml
- ansible/roles/heat/tasks/bootstrap_service.yml 1 addition, 1 deletionansible/roles/heat/tasks/bootstrap_service.yml
- ansible/roles/ironic/tasks/upgrade.yml 1 addition, 1 deletionansible/roles/ironic/tasks/upgrade.yml
- ansible/roles/keystone/tasks/register.yml 1 addition, 1 deletionansible/roles/keystone/tasks/register.yml
- ansible/roles/keystone/tasks/register_identity_providers.yml 11 additions, 11 deletionsansible/roles/keystone/tasks/register_identity_providers.yml
- ansible/roles/murano/tasks/import_library_packages.yml 3 additions, 3 deletionsansible/roles/murano/tasks/import_library_packages.yml
- ansible/roles/nova-cell/tasks/wait_discover_computes.yml 2 additions, 1 deletionansible/roles/nova-cell/tasks/wait_discover_computes.yml
- ansible/roles/nova/templates/nova.conf.j2 0 additions, 3 deletionsansible/roles/nova/templates/nova.conf.j2
- doc/source/user/multi-regions.rst 2 additions, 1 deletiondoc/source/user/multi-regions.rst
- releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml 9 additions, 0 deletions...notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml
Loading
Please register or sign in to comment