Comment 4 for bug 1529354

huangtianhua (huangtianhua) wrote :

Sorry, I pressed the button by mistake.

The logic is something like:
********stack.py************
def store(self):
    # ......
    defer_creds = None
    if cfg.CONF.deferred_auth_method == 'trusts':
        keystone = self.clients.client('keystone')
        # here we inherit all roles, the default behaviour
        trust_ctx = keystone.create_trust_context(for_deferred_action=False)
        new_creds = ucreds_object.UserCreds.create(trust_ctx)
        if cfg.CONF.trusts_delegated_roles:
            # here we inherit subset roles
            defer_context = keystone.create_trust_context(for_deferred_action=True)
            defer_creds = ucreds_object.UserCreds.create(defer_context)
    else:
        new_creds = ucreds_object.UserCreds.create(self.context)
    defer_creds = defer_creds if defer_creds else new_creds
    s['user_creds_id'] = new_creds.id
    self.user_creds_id = new_creds.id
    s['defer_creds_id'] = defer_creds.id
    self.defer_creds_id = defer_creds.id

Then, when creating the stack, we reload the stack and use the context which inherits all roles;
when a resource is signaled, we reload the stack and use the deferred context which inherits a subset of roles.
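
The role split proposed in this comment, as an added example that is not part of the original comment or of Heat's code: a small in-memory model of the trusts branch showing which roles each operation ends up holding. `Trust`, `FakeKeystone` and `creds_for` are hypothetical names, the role names are constructed sample data, and `for_deferred_action` is the flag from the comment above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """Constructed stand-in for a Keystone trust: an id plus the delegated roles."""
    trust_id: str
    roles: frozenset


class FakeKeystone:
    """Hypothetical in-memory client; it models role delegation only."""

    def __init__(self, trustor_roles, delegated_roles):
        self.trustor_roles = frozenset(trustor_roles)
        # Plays the part of cfg.CONF.trusts_delegated_roles.
        self.delegated_roles = frozenset(delegated_roles)
        self._count = 0

    def create_trust_context(self, for_deferred_action=False):
        roles = self.delegated_roles if for_deferred_action else self.trustor_roles
        # A trustor can only delegate roles it holds itself.
        missing = roles - self.trustor_roles
        if missing:
            raise ValueError("trustor lacks roles: %s" % sorted(missing))
        self._count += 1
        return Trust("trust-%d" % self._count, roles)


def store(keystone):
    """Trusts branch of the comment's logic: return (user_creds, defer_creds)."""
    new_creds = keystone.create_trust_context(for_deferred_action=False)
    defer_creds = None
    if keystone.delegated_roles:
        defer_creds = keystone.create_trust_context(for_deferred_action=True)
    # With no delegated roles configured, both ids point at the same credential.
    return new_creds, defer_creds or new_creds


def creds_for(operation, user_creds, defer_creds):
    """Stack create reloads with the full trust; a resource signal uses the deferred one."""
    return defer_creds if operation == "signal" else user_creds
```
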