)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"53879e1363e663ffbbc63bad3fbb59eddfd6b8f4","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Update configuration for [keystone_authtoken] section in all"},{"line_number":10,"context_line":"Openstack services to use system scoped tokens when authenticating"},{"line_number":11,"context_line":"with Keystone."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Change-Id: I42957ce6f7eeff89085d5ea71d241ee6740fe356"},{"line_number":14,"context_line":"Signed-off-by: James Kirsch \u003cgeneralfuzz@gmail.com\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":23,"id":"13351a74_bb988bce","line":11,"updated":"2021-12-22 15:35:18.000000000","message":"Let\u0027s link to the etherpad again.\n\nhttps://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible\n\nIt should also be updated to include the plan for yoga (and beyond, if we can think/plan that far ahead).","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Update configuration for [keystone_authtoken] section in all"},{"line_number":10,"context_line":"Openstack services to use system scoped tokens when authenticating"},{"line_number":11,"context_line":"with Keystone."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Change-Id: I42957ce6f7eeff89085d5ea71d241ee6740fe356"},{"line_number":14,"context_line":"Signed-off-by: James Kirsch 
\u003cgeneralfuzz@gmail.com\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":23,"id":"ced7f09b_9038bcd7","line":11,"in_reply_to":"13351a74_bb988bce","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"65556d5fa585a3a8017c5a1a8d1401c81b445853","unresolved":true,"context_lines":[{"line_number":11,"context_line":"with Keystone."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Change-Id: I42957ce6f7eeff89085d5ea71d241ee6740fe356"},{"line_number":14,"context_line":"Signed-off-by: James Kirsch \u003cgeneralfuzz@gmail.com\u003e"},{"line_number":15,"context_line":"Signed-off-by: james kirsch \u003cgeneralfuzz@gmail.com\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":23,"id":"afdba2db_068c6d50","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":51},"updated":"2021-12-20 13:32:24.000000000","message":"Twice?","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":11,"context_line":"with Keystone."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Change-Id: I42957ce6f7eeff89085d5ea71d241ee6740fe356"},{"line_number":14,"context_line":"Signed-off-by: James Kirsch \u003cgeneralfuzz@gmail.com\u003e"},{"line_number":15,"context_line":"Signed-off-by: james kirsch \u003cgeneralfuzz@gmail.com\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":23,"id":"da18d146_7877f084","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":51},"in_reply_to":"afdba2db_068c6d50","updated":"2024-02-06 
11:12:49.000000000","message":"Done","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"30b59294b7ea15cd437442a417f6b4121a3c5bab","unresolved":true,"context_lines":[{"line_number":10,"context_line":"policy validation as part of the RBAC efforts. [1]"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"The wiki doc describing the work to support RBAC and system scope"},{"line_number":13,"context_line":"in Kolla-Ansible. [2]"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[1] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst#phase-2"},{"line_number":16,"context_line":"[2] https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":41,"id":"517af8c5_2da64050","line":13,"updated":"2024-02-07 11:09:50.000000000","message":"That\u0027s not a wiki but an etherpad, and it is severely out of date in comparison to the content of this patch.","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"e550f870541f853b4c3adc6f02b4980a6f49a445","unresolved":true,"context_lines":[{"line_number":10,"context_line":"policy validation as part of the RBAC efforts. [1]"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"The wiki doc describing the work to support RBAC and system scope"},{"line_number":13,"context_line":"in Kolla-Ansible. 
[2]"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[1] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst#phase-2"},{"line_number":16,"context_line":"[2] https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":41,"id":"b80edce5_9803a4a0","line":13,"in_reply_to":"517af8c5_2da64050","updated":"2024-02-07 11:18:55.000000000","message":"This is from initial patch. I wanted to remove it, however I left it in WIP stage just to have some context. Will remove it soon","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"dc0103c4d240d68fe9babc29f6df47b1ae4db698","unresolved":false,"context_lines":[{"line_number":10,"context_line":"policy validation as part of the RBAC efforts. [1]"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"The wiki doc describing the work to support RBAC and system scope"},{"line_number":13,"context_line":"in Kolla-Ansible. 
[2]"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"[1] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst#phase-2"},{"line_number":16,"context_line":"[2] https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":41,"id":"e9d74b0e_619d615c","line":13,"in_reply_to":"b80edce5_9803a4a0","updated":"2024-02-07 11:28:27.000000000","message":"Done","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"df2a7dd181ba36bae0827034b5672184ccbdf244","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":13,"id":"f569f44b_ec9985d5","updated":"2021-11-09 00:21:44.000000000","message":"recheck","commit_id":"86bef10cf17d15cf05c941c632f47f8a585ae2aa"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"1de5e752_83019651","in_reply_to":"f569f44b_ec9985d5","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"86bef10cf17d15cf05c941c632f47f8a585ae2aa"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"4b003278d7e1688a382d9bef30a58562d27745f8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":22,"id":"22250724_e10958f2","updated":"2021-12-15 18:22:12.000000000","message":"I think we need to split this problem into smaller chunks. The easiest way I can think of doing that is to now do the enforce_scope_check\u003dTrue thing yet. 
Lets focus instead on enforce_new_defaults.\n\nI am bit worried the keystone roles are not as we expected for the transition plan that has been agreed, and may need tweaking, but that should be easier without enforce_scope_check.","commit_id":"f7288aab2bfd68a73a4f59396ad0217a0044413b"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"53879e1363e663ffbbc63bad3fbb59eddfd6b8f4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":23,"id":"751c71ec_36742b4f","updated":"2021-12-22 15:35:18.000000000","message":"Looking at the yoga timeline, trying to work out what we need to do in kolla.\n\nhttps://opendev.org/openstack/governance/src/branch/master/goals/selected/consistent-and-secure-rbac.rst#yoga-timeline-7th-mar-2022\n\n* keystone will create the service role AFAICT, we should not need to do it.\n  * TODO: Need to check that there is a DB migration that adds it for upgrades.\n* Keystone sets keystone.conf [oslo_policy] enforce_scope \u003d True, and removes deprecated policies\n  * We need to ensure that we are ready for this. All use of keystone from that point will need to be using the correct scope.\n  * We can test it by setting the two oslo_policy flags to true in keystone.conf. As JG says, we don\u0027t need to get there in one go.\n  * The majority of this patch is about token validation (keystone_authtoken). I\u0027d suggest we restrict it to that and split other things out.\n  * Using the new service role seems like a good approach. I\u0027m a little unclear on whether it should be system-scoped or project-scoped though. The current patch is using the service project. The policy docs allow any scope for identity:validate_token. 
We will need to provide some support for upgrades to add any new role assignments.\n  * The current patch adds the new role assignments, but we\u0027ll also need to determine how and when to remove the admin role from service users.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"58c1dab2a05cf2b40c791d7d688e0cef2cfc9616","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":23,"id":"91b2a23b_01510c93","updated":"2021-12-22 15:49:28.000000000","message":"Once we have a rough plan for yoga, it might be worth sharing and comparing with other deployment projects on the mailing list.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"58c1dab2a05cf2b40c791d7d688e0cef2cfc9616","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":23,"id":"0db98819_528daead","in_reply_to":"751c71ec_36742b4f","updated":"2021-12-22 15:49:28.000000000","message":"Dropping the admin role from service users that are only used for token validation might be a good way to validate this change. Service users that do things other than token validation might be more difficult (e.g. nova). 
Again, need to consider upgrades.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e56e493f976397032f9327a31c47ae2a3bc54c1a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":27,"id":"dfc939fd_a41267bf","updated":"2022-01-17 10:12:45.000000000","message":"Still need to determine whether this should be in the service project, or with system scope.","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"3ee53d77a5ccc2fd126dc00d9dc3d618829798a9","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":27,"id":"46a89dc2_65e3008e","in_reply_to":"0d960939_3fb0ddcc","updated":"2022-01-19 09:59:28.000000000","message":"The RBAC spec suggests that the service role will be used for \u0027service to service communication. It\u0027s not clear exactly what will be included in that. I think it\u0027s really a \u0027phase 2\u0027 thing, which is beyond Yoga. I\u0027d certainly expect it to include token validation. When we\u0027re talking about creating and owning resources (networks, etc.), it seems likely we might be required to put them in a project.\n\nI think it\u0027s worth noting that we\u0027re adding role assignments here - only when we try to remove the admin role will we find which users may need additional roles.\n\nI suggest that while we try to get an answer for the project vs system scope question, we push on with other parts we need for Yoga.\n\nThe main thing that I see biting us is when keystone changes the default of enforce_scope (and enforce_new_defaults?). We need another patch, based on this one, that changes those defaults (unconditionally, since there will be no way back in yoga AFAIK), and makes any changes required for it to work. 
I think we had some of that code in here at some point.","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"935267ff45ab30666763f72561cfb5ea52fc6a62","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":27,"id":"8a6b6007_fcf1dd3a","in_reply_to":"46a89dc2_65e3008e","updated":"2022-01-19 10:49:53.000000000","message":"I sent a message to the mailing list. Feel free to reply.\n\nhttp://lists.openstack.org/pipermail/openstack-discuss/2022-January/026777.html","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"5bda3bcf998f46b7e1b16ca6dd3185b6a15e0ceb","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":27,"id":"0d960939_3fb0ddcc","in_reply_to":"533058c0_78fa947e","updated":"2022-01-19 01:51:41.000000000","message":"Point of clarification - are we trying to determine for each service:\n1. if the \"service\" role requires a project (vs system scope role)? \n2. if the service user requires \"admin\" role (also determining if project vs system scope) ?\n \nIt seems like each service might need a different set of roles - \"service\" role likely doesn\u0027t give enough access for nova, etc.","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"04e47947c47bbdac66782d8561cd67752456f762","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":27,"id":"533058c0_78fa947e","in_reply_to":"6c4288b4_0729b43b","updated":"2022-01-18 10:02:21.000000000","message":"That\u0027s true. It certainly applies in some cases (e.g. octavia). 
In many cases however the service will only need to do token validation.\n\nMaybe it\u0027s time to start a discussion on the mailing list?","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":27,"id":"6bec19dc_7d1a359b","in_reply_to":"8a6b6007_fcf1dd3a","updated":"2024-02-06 11:12:49.000000000","message":"as system scope don\u0027t need to be used currently, I\u0027m marking it as resolved.","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d488255385f1e79a192bbd604b7c80463e9e7c78","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":27,"id":"6c4288b4_0729b43b","in_reply_to":"dfc939fd_a41267bf","updated":"2022-01-18 00:11:43.000000000","message":"We know that certain actions require a project, like making a network. 
\n\nhttps://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/attributes.py#L266\n\n\"Running without keystone AuthN requires that tenant_id is specified\"","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"0b1abb504d319df19d89a6c882914382c9dbaf23","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":30,"id":"cb61407a_d0238d38","updated":"2022-01-19 10:51:05.000000000","message":"Lint failed","commit_id":"dced429fc1f7282cff5456932bf438a95d25f1b6"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"64d060e630cfce2ed02a3aae7a91eb2f60a8c293","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":31,"id":"621a9f70_13b4d56a","updated":"2022-01-20 09:25:25.000000000","message":"Code looks good, assuming the service role is project-scoped. -1 until we get agreement on that (although I\u0027m personally leaning towards system-scope and one ML response agreed).\n\nIf you\u0027re looking for something to do, it might be sensible to get a patch together that adds support for assigning roles with system scope in service-ks-register. Ideally we\u0027d use the ansible module, but we\u0027ve not pushed that forward. Most of the code should be present in previous patchsets. 
It would probably use input data like this:\n\n# project-scoped\n- username: foo\n  project: bar\n  role: baz\n\n# system-scoped\n- username: foo\n  system: all\n  role: baz","commit_id":"d819babd30cd3f56e450ad19234556d3f43eb73e"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":31,"id":"ef61599c_b7bb5d13","in_reply_to":"539c281b_967c4af8","updated":"2024-02-06 11:12:49.000000000","message":"as system scope don\u0027t need to be used currently, I\u0027m marking it as resolved.","commit_id":"d819babd30cd3f56e450ad19234556d3f43eb73e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"71a44f95c2019bdb1a11dbbf123b680477448368","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":31,"id":"c9f413de_84e7482b","in_reply_to":"621a9f70_13b4d56a","updated":"2022-01-20 16:39:02.000000000","message":"FYI: I\u0027m pushing forward in openstacksdk for system scope role, hopefully landing in yoga timeframe. 
https://review.opendev.org/c/openstack/openstacksdk/+/824470","commit_id":"d819babd30cd3f56e450ad19234556d3f43eb73e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"26d51f6feb84e8d70c836f13dde430ce4defda18","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":31,"id":"539c281b_967c4af8","in_reply_to":"c9f413de_84e7482b","updated":"2022-01-21 09:06:42.000000000","message":"Awesome 😊\n\nWill there be a corresponding ansible module change?","commit_id":"d819babd30cd3f56e450ad19234556d3f43eb73e"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":37,"id":"480c91e5_54322bfd","updated":"2024-02-06 11:12:49.000000000","message":"applying and resolving old and done review comments (not needed anymore - system-scope)","commit_id":"68c34d00ae8d2b6524da4bced399c7d90f71e1e8"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"0f5ef1f6ee5db6f0eef6ad6e25e63e28b0136a4b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":37,"id":"f20a4f8f_c41665ca","updated":"2024-02-06 11:15:52.000000000","message":"good reading here","commit_id":"68c34d00ae8d2b6524da4bced399c7d90f71e1e8"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"196ee4a2ed85d91736c64aadf4d09d7a46457ac1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":37,"id":"0572560b_cffcf668","in_reply_to":"f20a4f8f_c41665ca","updated":"2024-02-06 11:16:06.000000000","message":"https://etherpad.opendev.org/p/rbac-goal-tracking#L48","commit_id":"68c34d00ae8d2b6524da4bced399c7d90f71e1e8"},{"author":{"_account_id":27339,"name":"Michal 
Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"815b55c6e5e0e2b3d5aa55e91e61bd44d045f4e2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":40,"id":"ab719dcd_9a2e8571","updated":"2024-02-07 09:20:56.000000000","message":"After typo will be fixed, it will be OK from me.","commit_id":"fadaf1925cc7941c89f701653639c205a2948b8f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"092fb06c534423a879cebedeca5b524d54257943","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":41,"id":"22844f58_0c1d7241","updated":"2024-02-07 10:58:43.000000000","message":"wouldn\u0027t it be much simpler to just change the (kolla) default from the empty list, to contain \"service\"? see the code here:\n\nhttps://github.com/openstack/kolla-ansible/blob/master/ansible/roles/service-ks-register/defaults/main.yml#L36\n\nif we add the service role to each service user we should maybe do it centralized?\n\nthen we don\u0027t need to append the role to each service?\n\nalso this should already be upstreams default. Maybe this is also a problem on how we use this, setting this to an empty list as a default.\n\nI\u0027m sure I have overlooked something why this can\u0027t work. 😐","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"dc0103c4d240d68fe9babc29f6df47b1ae4db698","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":41,"id":"c6365b8f_c2b6df26","in_reply_to":"22844f58_0c1d7241","updated":"2024-02-07 11:28:27.000000000","message":"the role meant to be generic - i.e. not forcing any role - maybe some users needs to have this role, and some not. 
