puppet-heat

Updates required for stack domain users

Bug #1288880 reported by Steven Hardy on 2014-03-06

This bug affects 5 people

Affects		Status	Importance	Assigned to	Milestone
	puppet-heat	Fix Released	High	Unassigned

Bug Description

Recent changes landed under the instance-users BP require some updates to the heat installation procedure, specifically:

1. Create a keystone domain and set the id in heat.conf (stack_user_domain)
2. Create a keystone user, and make them a domain admin (admin role in the domain created above)
3. Update heat.conf with the username and password of the domain-admin user (stack_domain_admin and stack_domain_admin_password)

This is the BP:
https://blueprints.launchpad.net/heat/+spec/instance-users

These are the commits which added the options, and include python-openstack commands to create the domain/user:
https://review.openstack.org/#/c/73978/
https://review.openstack.org/#/c/76035/

These are the associated devstack changes (now merged):
https://review.openstack.org/#/c/73324/
https://review.openstack.org/#/c/75424/
https://review.openstack.org/#/c/76036/

Note this introduces a dependency on python-openstackclient, because the "keystone" CLI tool provided by python-keystoneclient is deprecated and does not support the v3 keystone API, ref this discussion:
http://lists.openstack.org/pipermail/openstack-dev/2014-January/025629.html

In the event python-openstackclient is not available, heat provides a helper script which can be used to create the domain/user, but it's probably preferable to use openstackclient like devstack if available:
https://review.openstack.org/#/c/78048/

Revision history for this message

Steven Hardy (shardy) wrote on 2014-04-04:

Download full text (5.3 KiB)

I've been asked for steps to validate this, so these are the steps I'd use to ensure heat is correctly configured to use domain users:

1. Review heat.conf

[DEFAULT]
stack_domain_admin_password = apassword
stack_domain_admin = heat_domain_admin
stack_user_domain = 7e4f6598443b4f5e8ac3010728885329

These three entries should exist with values set appropriately in the DEFAULT section of the heat.conf

2. Ensure the heat domain and heat_domain_admin user exist in keystone:

3. Ensure stack domain users can be created and deleted via a stack, and that they end up in the heat stack domain

-bash-4.2$ cat user_access2.yaml
heat_template_version: 2013-05-23

resources:
user:
type: AWS::IAM::User

  access:
    type: AWS::IAM::AccessKey
    properties:
      UserName: { get_resource : user }

-bash-4.2$ heat stack-create ua2 -f user_access2.yaml
+--------------------------------------+------------+--------------------+----------------------+
| id | stack_name | stack_status | creation_time |
+--------------------------------------+------------+--------------------+----------------------+
| 769f96d4-6351-453f-b00c-7b06aa7b93ce | ua2 | CREATE_IN_PROGRESS | 2014-04-04T17:07:36Z |
+--------------------------------------+------------+--------------------+----------------------+

-bash-4.2$ openstack --os-identity-api-version=3 --os-url=http://127.0.0.1:5000/v3 --os-token foobar user list | grep ua2
| 53750398d9b1465e9e813b933fb45e2e | ua2-user-wf2s2eld3qnw |

I've been asked for steps to validate this, so these are the steps I'd use to ensure heat is correctly configured to use domain users:

1. Review heat.conf

[DEFAULT]
stack_domain_admin_password = apassword
stack_domain_admin = heat_domain_admin
stack_user_domain = 7e4f6598443b4f5e8ac3010728885329

These three entries should exist with values set appropriately in the DEFAULT section of the heat.conf

2. Ensure the heat domain and heat_domain_admin user exist in keystone:

3. Ensure stack domain users can be created and deleted via a stack, and that they end up in the heat stack domain

-bash-4.2$ cat user_access2.yaml 
heat_template_version: 2013-05-23

resources:
  user:
    type: AWS::IAM::User

access:
    type: AWS::IAM::AccessKey
    properties:
      UserName: { get_resource : user }

