nova ironic-hypevisor - support scoped auth config
The Secure RBAC effort has updated Ironic such that it
can support a mode where it is scope enforcing for all
interactions with the API. Due to the design, and operating
nature of Ironic's API, services speaking with it must
authenticate with a system scope to have a full picture
of the universe.
In this case, we need to update the nova configuration
accordingly such that the compute service understands
how to talk to ironic so that it can see the nodes under
management.
Ironic will likely update this again at a later point in
time to enable a "hybrid" mixed-mode as the operating model
and related permissions *should* allow nova to use a project
scoped "owner" account with Ironic, in order to access
and command nodes to deploy. But at this time, we're
focusing on the exclusive operating mode.
Change-Id: I1946725ce08c495178c419eaf38829f921c91bbe
Needed-By: https://review.opendev.org/c/openstack/ironic/+/778957
diff --git a/lib/nova_plugins/hypervisor-ironic b/lib/nova_plugins/hypervisor-ironic
index bda6ef6..f058e9b 100644
--- a/lib/nova_plugins/hypervisor-ironic
+++ b/lib/nova_plugins/hypervisor-ironic
@@ -47,9 +47,13 @@
iniset $NOVA_CONF ironic username admin
iniset $NOVA_CONF ironic password $ADMIN_PASSWORD
iniset $NOVA_CONF ironic auth_url $KEYSTONE_SERVICE_URI
- iniset $NOVA_CONF ironic project_domain_id default
+ if is_ironic_enforce_scope; then
+ iniset $NOVA_CONF ironic system_scope all
+ else
+ iniset $NOVA_CONF ironic project_domain_id default
+ iniset $NOVA_CONF ironic project_name demo
+ fi
iniset $NOVA_CONF ironic user_domain_id default
- iniset $NOVA_CONF ironic project_name demo
iniset $NOVA_CONF ironic region_name $REGION_NAME
# These are used with crufty legacy ironicclient
@@ -82,7 +86,6 @@
:
}
-
# Restore xtrace
$_XTRACE_HYP_IRONIC