Project scoped auth don't have access to

list-projects and list-domains.api-server do list-domains during initialization. So using domian scoped auth parameters in contrail-keystone-auth.conf Change-Id: I29ebdbdf60ae174e2587d0108b3cd605c9f220ae Closes-Bug: 1724691
Juniper · Oct 25, 2017 · f1fbc68 · f1fbc68
1 parent 6a02e07
commit f1fbc68
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 3 deletions.
diff --git a/playbooks/roles/contrail/common/defaults/main.yml b/playbooks/roles/contrail/common/defaults/main.yml
@@ -138,7 +138,7 @@ keystone_certfile: /etc/contrailctl/ssl/server.pem
 keystone_keyfile: /etc/contrailctl/ssl/server-privkey.pem
 keystone_cafile: /etc/contrailctl/ssl/ca-cert.pem
 keystone_user_domain_name: Default
-keystone_project_domain_name: Default
+keystone_domain_id: default
 
 neutron_metadata_ip: "{{ keystone_ip }}"
 neutron_metadata_port: 8775

diff --git a/playbooks/roles/contrail/common/tasks/analytics_keystoneauth.yml b/playbooks/roles/contrail/common/tasks/analytics_keystoneauth.yml
@@ -65,7 +65,22 @@
 
 - name: configure keystone project domain name in keystone auth configuration file
   ini_file: dest={{ keystone_auth_conf }} section=KEYSTONE option=project_domain_name value={{ keystone_project_domain_name }}  create=yes
-  when: cloud_orchestrator == 'openstack' and keystone_version == 'v3'
+  when: cloud_orchestrator == 'openstack' and keystone_version == 'v3' and keystone_project_domain_name is defined
+  notify:
+    - restart analytics-api supervisord
+    - restart analytics-api systemd
+    - restart analytics collector supervisord
+    - restart analytics collector systemd
+    - restart alarm-gen supervisord
+    - restart alarm-gen systemd
+    - restart snmp-collector supervisord
+    - restart snmp-collector systemd
+    - restart topology supervisord
+    - restart topology systemd
+
+- name: configure keystone domain id in keystone auth configuration file
+  ini_file: dest={{ keystone_auth_conf }} section=KEYSTONE option=domain_id value={{ keystone_domain_id }}  create=yes
+  when: cloud_orchestrator == 'openstack' and keystone_version == 'v3' and keystone_project_domain_name is undefined
   notify:
     - restart analytics-api supervisord
     - restart analytics-api systemd

diff --git a/playbooks/roles/contrail/common/tasks/config_keystoneauth.yml b/playbooks/roles/contrail/common/tasks/config_keystoneauth.yml
@@ -40,7 +40,14 @@
 
 - name: configure keystone project domain name in keystone auth configuration file
   ini_file: dest={{ keystone_auth_conf }} section=KEYSTONE option=project_domain_name value={{ keystone_project_domain_name }}  create=yes
-  when: cloud_orchestrator == 'openstack' and keystone_version == 'v3'
+  when: cloud_orchestrator == 'openstack' and keystone_version == 'v3' and keystone_project_domain_name is defined
+  notify:
+    - restart config api supervisord
+    - restart config api systemd
+
+- name: configure keystone domain id in keystone auth configuration file
+  ini_file: dest={{ keystone_auth_conf }} section=KEYSTONE option=domain_id value={{ keystone_domain_id }}  create=yes
+  when: cloud_orchestrator == 'openstack' and keystone_version == 'v3' and keystone_project_domain_name is undefined
   notify:
     - restart config api supervisord
     - restart config api systemd