Support new nova policy regarding system scope
Since Ussuri, nova can be configured to enforce scopes, requiring special tokens to use deployment-wide admin features.
See intro and "Scope" section of: https:/
A nova service configured this way will typically have the following in nova.conf:
```
[oslo_policy]
enforce_scope = true
enforce_
```
When nova is configured this way, masakari needs to obtain system-scoped tokens from keystone in order to perform operations such as listing hosts and enabling or disabling nova services.
See the defaults in nova policy listed here: https:/
You can see for example that `os_compute_
A definition of system-scoped tokens can be found here: https:/
In the keystoneauth1 library used in masakari, when using the password plugin, it is possible to add a `system-scope` parameter to get a system-scoped token; see: https:/
Masakari could therefore have an additional configuration option that passes this parameter to keystoneauth. The only value that seems relevant for this parameter in the defaults is `all`.
To configure masakari properly and get the right token to interact with nova, one will usually have to:
- Make sure `os_privileged_
- Set the new configuration `os_system_scope` to `all`
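
The difference between a project-scoped and a system-scoped token request, as an added example that is not masakari or keystoneauth code: the function and parameter names are hypothetical, the request and response shapes follow the Keystone v3 `/v3/auth/tokens` API, and the credentials and sample response are constructed.

```python
# Added illustration, not masakari or keystoneauth code. Names are hypothetical.
import json


def build_auth_body(username, password, user_domain,
                    project=None, project_domain=None, system_scope=None):
    """Build a Keystone v3 POST /v3/auth/tokens body for password auth."""
    # A token carries one scope target, so refuse ambiguous input.
    if project and system_scope:
        raise ValueError("choose project scope or system scope, not both")
    if system_scope not in (None, "all"):
        raise ValueError("unsupported system scope: %r" % (system_scope,))
    user = {"name": username, "password": password,
            "domain": {"name": user_domain}}
    auth = {"identity": {"methods": ["password"], "password": {"user": user}}}
    if system_scope == "all":
        auth["scope"] = {"system": {"all": True}}
    elif project:
        auth["scope"] = {"project": {"name": project,
                                     "domain": {"name": project_domain}}}
    return {"auth": auth}


def token_scope(response_body):
    """Classify a token response as system, domain, project or unscoped."""
    token = response_body["token"]
    if token.get("system", {}).get("all") is True:
        return "system"
    for target in ("domain", "project"):
        if target in token:
            return target
    return "unscoped"


# Constructed sample: trimmed response body for a system-scoped token.
SAMPLE_SYSTEM_TOKEN = json.loads(
    '{"token": {"methods": ["password"], "system": {"all": true},'
    ' "roles": [{"name": "admin"}], "user": {"name": "masakari"}}}')

if __name__ == "__main__":
    # Constructed credentials; os_system_scope = all maps to system_scope="all".
    body = build_auth_body("masakari", "constructed-password", "Default",
                           system_scope="all")
    print(json.dumps(body["auth"]["scope"]))
    print(token_scope(SAMPLE_SYSTEM_TOKEN))
```

Because a token has a single scope target, a service account that was previously scoped to a project has to drop that project scope when it requests a system-scoped token.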
Blueprint information
- Status: Complete
- Approver: Radosław Piliszek
- Priority: Low
- Drafter: Nautik
- Direction: Approved
- Assignee: Nautik
- Definition: Approved
- Series goal: Accepted for wallaby
- Implementation: Implemented
- Milestone target: None
- Started by: Nautik
- Completed by: Radosław Piliszek
Whiteboard
Implemented by: https:/