And we\u0027re adding each user in each openstack project\u0027s ansible role - depends on which project is enabled in kolla.\nProblem is that not all openstack projects support service role yet - that\u0027s why still using admin role by default - https://etherpad.opendev.org/p/rbac-goal-tracking#L48","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"09476b4202ff34b7218f90d5826b757cd4e1ff21","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":41,"id":"61af67d0_bec52f66","in_reply_to":"c6365b8f_c2b6df26","updated":"2024-02-07 14:17:48.000000000","message":"then I would suggest to maybe split that up?\n\nBecause if this is globally configurable by the user they will end up shooting themselves in the foot by accidentally using a too broad scope.\n\nTurned out we shot ourselves in the foot to begin with. So I doubt a user can handle this very tricky stuff better than we do (I\u0027m referring to the cinder bug which currently has admin scope, wrongly).\n\nBut I really don\u0027t know if this should be configurable in the first place, from a security perspective. Mhm. Are there end users that actually use this feature?","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"}],"ansible/group_vars/all.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":881,"context_line":"enable_keystone_system_scoped_policy: \"no\""},{"line_number":882,"context_line":""},{"line_number":883,"context_line":"# use system scoped token for roles authenticating with Keystone"},{"line_number":884,"context_line":"keystone_system_scoped_tokens: \"yes\""},{"line_number":885,"context_line":""},{"line_number":886,"context_line":"# OpenStack authentication string. 
You should only need to override these if you"},{"line_number":887,"context_line":"# are changing the admin tenant/project or user."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"5d31b284_ba1fe75e","line":884,"range":{"start_line":884,"start_character":0,"end_line":884,"end_character":29},"updated":"2021-11-17 11:33:55.000000000","message":"Are there any cases where you\u0027d need to set this to false?","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":true,"context_lines":[{"line_number":881,"context_line":"enable_keystone_system_scoped_policy: \"no\""},{"line_number":882,"context_line":""},{"line_number":883,"context_line":"# use system scoped token for roles authenticating with Keystone"},{"line_number":884,"context_line":"keystone_system_scoped_tokens: \"yes\""},{"line_number":885,"context_line":""},{"line_number":886,"context_line":"# OpenStack authentication string. 
You should only need to override these if you"},{"line_number":887,"context_line":"# are changing the admin tenant/project or user."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"b1bca721_7e0cbae6","line":884,"range":{"start_line":884,"start_character":0,"end_line":884,"end_character":29},"in_reply_to":"5d31b284_ba1fe75e","updated":"2021-11-19 00:08:13.000000000","message":"Upgrade fails if this is not set to false.","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":881,"context_line":"enable_keystone_system_scoped_policy: \"no\""},{"line_number":882,"context_line":""},{"line_number":883,"context_line":"# use system scoped token for roles authenticating with Keystone"},{"line_number":884,"context_line":"keystone_system_scoped_tokens: \"yes\""},{"line_number":885,"context_line":""},{"line_number":886,"context_line":"# OpenStack authentication string. 
You should only need to override these if you"},{"line_number":887,"context_line":"# are changing the admin tenant/project or user."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"ded88cce_334446d5","line":884,"range":{"start_line":884,"start_character":0,"end_line":884,"end_character":29},"in_reply_to":"b1bca721_7e0cbae6","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"65556d5fa585a3a8017c5a1a8d1401c81b445853","unresolved":true,"context_lines":[{"line_number":877,"context_line":"fernet_key_rotation_interval: \"{{ fernet_token_expiry + fernet_token_allow_expired_window }}\""},{"line_number":878,"context_line":""},{"line_number":879,"context_line":"keystone_default_user_role: \"_member_\""},{"line_number":880,"context_line":"keystone_service_user_role: \"service\""},{"line_number":881,"context_line":""},{"line_number":882,"context_line":"# Enable system scoped policy in services"},{"line_number":883,"context_line":"enable_keystone_system_scoped_policy: \"yes\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"a0b44383_c4e563cf","line":880,"range":{"start_line":880,"start_character":29,"end_line":880,"end_character":36},"updated":"2021-12-20 13:32:24.000000000","message":"Is this a new role?","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"a295b382c9a92303d0c603f87a9199b22a82ad10","unresolved":true,"context_lines":[{"line_number":877,"context_line":"fernet_key_rotation_interval: \"{{ fernet_token_expiry + fernet_token_allow_expired_window }}\""},{"line_number":878,"context_line":""},{"line_number":879,"context_line":"keystone_default_user_role: 
\"_member_\""},{"line_number":880,"context_line":"keystone_service_user_role: \"service\""},{"line_number":881,"context_line":""},{"line_number":882,"context_line":"# Enable system scoped policy in services"},{"line_number":883,"context_line":"enable_keystone_system_scoped_policy: \"yes\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"a1fa28bb_49f58d69","line":880,"range":{"start_line":880,"start_character":29,"end_line":880,"end_character":36},"in_reply_to":"8136bd1c_819a3734","updated":"2021-12-22 12:35:30.000000000","message":"Ah, I wasn\u0027t aware of the service role. Seems that I should read that doc.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"407dfe00ce9686d30fb72497d9e7dd0f94d0ea2e","unresolved":true,"context_lines":[{"line_number":877,"context_line":"fernet_key_rotation_interval: \"{{ fernet_token_expiry + fernet_token_allow_expired_window }}\""},{"line_number":878,"context_line":""},{"line_number":879,"context_line":"keystone_default_user_role: \"_member_\""},{"line_number":880,"context_line":"keystone_service_user_role: \"service\""},{"line_number":881,"context_line":""},{"line_number":882,"context_line":"# Enable system scoped policy in services"},{"line_number":883,"context_line":"enable_keystone_system_scoped_policy: \"yes\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"8136bd1c_819a3734","line":880,"range":{"start_line":880,"start_character":29,"end_line":880,"end_character":36},"in_reply_to":"a0b44383_c4e563cf","updated":"2021-12-20 22:50:22.000000000","message":"The latest RBAC Conversations determined that system scope role has no project associated with it. 
After discussing with John G, to move toward the goals in https://opendev.org/openstack/governance/src/branch/master/goals/selected/consistent-and-secure-rbac.rst, we are trying to move service users to have service role and enabling enforce new defaults in keystone. This is part of phase 2 - Isolate service-to-service APIs to the service role. Adding the service role allows service users to validate tokens in keystone API  (https://docs.openstack.org/keystone/latest/configuration/policy.html). We are determining what the gaps are in the default Keystone policy from failing tests.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"53879e1363e663ffbbc63bad3fbb59eddfd6b8f4","unresolved":true,"context_lines":[{"line_number":877,"context_line":"fernet_key_rotation_interval: \"{{ fernet_token_expiry + fernet_token_allow_expired_window }}\""},{"line_number":878,"context_line":""},{"line_number":879,"context_line":"keystone_default_user_role: \"_member_\""},{"line_number":880,"context_line":"keystone_service_user_role: \"service\""},{"line_number":881,"context_line":""},{"line_number":882,"context_line":"# Enable system scoped policy in services"},{"line_number":883,"context_line":"enable_keystone_system_scoped_policy: \"yes\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"dbdeb1c8_36169b52","line":880,"range":{"start_line":880,"start_character":29,"end_line":880,"end_character":36},"in_reply_to":"a1fa28bb_49f58d69","updated":"2021-12-22 15:35:18.000000000","message":"I read through that doc again, it seems to have grown since I last read it. 
It is at least a bit more clear now though.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":877,"context_line":"fernet_key_rotation_interval: \"{{ fernet_token_expiry + fernet_token_allow_expired_window }}\""},{"line_number":878,"context_line":""},{"line_number":879,"context_line":"keystone_default_user_role: \"_member_\""},{"line_number":880,"context_line":"keystone_service_user_role: \"service\""},{"line_number":881,"context_line":""},{"line_number":882,"context_line":"# Enable system scoped policy in services"},{"line_number":883,"context_line":"enable_keystone_system_scoped_policy: \"yes\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"8fd8b36e_715a99e5","line":880,"range":{"start_line":880,"start_character":29,"end_line":880,"end_character":36},"in_reply_to":"dbdeb1c8_36169b52","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":879,"context_line":"keystone_default_user_role: \"_member_\""},{"line_number":880,"context_line":"keystone_service_user_role: \"service\""},{"line_number":881,"context_line":""},{"line_number":882,"context_line":"# Enable system scoped policy in services"},{"line_number":883,"context_line":"enable_keystone_system_scoped_policy: \"yes\""},{"line_number":884,"context_line":""},{"line_number":885,"context_line":"# use system scoped token for roles authenticating with Keystone"},{"line_number":886,"context_line":"keystone_system_scoped_tokens: 
\"yes\""},{"line_number":887,"context_line":""},{"line_number":888,"context_line":"# OpenStack authentication string. You should only need to override these if you"},{"line_number":889,"context_line":"# are changing the admin tenant/project or user."}],"source_content_type":"text/x-yaml","patch_set":27,"id":"a8393309_52b801ca","line":886,"range":{"start_line":882,"start_character":0,"end_line":886,"end_character":36},"updated":"2022-01-17 10:11:20.000000000","message":"I don\u0027t think these make sense in this patch - split out?","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":879,"context_line":"keystone_default_user_role: \"_member_\""},{"line_number":880,"context_line":"keystone_service_user_role: \"service\""},{"line_number":881,"context_line":""},{"line_number":882,"context_line":"# Enable system scoped policy in services"},{"line_number":883,"context_line":"enable_keystone_system_scoped_policy: \"yes\""},{"line_number":884,"context_line":""},{"line_number":885,"context_line":"# use system scoped token for roles authenticating with Keystone"},{"line_number":886,"context_line":"keystone_system_scoped_tokens: \"yes\""},{"line_number":887,"context_line":""},{"line_number":888,"context_line":"# OpenStack authentication string. You should only need to override these if you"},{"line_number":889,"context_line":"# are changing the admin tenant/project or user."}],"source_content_type":"text/x-yaml","patch_set":27,"id":"ad2a795e_5bfc859a","line":886,"range":{"start_line":882,"start_character":0,"end_line":886,"end_character":36},"in_reply_to":"a8393309_52b801ca","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":13252,"name":"Dr. 
Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"30b59294b7ea15cd437442a417f6b4121a3c5bab","unresolved":true,"context_lines":[{"line_number":1018,"context_line":""},{"line_number":1019,"context_line":"keystone_admin_user: \"admin\""},{"line_number":1020,"context_line":"keystone_admin_project: \"admin\""},{"line_number":1021,"context_line":"keystone_service_project: \"service\""},{"line_number":1022,"context_line":""},{"line_number":1023,"context_line":"default_project_domain_name: \"Default\""},{"line_number":1024,"context_line":"default_project_domain_id: \"default\""}],"source_content_type":"text/x-yaml","patch_set":41,"id":"e026be0a_2843b7e8","line":1021,"updated":"2024-02-07 11:09:50.000000000","message":"I don\u0027t think it is feasible/useful to make this configurable","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"3e0120b7047be25841b45686a64f6e51643d7a27","unresolved":true,"context_lines":[{"line_number":1018,"context_line":""},{"line_number":1019,"context_line":"keystone_admin_user: \"admin\""},{"line_number":1020,"context_line":"keystone_admin_project: \"admin\""},{"line_number":1021,"context_line":"keystone_service_project: \"service\""},{"line_number":1022,"context_line":""},{"line_number":1023,"context_line":"default_project_domain_name: \"Default\""},{"line_number":1024,"context_line":"default_project_domain_id: \"default\""}],"source_content_type":"text/x-yaml","patch_set":41,"id":"17f70778_644b251f","line":1021,"in_reply_to":"2eaa4272_c9ff3fbe","updated":"2024-02-07 15:11:20.000000000","message":"which one do use \"services\"? 
I guess it would be good to have that list documented (sorry if I overlooked it somewhere).","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"e550f870541f853b4c3adc6f02b4980a6f49a445","unresolved":true,"context_lines":[{"line_number":1018,"context_line":""},{"line_number":1019,"context_line":"keystone_admin_user: \"admin\""},{"line_number":1020,"context_line":"keystone_admin_project: \"admin\""},{"line_number":1021,"context_line":"keystone_service_project: \"service\""},{"line_number":1022,"context_line":""},{"line_number":1023,"context_line":"default_project_domain_name: \"Default\""},{"line_number":1024,"context_line":"default_project_domain_id: \"default\""}],"source_content_type":"text/x-yaml","patch_set":41,"id":"2eaa4272_c9ff3fbe","line":1021,"in_reply_to":"e026be0a_2843b7e8","updated":"2024-02-07 11:18:55.000000000","message":"you\u0027re probably right, however I\u0027ve seen that some projects are using `services` name.","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"30b59294b7ea15cd437442a417f6b4121a3c5bab","unresolved":true,"context_lines":[{"line_number":1037,"context_line":"fernet_key_rotation_interval: \"{{ fernet_token_expiry + fernet_token_allow_expired_window }}\""},{"line_number":1038,"context_line":""},{"line_number":1039,"context_line":"keystone_default_user_role: \"member\""},{"line_number":1040,"context_line":"keystone_service_user_role: \"service\""},{"line_number":1041,"context_line":""},{"line_number":1042,"context_line":"# OpenStack authentication string. 
You should only need to override these if you"},{"line_number":1043,"context_line":"# are changing the admin tenant/project or user."}],"source_content_type":"text/x-yaml","patch_set":41,"id":"4111ee7a_2023e6e4","line":1040,"updated":"2024-02-07 11:09:50.000000000","message":"I think this role name is pretty much hardcoded into the specs and policies, no need to make it configurable","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"d4be2abc8cfe89459165732e7f622b695a139c66","unresolved":true,"context_lines":[{"line_number":1037,"context_line":"fernet_key_rotation_interval: \"{{ fernet_token_expiry + fernet_token_allow_expired_window }}\""},{"line_number":1038,"context_line":""},{"line_number":1039,"context_line":"keystone_default_user_role: \"member\""},{"line_number":1040,"context_line":"keystone_service_user_role: \"service\""},{"line_number":1041,"context_line":""},{"line_number":1042,"context_line":"# OpenStack authentication string. 
You should only need to override these if you"},{"line_number":1043,"context_line":"# are changing the admin tenant/project or user."}],"source_content_type":"text/x-yaml","patch_set":41,"id":"88ac3927_b427d24a","line":1040,"in_reply_to":"4111ee7a_2023e6e4","updated":"2024-02-07 11:17:47.000000000","message":"It\u0027s not, it\u0027s configurable via service_token_roles_required","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"}],"ansible/post-deploy.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":11,"context_line":"        group: \"{{ ansible_facts.user_gid }}\""},{"line_number":12,"context_line":"        mode: 0600"},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"    - name: Template out admin-openrc-system-scope.sh"},{"line_number":15,"context_line":"      become: true"},{"line_number":16,"context_line":"      template:"},{"line_number":17,"context_line":"        src: \"roles/common/templates/admin-openrc-system-scope.sh.j2\""},{"line_number":18,"context_line":"        dest: \"{{ node_config }}/admin-openrc-system-scope.sh\""},{"line_number":19,"context_line":"        owner: \"{{ ansible_facts.user_uid }}\""},{"line_number":20,"context_line":"        group: \"{{ ansible_facts.user_gid }}\""},{"line_number":21,"context_line":"        mode: 0600"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"    - import_role:"},{"line_number":24,"context_line":"        name: octavia"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"6985d49f_9a2673da","line":21,"range":{"start_line":14,"start_character":0,"end_line":21,"end_character":18},"updated":"2022-01-17 10:11:20.000000000","message":"Ditto - separate patch","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz 
Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":11,"context_line":"        group: \"{{ ansible_facts.user_gid }}\""},{"line_number":12,"context_line":"        mode: 0600"},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"    - name: Template out admin-openrc-system-scope.sh"},{"line_number":15,"context_line":"      become: true"},{"line_number":16,"context_line":"      template:"},{"line_number":17,"context_line":"        src: \"roles/common/templates/admin-openrc-system-scope.sh.j2\""},{"line_number":18,"context_line":"        dest: \"{{ node_config }}/admin-openrc-system-scope.sh\""},{"line_number":19,"context_line":"        owner: \"{{ ansible_facts.user_uid }}\""},{"line_number":20,"context_line":"        group: \"{{ ansible_facts.user_gid }}\""},{"line_number":21,"context_line":"        mode: 0600"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"    - import_role:"},{"line_number":24,"context_line":"        name: octavia"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"b8c9c978_a7e9f923","line":21,"range":{"start_line":14,"start_character":0,"end_line":21,"end_character":18},"in_reply_to":"6985d49f_9a2673da","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"ansible/roles/aodh/defaults/main.yml":[{"author":{"_account_id":13252,"name":"Dr. 
Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"30b59294b7ea15cd437442a417f6b4121a3c5bab","unresolved":true,"context_lines":[{"line_number":242,"context_line":"  - project: \"service\""},{"line_number":243,"context_line":"    user: \"{{ aodh_keystone_user }}\""},{"line_number":244,"context_line":"    password: \"{{ aodh_keystone_password }}\""},{"line_number":245,"context_line":"    role: \"admin\""},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"aodh_ks_user_roles:"},{"line_number":248,"context_line":"  - project: \"{{ keystone_service_project }}\""}],"source_content_type":"text/x-yaml","patch_set":41,"id":"819e8d4b_845d1e7e","line":245,"updated":"2024-02-07 11:09:50.000000000","message":"Why can\u0027t we replace the admin role with service? As long as the user still needs to be admin, this whole service role thing seems useless to me.","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"e550f870541f853b4c3adc6f02b4980a6f49a445","unresolved":true,"context_lines":[{"line_number":242,"context_line":"  - project: \"service\""},{"line_number":243,"context_line":"    user: \"{{ aodh_keystone_user }}\""},{"line_number":244,"context_line":"    password: \"{{ aodh_keystone_password }}\""},{"line_number":245,"context_line":"    role: \"admin\""},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"aodh_ks_user_roles:"},{"line_number":248,"context_line":"  - project: \"{{ keystone_service_project }}\""}],"source_content_type":"text/x-yaml","patch_set":41,"id":"999f4d96_1d3ba620","line":245,"in_reply_to":"819e8d4b_845d1e7e","updated":"2024-02-07 11:18:55.000000000","message":"we probably could test it, however not all openstack projects implemented service role yet - 
https://etherpad.opendev.org/p/rbac-goal-tracking#L48","commit_id":"ed4e93ead3d13d160264de5225036c34d68d9098"}],"ansible/roles/aodh/tasks/upgrade.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":6,"context_line":"- import_tasks: bootstrap_service.yml"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"- import_role:"},{"line_number":9,"context_line":"    name: service-ks-register-role"},{"line_number":10,"context_line":"  vars:"},{"line_number":11,"context_line":"    service_ks_register_auth: \"{{ openstack_aodh_auth }}\""},{"line_number":12,"context_line":"    service_ks_register_user_roles: \"{{ aodh_ks_user_roles }}\""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"0994130b_e752962e","line":9,"range":{"start_line":9,"start_character":29,"end_line":9,"end_character":34},"updated":"2022-01-17 10:11:20.000000000","message":"If you use the original service-ks-register role, the defaults should be empty. 
The unnecessary tasks should skip through pretty quickly.","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"88bf259f43d07711d5c3502161be9b37a8ac9cf8","unresolved":false,"context_lines":[{"line_number":6,"context_line":"- import_tasks: bootstrap_service.yml"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"- import_role:"},{"line_number":9,"context_line":"    name: service-ks-register-role"},{"line_number":10,"context_line":"  vars:"},{"line_number":11,"context_line":"    service_ks_register_auth: \"{{ openstack_aodh_auth }}\""},{"line_number":12,"context_line":"    service_ks_register_user_roles: \"{{ aodh_ks_user_roles }}\""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"a9b4260f_035b5550","line":9,"range":{"start_line":9,"start_character":29,"end_line":9,"end_character":34},"in_reply_to":"0994130b_e752962e","updated":"2024-02-06 11:15:13.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"ansible/roles/aodh/templates/aodh.conf.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"53879e1363e663ffbbc63bad3fbb59eddfd6b8f4","unresolved":true,"context_lines":[{"line_number":20,"context_line":"memcache_secret_key \u003d {{ memcache_secret_key }}"},{"line_number":21,"context_line":"memcached_servers \u003d {% for host in groups[\u0027memcached\u0027] %}{{ \u0027api\u0027 | kolla_address(host) | put_address_in_context(\u0027memcache\u0027) }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"},{"line_number":22,"context_line":"www_authenticate_uri \u003d {{ keystone_internal_url }}"},{"line_number":23,"context_line":"project_domain_id \u003d {{ default_project_domain_id }}"},{"line_number":24,"context_line":"project_name \u003d 
service"},{"line_number":25,"context_line":"user_domain_name \u003d {{ default_user_domain_name }}"},{"line_number":26,"context_line":"username \u003d {{ aodh_keystone_user }}"}],"source_content_type":"text/x-jinja2","patch_set":23,"id":"7a2aac41_d9d61f64","line":23,"updated":"2021-12-22 15:35:18.000000000","message":"What\u0027s this for?","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":20,"context_line":"memcache_secret_key \u003d {{ memcache_secret_key }}"},{"line_number":21,"context_line":"memcached_servers \u003d {% for host in groups[\u0027memcached\u0027] %}{{ \u0027api\u0027 | kolla_address(host) | put_address_in_context(\u0027memcache\u0027) }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"},{"line_number":22,"context_line":"www_authenticate_uri \u003d {{ keystone_internal_url }}"},{"line_number":23,"context_line":"project_domain_id \u003d {{ default_project_domain_id }}"},{"line_number":24,"context_line":"project_name \u003d service"},{"line_number":25,"context_line":"user_domain_name \u003d {{ default_user_domain_name }}"},{"line_number":26,"context_line":"username \u003d {{ aodh_keystone_user }}"}],"source_content_type":"text/x-jinja2","patch_set":23,"id":"f0e43853_35974d04","line":23,"in_reply_to":"7a2aac41_d9d61f64","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"}],"ansible/roles/barbican/tasks/upgrade.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":8,"context_line":"- name: Flush handlers"},{"line_number":9,"context_line":"  meta: 
flush_handlers"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"- import_role:"},{"line_number":12,"context_line":"    name: service-ks-register-role"},{"line_number":13,"context_line":"  vars:"},{"line_number":14,"context_line":"    service_ks_register_auth: \"{{ openstack_barbican_auth }}\""},{"line_number":15,"context_line":"    service_ks_register_user_roles: \"{{ barbican_ks_user_roles }}\""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"73ca2591_6f0340da","line":15,"range":{"start_line":11,"start_character":0,"end_line":15,"end_character":66},"updated":"2022-01-17 10:11:20.000000000","message":"Wouldn\u0027t it be better to do this before the services are restarted? i.e. before handlers are flushed. In deploy.yml, usually register.yml is the first import.","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":8,"context_line":"- name: Flush handlers"},{"line_number":9,"context_line":"  meta: flush_handlers"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"- import_role:"},{"line_number":12,"context_line":"    name: service-ks-register-role"},{"line_number":13,"context_line":"  vars:"},{"line_number":14,"context_line":"    service_ks_register_auth: \"{{ openstack_barbican_auth }}\""},{"line_number":15,"context_line":"    service_ks_register_user_roles: \"{{ barbican_ks_user_roles }}\""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"39a0251f_8eb3d490","line":15,"range":{"start_line":11,"start_character":0,"end_line":15,"end_character":66},"in_reply_to":"73ca2591_6f0340da","updated":"2024-02-06 
11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"ansible/roles/blazar/templates/blazar.conf.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":23,"context_line":"www_authenticate_uri \u003d {{ keystone_internal_url }}/v3"},{"line_number":24,"context_line":"auth_url \u003d {{ keystone_admin_url }}/v3"},{"line_number":25,"context_line":"auth_type \u003d password"},{"line_number":26,"context_line":"project_domain_id \u003d {{ default_project_domain_id }}"},{"line_number":27,"context_line":"user_domain_id \u003d default"},{"line_number":28,"context_line":"project_name \u003d service"},{"line_number":29,"context_line":"username \u003d {{ blazar_keystone_user }}"}],"source_content_type":"text/x-jinja2","patch_set":27,"id":"97ffe85f_481c6434","line":26,"updated":"2022-01-17 10:11:20.000000000","message":"Unrelated? 