-bash-4.2$ heat stack-create ua2 -f user_access2.yaml
+--------------------------------------+------------+--------------------+----------------------+
| id                                   | stack_name | stack_status       | creation_time        |
+--------------------------------------+------------+--------------------+----------------------+
| 769f96d4-6351-453f-b00c-7b06aa7b93ce | ua2        | CREATE_IN_PROGRESS | 2014-04-04T17:07:36Z |
+--------------------------------------+------------+--------------------+----------------------+

-bash-4.2$ openstack --os-identity-api-version=3 --os-url=http://127.0.0.1:5000/v3 --os-token foobar user list | grep ua2
| 53750398d9b1465e9e813b933fb45e2e | ua2-user-wf2s2eld3qnw      |

-bash-4.2$ openstack --os-identity-api-version=3 --os-url=http://127.0.0.1:5000/v3 --os-token foobar user show 53750398d9b1465e9e813b933fb45e2e
+--------------------+-------------------------------------------------------------------------------+
| Field              | Value                                                                         |
+--------------------+-------------------------------------------------------------------------------+
| default_project_id | c45c5e533d7a40568493dee6b4048b99                                              |
| domain_id          | 7e4f6598443b4f5e8ac3010728885329                                              |
| enabled            | True                                                                          |
| id                 | 53750398d9b1465e9e813b933fb45e2e                                              |
| links              | {u'self': u'http://localhost:5000/v3/users/53750398d9b1465e9e813b933fb45e2e'} |
| name               | ua2-user-wf2s2eld3qnw                                                         |
+--------------------+-------------------------------------------------------------------------------+

-bash-4.2$ openstack --os-identity-api-version=3 --os-url=http://127.0.0.1:5000/v3 --os-token foobar domain show 7e4f6598443b4f5e8ac3010728885329
+-------------+---------------------------------------------------------------------------------+
| Field       | Value                                                                           |
+-------------+---------------------------------------------------------------------------------+
| description | Owns users and projects created by heat                                         |
| enabled     | True                                                                            |
| id          | 7e4f6598443b4f5e8ac3010728885329                                                |
| links       | {u'self': u'http://localhost:5000/v3/domains/7e4f6598443b4f5e8ac3010728885329'} |
| name        | heat                                                                            |
+-------------+---------------------------------------------------------------------------------+

-bash-4.2$ openstack --os-identity-api-version=3 --os-url=http://127.0.0.1:5000/v3 --os-token foobar project show c45c5e533d7a40568493dee6b4048b99
+-------------+----------------------------------------------------------------------------------+
| Field       | Value                                                                            |
+-------------+----------------------------------------------------------------------------------+
| description | Heat stack user project                                                          |
| domain_id   | 7e4f6598443b4f5e8ac3010728885329                                                 |
| enabled     | True                                                                             |
| id          | c45c5e533d7a40568493dee6b4048b99                                                 |
| links       | {u'self': u'http://localhost:5000/v3/projects/c45c5e533d7a40568493dee6b4048b99'} |
| name        | 048aeaa4c2714d268d669521d314c304-769f96d4-6351-453f-b00c-7b06aa7                 |
+-------------+----------------------------------------------------------------------------------+

Revision history for this message

Cédric LECOMTE (ced-lecomte) wrote on 2014-11-11:

I'm looking on how to implement this but I think this : https://blueprints.launchpad.net/puppet-keystone/+spec/api-v3-support is needed to support the domain things into puppet-keystone.

Revision history for this message

Emilien Macchi (emilienm) wrote on 2015-06-11:

I confirm our work on v3 API support is WIP for now but close to be merged.

Changed in puppet-heat:
status:	New → Confirmed
importance:	Undecided → High

Revision history for this message

Matt Fischer (mfisch) wrote on 2016-09-21:

Is this still an issue now that we are using v3?

Kumari Paluru (kumariopenstack) on 2019-09-16

Changed in puppet-heat:
assignee:	nobody → Kumari Paluru (kumariopenstack)

Revision history for this message

Takashi Kajinami (kajinamit) wrote on 2022-06-10:

This was earlier implemented by https://review.opendev.org/c/openstack/puppet-heat/+/103127

Changed in puppet-heat:
assignee:	Kumari Paluru (kumariopenstack) → nobody
status:	Confirmed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.