Comment 24 for bug 1300246

OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/254145
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=67f12e5e24eb9ec06e609f4399008b9d704128a1
Submitter: Jenkins
Branch: master

commit 67f12e5e24eb9ec06e609f4399008b9d704128a1
Author: Steven Hardy <email address hidden>
Date: Mon Dec 7 11:20:25 2015 +0000

    Add trustee config group to sample config

    Some time ago, we added support for a new "trustee" config section,
    aimed at allowing independent configuration of the credentials used
    to obtain trust-scoped tokens for deferred authentication. One of the
    main reasons for this was to avoid incorrectly using the keystone
    auth_token section, and as such a deprecation warning was added when
    we fall back to using that config section for heat.

    Unfortunately we didn't capture this new section in the sample config
    because it's registered via keystoneclient.auth, so this adds support
    for this section to the sample config generated via tox -e genconfig,
    and adds some notes clarifying usage to the auth_plugin option.

    To move to the new config syntax, but maintain the current behavior,
    which is to delegate to the heat service user, you can add this section
    to your heat.conf

    [trustee]
    auth_plugin = password
    auth_url = http://<keystone hostname or IP>:35357
    username = heat
    password = password
    user_domain_id = default

    The generated config documents many more options, all of those supported
    by the keystoneclient v3 Password auth plugin, but these are the minimum
    to enable delegation to the heat service user in the default domain.

    In new deployments this could be set to some other user (such as one created
    in the heat domain), but note that the trustee should not be changed for
    existing deployments where stacks exist, as the trust stored inside heat
    defines a relationship between the stack owner (trustor) and a specific
    trustee (which will be the heat service user if the deployment is using
    the deprecated path that steals credentials from keystone auth_token).

    Change-Id: I30aeb765a2246ce54b10972ae7187655d85cde1f
    Partial-Bug: #1300246
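The commit message above describes two operator-facing concerns: the minimum [trustee] options needed for the password plugin, and the warning that the trustee must not change once stacks (and therefore stored trusts naming a specific trustee) exist. The following pre-flight check is an added example written for this page; it is not heat's own code and not part of the change above. It assumes heat.conf is ini-style and readable with configparser, and it assumes the deprecated fallback path reads its service-user name from [keystone_authtoken] under either `username` or the older `admin_user` option (both names are assumptions here, not stated in the commit). The sample configs and the `stacks_exist` flag (standing in for the operator's knowledge of whether the deployment already has stacks) are constructed for the example.

```python
"""Pre-flight check for the heat.conf [trustee] section.

Added example for this page, not heat's own code. It verifies that
[trustee] carries the minimum options for the password plugin and, when
stacks already exist, that the configured trustee is still the user the
deprecated [keystone_authtoken] fallback would have delegated to.
"""
import configparser
import io

# Minimum options for the keystoneclient v3 Password plugin, as listed in
# the commit message above.
REQUIRED_TRUSTEE_OPTIONS = ("auth_plugin", "auth_url", "username",
                            "password", "user_domain_id")


def load_conf(text):
    """Parse heat.conf text; interpolation is off so '%' in a password is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp


def legacy_trustee_user(cp):
    """User the deprecated fallback path would delegate to.

    Assumption (not from the commit): the fallback reads the service user
    from [keystone_authtoken], under 'username' or the older 'admin_user'.
    """
    if not cp.has_section("keystone_authtoken"):
        return None
    sect = cp["keystone_authtoken"]
    return sect.get("username") or sect.get("admin_user")


def check_trustee(text, stacks_exist):
    """Return a list of findings; an empty list means the config passes."""
    cp = load_conf(text)
    findings = []
    if not cp.has_section("trustee"):
        findings.append("no [trustee] section: heat will fall back to "
                        "[keystone_authtoken] credentials (deprecated)")
        return findings
    trustee = cp["trustee"]
    missing = [o for o in REQUIRED_TRUSTEE_OPTIONS if not trustee.get(o)]
    if missing:
        findings.append("[trustee] is missing: " + ", ".join(missing))
    if trustee.get("auth_plugin", "password") != "password":
        findings.append("check assumes auth_plugin = password; got %r"
                        % trustee.get("auth_plugin"))
    if trustee.get("password") == "password":
        findings.append("[trustee] password is the sample placeholder")
    legacy = legacy_trustee_user(cp)
    if stacks_exist and legacy and trustee.get("username") != legacy:
        # Trusts stored in heat name a specific trustee; switching the user
        # after stacks exist breaks deferred auth for those stacks.
        findings.append("trustee changed from %r to %r with stacks present: "
                        "stored trusts name the old trustee"
                        % (legacy, trustee.get("username")))
    return findings


# Constructed sample configs (hostnames and passwords are made up).
SAMPLE_OK = """\
[keystone_authtoken]
username = heat
password = s3cret-service
[trustee]
auth_plugin = password
auth_url = http://keystone.example.com:35357
username = heat
password = s3cret-service
user_domain_id = default
"""

SAMPLE_CHANGED = SAMPLE_OK.replace("username = heat\npassword = s3cret-service\nuser_domain_id",
                                   "username = heat_trustee\npassword = other-s3cret\nuser_domain_id")

SAMPLE_PARTIAL = SAMPLE_OK.replace("user_domain_id = default\n", "")

SAMPLE_MISSING = """\
[keystone_authtoken]
username = heat
password = s3cret-service
"""

if __name__ == "__main__":
    for name, conf in (("ok", SAMPLE_OK), ("changed", SAMPLE_CHANGED),
                       ("partial", SAMPLE_PARTIAL), ("missing", SAMPLE_MISSING)):
        print(name, check_trustee(conf, stacks_exist=True) or "OK")
```

Run it against a real heat.conf by replacing the constructed sample text; the `stacks_exist` flag should be true for any deployment that already has stacks, since that is exactly the case the commit says must keep its trustee unchanged.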