Separate patch?","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":23,"context_line":"www_authenticate_uri \u003d {{ keystone_internal_url }}/v3"},{"line_number":24,"context_line":"auth_url \u003d {{ keystone_admin_url }}/v3"},{"line_number":25,"context_line":"auth_type \u003d password"},{"line_number":26,"context_line":"project_domain_id \u003d {{ default_project_domain_id }}"},{"line_number":27,"context_line":"user_domain_id \u003d default"},{"line_number":28,"context_line":"project_name \u003d service"},{"line_number":29,"context_line":"username \u003d {{ blazar_keystone_user }}"}],"source_content_type":"text/x-jinja2","patch_set":27,"id":"be33f024_a51c2b39","line":26,"in_reply_to":"97ffe85f_481c6434","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"ansible/roles/common/templates/admin-openrc-system-scope.sh.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":9,"context_line":"export OS_PROJECT_DOMAIN_NAME\u003dDefault"},{"line_number":10,"context_line":"export OS_PROJECT_NAME\u003d{{ keystone_admin_project }}"},{"line_number":11,"context_line":"{% endif %}"},{"line_number":12,"context_line":"export OS_TENANT_NAME\u003d{{ keystone_admin_project }}"},{"line_number":13,"context_line":"export OS_USERNAME\u003d{{ keystone_admin_user }}"},{"line_number":14,"context_line":"export OS_PASSWORD\u003d{{ keystone_admin_password }}"},{"line_number":15,"context_line":"export OS_AUTH_URL\u003d{{ keystone_admin_url 
}}/v3"}],"source_content_type":"text/x-jinja2","patch_set":17,"id":"f475bdad_7be6fb15","line":12,"updated":"2021-11-17 11:33:55.000000000","message":"Shouldn\u0027t have this with system scope","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":9,"context_line":"export OS_PROJECT_DOMAIN_NAME\u003dDefault"},{"line_number":10,"context_line":"export OS_PROJECT_NAME\u003d{{ keystone_admin_project }}"},{"line_number":11,"context_line":"{% endif %}"},{"line_number":12,"context_line":"export OS_TENANT_NAME\u003d{{ keystone_admin_project }}"},{"line_number":13,"context_line":"export OS_USERNAME\u003d{{ keystone_admin_user }}"},{"line_number":14,"context_line":"export OS_PASSWORD\u003d{{ keystone_admin_password }}"},{"line_number":15,"context_line":"export OS_AUTH_URL\u003d{{ keystone_admin_url }}/v3"}],"source_content_type":"text/x-jinja2","patch_set":17,"id":"e944a794_f0340d5e","line":12,"in_reply_to":"f475bdad_7be6fb15","updated":"2021-11-19 00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":26,"context_line":"export OS_AUTH_PLUGIN\u003dpassword"},{"line_number":27,"context_line":"{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length \u003e 0 %}"},{"line_number":28,"context_line":"export OS_CACERT\u003d{{ kolla_admin_openrc_cacert }}"},{"line_number":29,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":27,"id":"835a6df2_f4dbd490","line":29,"updated":"2022-01-17 10:11:20.000000000","message":"Separate 
patch","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":26,"context_line":"export OS_AUTH_PLUGIN\u003dpassword"},{"line_number":27,"context_line":"{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length \u003e 0 %}"},{"line_number":28,"context_line":"export OS_CACERT\u003d{{ kolla_admin_openrc_cacert }}"},{"line_number":29,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":27,"id":"49850289_a6a3d612","line":29,"in_reply_to":"835a6df2_f4dbd490","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"ansible/roles/glance/tasks/register.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"04e47947c47bbdac66782d8561cd67752456f762","unresolved":true,"context_lines":[{"line_number":5,"context_line":"    service_ks_register_auth: \"{{ openstack_glance_auth }}\""},{"line_number":6,"context_line":"    service_ks_register_services: \"{{ glance_ks_services }}\""},{"line_number":7,"context_line":"    service_ks_register_users: \"{{ glance_ks_users }}\""},{"line_number":8,"context_line":"    service_ks_register_user_roles: \"{{ glance_ks_user_roles }}\""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"07016c2c_4f24537a","line":8,"range":{"start_line":8,"start_character":4,"end_line":8,"end_character":64},"updated":"2022-01-18 10:02:21.000000000","message":"I think this is still required for new deployments","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz 
Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":5,"context_line":"    service_ks_register_auth: \"{{ openstack_glance_auth }}\""},{"line_number":6,"context_line":"    service_ks_register_services: \"{{ glance_ks_services }}\""},{"line_number":7,"context_line":"    service_ks_register_users: \"{{ glance_ks_users }}\""},{"line_number":8,"context_line":"    service_ks_register_user_roles: \"{{ glance_ks_user_roles }}\""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"e6b44f7d_82c0629b","line":8,"range":{"start_line":8,"start_character":4,"end_line":8,"end_character":64},"in_reply_to":"07016c2c_4f24537a","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"ansible/roles/glance/tasks/upgrade.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"04e47947c47bbdac66782d8561cd67752456f762","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- include_tasks: rolling_upgrade.yml"},{"line_number":3,"context_line":"  when: glance_enable_rolling_upgrade | bool"},{"line_number":4,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":29,"id":"31e7e39e_5beb3ef2","line":1,"updated":"2022-01-18 10:02:21.000000000","message":"Move up to here?","commit_id":"eee69f2e644c75e4a24b8046d66c6d3fb199edf1"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- include_tasks: rolling_upgrade.yml"},{"line_number":3,"context_line":"  when: glance_enable_rolling_upgrade | 
bool"},{"line_number":4,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":29,"id":"08adc290_39bf0a12","line":1,"in_reply_to":"31e7e39e_5beb3ef2","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"eee69f2e644c75e4a24b8046d66c6d3fb199edf1"}],"ansible/roles/gnocchi/tasks/upgrade.yml":[{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"7057fc32b0280056cfa492e9e6ffe2baadf60bfb","unresolved":true,"context_lines":[{"line_number":9,"context_line":"- import_role:"},{"line_number":10,"context_line":"    name: service-ks-register"},{"line_number":11,"context_line":"  vars:"},{"line_number":12,"context_line":"    service_ks_register_auth: \"{{ openstack_gnoochi_auth }}\""},{"line_number":13,"context_line":"    service_ks_register_user_roles: \"{{ gnoochi_ks_user_roles }}\""},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"- name: Flush handlers"},{"line_number":16,"context_line":"  meta: flush_handlers"}],"source_content_type":"text/x-yaml","patch_set":40,"id":"08d82e62_03f210de","line":13,"range":{"start_line":12,"start_character":0,"end_line":13,"end_character":65},"updated":"2024-02-07 09:20:02.000000000","message":"typo","commit_id":"fadaf1925cc7941c89f701653639c205a2948b8f"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"c6548ea4d9268817c20afd92ff27e9c3ddd82564","unresolved":false,"context_lines":[{"line_number":9,"context_line":"- import_role:"},{"line_number":10,"context_line":"    name: service-ks-register"},{"line_number":11,"context_line":"  vars:"},{"line_number":12,"context_line":"    service_ks_register_auth: \"{{ openstack_gnoochi_auth }}\""},{"line_number":13,"context_line":"    service_ks_register_user_roles: \"{{ gnoochi_ks_user_roles }}\""},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"- name: Flush 
handlers"},{"line_number":16,"context_line":"  meta: flush_handlers"}],"source_content_type":"text/x-yaml","patch_set":40,"id":"bf4470de_f8bb3338","line":13,"range":{"start_line":12,"start_character":0,"end_line":13,"end_character":65},"in_reply_to":"08d82e62_03f210de","updated":"2024-02-07 10:25:01.000000000","message":"Done","commit_id":"fadaf1925cc7941c89f701653639c205a2948b8f"}],"ansible/roles/keystone/files/policy.yaml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"53879e1363e663ffbbc63bad3fbb59eddfd6b8f4","unresolved":true,"context_lines":[{"line_number":1,"context_line":"# List projects."},{"line_number":2,"context_line":"# GET  /v3/projects"},{"line_number":3,"context_line":"# Intended scope(s): system, domain"},{"line_number":4,"context_line":"\"identity:list_projects\": \"(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) or (role:service)\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"324490f3_acc578db","line":4,"updated":"2021-12-22 15:35:18.000000000","message":"Why do we need this?","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":1,"context_line":"# List projects."},{"line_number":2,"context_line":"# GET  /v3/projects"},{"line_number":3,"context_line":"# Intended scope(s): system, domain"},{"line_number":4,"context_line":"\"identity:list_projects\": \"(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) or (role:service)\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"24099bca_deb5417a","line":4,"in_reply_to":"324490f3_acc578db","updated":"2024-02-06 
11:12:49.000000000","message":"Done","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"}],"ansible/roles/keystone/tasks/register.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"53879e1363e663ffbbc63bad3fbb59eddfd6b8f4","unresolved":true,"context_lines":[{"line_number":30,"context_line":"      region_name: \"{{ openstack_region_name }}\""},{"line_number":31,"context_line":"  run_once: True"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"- name: Creating service user role"},{"line_number":34,"context_line":"  become: true"},{"line_number":35,"context_line":"  kolla_toolbox:"},{"line_number":36,"context_line":"    module_name: \"os_keystone_role\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"2e470fe2_e0ac93ba","line":33,"updated":"2021-12-22 15:35:18.000000000","message":"Keystone should create this eventually.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":30,"context_line":"      region_name: \"{{ openstack_region_name }}\""},{"line_number":31,"context_line":"  run_once: True"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"- name: Creating service user role"},{"line_number":34,"context_line":"  become: true"},{"line_number":35,"context_line":"  kolla_toolbox:"},{"line_number":36,"context_line":"    module_name: \"os_keystone_role\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"ef322faa_72e50398","line":33,"in_reply_to":"2e470fe2_e0ac93ba","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"}],"ansible/roles/keystone/tasks/upgrade.yml":[{"author":{"_account_id":14826,"name":"Mark 
Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"65556d5fa585a3a8017c5a1a8d1401c81b445853","unresolved":true,"context_lines":[{"line_number":48,"context_line":"    - inventory_hostname \u003d\u003d groups[\u0027keystone\u0027][-1]"},{"line_number":49,"context_line":"    - not use_preconfigured_databases | bool"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"- name: Creating service user role"},{"line_number":52,"context_line":"  become: true"},{"line_number":53,"context_line":"  kolla_toolbox:"},{"line_number":54,"context_line":"    module_name: \"os_keystone_role\""},{"line_number":55,"context_line":"    module_args:"},{"line_number":56,"context_line":"      name: \"{{ keystone_service_user_role }}\""},{"line_number":57,"context_line":"      auth: \"{{ openstack_keystone_auth }}\""},{"line_number":58,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":59,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":60,"context_line":"      region_name: \"{{ openstack_region_name }}\""},{"line_number":61,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":23,"id":"92a011c3_4f6da184","line":61,"range":{"start_line":51,"start_character":0,"end_line":61,"end_character":16},"updated":"2021-12-20 13:32:24.000000000","message":"Why?","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":48,"context_line":"    - inventory_hostname \u003d\u003d groups[\u0027keystone\u0027][-1]"},{"line_number":49,"context_line":"    - not use_preconfigured_databases | bool"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"- name: Creating service user role"},{"line_number":52,"context_line":"  become: 
true"},{"line_number":53,"context_line":"  kolla_toolbox:"},{"line_number":54,"context_line":"    module_name: \"os_keystone_role\""},{"line_number":55,"context_line":"    module_args:"},{"line_number":56,"context_line":"      name: \"{{ keystone_service_user_role }}\""},{"line_number":57,"context_line":"      auth: \"{{ openstack_keystone_auth }}\""},{"line_number":58,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":59,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":60,"context_line":"      region_name: \"{{ openstack_region_name }}\""},{"line_number":61,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":23,"id":"1debc87e_88bccaaf","line":61,"range":{"start_line":51,"start_character":0,"end_line":61,"end_character":16},"in_reply_to":"61b7bf59_9446a939","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"407dfe00ce9686d30fb72497d9e7dd0f94d0ea2e","unresolved":true,"context_lines":[{"line_number":48,"context_line":"    - inventory_hostname \u003d\u003d groups[\u0027keystone\u0027][-1]"},{"line_number":49,"context_line":"    - not use_preconfigured_databases | bool"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"- name: Creating service user role"},{"line_number":52,"context_line":"  become: true"},{"line_number":53,"context_line":"  kolla_toolbox:"},{"line_number":54,"context_line":"    module_name: \"os_keystone_role\""},{"line_number":55,"context_line":"    module_args:"},{"line_number":56,"context_line":"      name: \"{{ keystone_service_user_role }}\""},{"line_number":57,"context_line":"      auth: \"{{ openstack_keystone_auth }}\""},{"line_number":58,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":59,"context_line":"   
   cacert: \"{{ openstack_cacert }}\""},{"line_number":60,"context_line":"      region_name: \"{{ openstack_region_name }}\""},{"line_number":61,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":23,"id":"9d9308e9_7f349014","line":61,"range":{"start_line":51,"start_character":0,"end_line":61,"end_character":16},"in_reply_to":"92a011c3_4f6da184","updated":"2021-12-20 22:50:22.000000000","message":"Upgrade was failing when I set the service users to have service role and enabled enforce new defaults. This was an attempt to fix that, however this approach isn\u0027t working either, since none of the services will register this role for the service user as part of the upgrade task. If assigning service users the service role is the approach we are going to take, upgrade task will also have to assign the service role to the user.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"a295b382c9a92303d0c603f87a9199b22a82ad10","unresolved":true,"context_lines":[{"line_number":48,"context_line":"    - inventory_hostname \u003d\u003d groups[\u0027keystone\u0027][-1]"},{"line_number":49,"context_line":"    - not use_preconfigured_databases | bool"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"- name: Creating service user role"},{"line_number":52,"context_line":"  become: true"},{"line_number":53,"context_line":"  kolla_toolbox:"},{"line_number":54,"context_line":"    module_name: \"os_keystone_role\""},{"line_number":55,"context_line":"    module_args:"},{"line_number":56,"context_line":"      name: \"{{ keystone_service_user_role }}\""},{"line_number":57,"context_line":"      auth: \"{{ openstack_keystone_auth }}\""},{"line_number":58,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":59,"context_line":"      cacert: \"{{ openstack_cacert 
}}\""},{"line_number":60,"context_line":"      region_name: \"{{ openstack_region_name }}\""},{"line_number":61,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":23,"id":"61b7bf59_9446a939","line":61,"range":{"start_line":51,"start_character":0,"end_line":61,"end_character":16},"in_reply_to":"9d9308e9_7f349014","updated":"2021-12-22 12:35:30.000000000","message":"Indeed - we will need some extra step during upgrade to register any new role assignments that are necessary.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"}],"ansible/roles/keystone/templates/keystone.conf.j2":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"4b003278d7e1688a382d9bef30a58562d27745f8","unresolved":true,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"[oslo_policy]"},{"line_number":14,"context_line":"{% if enable_keystone_system_scoped_policy | bool %}"},{"line_number":15,"context_line":"enforce_scope \u003d True"},{"line_number":16,"context_line":"enforce_new_defaults \u003d True"},{"line_number":17,"context_line":"{% endif %}"},{"line_number":18,"context_line":"{% if keystone_policy_file is defined %}"}],"source_content_type":"text/x-jinja2","patch_set":21,"id":"6d19742b_0dcea99f","line":15,"updated":"2021-12-15 18:22:12.000000000","message":"Let\u0027s split this into two, let\u0027s just get \"enforce_new_defaults \u003d True\" working first. 
Then loop back and add enforce_scope as a second change.","commit_id":"98c66f99a8111d26c29c5811f1d83b836858f92f"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"[oslo_policy]"},{"line_number":14,"context_line":"{% if enable_keystone_system_scoped_policy | bool %}"},{"line_number":15,"context_line":"enforce_scope \u003d True"},{"line_number":16,"context_line":"enforce_new_defaults \u003d True"},{"line_number":17,"context_line":"{% endif %}"},{"line_number":18,"context_line":"{% if keystone_policy_file is defined %}"}],"source_content_type":"text/x-jinja2","patch_set":21,"id":"35dec41c_6ddd4481","line":15,"in_reply_to":"6d19742b_0dcea99f","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"98c66f99a8111d26c29c5811f1d83b836858f92f"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":11,"context_line":"enable_proxy_headers_parsing \u003d True"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"[oslo_policy]"},{"line_number":14,"context_line":"{% if enable_keystone_system_scoped_policy | bool %}"},{"line_number":15,"context_line":"enforce_new_defaults \u003d True"},{"line_number":16,"context_line":"{% endif %}"},{"line_number":17,"context_line":"{% if keystone_policy_file is defined %}"},{"line_number":18,"context_line":"policy_file \u003d {{ keystone_policy_file }}"},{"line_number":19,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":27,"id":"19f8dd77_a3ec57c1","line":16,"range":{"start_line":14,"start_character":0,"end_line":16,"end_character":11},"updated":"2022-01-17 
10:11:20.000000000","message":"Separate patch","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":11,"context_line":"enable_proxy_headers_parsing \u003d True"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"[oslo_policy]"},{"line_number":14,"context_line":"{% if enable_keystone_system_scoped_policy | bool %}"},{"line_number":15,"context_line":"enforce_new_defaults \u003d True"},{"line_number":16,"context_line":"{% endif %}"},{"line_number":17,"context_line":"{% if keystone_policy_file is defined %}"},{"line_number":18,"context_line":"policy_file \u003d {{ keystone_policy_file }}"},{"line_number":19,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":27,"id":"4726046b_614633f2","line":16,"range":{"start_line":14,"start_character":0,"end_line":16,"end_character":11},"in_reply_to":"19f8dd77_a3ec57c1","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"ansible/roles/octavia/tasks/prepare.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"65556d5fa585a3a8017c5a1a8d1401c81b445853","unresolved":true,"context_lines":[{"line_number":4,"context_line":"  kolla_toolbox:"},{"line_number":5,"context_line":"    module_name: os_nova_flavor"},{"line_number":6,"context_line":"    module_args:"},{"line_number":7,"context_line":"      auth: \"{{ openstack_octavia_auth }}\""},{"line_number":8,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":9,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":10,"context_line":"      region_name: \"{{ openstack_region_name 
}}\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"15e02220_742de132","line":7,"range":{"start_line":7,"start_character":16,"end_line":7,"end_character":38},"updated":"2021-12-20 13:32:24.000000000","message":"Why change this?","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"407dfe00ce9686d30fb72497d9e7dd0f94d0ea2e","unresolved":true,"context_lines":[{"line_number":4,"context_line":"  kolla_toolbox:"},{"line_number":5,"context_line":"    module_name: os_nova_flavor"},{"line_number":6,"context_line":"    module_args:"},{"line_number":7,"context_line":"      auth: \"{{ openstack_octavia_auth }}\""},{"line_number":8,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":9,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":10,"context_line":"      region_name: \"{{ openstack_region_name }}\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"d83ac562_65ee0405","line":7,"range":{"start_line":7,"start_character":16,"end_line":7,"end_character":38},"in_reply_to":"15e02220_742de132","updated":"2021-12-20 22:50:22.000000000","message":"This was necessary to have proper scope auth when enforce_new_defaults is enabled. 
The tests were failing with invalid Keystone API access prior to this - John G suggested these changes, and now the test passes.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"53879e1363e663ffbbc63bad3fbb59eddfd6b8f4","unresolved":true,"context_lines":[{"line_number":4,"context_line":"  kolla_toolbox:"},{"line_number":5,"context_line":"    module_name: os_nova_flavor"},{"line_number":6,"context_line":"    module_args:"},{"line_number":7,"context_line":"      auth: \"{{ openstack_octavia_auth }}\""},{"line_number":8,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":9,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":10,"context_line":"      region_name: \"{{ openstack_region_name }}\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"cf7b8cbf_269b9c34","line":7,"range":{"start_line":7,"start_character":16,"end_line":7,"end_character":38},"in_reply_to":"5e0b66eb_2c65089b","updated":"2021-12-22 15:35:18.000000000","message":"hmm, still not sure I follow what broke here. 
The nova flavor API is system-scoped, but should still allow project-scope until the new defaults/scope is enforced in nova.conf.\n\nAnyway, suggest we split this and any changes to enforce_scope/new_defaults into separate patches.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":4,"context_line":"  kolla_toolbox:"},{"line_number":5,"context_line":"    module_name: os_nova_flavor"},{"line_number":6,"context_line":"    module_args:"},{"line_number":7,"context_line":"      auth: \"{{ openstack_octavia_auth }}\""},{"line_number":8,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":9,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":10,"context_line":"      region_name: \"{{ openstack_region_name }}\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"6a276fae_b97ad8ec","line":7,"range":{"start_line":7,"start_character":16,"end_line":7,"end_character":38},"in_reply_to":"cf7b8cbf_269b9c34","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"a295b382c9a92303d0c603f87a9199b22a82ad10","unresolved":true,"context_lines":[{"line_number":4,"context_line":"  kolla_toolbox:"},{"line_number":5,"context_line":"    module_name: os_nova_flavor"},{"line_number":6,"context_line":"    module_args:"},{"line_number":7,"context_line":"      auth: \"{{ openstack_octavia_auth }}\""},{"line_number":8,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":9,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":10,"context_line":"      region_name: \"{{ 
openstack_region_name }}\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"5e0b66eb_2c65089b","line":7,"range":{"start_line":7,"start_character":16,"end_line":7,"end_character":38},"in_reply_to":"d83ac562_65ee0405","updated":"2021-12-22 12:35:30.000000000","message":"It will need some care around upgrades if we change anything here. Currently we register these resources in the service project.\n\nopenstack_octavia_auth defaults to openstack_auth which has system scope. Are we sure that these resources should be registered using system scoped auth?","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"53879e1363e663ffbbc63bad3fbb59eddfd6b8f4","unresolved":true,"context_lines":[{"line_number":42,"context_line":"  kolla_toolbox:"},{"line_number":43,"context_line":"    module_name: os_project_info"},{"line_number":44,"context_line":"    module_args:"},{"line_number":45,"context_line":"      auth: \"{{ openstack_octavia_auth }}\""},{"line_number":46,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":47,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":48,"context_line":"      region_name: \"{{ openstack_region_name }}\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"cf0fd55e_c1bfa588","line":45,"range":{"start_line":45,"start_character":16,"end_line":45,"end_character":38},"updated":"2021-12-22 15:35:18.000000000","message":"Again, getting a project should work if you are auth\u0027d in that project.","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":42,"context_line":"  kolla_toolbox:"},{"line_number":43,"context_line":"    
module_name: os_project_info"},{"line_number":44,"context_line":"    module_args:"},{"line_number":45,"context_line":"      auth: \"{{ openstack_octavia_auth }}\""},{"line_number":46,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":47,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":48,"context_line":"      region_name: \"{{ openstack_region_name }}\""}],"source_content_type":"text/x-yaml","patch_set":23,"id":"729953f5_784daa58","line":45,"range":{"start_line":45,"start_character":16,"end_line":45,"end_character":38},"in_reply_to":"cf0fd55e_c1bfa588","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":96,"context_line":"    module_name: os_network"},{"line_number":97,"context_line":"    module_args:"},{"line_number":98,"context_line":"      auth: \"{{ octavia_user_auth }}\""},{"line_number":99,"context_line":"      project: \"{{ octavia_service_auth_project }}\""},{"line_number":100,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":101,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":102,"context_line":"      region_name: \"{{ openstack_region_name }}\""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"1e369579_2569d264","line":99,"range":{"start_line":99,"start_character":19,"end_line":99,"end_character":47},"updated":"2022-01-17 10:11:20.000000000","message":"Unrelated","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz 
Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":96,"context_line":"    module_name: os_network"},{"line_number":97,"context_line":"    module_args:"},{"line_number":98,"context_line":"      auth: \"{{ octavia_user_auth }}\""},{"line_number":99,"context_line":"      project: \"{{ octavia_service_auth_project }}\""},{"line_number":100,"context_line":"      cacert: \"{{ openstack_cacert }}\""},{"line_number":101,"context_line":"      endpoint_type: \"{{ openstack_interface }}\""},{"line_number":102,"context_line":"      region_name: \"{{ openstack_region_name }}\""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"48da3a02_f2281275","line":99,"range":{"start_line":99,"start_character":19,"end_line":99,"end_character":47},"in_reply_to":"1e369579_2569d264","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"ansible/roles/service-ks-register/tasks/main.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"    - name: \"{{ project_name }} | Granting user roles\""},{"line_number":103,"context_line":"      kolla_toolbox:"},{"line_number":104,"context_line":"        module_name: \"os_user_role\""},{"line_number":105,"context_line":"        module_args:"},{"line_number":106,"context_line":"          user: \"{{ item.user }}\""},{"line_number":107,"context_line":"          role: \"{{ item.role }}\""}],"source_content_type":"text/x-yaml","patch_set":17,"id":"2c4510c3_bd645f34","line":104,"range":{"start_line":104,"start_character":22,"end_line":104,"end_character":34},"updated":"2021-11-17 11:33:55.000000000","message":"We\u0027re near the start of the 
cycle, there should be time to support this in the os_user_role module.","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"5631f3227c0b86bfd444869e88253c8c6b53246f","unresolved":true,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"    - name: \"{{ project_name }} | Granting user roles\""},{"line_number":103,"context_line":"      kolla_toolbox:"},{"line_number":104,"context_line":"        module_name: \"os_user_role\""},{"line_number":105,"context_line":"        module_args:"},{"line_number":106,"context_line":"          user: \"{{ item.user }}\""},{"line_number":107,"context_line":"          role: \"{{ item.role }}\""}],"source_content_type":"text/x-yaml","patch_set":17,"id":"72628965_2a074457","line":104,"range":{"start_line":104,"start_character":22,"end_line":104,"end_character":34},"in_reply_to":"01524e59_d61c17d4","updated":"2021-11-24 18:03:35.000000000","message":"I\u0027m not convinced it\u0027s that huge an effort, but maybe I\u0027m missing something.","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":true,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"    - name: \"{{ project_name }} | Granting user roles\""},{"line_number":103,"context_line":"      kolla_toolbox:"},{"line_number":104,"context_line":"        module_name: \"os_user_role\""},{"line_number":105,"context_line":"        module_args:"},{"line_number":106,"context_line":"          user: \"{{ item.user }}\""},{"line_number":107,"context_line":"          role: \"{{ item.role 
}}\""}],"source_content_type":"text/x-yaml","patch_set":17,"id":"01524e59_d61c17d4","line":104,"range":{"start_line":104,"start_character":22,"end_line":104,"end_character":34},"in_reply_to":"2c4510c3_bd645f34","updated":"2021-11-19 00:08:13.000000000","message":"This means we need to support in the openstack sdk too, since it calls through to that module. I wanted to verify that it is worth the big effort to support this.","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"fdef7bbf0c699e9e80f4bbbdb47635076b275ced","unresolved":true,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"    - name: \"{{ project_name }} | Granting user roles\""},{"line_number":103,"context_line":"      kolla_toolbox:"},{"line_number":104,"context_line":"        module_name: \"os_user_role\""},{"line_number":105,"context_line":"        module_args:"},{"line_number":106,"context_line":"          user: \"{{ item.user }}\""},{"line_number":107,"context_line":"          role: \"{{ item.role }}\""}],"source_content_type":"text/x-yaml","patch_set":17,"id":"dc751a23_a34f664c","line":104,"range":{"start_line":104,"start_character":22,"end_line":104,"end_character":34},"in_reply_to":"72628965_2a074457","updated":"2021-11-24 23:28:57.000000000","message":"I am attempting to dig through the openstack SDK to support changes. The changes around grant_role and revoke_role in _identity.py may be straightforward, but the unit / functional testing changes to support this are very challenging to understand. The unit test suite seems predicated on a base role json that is scoped to a project (base.py, then eventually to test_identity_roles.py). I need help understanding how to approach and implement this. 
