Comment 9 for bug 1595084

Steven Hardy (shardy) wrote :

> Could you clarify if this requires an admin client on the Heat side? Does the trust creation work without an admin account?

No, you just require two users, one making the API request to heat/mistral (the trustor), and some user associated with heat/mistral to delegate to (the trustee) - neither user has to be admin.

That said, by default in the heat case we do delegate to the heat service user, which typically has the admin role, but this is just for convenience as the user already exists; you could create a separate trustee user without admin rights (and this would probably be a good idea from a security standpoint).