Adds a HEAT_DEFERRED_AUTH, defaulted to trusts, so users can
by default take advantage of the heat trusts functionality
which provides the following benefits:
- Deferred operations (e.g. autoscaling) work with token-only auth
- The password field in the heat page of horizon can be made optional
(horizon patch pending)
- It's more secure because heat no longer stores username/password
credentials in the DB, only a trust ID.
The previous behavior can be obtained by setting HEAT_DEFERRED_AUTH
to something other than "trusts" - the value will only be set in
the heat.conf if the value of "trusts" is found, otherwise the
heat.conf default will be used (currently "password" which doesn't
use trusts)
Change-Id: I549f1e0071a082ac5d07d0f99db633f8337f3d87
Related-Bug: #1286157
| ... | ... |
@@ -38,6 +38,9 @@ HEAT_CONF=$HEAT_CONF_DIR/heat.conf |
| 38 | 38 |
HEAT_ENV_DIR=$HEAT_CONF_DIR/environment.d |
| 39 | 39 |
HEAT_TEMPLATES_DIR=$HEAT_CONF_DIR/templates |
| 40 | 40 |
|
| 41 |
+# other default options |
|
| 42 |
+HEAT_DEFERRED_AUTH=${HEAT_DEFERRED_AUTH:-trusts}
|
|
| 43 |
+ |
|
| 41 | 44 |
# Tell Tempest this project is present |
| 42 | 45 |
TEMPEST_SERVICES+=,heat |
| 43 | 46 |
|
| ... | ... |
@@ -247,18 +250,21 @@ function create_heat_accounts {
|
| 247 | 247 |
# heat_stack_user role is for users created by Heat |
| 248 | 248 |
openstack role create heat_stack_user |
| 249 | 249 |
|
| 250 |
- # heat_stack_owner role is given to users who create Heat stacks, |
|
| 251 |
- # it's the default role used by heat to delegate to the heat service |
|
| 252 |
- # user (for performing deferred operations via trusts), see heat.conf |
|
| 253 |
- HEAT_OWNER_ROLE=$(openstack role create \ |
|
| 254 |
- heat_stack_owner \ |
|
| 255 |
- | grep " id " | get_field 2) |
|
| 250 |
+ if [[ $HEAT_DEFERRED_AUTH == trusts ]]; then |
|
| 251 |
+ # heat_stack_owner role is given to users who create Heat stacks, |
|
| 252 |
+ # it's the default role used by heat to delegate to the heat service |
|
| 253 |
+ # user (for performing deferred operations via trusts), see heat.conf |
|
| 254 |
+ HEAT_OWNER_ROLE=$(openstack role create \ |
|
| 255 |
+ heat_stack_owner \ |
|
| 256 |
+ | grep " id " | get_field 2) |
|
| 256 | 257 |
|
| 257 |
- # Give the role to the demo and admin users so they can create stacks |
|
| 258 |
- # in either of the projects created by devstack |
|
| 259 |
- openstack role add $HEAT_OWNER_ROLE --project demo --user demo |
|
| 260 |
- openstack role add $HEAT_OWNER_ROLE --project demo --user admin |
|
| 261 |
- openstack role add $HEAT_OWNER_ROLE --project admin --user admin |
|
| 258 |
+ # Give the role to the demo and admin users so they can create stacks |
|
| 259 |
+ # in either of the projects created by devstack |
|
| 260 |
+ openstack role add $HEAT_OWNER_ROLE --project demo --user demo |
|
| 261 |
+ openstack role add $HEAT_OWNER_ROLE --project demo --user admin |
|
| 262 |
+ openstack role add $HEAT_OWNER_ROLE --project admin --user admin |
|
| 263 |
+ iniset $HEAT_CONF DEFAULT deferred_auth_method trusts |
|
| 264 |
+ fi |
|
| 262 | 265 |
|
| 263 | 266 |
# Note we have to pass token/endpoint here because the current endpoint and |
| 264 | 267 |
# version negotiation in OSC means just --os-identity-api-version=3 won't work |