From 2ca3bf18dd756621f012ebb7ffb338f2fa38d6f2 Mon Sep 17 00:00:00 2001
From: Steven Hardy
Date: Mon, 3 Mar 2014 18:07:33 +0000
Subject: [PATCH] Add heat_stack_owner role for heat trusts usage
Heat supports deferred operations via keystone trusts, and we'd like to make that the default. To do this, we require a new role, which is the default role specified in heat.conf trusts_delegated_roles, heat_stack_owner. Add the role to the admin/demo users so they can create heat stacks when we make deferred_auth_method=trusts the default.
Change-Id: Idfc70ee89428c23f5965e643486ff2ad9566471c
Related-Bug: #1286157
---
 lib/heat | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/lib/heat b/lib/heat
index 42d1057cbd..2d9d863f0c 100644
--- a/lib/heat
+++ b/lib/heat
@@ -240,6 +240,19 @@ function create_heat_accounts {
 # heat_stack_user role is for users created by Heat
 openstack role create heat_stack_user

+ # heat_stack_owner role is given to users who create Heat stacks,
+ # it's the default role used by heat to delegate to the heat service
+ # user (for performing deferred operations via trusts), see heat.conf
+ HEAT_OWNER_ROLE=$(openstack role create \
+ heat_stack_owner \
+ | grep " id " | get_field 2)
+
+ # Give the role to the demo and admin users so they can create stacks
+ # in either of the projects created by devstack
+ openstack role add $HEAT_OWNER_ROLE --project demo --user demo
+ openstack role add $HEAT_OWNER_ROLE --project demo --user admin
+ openstack role add $HEAT_OWNER_ROLE --project admin --user admin
+
 # Note we have to pass token/endpoint here because the current endpoint and
 # version negotiation in OSC means just --os-identity-api-version=3 won't work
 KS_ENDPOINT_V3="$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v3"
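Review bot: The id captured into `HEAT_OWNER_ROLE` is never checked before the three `openstack role add` lines expand it unquoted. Unless `pipefail` is set elsewhere, the pipeline's status is that of `get_field`, not of `openstack role create`, so a failed create (presumably including a re-run where the role already exists) leaves the variable empty and the `role add` calls run with no role argument. Because this is the role heat delegates through trusts, I would fail loudly right after the assignment with `[[ -n "$HEAT_OWNER_ROLE" ]] || { echo "heat_stack_owner role id not found" >&2; return 1; }` and quote the expansion, as in `openstack role add "$HEAT_OWNER_ROLE" --project demo --user demo`. create_heat_accounts begins before the hunk and continues past it, so any error handling it already has is not visible here.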