OpenStack Heat

Management API

Registered by Richard Lee

As an administrator of a Heat system, I should be able to pull certain information from the Heat API that is relevant to the system as a whole, or aggregate information across multiple tenants. As a system administrator, I should have the ability to restrict access to some of this information such that a general tenant (user) must not be able to access it. Note that some of this information may also be nice to expose to normal individual tenants of the system. Either using Heat configuration files, or a proxy such as REPOSE, I would like the ability to configure what keystone roles have permission to access which pieces of information.

Blueprint information

Status:
Complete
Approver:
Steve Baker
Priority:
High
Drafter:
None
Direction:
Approved
Assignee:
andersonvom
Definition:
Approved
Series goal:
Accepted for icehouse
Implementation:
Implemented
Milestone target:
milestone icon 2014.1
Started by
Steve Baker
Completed by
andersonvom

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:management_api,n,z

Addressed by: https://review.openstack.org/54651
    DRAFT: Management API - Proof of Concept

(shardy): I've been looking at the request scoping aspects of this, and have added a dep on keystone service-scoped token, and request-scoping-policy, which IMO will both be prerequisite to getting the service-wide tenant-less access which was discussed in some of the use-cases for this feature.

(dolph): this bp should really not be blocked on "service-scoped-role-definition", or any policy-impacting bp. worst case, i'd suggest that heat move forward with this bp and publish a default policy.json with a "deny all" policy protecting the new capabilities, until more desirable policy infrastructure is provided by keystone.

Addressed by: https://review.openstack.org/63039
    Add filter and pagination to stack_get_all

Addressed by: https://review.openstack.org/63041
    Unscoped List Stacks

Gerrit topic: https://review.openstack.org/#q,topic:bp/management-api,n,z

Addressed by: https://review.openstack.org/72789
    Add tenant to unscoped stack list response

Addressed by: https://review.openstack.org/70853
    Alter stack_count_all_by_tenant to stack_count_all

Addressed by: https://review.openstack.org/70852
    Replace stack_get_all_by_tenant with stack_get_all

Addressed by: https://review.openstack.org/74519
    Refactor Stack timestamps

Addressed by: https://review.openstack.org/75495
    Fix stack_get_all call on stack watcher

Addressed by: https://review.openstack.org/76644
    Change Resource timestamps to save correct info

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

Nearby

This blueprint contains Public information 
Everyone can see this information.