Updates required for stack domain users

Bug #1288880 reported by Steven Hardy on 2014-03-06
Bug Description

Recent changes landed under the instance-users BP require some updates to the heat installation procedure, specifically:

1. Create a keystone domain and set the id in heat.conf (stack_user_domain)
2. Create a keystone user, and make them a domain admin (admin role in the domain created above)
3. Update heat.conf with the username and password of the domain-admin user (stack_domain_admin and stack_domain_admin_password)

This is the BP:

These are the commits which added the options, and include python-openstack commands to create the domain/user:

These are the associated devstack changes (now merged):

Note this introduces a dependency on python-openstackclient, because the "keystone" CLI tool provided by python-keystoneclient is deprecated and does not support the v3 keystone API, ref this discussion:

In the event python-openstackclient is not available, heat provides a helper script which can be used to create the domain/user, but it's probably preferable to use openstackclient like devstack if available:

Steven Hardy (shardy) wrote :
I've been asked for steps to validate this, so these are the steps I'd use to ensure heat is correctly configured to use domain users:

1. Review heat.conf

stack_domain_admin_password = apassword
stack_domain_admin = heat_domain_admin
stack_user_domain = 7e4f6598443b4f5e8ac3010728885329

These three entries should exist with values set appropriately in the DEFAULT section of the heat.conf

2. Ensure the heat domain and heat_domain_admin user exist in keystone:

-bash-4.2$ openstack --os-identity-api-version=3 --os-url= --os-token foobar domain list | grep heat
| 7e4f6598443b4f5e8ac3010728885329 | heat | True | Owns users and projects created by heat |

-bash-4.2$ openstack --os-identity-api-version=3 --os-url= --os-token foobar user list | grep heat
| 50d363c7a1e245fbb337669e432eb87b | heat_domain_admin |
| 7357ce487a3e449bac41bc54aa756f52 | heat |

3. Ensure stack domain users can be created and deleted via a stack, and that they end up in the heat stack domain

-bash-4.2$ cat user_access2.yaml
heat_template_version: 2013-05-23

resources:
  # Resource name "user" is confirmed by the get_resource reference below
  # and by the created user name ua2-user-...
  user:
    type: AWS::IAM::User

  # The access-key resource name was lost from the report; "key" is assumed.
  key:
    type: AWS::IAM::AccessKey
    properties:
      UserName: { get_resource : user }

-bash-4.2$ heat stack-create ua2 -f user_access2.yaml
| id | stack_name | stack_status | creation_time |
| 769f96d4-6351-453f-b00c-7b06aa7b93ce | ua2 | CREATE_IN_PROGRESS | 2014-04-04T17:07:36Z |

-bash-4.2$ openstack --os-identity-api-version=3 --os-url= --os-token foobar user list | grep ua2
| 53750398d9b1465e9e813b933fb45e2e | ua2-user-wf2s2eld3qnw |

-bash-4.2$ openstack --os-identity-api-version=3 --os-url= --os-token foobar user show 53750398d9b1465e9e813b933fb45e2e
| Field | Value |
| default_project_id | c45c5e533d7a40568493dee6b4048b99 |
| domain_id | 7e4f6598443b4f5e8ac3010728885329 |
| enabled | True |
| id | 53750398d9b1465e9e813b933fb45e2e |
| links | {u'self': u'http://localhost:5000/v3/users/53750398d9b1465e9e813b933fb45e2e'} |
| name | ua2-user-wf2s2eld3qnw |

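The two checks in the validation steps above (the three [DEFAULT] options present in heat.conf, and a created stack user landing in the stack_user_domain) can be automated against saved command output. This is an added example, not code from the bug report or from heat; the heat.conf fragment and the `openstack user show` table are constructed samples that mirror the values shown above.

```python
import configparser

# Constructed heat.conf fragment (values mirror the bug report).
HEAT_CONF = """\
[DEFAULT]
stack_domain_admin_password = apassword
stack_domain_admin = heat_domain_admin
stack_user_domain = 7e4f6598443b4f5e8ac3010728885329
"""

# Constructed `openstack user show <id>` output for a stack domain user.
USER_SHOW = """\
| Field              | Value                            |
| default_project_id | c45c5e533d7a40568493dee6b4048b99 |
| domain_id          | 7e4f6598443b4f5e8ac3010728885329 |
| enabled            | True                             |
| id                 | 53750398d9b1465e9e813b933fb45e2e |
| name               | ua2-user-wf2s2eld3qnw            |
"""

REQUIRED = ("stack_user_domain", "stack_domain_admin", "stack_domain_admin_password")


def read_stack_domain_settings(conf_text):
    """Return the three stack-domain options from [DEFAULT]; raise if any is unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    settings = {}
    for key in REQUIRED:
        value = cp.get("DEFAULT", key, fallback="").strip()
        if not value:
            raise ValueError("heat.conf [DEFAULT] is missing %s" % key)
        settings[key] = value
    return settings


def parse_show_table(text):
    """Turn a two-column `| Field | Value |` CLI table into a dict."""
    rows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] != "Field":
            rows[cells[0]] = cells[1]
    return rows


def stack_user_in_heat_domain(conf_text, user_show_text):
    """True only if the shown user's domain_id equals stack_user_domain."""
    settings = read_stack_domain_settings(conf_text)
    user = parse_show_table(user_show_text)
    return user.get("domain_id") == settings["stack_user_domain"]
```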

Cédric LECOMTE (ced-lecomte) wrote :

I'm looking at how to implement this, but I think this: https://blueprints.launchpad.net/puppet-keystone/+spec/api-v3-support is needed to support the domain things in puppet-keystone.

Emilien Macchi (emilienm) wrote :

I confirm our work on v3 API support is WIP for now but close to being merged.

Changed in puppet-heat:
status: New → Confirmed
importance: Undecided → High
Matt Fischer (mfisch) wrote :

Is this still an issue now that we are using v3?

Changed in puppet-heat:
assignee: nobody → Kumari Paluru (kumariopenstack)
