Heat should use trusts by default
Bug #1286157 reported by Steven Hardy
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Heat | Fix Released | Medium | Ethan Lynn |
Bug Description
We should switch to using deferred_
- It's more secure, we won't have to store username/password anymore
- It's better for users, because they won't have to provide a username/password anymore, e.g. the box in horizon where we force them to enter a password even though horizon is already passing us a token.
The trusts functionality was merged back in Havana, and IME it's ready, so we should get things passing in the gate with the updated default, and check if updates are required to avoid breaking existing heat users (e.g. tripleo)
Changed in heat:
assignee: nobody → Steven Hardy (shardy)
milestone: none → icehouse-3
Changed in heat:
milestone: icehouse-3 → icehouse-rc1
Changed in heat:
status: New → Triaged
importance: Undecided → Medium
Changed in heat:
milestone: ongoing → juno-3
Changed in heat:
milestone: juno-3 → juno-rc1
Changed in heat:
milestone: juno-rc1 → kilo-1
Changed in heat:
milestone: kilo-1 → kilo-2
Changed in heat:
milestone: kilo-2 → kilo-3
Changed in heat:
assignee: Steven Hardy (shardy) → Ethan Lynn (ethanlynn)
Changed in heat:
milestone: kilo-3 → kilo-rc1
Changed in heat:
status: Fix Committed → Fix Released
Changed in heat:
milestone: kilo-rc1 → 2015.1.0
So action plan to get this in:
1. Get the rest of the instance-users patches reviewed/merged
https://review.openstack.org/#/q/status:open+project:openstack/heat+branch:master+topic:bug/1089261,n,z
2. Get stevebaker's tempest change in which moves the heat tests to use the demo user:
https://review.openstack.org/#/c/76981/
3. Get a devstack change in which creates the heat_stack_owner role and gives it to the demo user (this is the role we delegate via the trust by default in heat.conf)
4. Get a heat change in which flips the default (easy in theory but there's test fallout to deal with, perhaps we set the default back to password for most of the unit tests)
5. Get a patch into horizon which makes the password box optional (defaulted to off, to match the new heat default)
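An added example, not part of the bug report or of Heat's own code: a small check that reads a heat.conf and reports whether deferred operations rely on stored user credentials or on trusts. It assumes the Heat options `deferred_auth_method` and `trusts_delegated_roles` in the `[DEFAULT]` section; the sample configs and the `audit_heat_conf` helper are constructed for illustration.

```python
import configparser

# Constructed sample heat.conf fragments (not taken from the bug report).
LEGACY_CONF = """
[DEFAULT]
deferred_auth_method = password
"""
TRUSTS_CONF = """
[DEFAULT]
deferred_auth_method = trusts
trusts_delegated_roles = heat_stack_owner
"""
UNSET_CONF = """
[DEFAULT]
debug = false
"""


def audit_heat_conf(text, release_default="password"):
    """Return (effective_method, findings) for a heat.conf given as text.

    release_default is the value the installed Heat release falls back to
    when the option is absent; this bug is about flipping it to "trusts".
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    opts = parser.defaults()  # options of the [DEFAULT] section
    explicit = opts.get("deferred_auth_method")
    method = (explicit or release_default).strip().lower()
    findings = []
    if explicit is None:
        findings.append("deferred_auth_method is not set; the effective "
                        "value comes from the release default (%s)" % method)
    if method == "password":
        findings.append("user credentials are stored for deferred "
                        "operations; switch to trusts")
    elif method == "trusts":
        raw = opts.get("trusts_delegated_roles", "")
        roles = [r.strip() for r in raw.split(",") if r.strip()]
        if not roles:
            findings.append("trusts_delegated_roles is not set; confirm "
                            "which roles the trust delegates")
    else:
        findings.append("unrecognised deferred_auth_method: %s" % method)
    return method, findings
```

Pass `release_default="trusts"` when auditing a release that already carries the fix for this bug, so an absent option is judged against the right default.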