Some of these files have not been touched in years.","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"    - name: \"{{ project_name }} | Granting user roles\""},{"line_number":103,"context_line":"      kolla_toolbox:"},{"line_number":104,"context_line":"        module_name: \"os_user_role\""},{"line_number":105,"context_line":"        module_args:"},{"line_number":106,"context_line":"          user: \"{{ item.user }}\""},{"line_number":107,"context_line":"          role: \"{{ item.role }}\""}],"source_content_type":"text/x-yaml","patch_set":17,"id":"4de73355_23826711","line":104,"range":{"start_line":104,"start_character":22,"end_line":104,"end_character":34},"in_reply_to":"73ce1f3d_fac1b8ba","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"314fbbbc07717b7341cf7b4c2afcb29e152f8ef4","unresolved":true,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"    - name: \"{{ project_name }} | Granting user roles\""},{"line_number":103,"context_line":"      kolla_toolbox:"},{"line_number":104,"context_line":"        module_name: \"os_user_role\""},{"line_number":105,"context_line":"        module_args:"},{"line_number":106,"context_line":"          user: \"{{ item.user }}\""},{"line_number":107,"context_line":"          role: \"{{ item.role 
}}\""}],"source_content_type":"text/x-yaml","patch_set":17,"id":"73ce1f3d_fac1b8ba","line":104,"range":{"start_line":104,"start_character":22,"end_line":104,"end_character":34},"in_reply_to":"dc751a23_a34f664c","updated":"2021-11-25 11:58:21.000000000","message":"I expect if you were to propose a code change via gerrit, the openstacksdk team would be able to help you through the unit tests. I could try to help, although I\u0027m not familiar with the codebase.","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":122,"context_line":"      retries: \"{{ service_ks_register_retries }}\""},{"line_number":123,"context_line":"      delay: \"{{ service_ks_register_delay }}\""},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"    - name: \"{{ project_name }} | Grant user role system scope\""},{"line_number":126,"context_line":"      command: \u003e"},{"line_number":127,"context_line":"        docker exec -t kolla_toolbox openstack"},{"line_number":128,"context_line":"        --os-auth-url\u003d{{ openstack_auth.auth_url }}"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"03c068cf_5b81b8fa","line":125,"range":{"start_line":125,"start_character":34,"end_line":125,"end_character":39},"updated":"2021-11-17 11:33:55.000000000","message":"Granting user roles with system scope","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":122,"context_line":"      retries: \"{{ service_ks_register_retries }}\""},{"line_number":123,"context_line":"      delay: \"{{ service_ks_register_delay 
}}\""},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"    - name: \"{{ project_name }} | Grant user role system scope\""},{"line_number":126,"context_line":"      command: \u003e"},{"line_number":127,"context_line":"        docker exec -t kolla_toolbox openstack"},{"line_number":128,"context_line":"        --os-auth-url\u003d{{ openstack_auth.auth_url }}"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"9c09e3cf_73b2d7d3","line":125,"range":{"start_line":125,"start_character":34,"end_line":125,"end_character":39},"in_reply_to":"03c068cf_5b81b8fa","updated":"2021-11-19 00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":125,"context_line":"    - name: \"{{ project_name }} | Grant user role system scope\""},{"line_number":126,"context_line":"      command: \u003e"},{"line_number":127,"context_line":"        docker exec -t kolla_toolbox openstack"},{"line_number":128,"context_line":"        --os-auth-url\u003d{{ openstack_auth.auth_url }}"},{"line_number":129,"context_line":"        --os-password\u003d{{ openstack_auth.password }}"},{"line_number":130,"context_line":"        --os-username\u003d{{ openstack_auth.username }}"},{"line_number":131,"context_line":"        --os-user-domain-name {{ openstack_auth.user_domain_name }}"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"fe4680d3_c9927d9e","line":128,"range":{"start_line":128,"start_character":25,"end_line":128,"end_character":48},"updated":"2021-11-17 11:33:55.000000000","message":"Use the service_ks_register_ variables","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James 
Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":125,"context_line":"    - name: \"{{ project_name }} | Grant user role system scope\""},{"line_number":126,"context_line":"      command: \u003e"},{"line_number":127,"context_line":"        docker exec -t kolla_toolbox openstack"},{"line_number":128,"context_line":"        --os-auth-url\u003d{{ openstack_auth.auth_url }}"},{"line_number":129,"context_line":"        --os-password\u003d{{ openstack_auth.password }}"},{"line_number":130,"context_line":"        --os-username\u003d{{ openstack_auth.username }}"},{"line_number":131,"context_line":"        --os-user-domain-name {{ openstack_auth.user_domain_name }}"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"66507d27_9e221b8e","line":128,"range":{"start_line":128,"start_character":25,"end_line":128,"end_character":48},"in_reply_to":"fe4680d3_c9927d9e","updated":"2021-11-19 00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":130,"context_line":"        --os-username\u003d{{ openstack_auth.username }}"},{"line_number":131,"context_line":"        --os-user-domain-name {{ openstack_auth.user_domain_name }}"},{"line_number":132,"context_line":"        --os-system-scope {{ openstack_auth.system_scope }}"},{"line_number":133,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":134,"context_line":"        role add --system all --user {{ item.user }} {{ keystone_admin_user }}"},{"line_number":135,"context_line":"      register: nova_grant_system_scope"},{"line_number":136,"context_line":"      
with_items: \"{{ service_ks_register_users }}\""}],"source_content_type":"text/x-yaml","patch_set":17,"id":"3742cfeb_f30684ec","line":133,"updated":"2021-11-17 11:33:55.000000000","message":"Missing region name and interface","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":130,"context_line":"        --os-username\u003d{{ openstack_auth.username }}"},{"line_number":131,"context_line":"        --os-user-domain-name {{ openstack_auth.user_domain_name }}"},{"line_number":132,"context_line":"        --os-system-scope {{ openstack_auth.system_scope }}"},{"line_number":133,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":134,"context_line":"        role add --system all --user {{ item.user }} {{ keystone_admin_user }}"},{"line_number":135,"context_line":"      register: nova_grant_system_scope"},{"line_number":136,"context_line":"      with_items: \"{{ service_ks_register_users }}\""}],"source_content_type":"text/x-yaml","patch_set":17,"id":"011c5d1b_a6f1d245","line":133,"in_reply_to":"3742cfeb_f30684ec","updated":"2021-11-19 00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":131,"context_line":"        --os-user-domain-name {{ openstack_auth.user_domain_name }}"},{"line_number":132,"context_line":"        --os-system-scope {{ openstack_auth.system_scope }}"},{"line_number":133,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif 
%}"},{"line_number":134,"context_line":"        role add --system all --user {{ item.user }} {{ keystone_admin_user }}"},{"line_number":135,"context_line":"      register: nova_grant_system_scope"},{"line_number":136,"context_line":"      with_items: \"{{ service_ks_register_users }}\""},{"line_number":137,"context_line":"      run_once: True"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"4abc5e01_283ce31e","line":134,"range":{"start_line":134,"start_character":56,"end_line":134,"end_character":75},"updated":"2021-11-17 11:33:55.000000000","message":"item.role","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":131,"context_line":"        --os-user-domain-name {{ openstack_auth.user_domain_name }}"},{"line_number":132,"context_line":"        --os-system-scope {{ openstack_auth.system_scope }}"},{"line_number":133,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":134,"context_line":"        role add --system all --user {{ item.user }} {{ keystone_admin_user }}"},{"line_number":135,"context_line":"      register: nova_grant_system_scope"},{"line_number":136,"context_line":"      with_items: \"{{ service_ks_register_users }}\""},{"line_number":137,"context_line":"      run_once: True"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"dabf45fc_39ca8e5c","line":134,"range":{"start_line":134,"start_character":56,"end_line":134,"end_character":75},"in_reply_to":"4abc5e01_283ce31e","updated":"2021-11-19 00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark 
Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":132,"context_line":"        --os-system-scope {{ openstack_auth.system_scope }}"},{"line_number":133,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":134,"context_line":"        role add --system all --user {{ item.user }} {{ keystone_admin_user }}"},{"line_number":135,"context_line":"      register: nova_grant_system_scope"},{"line_number":136,"context_line":"      with_items: \"{{ service_ks_register_users }}\""},{"line_number":137,"context_line":"      run_once: True"},{"line_number":138,"context_line":"      loop_control:"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"feddbd01_49b8b2ec","line":135,"range":{"start_line":135,"start_character":16,"end_line":135,"end_character":20},"updated":"2021-11-17 11:33:55.000000000","message":"nova?","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":132,"context_line":"        --os-system-scope {{ openstack_auth.system_scope }}"},{"line_number":133,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":134,"context_line":"        role add --system all --user {{ item.user }} {{ keystone_admin_user }}"},{"line_number":135,"context_line":"      register: nova_grant_system_scope"},{"line_number":136,"context_line":"      with_items: \"{{ service_ks_register_users }}\""},{"line_number":137,"context_line":"      run_once: True"},{"line_number":138,"context_line":"      
loop_control:"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"af1e0ebe_3a3b815e","line":135,"range":{"start_line":135,"start_character":16,"end_line":135,"end_character":20},"in_reply_to":"feddbd01_49b8b2ec","updated":"2021-11-19 00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":133,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":134,"context_line":"        role add --system all --user {{ item.user }} {{ keystone_admin_user }}"},{"line_number":135,"context_line":"      register: nova_grant_system_scope"},{"line_number":136,"context_line":"      with_items: \"{{ service_ks_register_users }}\""},{"line_number":137,"context_line":"      run_once: True"},{"line_number":138,"context_line":"      loop_control:"},{"line_number":139,"context_line":"        label:"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"83464266_fb2877ba","line":136,"range":{"start_line":136,"start_character":22,"end_line":136,"end_character":47},"updated":"2021-11-17 11:33:55.000000000","message":"+ service_ks_register_user_roles","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":133,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":134,"context_line":"        role add --system all --user {{ item.user }} {{ keystone_admin_user }}"},{"line_number":135,"context_line":"      register: 
nova_grant_system_scope"},{"line_number":136,"context_line":"      with_items: \"{{ service_ks_register_users }}\""},{"line_number":137,"context_line":"      run_once: True"},{"line_number":138,"context_line":"      loop_control:"},{"line_number":139,"context_line":"        label:"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"aa809592_a39fe3db","line":136,"range":{"start_line":136,"start_character":22,"end_line":136,"end_character":47},"in_reply_to":"83464266_fb2877ba","updated":"2021-11-19 00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":134,"context_line":"        role add --system all --user {{ item.user }} {{ keystone_admin_user }}"},{"line_number":135,"context_line":"      register: nova_grant_system_scope"},{"line_number":136,"context_line":"      with_items: \"{{ service_ks_register_users }}\""},{"line_number":137,"context_line":"      run_once: True"},{"line_number":138,"context_line":"      loop_control:"},{"line_number":139,"context_line":"        label:"},{"line_number":140,"context_line":"          user: \"{{ item.user }}\""}],"source_content_type":"text/x-yaml","patch_set":17,"id":"deaf2344_9d2eb9f9","line":137,"range":{"start_line":137,"start_character":6,"end_line":137,"end_character":20},"updated":"2021-11-17 11:33:55.000000000","message":"This is set at the block level below","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":134,"context_line":"        role add --system all --user {{ item.user }} {{ keystone_admin_user 
}}"},{"line_number":135,"context_line":"      register: nova_grant_system_scope"},{"line_number":136,"context_line":"      with_items: \"{{ service_ks_register_users }}\""},{"line_number":137,"context_line":"      run_once: True"},{"line_number":138,"context_line":"      loop_control:"},{"line_number":139,"context_line":"        label:"},{"line_number":140,"context_line":"          user: \"{{ item.user }}\""}],"source_content_type":"text/x-yaml","patch_set":17,"id":"41248c98_8ff71ce7","line":137,"range":{"start_line":137,"start_character":6,"end_line":137,"end_character":20},"in_reply_to":"deaf2344_9d2eb9f9","updated":"2021-11-19 00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":139,"context_line":"        label:"},{"line_number":140,"context_line":"          user: \"{{ item.user }}\""},{"line_number":141,"context_line":"          role: \"{{ item.role }}\""},{"line_number":142,"context_line":"          project: \"{{ item.project }}\""},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"  become: true"},{"line_number":145,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"4658a738_77fb68c7","line":142,"updated":"2021-11-17 11:33:55.000000000","message":"Please add retries like the other tasks","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":139,"context_line":"        label:"},{"line_number":140,"context_line":"          user: \"{{ item.user }}\""},{"line_number":141,"context_line":"          role: \"{{ item.role 
