From f83cf93618ffc6e8c90c50fe567ba9329946718d Mon Sep 17 00:00:00 2001
From: Steven Hardy
Date: Wed, 12 Mar 2014 16:54:01 +0000
Subject: [PATCH] heat add HEAT_DEFERRED_AUTH option

Adds a HEAT_DEFERRED_AUTH, defaulted to trusts, so users can by default take advantage of the heat trusts functionality which provides the following benefits:
- Deferred operations (e.g autoscaling) work with token-only auth
- The password field in the heat page of horizon can be made optional (horizon patch pending)
- It's more secure because heat no longers stores username/password credentials in the DB, only a trust ID.
The previous behavior can be obtained by setting HEAT_DEFERRED_AUTH to something other than "trusts" - the value will only be set in the heat.conf if the value of "trusts" is found, otherwise the heat.conf default will be used (currently "password" which doesn't use trusts)

Change-Id: I549f1e0071a082ac5d07d0f99db633f8337f3d87
Related-Bug: #1286157
---
 lib/heat | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/lib/heat b/lib/heat
index 902333e29a..7a2d764923 100644
--- a/lib/heat
+++ b/lib/heat
@@ -38,6 +38,9 @@ HEAT_CONF=$HEAT_CONF_DIR/heat.conf
 HEAT_ENV_DIR=$HEAT_CONF_DIR/environment.d
 HEAT_TEMPLATES_DIR=$HEAT_CONF_DIR/templates
+# other default options
+HEAT_DEFERRED_AUTH=${HEAT_DEFERRED_AUTH:-trusts}
+
 # Tell Tempest this project is present
 TEMPEST_SERVICES+=,heat
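Review bot: The new `HEAT_DEFERRED_AUTH` default on the last added line of this hunk carries no comment on which values it accepts or what each one implies, and the `# other default options` line above it tells a reader nothing they can act on. The commit message explains the trade-off (trusts stores only a trust ID; anything else leaves the heat.conf default, which stores username/password credentials in the DB), but lib/heat is the only place a devstack user will look. I would replace the added comment with `# Auth method heat uses for deferred operations (heat.conf deferred_auth_method): "trusts" also creates the heat_stack_owner role; any other value leaves heat.conf at its default (password-based, stores user credentials in heat's DB)`.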
@@ -247,18 +250,21 @@ function create_heat_accounts {
 # heat_stack_user role is for users created by Heat
 openstack role create heat_stack_user
- # heat_stack_owner role is given to users who create Heat stacks,
- # it's the default role used by heat to delegate to the heat service
- # user (for performing deferred operations via trusts), see heat.conf
- HEAT_OWNER_ROLE=$(openstack role create \
- heat_stack_owner \
- | grep " id " | get_field 2)
+ if [[ $HEAT_DEFERRED_AUTH == trusts ]]; then
+ # heat_stack_owner role is given to users who create Heat stacks,
+ # it's the default role used by heat to delegate to the heat service
+ # user (for performing deferred operations via trusts), see heat.conf
+ HEAT_OWNER_ROLE=$(openstack role create \
+ heat_stack_owner \
+ | grep " id " | get_field 2)
- # Give the role to the demo and admin users so they can create stacks
- # in either of the projects created by devstack
- openstack role add $HEAT_OWNER_ROLE --project demo --user demo
- openstack role add $HEAT_OWNER_ROLE --project demo --user admin
- openstack role add $HEAT_OWNER_ROLE --project admin --user admin
+ # Give the role to the demo and admin users so they can create stacks
+ # in either of the projects created by devstack
+ openstack role add $HEAT_OWNER_ROLE --project demo --user demo
+ openstack role add $HEAT_OWNER_ROLE --project demo --user admin
+ openstack role add $HEAT_OWNER_ROLE --project admin --user admin
+ iniset $HEAT_CONF DEFAULT deferred_auth_method trusts
+ fi
 # Note we have to pass token/endpoint here because the current endpoint and
 # version negotiation in OSC means just --os-identity-api-version=3 won't work
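Review bot: `[[ $HEAT_DEFERRED_AUTH == trusts ]]` accepts any other spelling silently, so a mistyped value such as `trust` skips the heat_stack_owner setup and leaves heat on the heat.conf default, which the commit message identifies as the password mechanism that stores user credentials in the DB; that is a security downgrade with no diagnostic. I would reject unknown values before the branch, e.g. `[[ $HEAT_DEFERRED_AUTH == trusts || $HEAT_DEFERRED_AUTH == password ]] || die $LINENO "HEAT_DEFERRED_AUTH must be trusts or password, got: $HEAT_DEFERRED_AUTH"`, or at least announce the non-trusts path with `echo "HEAT_DEFERRED_AUTH=$HEAT_DEFERRED_AUTH: heat will store user credentials in its DB" >&2`. Separately, writing `deferred_auth_method` into heat.conf from inside the account-creation function couples the config file to Keystone setup; the `iniset` would sit more naturally beside the other heat.conf settings in the configure step. `create_heat_accounts` opens before this hunk and its body continues after it.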