Heat supports deferred operations via keystone trusts,
and we'd like to make that the default. To do this, we
require a new role, which is the default role specified
in heat.conf trusts_delegated_roles, heat_stack_owner.
Add the role to the admin/demo users so they can create
heat stacks when we make deferred_auth_method=trusts the
default.
Change-Id: Idfc70ee89428c23f5965e643486ff2ad9566471c
Related-Bug: #1286157
| ... | ... |
@@ -240,6 +240,19 @@ function create_heat_accounts {
|
| 240 | 240 |
# heat_stack_user role is for users created by Heat |
| 241 | 241 |
openstack role create heat_stack_user |
| 242 | 242 |
|
| 243 |
+ # heat_stack_owner role is given to users who create Heat stacks, |
|
| 244 |
+ # it's the default role used by heat to delegate to the heat service |
|
| 245 |
+ # user (for performing deferred operations via trusts), see heat.conf |
|
| 246 |
+ HEAT_OWNER_ROLE=$(openstack role create \ |
|
| 247 |
+ heat_stack_owner \ |
|
| 248 |
+ | grep " id " | get_field 2) |
|
| 249 |
+ |
|
| 250 |
+ # Give the role to the demo and admin users so they can create stacks |
|
| 251 |
+ # in either of the projects created by devstack |
|
| 252 |
+ openstack role add $HEAT_OWNER_ROLE --project demo --user demo |
|
| 253 |
+ openstack role add $HEAT_OWNER_ROLE --project demo --user admin |
|
| 254 |
+ openstack role add $HEAT_OWNER_ROLE --project admin --user admin |
|
| 255 |
+ |
|
| 243 | 256 |
# Note we have to pass token/endpoint here because the current endpoint and |
| 244 | 257 |
# version negotiation in OSC means just --os-identity-api-version=3 won't work |
| 245 | 258 |
KS_ENDPOINT_V3="$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v3" |
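Review bot: The added `HEAT_OWNER_ROLE=$(openstack role create heat_stack_owner | grep " id " | get_field 2)` assignment never checks that an ID was actually captured, and the three `openstack role add $HEAT_OWNER_ROLE ...` lines that follow expand it unquoted. If the create call fails, or its table output stops matching `grep " id "`, the variable is empty and the role argument disappears from each command line. The grants then fail with an argument error that does not point at the real cause. Suggest quoting it as "$HEAT_OWNER_ROLE" and stopping with a clear message when it is empty. The missing role is then caught here, not later when stack creation is rejected once deferred_auth_method=trusts is the default. It would also help if the comment named the heat.conf option (trusts_delegated_roles, as the commit message does), so anyone who changes the delegated role there knows this function must grant the matching role.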