Add heat_stack_owner role for heat trusts usage
Heat supports deferred operations via keystone trusts, and we'd like to make that the default. To do this, we require a new role, which is the default role specified in heat.conf trusts_delegated_roles, heat_stack_owner. Add the role to the admin/demo users so they can create heat stacks when we make deferred_auth_method=trusts the default.

Change-Id: Idfc70ee89428c23f5965e643486ff2ad9566471c
Related-Bug: #1286157
parent 57d478d874
commit 2ca3bf18dd
13
lib/heat
@ -240,6 +240,19 @@ function create_heat_accounts {
|
||||
# heat_stack_user role is for users created by Heat
|
||||
openstack role create heat_stack_user
|
||||
|
||||
# heat_stack_owner role is given to users who create Heat stacks,
|
||||
# it's the default role used by heat to delegate to the heat service
|
||||
# user (for performing deferred operations via trusts), see heat.conf
|
||||
HEAT_OWNER_ROLE=$(openstack role create \
|
||||
heat_stack_owner \
|
||||
| grep " id " | get_field 2)
|
||||
|
||||
# Give the role to the demo and admin users so they can create stacks
|
||||
# in either of the projects created by devstack
|
||||
openstack role add $HEAT_OWNER_ROLE --project demo --user demo
|
||||
openstack role add $HEAT_OWNER_ROLE --project demo --user admin
|
||||
openstack role add $HEAT_OWNER_ROLE --project admin --user admin
|
||||
|
||||
# Note we have to pass token/endpoint here because the current endpoint and
|
||||
# version negotiation in OSC means just --os-identity-api-version=3 won't work
|
||||
KS_ENDPOINT_V3="$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v3"
|
||||
|
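Review bot: HEAT_OWNER_ROLE is never checked and is expanded unquoted in the three `openstack role add $HEAT_OWNER_ROLE ...` calls. If `openstack role create heat_stack_owner` fails (for example because the role already exists on a re-run), or the table output stops matching `grep " id "`, the variable is empty and each call collapses to `openstack role add --project demo --user demo`, so the role argument is missing and the grant silently does not happen as intended. Suggest aborting when the variable is empty and quoting it as "$HEAT_OWNER_ROLE"; since the role name is fixed in this hunk, passing `heat_stack_owner` by name to `role add` would also remove the dependency on parsing the table output. Separately, the new comment says "see heat.conf" without naming the option; the commit message names trusts_delegated_roles, and putting that in the comment would make it clear which setting has to stay in step with the role created here.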