}}\""},{"line_number":142,"context_line":"          project: \"{{ item.project }}\""},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"  become: true"},{"line_number":145,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"75b72d65_f53676cf","line":142,"range":{"start_line":142,"start_character":10,"end_line":142,"end_character":39},"updated":"2021-11-17 11:33:55.000000000","message":"There is no project","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":139,"context_line":"        label:"},{"line_number":140,"context_line":"          user: \"{{ item.user }}\""},{"line_number":141,"context_line":"          role: \"{{ item.role }}\""},{"line_number":142,"context_line":"          project: \"{{ item.project }}\""},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"  become: true"},{"line_number":145,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"617eb2d7_7fa47af8","line":142,"in_reply_to":"4658a738_77fb68c7","updated":"2021-11-19 00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":139,"context_line":"        label:"},{"line_number":140,"context_line":"          user: \"{{ item.user }}\""},{"line_number":141,"context_line":"          role: \"{{ item.role }}\""},{"line_number":142,"context_line":"          project: \"{{ item.project }}\""},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"  become: 
true"},{"line_number":145,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"529bfc14_3ba8e0e4","line":142,"range":{"start_line":142,"start_character":10,"end_line":142,"end_character":39},"in_reply_to":"75b72d65_f53676cf","updated":"2021-11-19 00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":140,"context_line":"          user: \"{{ item.user }}\""},{"line_number":141,"context_line":"          role: \"{{ item.role }}\""},{"line_number":142,"context_line":"          project: \"{{ item.project }}\""},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"  become: true"},{"line_number":145,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"2dd6d620_db51a1bd","line":143,"updated":"2021-11-17 11:33:55.000000000","message":"We should only do this when the role is admin.","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":false,"context_lines":[{"line_number":140,"context_line":"          user: \"{{ item.user }}\""},{"line_number":141,"context_line":"          role: \"{{ item.role }}\""},{"line_number":142,"context_line":"          project: \"{{ item.project }}\""},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"  become: true"},{"line_number":145,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"e9681190_bbde1c68","line":143,"in_reply_to":"2dd6d620_db51a1bd","updated":"2021-11-19 
00:08:13.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"314fbbbc07717b7341cf7b4c2afcb29e152f8ef4","unresolved":true,"context_lines":[{"line_number":130,"context_line":"        --os-username\u003d{{ service_ks_register_auth.username }}"},{"line_number":131,"context_line":"        --os-user-domain-name {{ service_ks_register_auth.user_domain_name }}"},{"line_number":132,"context_line":"        --os-system-scope {{ service_ks_register_auth.system_scope }}"},{"line_number":133,"context_line":"        --os-region-name {{ openstack_region_name }}"},{"line_number":134,"context_line":"        --os-interface {{ openstack_interface }}"},{"line_number":135,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":136,"context_line":"        role add --system all --user {{ item.user }} {{ item.role }}"}],"source_content_type":"text/x-yaml","patch_set":20,"id":"79b32439_9d245627","line":133,"range":{"start_line":133,"start_character":28,"end_line":133,"end_character":49},"updated":"2021-11-25 11:58:21.000000000","message":"service_ks_register_region_name","commit_id":"b96c1b0398e69ea13336fbc879392b4bd881470b"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":130,"context_line":"        --os-username\u003d{{ service_ks_register_auth.username }}"},{"line_number":131,"context_line":"        --os-user-domain-name {{ service_ks_register_auth.user_domain_name }}"},{"line_number":132,"context_line":"        --os-system-scope {{ service_ks_register_auth.system_scope }}"},{"line_number":133,"context_line":"        --os-region-name {{ openstack_region_name 
}}"},{"line_number":134,"context_line":"        --os-interface {{ openstack_interface }}"},{"line_number":135,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":136,"context_line":"        role add --system all --user {{ item.user }} {{ item.role }}"}],"source_content_type":"text/x-yaml","patch_set":20,"id":"a12612a4_fcce971f","line":133,"range":{"start_line":133,"start_character":28,"end_line":133,"end_character":49},"in_reply_to":"79b32439_9d245627","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"b96c1b0398e69ea13336fbc879392b4bd881470b"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"314fbbbc07717b7341cf7b4c2afcb29e152f8ef4","unresolved":true,"context_lines":[{"line_number":131,"context_line":"        --os-user-domain-name {{ service_ks_register_auth.user_domain_name }}"},{"line_number":132,"context_line":"        --os-system-scope {{ service_ks_register_auth.system_scope }}"},{"line_number":133,"context_line":"        --os-region-name {{ openstack_region_name }}"},{"line_number":134,"context_line":"        --os-interface {{ openstack_interface }}"},{"line_number":135,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":136,"context_line":"        role add --system all --user {{ item.user }} {{ item.role }}"},{"line_number":137,"context_line":"      register: keystone_grant_system_scope"}],"source_content_type":"text/x-yaml","patch_set":20,"id":"bd0497da_7cf7c81a","line":134,"range":{"start_line":134,"start_character":26,"end_line":134,"end_character":45},"updated":"2021-11-25 11:58:21.000000000","message":"service_ks_register_interface","commit_id":"b96c1b0398e69ea13336fbc879392b4bd881470b"},{"author":{"_account_id":23084,"name":"Bartosz 
Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":131,"context_line":"        --os-user-domain-name {{ service_ks_register_auth.user_domain_name }}"},{"line_number":132,"context_line":"        --os-system-scope {{ service_ks_register_auth.system_scope }}"},{"line_number":133,"context_line":"        --os-region-name {{ openstack_region_name }}"},{"line_number":134,"context_line":"        --os-interface {{ openstack_interface }}"},{"line_number":135,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":136,"context_line":"        role add --system all --user {{ item.user }} {{ item.role }}"},{"line_number":137,"context_line":"      register: keystone_grant_system_scope"}],"source_content_type":"text/x-yaml","patch_set":20,"id":"b7c043eb_56798168","line":134,"range":{"start_line":134,"start_character":26,"end_line":134,"end_character":45},"in_reply_to":"bd0497da_7cf7c81a","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"b96c1b0398e69ea13336fbc879392b4bd881470b"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"314fbbbc07717b7341cf7b4c2afcb29e152f8ef4","unresolved":true,"context_lines":[{"line_number":133,"context_line":"        --os-region-name {{ openstack_region_name }}"},{"line_number":134,"context_line":"        --os-interface {{ openstack_interface }}"},{"line_number":135,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":136,"context_line":"        role add --system all --user {{ item.user }} {{ item.role }}"},{"line_number":137,"context_line":"      register: keystone_grant_system_scope"},{"line_number":138,"context_line":"      with_items: \"{{ service_ks_register_users + 
service_ks_register_user_roles }}\""},{"line_number":139,"context_line":"      retries: \"{{ service_ks_register_retries }}\""}],"source_content_type":"text/x-yaml","patch_set":20,"id":"61aecc50_8755dc31","line":136,"updated":"2021-11-25 11:58:21.000000000","message":"Is this idempotent?","commit_id":"b96c1b0398e69ea13336fbc879392b4bd881470b"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":133,"context_line":"        --os-region-name {{ openstack_region_name }}"},{"line_number":134,"context_line":"        --os-interface {{ openstack_interface }}"},{"line_number":135,"context_line":"        {% if openstack_cacert !\u003d \u0027\u0027 %}--os-cacert {{ openstack_cacert }}{% endif %}"},{"line_number":136,"context_line":"        role add --system all --user {{ item.user }} {{ item.role }}"},{"line_number":137,"context_line":"      register: keystone_grant_system_scope"},{"line_number":138,"context_line":"      with_items: \"{{ service_ks_register_users + service_ks_register_user_roles }}\""},{"line_number":139,"context_line":"      retries: \"{{ service_ks_register_retries }}\""}],"source_content_type":"text/x-yaml","patch_set":20,"id":"31b1226f_8aa1b9c3","line":136,"in_reply_to":"61aecc50_8755dc31","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"b96c1b0398e69ea13336fbc879392b4bd881470b"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"314fbbbc07717b7341cf7b4c2afcb29e152f8ef4","unresolved":true,"context_lines":[{"line_number":142,"context_line":"          user: \"{{ item.user }}\""},{"line_number":143,"context_line":"          role: \"{{ item.role }}\""},{"line_number":144,"context_line":"      when:"},{"line_number":145,"context_line":"        - item.role \u003d\u003d 
\"admin\""},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"  become: true"},{"line_number":148,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":20,"id":"c8095fee_f3b415c4","line":145,"updated":"2021-11-25 11:58:21.000000000","message":"Can use the same as other tasks:\n\n      register: service_ks_register_result\n      until: service_ks_register_result is success\n      retries: \"{{ service_ks_register_retries }}\"\n      delay: \"{{ service_ks_register_delay }}\"","commit_id":"b96c1b0398e69ea13336fbc879392b4bd881470b"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":142,"context_line":"          user: \"{{ item.user }}\""},{"line_number":143,"context_line":"          role: \"{{ item.role }}\""},{"line_number":144,"context_line":"      when:"},{"line_number":145,"context_line":"        - item.role \u003d\u003d \"admin\""},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"  become: true"},{"line_number":148,"context_line":"  run_once: True"}],"source_content_type":"text/x-yaml","patch_set":20,"id":"739d4c3e_4d605eea","line":145,"in_reply_to":"c8095fee_f3b415c4","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"b96c1b0398e69ea13336fbc879392b4bd881470b"}],"contrib/demos/tacker/deploy-tacker-demo":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":60,"context_line":"}"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"function deploy {"},{"line_number":63,"context_line":"    . 
/etc/kolla/admin-openrc-system-scope.sh"},{"line_number":64,"context_line":"    echo \"Registering sample VIM\""},{"line_number":65,"context_line":"    openstack vim register --config-file ./kolla-sample-vim.yaml --description \"kolla sample vim\" --is-default kolla-sample-vim"},{"line_number":66,"context_line":"    echo \"Creating sample VNFD\""},{"line_number":67,"context_line":"    openstack vnf descriptor create --vnfd-file ./kolla-sample-vnfd.yaml kolla-sample-vnfd"},{"line_number":68,"context_line":"    echo \"Creating sample VNF\""},{"line_number":69,"context_line":"    VNFD_ID\u003d$(openstack vnf descriptor list | awk \u0027/kolla-sample-vnfd/ { print $2 }\u0027)"},{"line_number":70,"context_line":"    openstack vnf create --vnfd-id ${VNFD_ID} kolla-sample-vnf"},{"line_number":71,"context_line":"    . /etc/kolla/admin-openrc.sh"},{"line_number":72,"context_line":"}"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"gen_config"}],"source_content_type":"application/x-shellscript","patch_set":27,"id":"4be9feca_a2ae8530","line":71,"range":{"start_line":63,"start_character":0,"end_line":71,"end_character":32},"updated":"2022-01-17 10:11:20.000000000","message":"Separate patch","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":60,"context_line":"}"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"function deploy {"},{"line_number":63,"context_line":"    . 
/etc/kolla/admin-openrc-system-scope.sh"},{"line_number":64,"context_line":"    echo \"Registering sample VIM\""},{"line_number":65,"context_line":"    openstack vim register --config-file ./kolla-sample-vim.yaml --description \"kolla sample vim\" --is-default kolla-sample-vim"},{"line_number":66,"context_line":"    echo \"Creating sample VNFD\""},{"line_number":67,"context_line":"    openstack vnf descriptor create --vnfd-file ./kolla-sample-vnfd.yaml kolla-sample-vnfd"},{"line_number":68,"context_line":"    echo \"Creating sample VNF\""},{"line_number":69,"context_line":"    VNFD_ID\u003d$(openstack vnf descriptor list | awk \u0027/kolla-sample-vnfd/ { print $2 }\u0027)"},{"line_number":70,"context_line":"    openstack vnf create --vnfd-id ${VNFD_ID} kolla-sample-vnf"},{"line_number":71,"context_line":"    . /etc/kolla/admin-openrc.sh"},{"line_number":72,"context_line":"}"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"gen_config"}],"source_content_type":"application/x-shellscript","patch_set":27,"id":"965d22aa_c8527a8c","line":71,"range":{"start_line":63,"start_character":0,"end_line":71,"end_character":32},"in_reply_to":"4be9feca_a2ae8530","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"releasenotes/notes/add-system-scoped-tokens-keystone-b9d49bcc4434f545.yaml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"07d332802461fff60d0c9394b639e91de27ea747","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    enable enforcing system scope validation in Keystone."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    By default \"keystone_system_scoped_tokens\" is set to true. 
When performing"},{"line_number":12,"context_line":"    an upgrade, set this value parameter to false."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"4452d89c_1967e220","line":12,"range":{"start_line":11,"start_character":0,"end_line":12,"end_character":50},"updated":"2021-11-17 11:33:55.000000000","message":"It should work with it set to true, no?","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"d26c9d450bba7331054ae73dd6ccf073474c1413","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    enable enforcing system scope validation in Keystone."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    By default \"keystone_system_scoped_tokens\" is set to true. When performing"},{"line_number":12,"context_line":"    an upgrade, set this value parameter to false."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"d45044c3_73d1f570","line":12,"range":{"start_line":11,"start_character":0,"end_line":12,"end_character":50},"in_reply_to":"4452d89c_1967e220","updated":"2021-11-19 00:08:13.000000000","message":"It does not, as the update tests fail until it is disabled.","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"314fbbbc07717b7341cf7b4c2afcb29e152f8ef4","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    enable enforcing system scope validation in Keystone."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    By default \"keystone_system_scoped_tokens\" is set to true. 
