We're moving more and more OpenStack data out of ldap and into proper OpenStack services. That's good, but it means that public ldap credentials are no longer adequate to do things like enumerate all instances in all projects. This has broken several tools -- for example, watroles.
There are a few hacks to provide this information, most obviously the 'wikitech API'. The right solution, though, is just to provide access to OpenStack APIs from within labs.
[x] Implement login ACLs so that labs machines can get tokens only for select users (for the time being, just novaobserver)
[ ] Open up firewalls, routes, etc. so that labs instances can hit the non-admin Nova and Keystone APIs (and maybe other services as well, but I'm not sure that's as useful)
[ ] Insert a 'novaobserver' account into every project
[ ] Provide PUBLIC username/password credentials for the novaobserver account
With this setup users will also be able to use their horizon login to manipulate projects from within Labs. I'm pretty sure that's a feature and not a bug, although it will provide a way to bypass 2fa for such operations. /Maybe/ we want to enforce 2fa for all users that aren't novaadmin or novaobserver.