heat add HEAT_DEFERRED_AUTH option

Adds a HEAT_DEFERRED_AUTH, defaulted to trusts, so users can by default take advantage of the heat trusts functionality which provides the following benefits: - Deferred operations (e.g autoscaling) work with token-only auth - The password field in the heat page of horizon can be made optional (horizon patch pending) - It's more secure because heat no longers stores username/password credentials in the DB, only a trust ID. The previous behavior can be obtained by setting HEAT_DEFERRED_AUTH to something other than "trusts" - the value will only be set in the heat.conf if the value of "trusts" is found, otherwise the heat.conf default will be used (currently "password" which doesn't use trusts) Change-Id: I549f1e0071a082ac5d07d0f99db633f8337f3d87 Related-Bug: #1286157
2014-03-12 16:54:01 +00:00 · 2014-03-12 16:54:01 +00:00 · f83cf93618
commit f83cf93618
parent fbedabde06
1 changed files with 17 additions and 11 deletions
--- a/lib/heat
+++ b/lib/heat
@ -38,6 +38,9 @@ HEAT_CONF=$HEAT_CONF_DIR/heat.conf
 HEAT_ENV_DIR=$HEAT_CONF_DIR/environment.d
 HEAT_TEMPLATES_DIR=$HEAT_CONF_DIR/templates

+# other default options
+HEAT_DEFERRED_AUTH=${HEAT_DEFERRED_AUTH:-trusts}
+
 # Tell Tempest this project is present
 TEMPEST_SERVICES+=,heat

@ -247,18 +250,21 @@ function create_heat_accounts {
    # heat_stack_user role is for users created by Heat
    openstack role create heat_stack_user

-    # heat_stack_owner role is given to users who create Heat stacks,
-    # it's the default role used by heat to delegate to the heat service
-    # user (for performing deferred operations via trusts), see heat.conf
-    HEAT_OWNER_ROLE=$(openstack role create \
-        heat_stack_owner \
-        | grep " id " | get_field 2)
+    if [[ $HEAT_DEFERRED_AUTH == trusts ]]; then
+        # heat_stack_owner role is given to users who create Heat stacks,
+        # it's the default role used by heat to delegate to the heat service
+        # user (for performing deferred operations via trusts), see heat.conf
+        HEAT_OWNER_ROLE=$(openstack role create \
+            heat_stack_owner \
+            | grep " id " | get_field 2)

-    # Give the role to the demo and admin users so they can create stacks
-    # in either of the projects created by devstack
-    openstack role add $HEAT_OWNER_ROLE --project demo --user demo
-    openstack role add $HEAT_OWNER_ROLE --project demo --user admin
-    openstack role add $HEAT_OWNER_ROLE --project admin --user admin
+        # Give the role to the demo and admin users so they can create stacks
+        # in either of the projects created by devstack
+        openstack role add $HEAT_OWNER_ROLE --project demo --user demo
+        openstack role add $HEAT_OWNER_ROLE --project demo --user admin
+        openstack role add $HEAT_OWNER_ROLE --project admin --user admin
+        iniset $HEAT_CONF DEFAULT deferred_auth_method trusts
+    fi

    # Note we have to pass token/endpoint here because the current endpoint and
    # version negotiation in OSC means just --os-identity-api-version=3 won't work