When performing"},{"line_number":12,"context_line":"    an upgrade, set this value parameter to false."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"6aa9d034_37930ad5","line":12,"range":{"start_line":11,"start_character":0,"end_line":12,"end_character":50},"in_reply_to":"629bed08_c793a6ff","updated":"2021-11-25 11:58:21.000000000","message":"I see. The problem is that the users are not being assigned the necessary system-scoped roles during the upgrade, so the system-scoped API requests fail.\n\nAt some point we need to add these roles to users on existing systems. We might make that part of the upgrade process, or some operation that must be run before or after the upgrade.\n\nIf we go down the route of doing an upgrade without adding the roles, then the flag needs to default to false.","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    enable enforcing system scope validation in Keystone."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    By default \"keystone_system_scoped_tokens\" is set to true. 
When performing"},{"line_number":12,"context_line":"    an upgrade, set this value parameter to false."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"830ecef6_ae5d8858","line":12,"range":{"start_line":11,"start_character":0,"end_line":12,"end_character":50},"in_reply_to":"6aa9d034_37930ad5","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"fdef7bbf0c699e9e80f4bbbdb47635076b275ced","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    enable enforcing system scope validation in Keystone."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    By default \"keystone_system_scoped_tokens\" is set to true. When performing"},{"line_number":12,"context_line":"    an upgrade, set this value parameter to false."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"629bed08_c793a6ff","line":12,"range":{"start_line":11,"start_character":0,"end_line":12,"end_character":50},"in_reply_to":"6b589421_6bf3e618","updated":"2021-11-24 23:28:57.000000000","message":"After upgrade, keystone rejects request: \"User 846d9a7d1d914ceb86cc48222dd64e43 has no access to the system _validate_system_scope\". \n\nhttps://89dc1c8ca27da6d09b96-3d6fde1a31d3bf2308736cdcb868f765.ssl.cf2.rackcdn.com/815577/19/check/kolla-ansible-ubuntu-source-upgrade/20ed6e8/primary/logs/ansible/test-core-openstack-upgrade\n\nGET call to compute for https://192.0.2.10:8774/v2.1/os-services used request id req-ff375fb2-a74f-4981-96a4-eab7b8cc29ad\nThe server is currently unavailable. 
Please try again at a later time.\u003cbr /\u003e\u003cbr /\u003e\nThe Keystone service is temporarily unavailable.\n\n (HTTP 503) (Request-ID: req-ff375fb2-a74f-4981-96a4-eab7b8cc29ad)\nTraceback (most recent call last):\n  File \"/home/zuul/openstackclient-venv/lib/python3.8/site-packages/cliff/app.py\", line 401, in run_subcommand\n    result \u003d cmd.run(parsed_args)\n  File \"/home/zuul/openstackclient-venv/lib/python3.8/site-packages/osc_lib/command/command.py\", line 39, in run\n    return super(Command, self).run(parsed_args)\n  File \"/home/zuul/openstackclient-venv/lib/python3.8/site-packages/cliff/display.py\", line 115, in run\n    column_names, data \u003d self.take_action(parsed_args)\n  File \"/home/zuul/openstackclient-venv/lib/python3.8/site-packages/openstackclient/compute/v2/service.py\", line 116, in take_action\n    data \u003d compute_client.services.list(parsed_args.host,\n  File \"/home/zuul/openstackclient-venv/lib/python3.8/site-packages/novaclient/v2/services.py\", line 53, in list\n    return self._list(url, \"services\")\n  File \"/home/zuul/openstackclient-venv/lib/python3.8/site-packages/novaclient/base.py\", line 253, in _list\n    resp, body \u003d self.api.client.get(url)\n  File \"/home/zuul/openstackclient-venv/lib/python3.8/site-packages/keystoneauth1/adapter.py\", line 395, in get\n    return self.request(url, \u0027GET\u0027, **kwargs)\n  File \"/home/zuul/openstackclient-venv/lib/python3.8/site-packages/novaclient/client.py\", line 78, in request\n    raise exceptions.from_response(resp, body, url, method)\nnovaclient.exceptions.ClientException: The server is currently unavailable. 
Please try again at a later time.\u003cbr /\u003e\u003cbr /\u003e\nThe Keystone service is temporarily unavailable.\n\nTimestamp for this log is:\n\ntest-core-openstack-upgrade\tThu Nov 18 19:35:03 2021\n\nfrom keystone log:\n\n2021-11-18 19:35:03.076 953 DEBUG keystone.models.token_model [req-a0bb958c-eb43-4ebe-b6bc-b2cb60e28a69 - - - - -] User 846d9a7d1d914ceb86cc48222dd64e43 has no access to the system _validate_system_scope /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/models/token_model.py:517\n2021-11-18 19:35:03.079 953 WARNING keystone.server.flask.application [req-a0bb958c-eb43-4ebe-b6bc-b2cb60e28a69 - - - - -] Authorization failed. The request you have made requires authentication. from 192.0.2.10: keystone.exception.Unauthorized: The request you have made requires authentication.\n\nFrom /var/log/kolla/nova/nova-api-wsgi.log:\n2021-11-18 19:35:03.096 690 CRITICAL keystonemiddleware.auth_token [req-897b5920-164a-417f-a1f9-3f13e13cdfbf - - - - -] Unable to validate token: Identity server rejected authorization necessary to fetch token data: keystonemiddleware.auth_token._exceptions.ServiceError: Identity server rejected authorization necessary to fetch token data","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"5631f3227c0b86bfd444869e88253c8c6b53246f","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    enable enforcing system scope validation in Keystone."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    By default \"keystone_system_scoped_tokens\" is set to true. 
When performing"},{"line_number":12,"context_line":"    an upgrade, set this value parameter to false."}],"source_content_type":"text/x-yaml","patch_set":17,"id":"6b589421_6bf3e618","line":12,"range":{"start_line":11,"start_character":0,"end_line":12,"end_character":50},"in_reply_to":"d45044c3_73d1f570","updated":"2021-11-24 18:03:35.000000000","message":"Could you share how and why they fail?","commit_id":"9168dca86155822daf5317453bd81c7eade8423e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds \"keystone_system_scoped_tokens\" configuration parameter. If enabled,"},{"line_number":5,"context_line":"    the [keystone_authtoken] section in all service configuation files will"},{"line_number":6,"context_line":"    configured to use system scoped tokens instead of project scoped tokens."},{"line_number":7,"context_line":"    Adds \"enable_keystone_system_scoped_policy\" configuration parameter to"},{"line_number":8,"context_line":"    enable enforcing system scope validation in Keystone."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    By default \"keystone_system_scoped_tokens\" is set to true. 
When performing"},{"line_number":12,"context_line":"    an upgrade, set this value parameter to false."}],"source_content_type":"text/x-yaml","patch_set":27,"id":"ceacc6c4_b69fe61c","line":12,"range":{"start_line":4,"start_character":0,"end_line":12,"end_character":50},"updated":"2022-01-17 10:11:20.000000000","message":"Separate patch.\n\nNeed a different note for the service role change.","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds \"keystone_system_scoped_tokens\" configuration parameter. If enabled,"},{"line_number":5,"context_line":"    the [keystone_authtoken] section in all service configuation files will"},{"line_number":6,"context_line":"    configured to use system scoped tokens instead of project scoped tokens."},{"line_number":7,"context_line":"    Adds \"enable_keystone_system_scoped_policy\" configuration parameter to"},{"line_number":8,"context_line":"    enable enforcing system scope validation in Keystone."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    By default \"keystone_system_scoped_tokens\" is set to true. 
When performing"},{"line_number":12,"context_line":"    an upgrade, set this value parameter to false."}],"source_content_type":"text/x-yaml","patch_set":27,"id":"7dc20999_cae3ade4","line":12,"range":{"start_line":4,"start_character":0,"end_line":12,"end_character":50},"in_reply_to":"ceacc6c4_b69fe61c","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"tests/check-config.sh":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":22,"context_line":"                -not -regex \".*ca-certificates.*\" \\"},{"line_number":23,"context_line":"                -not -path /etc/kolla \\"},{"line_number":24,"context_line":"                -not -regex .*-openrc.sh \\"},{"line_number":25,"context_line":"                -not -regex .*-openrc-system-scope.sh \\"},{"line_number":26,"context_line":"                -not -name globals.yml \\"},{"line_number":27,"context_line":"                -not -name header \\"},{"line_number":28,"context_line":"                -not -name inventory \\"}],"source_content_type":"text/x-sh","patch_set":27,"id":"a3832cc3_03c06558","line":25,"range":{"start_line":25,"start_character":14,"end_line":25,"end_character":55},"updated":"2022-01-17 10:11:20.000000000","message":"Separate patch","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":22,"context_line":"                -not -regex \".*ca-certificates.*\" \\"},{"line_number":23,"context_line":"                -not -path /etc/kolla \\"},{"line_number":24,"context_line":"                -not -regex .*-openrc.sh \\"},{"line_number":25,"context_line":" 
               -not -regex .*-openrc-system-scope.sh \\"},{"line_number":26,"context_line":"                -not -name globals.yml \\"},{"line_number":27,"context_line":"                -not -name header \\"},{"line_number":28,"context_line":"                -not -name inventory \\"}],"source_content_type":"text/x-sh","patch_set":27,"id":"02193bef_4ebd5d61","line":25,"range":{"start_line":25,"start_character":14,"end_line":25,"end_character":55},"in_reply_to":"a3832cc3_03c06558","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}],"tests/templates/globals-default.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"53879e1363e663ffbbc63bad3fbb59eddfd6b8f4","unresolved":true,"context_lines":[{"line_number":33,"context_line":"enable_horizon: \"{{ dashboard_enabled }}\""},{"line_number":34,"context_line":"enable_heat: \"{{ openstack_core_tested }}\""},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"# TODO(mgoddard): Remove when previous release is Xena."},{"line_number":37,"context_line":"{% if is_previous_release and previous_release \u003d\u003d \"wallaby\" and scenario !\u003d \"cephadm\" %}"},{"line_number":38,"context_line":"# NOTE(mnasiadka): Test chrony cleanup in upgrade jobs"},{"line_number":39,"context_line":"enable_chrony: \"yes\""},{"line_number":40,"context_line":"{% endif %}"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"{% if scenario !\u003d \u0027bifrost\u0027 %}"},{"line_number":43,"context_line":"kolla_internal_vip_address: \"{{ kolla_internal_vip_address }}\""},{"line_number":44,"context_line":"neutron_external_interface: \"{{ neutron_external_interface_name }}\""}],"source_content_type":"text/x-jinja2","patch_set":23,"id":"de17e2f4_9fff0859","line":41,"range":{"start_line":36,"start_character":0,"end_line":41,"end_character":0},"updated":"2021-12-22 
15:35:18.000000000","message":"Not required","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":33,"context_line":"enable_horizon: \"{{ dashboard_enabled }}\""},{"line_number":34,"context_line":"enable_heat: \"{{ openstack_core_tested }}\""},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"# TODO(mgoddard): Remove when previous release is Xena."},{"line_number":37,"context_line":"{% if is_previous_release and previous_release \u003d\u003d \"wallaby\" and scenario !\u003d \"cephadm\" %}"},{"line_number":38,"context_line":"# NOTE(mnasiadka): Test chrony cleanup in upgrade jobs"},{"line_number":39,"context_line":"enable_chrony: \"yes\""},{"line_number":40,"context_line":"{% endif %}"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"{% if scenario !\u003d \u0027bifrost\u0027 %}"},{"line_number":43,"context_line":"kolla_internal_vip_address: \"{{ kolla_internal_vip_address }}\""},{"line_number":44,"context_line":"neutron_external_interface: \"{{ neutron_external_interface_name }}\""}],"source_content_type":"text/x-jinja2","patch_set":23,"id":"80aec7bc_d51fa009","line":41,"range":{"start_line":36,"start_character":0,"end_line":41,"end_character":0},"in_reply_to":"de17e2f4_9fff0859","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"189a04d70a7c5aef8678645be868b3015339a415"}],"tests/test-ironic.sh":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"1152c0517fdacfdb49184a2cdd33866be88e7878","unresolved":true,"context_lines":[{"line_number":121,"context_line":""},{"line_number":122,"context_line":"    create_resources"},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"    . 
/etc/kolla/admin-openrc-system-scope.sh"},{"line_number":125,"context_line":"    wait_for_placement_resources"},{"line_number":126,"context_line":"    . /etc/kolla/admin-openrc.sh"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"    echo \"TESTING: Server creation\""},{"line_number":129,"context_line":"    openstack server create --wait --image cirros --flavor baremetal --key-name mykey --network demo-net kolla_boot_test"}],"source_content_type":"text/x-sh","patch_set":27,"id":"cc453c69_01f9479d","line":126,"range":{"start_line":124,"start_character":0,"end_line":126,"end_character":32},"updated":"2022-01-17 10:11:20.000000000","message":"Separate patch","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"3311dd146eb35367308e77754790bac3d001ef82","unresolved":false,"context_lines":[{"line_number":121,"context_line":""},{"line_number":122,"context_line":"    create_resources"},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"    . /etc/kolla/admin-openrc-system-scope.sh"},{"line_number":125,"context_line":"    wait_for_placement_resources"},{"line_number":126,"context_line":"    . /etc/kolla/admin-openrc.sh"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"    echo \"TESTING: Server creation\""},{"line_number":129,"context_line":"    openstack server create --wait --image cirros --flavor baremetal --key-name mykey --network demo-net kolla_boot_test"}],"source_content_type":"text/x-sh","patch_set":27,"id":"8dfe16f7_6a0fed3a","line":126,"range":{"start_line":124,"start_character":0,"end_line":126,"end_character":32},"in_reply_to":"cc453c69_01f9479d","updated":"2024-02-06 11:12:49.000000000","message":"Done","commit_id":"76ade34e1cfa45ecd9e4085099730c421e222c49"}]}
