use-usercreds-in-heat-operations

Bug #1594899 reported by Devdatta Kulkarni
Affects: Solum
Status: Fix Released
Importance: High
Assigned to: Devdatta Kulkarni
Milestone: (none)

Bug Description

In order to perform heat operations upon receipt of a github trigger, Solum needs to pass heat's authentication. One approach to do this is to use keystone trusts, whereby a trust is generated for the Solum service user (which happens to be 'solum' on devstack setup), and use that to generate a 'trust token' which can be used in performing heat operations. This approach has been implemented in Solum. However, it is not working. Even when a trust token is used, Heat throws an 'Action is Forbidden' exception. As part of investigating the root cause of the Forbidden exception and to possibly address it, we tried to start heat services using the same user as that used for running solum services (namely, the 'solum' service user). But that did not help. We also tried to add the 'heat_stack_owner' role when generating the trust as mentioned in [2]. But that did not help either. So since trust and trust token are not working, we have to consider other options.

One option that the Heat project had used in its initial stages was to store and use user creds to generate a user token when performing resource actions (on resources such as nova servers). User creds are sent in as part of request headers and encrypted before storing in the db on the service side. This bug is to implement similar functionality in Solum.

References:

[1] https://elmiko.github.io/2014/06/10/keystone-trust-delegation.html

[2] http://hardysteven.blogspot.com/2014/04/heat-auth-model-updates-part-1-trusts.html

[3] http://blogs.rdoproject.org/5858/role-delegation-in-keystone-trusts

[4] http://adam.younglogic.com/2013/03/trusts-and-oauth/
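The approach described above (credentials arrive in request headers, are encrypted with a service-side key before being written to the db, and are decrypted only when a user token is needed for a heat call) as an added example. This is illustrative code written for this page, not Solum's or Heat's implementation: it assumes the `cryptography` package is installed (Fernet gives AES-CBC plus an HMAC, so a stored blob is both confidential and tamper-evident), and the header names, the `CredStore` class and the app id are constructed for the example. The checks a reviewer would want are built in: an incomplete credential set is rejected before anything is stored, no credential value appears verbatim in what hits the db, and a wrong key or a modified row fails closed.

```python
import json
from cryptography.fernet import Fernet, InvalidToken

# Service-side encryption key. In a deployment this is loaded from the
# service config or a key manager; it is generated here only so the
# example runs offline. It must never be derived from request data.
SERVICE_KEY = Fernet.generate_key()

# Hypothetical header names used for this example (not Solum's API).
CRED_HEADERS = ("X-Auth-User", "X-Auth-Key", "X-Auth-Tenant")


def fresh_key() -> bytes:
    """Return a new, unrelated service key (used to show key mismatch)."""
    return Fernet.generate_key()


def extract_creds(headers: dict) -> dict:
    """Pull the credential fields out of request headers.

    A missing or empty field is rejected up front so that an incomplete
    credential set is never written to the db.
    """
    creds = {}
    for name in CRED_HEADERS:
        value = headers.get(name)
        if not value:
            raise ValueError(f"missing credential header {name}")
        creds[name] = value
    return creds


def encrypt_creds(creds: dict, key: bytes = SERVICE_KEY) -> str:
    """Serialise and encrypt the credentials for storage."""
    blob = json.dumps(creds, sort_keys=True).encode()
    return Fernet(key).encrypt(blob).decode()


def decrypt_creds(ciphertext: str, key: bytes = SERVICE_KEY) -> dict:
    """Recover the credentials; a wrong key or a modified blob fails closed."""
    try:
        blob = Fernet(key).decrypt(ciphertext.encode())
    except InvalidToken as exc:
        raise PermissionError("stored credentials cannot be decrypted "
                              "with this service key") from exc
    return json.loads(blob)


def plaintext_leaks(ciphertext: str, creds: dict) -> bool:
    """True if any credential value appears verbatim in the stored blob."""
    return any(value in ciphertext for value in creds.values())


def tamper(ciphertext: str) -> str:
    """Flip one character in the middle of a stored blob (simulated db
    tampering); Fernet's HMAC check must then reject it."""
    i = len(ciphertext) // 2
    replacement = "B" if ciphertext[i] != "B" else "C"
    return ciphertext[:i] + replacement + ciphertext[i + 1:]


class CredStore:
    """In-memory stand-in for the service db. Only ciphertext is kept."""

    def __init__(self):
        self._rows = {}

    def save(self, app_id: str, headers: dict) -> str:
        """Called when the request that registers the trigger arrives."""
        self._rows[app_id] = encrypt_creds(extract_creds(headers))
        return self._rows[app_id]

    def stored_ciphertext(self, app_id: str) -> str:
        return self._rows[app_id]

    def load(self, app_id: str, key: bytes = SERVICE_KEY) -> dict:
        """Called later (e.g. on a github trigger) to rebuild the user's
        auth so a user token can be requested for the heat operation."""
        return decrypt_creds(self._rows[app_id], key)


if __name__ == "__main__":
    # Constructed sample request headers.
    store = CredStore()
    hdrs = {"X-Auth-User": "alice", "X-Auth-Key": "correct-horse-battery",
            "X-Auth-Tenant": "demo-project"}
    row = store.save("app-1", hdrs)
    print("stored row leaks plaintext:", plaintext_leaks(row, hdrs))
    print("round trip ok:", store.load("app-1") == hdrs)
```

The decrypted credentials live only in memory for the duration of the heat call; the service key is the single secret that protects every stored row, so rotating it means re-encrypting the rows, and anyone who can read both the db and the service config can recover the users' credentials, which is the trade-off this design makes compared with trusts.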

Changed in solum:
assignee: nobody → Devdatta Kulkarni (devdatta-kulkarni)
importance: Undecided → High
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to solum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/332253

Changed in solum:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to solum (master)

Reviewed: https://review.openstack.org/332253
Committed: https://git.openstack.org/cgit/openstack/solum/commit/?id=d3c5d951611ac394c529e983e8a0372d997ee1c0
Submitter: Jenkins
Branch: master

commit d3c5d951611ac394c529e983e8a0372d997ee1c0
Author: Devdatta Kulkarni <email address hidden>
Date: Tue Jun 21 12:05:05 2016 -0500

    Using user creds to perform heat operations

    Change-Id: I960f2d2cf35c2f861cf58a40cd328f1943c14443
    Closes-Bug: #1594899

Changed in solum:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/solum 5.0.0

This issue was fixed in the openstack/solum 5.0.0 release.
