We're moving more and more OpenStack data out of LDAP and into proper OpenStack services. That's good, but it means that public LDAP credentials are no longer adequate to do things like enumerate all instances in all projects. This has broken several tools -- for example, watroles.
There are a few hacks to provide this information, most obviously the 'wikitech API'. The right solution, though, is just to provide access to OpenStack APIs from within labs.
- Implement login ACLs so that labs machines can get tokens only for select users (for the time being, just novaobserver)
- Open up firewalls, routes, etc. so that labs instances can hit the non-admin Nova, Glance and Keystone APIs. (Actually the Nova API is already reachable from labs, although useless without Keystone tokens)
- Insert a 'novaobserver' account into every project
- Provide PUBLIC username/password credentials for the novaobserver account
With this setup users will also be able to use their horizon login to manipulate projects from within Labs. I'm pretty sure that's a feature and not a bug, although it will provide a way to bypass 2fa for such operations. /Maybe/ we want to enforce 2fa for all users that aren't novaadmin or novaobserver.
Thanks to the ACLs, this means that individual user logins are still only useful when logging in from horizon or wikitech; they'll still be blocked from within Labs (and firewalled _and_ blocked from the rest of the internet). The only account that will work is novaobserver, which will not have any explicit roles set on any projects. That means that 'observer' creds can only be used to do things that are entirely unrestricted by nova or keystone policy.
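To make the two controls concrete, here is an added illustration (not Wikimedia's code) of a source-network token ACL combined with oslo.policy-style rules; the network ranges, user set and policy rules are constructed placeholders, not the production configuration.

```python
# Added example: models why public 'novaobserver' credentials that hold no
# project roles can only reach API calls that policy leaves unrestricted.
import ipaddress

# Constructed placeholders; real labs ranges and the ACL live in the deployment.
LABS_NETWORKS = [ipaddress.ip_network("10.68.0.0/16")]
LABS_TOKEN_USERS = {"novaobserver"}

# Minimal oslo.policy-style rules (assumed, not the production policy files).
POLICY = {
    "admin_required": "role:admin",
    "admin_or_owner": "rule:admin_required or role:projectadmin or role:user",
    "compute:servers:index": "",  # empty rule: any valid token may call it
    "compute:servers:delete": "rule:admin_or_owner",
    "identity:list_projects": "rule:admin_required",
}


def token_allowed(user: str, source_ip: str) -> bool:
    """Login ACL: from labs addresses only the listed users may obtain a token.
    Requests from elsewhere (horizon/wikitech hosts) pass this check; the
    firewall, not this ACL, handles the rest of the internet."""
    src = ipaddress.ip_address(source_ip)
    in_labs = any(src in net for net in LABS_NETWORKS)
    return (not in_labs) or user in LABS_TOKEN_USERS


def policy_allows(action: str, roles: set) -> bool:
    """Evaluate a rule: '' matches every token, 'role:x' needs role x,
    'rule:y' recurses into another named rule, ' or ' joins alternatives."""
    rule = POLICY[action]
    if rule == "":
        return True
    for term in rule.split(" or "):
        kind, _, value = term.partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "rule" and policy_allows(value, roles):
            return True
    return False


def request_allowed(user: str, source_ip: str, roles: set, action: str) -> bool:
    """Full decision: token issuance first, then policy with the token's roles."""
    return token_allowed(user, source_ip) and policy_allows(action, roles)


if __name__ == "__main__":
    # novaobserver from a labs instance, no roles: listing works, deleting does not.
    print(request_allowed("novaobserver", "10.68.16.5", set(), "compute:servers:index"))
    print(request_allowed("novaobserver", "10.68.16.5", set(), "compute:servers:delete"))
```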