So, with those two patches, it should now be possible to use a trust-scoped token for all heat actions other than create.
To allow create to work we need to do one or more of:
- Always create a stack with the initial non-trust scoped token (even if it's empty)
- Implement explicit support for trust chaining in keystone (I'm looking into this)
- Add a field to the create body, which enables a pre-created trust_id to be passed in (this would require either Solum to create the trust instead of heat and pass it in, which seems conceptually messy but would probably work).