Puppet OpenStack cannot use trusts unless something is done.
When Puppet runs as a daemon, which is mostly the case in production, every time the Puppet catalog is executed, all the trusts declared in the catalog are created (added) again. An unbounded number of trusts accumulates very quickly, which is not acceptable for Puppet users. This basically breaks idempotency, where the same state is guaranteed.
BTW, Puppet's initial need for trusts is to configure Heat properly.
A Puppet manifest example:
keystone_trust {'adminv3 trust for user1':
  trustor     => 'adminv3::admin_domain',
  trustee     => 'user1::admin_domain',
  project     => 'openstackv3::admin_domain',
  roles       => ['admin'],
  impersonate => true,
  ensure      => present
}
Because a trust is unique only by its ID, every time the manifest is executed, a new trust is created.
Effectively, several trusts with the same properties can exist:
$ trust create adminv3 user1 --role admin --project openstackv3 -f shell
deleted_at="None"
expires_at="None"
id="00cf1f149fd0463994ad62ec0939ec71"
impersonation="False"
project_id="cf31bbe1ab4e4135a83b1b923d733b0d"
redelegation_count="0"
remaining_uses="None"
roles="admin"
trustee_user_id="e057d0ac9c394f5c833c6a746d76bc17"
trustor_user_id="b0fa819e150a4005a10ebdfc9d1b97d4"
$ trust create adminv3 user1 --role admin --project openstackv3 -f shell
deleted_at="None"
expires_at="None"
id="0ae2d20042d6418b8f3b8832ab43360e"
impersonation="False"
project_id="cf31bbe1ab4e4135a83b1b923d733b0d"
redelegation_count="0"
remaining_uses="None"
roles="admin"
trustee_user_id="e057d0ac9c394f5c833c6a746d76bc17"
trustor_user_id="b0fa819e150a4005a10ebdfc9d1b97d4"
$ openstack trust list -f csv
"ID","Expires At","Impersonation","Project ID","Trustee User ID","Trustor User ID"
"00cf1f149fd0463994ad62ec0939ec71","",False,"cf31bbe1ab4e4135a83b1b923d733b0d","e057d0ac9c394f5c833c6a746d76bc17","b0fa819e150a4005a10ebdfc9d1b97d4"
"0ae2d20042d6418b8f3b8832ab43360e","",False,"cf31bbe1ab4e4135a83b1b923d733b0d","e057d0ac9c394f5c833c6a746d76bc17","b0fa819e150a4005a10ebdfc9d1b97d4"
$ openstack trust show 00cf1f149fd0463994ad62ec0939ec71 -f shell
deleted_at="None"
expires_at="None"
id="00cf1f149fd0463994ad62ec0939ec71"
impersonation="False"
project_id="cf31bbe1ab4e4135a83b1b923d733b0d"
redelegation_count="0"
remaining_uses="None"
roles="admin"
trustee_user_id="e057d0ac9c394f5c833c6a746d76bc17"
trustor_user_id="b0fa819e150a4005a10ebdfc9d1b97d4"
$ openstack trust show 0ae2d20042d6418b8f3b8832ab43360e -f shell
deleted_at="None"
expires_at="None"
id="0ae2d20042d6418b8f3b8832ab43360e"
impersonation="False"
project_id="cf31bbe1ab4e4135a83b1b923d733b0d"
redelegation_count="0"
remaining_uses="None"
roles="admin"
trustee_user_id="e057d0ac9c394f5c833c6a746d76bc17"
trustor_user_id="b0fa819e150a4005a10ebdfc9d1b97d4"
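One way to get the idempotent behaviour the report asks for, as an added example (not code from the original report or from the Puppet OpenStack modules): match existing trusts on their properties instead of their ID, and create only when nothing matches. It assumes the trustor, trustee and project names have already been resolved to IDs; trust_key, duplicate_trusts and plan_for are hypothetical names, and the sample rows are the two trusts from the report.

```ruby
require 'csv'

# Sample input: the `openstack trust list -f csv` output quoted in the report.
TRUST_LIST_CSV = <<~EOS
  "ID","Expires At","Impersonation","Project ID","Trustee User ID","Trustor User ID"
  "00cf1f149fd0463994ad62ec0939ec71","",False,"cf31bbe1ab4e4135a83b1b923d733b0d","e057d0ac9c394f5c833c6a746d76bc17","b0fa819e150a4005a10ebdfc9d1b97d4"
  "0ae2d20042d6418b8f3b8832ab43360e","",False,"cf31bbe1ab4e4135a83b1b923d733b0d","e057d0ac9c394f5c833c6a746d76bc17","b0fa819e150a4005a10ebdfc9d1b97d4"
EOS

# Columns that describe what a trust delegates. The ID is deliberately excluded.
# The list output has no roles column, so comparing roles would need an extra
# `openstack trust show` per candidate; that step is left out here.
KEY_COLUMNS = ['Trustor User ID', 'Trustee User ID', 'Project ID',
               'Impersonation', 'Expires At'].freeze

def parse_trusts(csv_text)
  CSV.parse(csv_text, headers: true).map(&:to_h)
end

# Normalised property tuple used as the identity of a trust.
def trust_key(row)
  KEY_COLUMNS.map { |col| row[col].to_s.strip.downcase }
end

# Groups of trusts that share every key property, as sorted arrays of IDs.
def duplicate_trusts(trusts)
  trusts.group_by { |t| trust_key(t) }
        .values
        .select { |group| group.size > 1 }
        .map { |group| group.map { |t| t['ID'] }.sort }
end

# Decision for `ensure => present`: reuse a matching trust or create one.
def plan_for(desired, trusts)
  match = trusts.find { |t| trust_key(t) == trust_key(desired) }
  match ? [:noop, match['ID']] : [:create, nil]
end

if __FILE__ == $PROGRAM_NAME
  trusts = parse_trusts(TRUST_LIST_CSV)
  duplicate_trusts(trusts).each do |ids|
    puts "duplicate trusts (same properties, different ID): #{ids.join(', ')}"
  end
end
```

The groups returned by duplicate_trusts are also the clean-up list for an environment where repeated catalog runs have already piled up trusts.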