From 01a4e4060b300c1fc0b1b1634f106115e79aef2b Mon Sep 17 00:00:00 2001 From: Matthew Kassawara Date: Mon, 22 Dec 2014 15:31:49 -0600 Subject: [PATCH] Clarify heat roles Building on an earlier patch, I further clarified the purpose of the heat_stack_owner and heat_stack_user roles. Change-Id: I67804d2e7bfbd53e8f453adc251a102c6f0e39ff Closes-Bug: #1401668 backport: juno --- doc/install-guide/section_heat-install.xml | 37 ++++++++++++++-------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/doc/install-guide/section_heat-install.xml b/doc/install-guide/section_heat-install.xml index 2744498c75..99d0c91b14 100644 --- a/doc/install-guide/section_heat-install.xml +++ b/doc/install-guide/section_heat-install.xml @@ -72,20 +72,29 @@ - Create the heat_stack_user and - heat_stack_owner roles: - $ keystone role-create --name heat_stack_user -$ keystone role-create --name heat_stack_owner - By default, users created by Orchestration use the - heat_stack_user role. - The heat_stack_user role is for users - created by heat, and is restricted to specific API actions. - The heat_stack_owner role is assigned to - users who create heat stacks. - Because the heat_stack_owner - role has limited operational access to heat, you must never - assign this role to a user with a heat_stack_user - role. + Create the heat_stack_owner role: + $ keystone role-create --name heat_stack_owner + + + Add the heat_stack_owner role to the + demo tenant and user: + $ keystone user-role-add --user demo --tenant demo --role heat_stack_owner + + You must add the heat_stack_owner + role to users that manage stacks. + + + + Create the heat_stack_user role: + $ keystone role-create --name heat_stack_user + + The Orchestration service automatically assigns the + heat_stack_user role to users that it + creates during stack deployment. By default, this role + restricts API operations. To avoid + conflicts, do not add this role to users with the + heat_stack_owner role. + Create the heat and
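Review bot: The sentence "By default, this role restricts API operations" in the heat_stack_user step is vaguer than the text it replaces ("is restricted to specific API actions"); say what is restricted, or at least that the restriction comes from the Orchestration service's policy and applies to the stack-related operations that service-created users need, so an operator knows what "conflicts" means when both roles are present. The heat_stack_owner step also only adds the role to the `demo` user and tenant and then says "You must add the heat_stack_owner role to users that manage stacks"; consider making explicit that the same `keystone user-role-add --user <user> --tenant <tenant> --role heat_stack_owner` is needed per tenant and user that will create stacks, since the `demo` step is an example from the earlier guide sections rather than the complete set.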