Scalar stack_owner_role where heat supports multiple roles

Bug #1559078 reported by Johannes Grassler on 2016-03-18
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tempest
Undecided
Thomas Bechtold

Bug Description

Tempest only supports a single value for its stack_owner_role setting (used by `tempest account-generator`). Heat, on the other hand supports multiple values for the corresponding trusts_delegated_roles setting[0]:

   # Subset of trustor roles to be delegated to heat. If left unset, all roles of
   # a user will be delegated to heat when creating a stack. (list value)
   trusts_delegated_roles = heat_stack_owner

A user must have _all_ of these roles to be able to work with Heat stacks. If a cloud operator configures multiple roles in Heat, e.g. creates a setting like this in heat.conf...

   # Subset of trustor roles to be delegated to heat. If left unset, all roles of
   # a user will be delegated to heat when creating a stack. (list value)
   trusts_delegated_roles = heat_stack_owner,other_random_role

...they will break the stack_owner_role setting in Tempest. It is still possible to use the tempest_roles setting in Tempest to add other_random_role in this case, but this may have undesirable side effects (e.g. assigning unneeded roles to users in non-Heat contexts, causing tests to pass that would have failed without them).

Footnotes:

[0] Details what's behind this setting: http://hardysteven.blogspot.de/2014/04/heat-auth-model-updates-part-1-trusts.html

Fix proposed to branch: master
Review: https://review.openstack.org/299868

Changed in tempest:
assignee: nobody → Thomas Bechtold (toabctl)
status: New → In Progress

Change abandoned by Thomas Bechtold (<email address hidden>) on branch: master
Review: https://review.openstack.org/299868

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers