Enable Heat to use Keystone v3 domains

Registered by Pavlo Shchelokovskyy

Since Icehouse, Heat supports (and since Juno suggests as the default deployment configuration) using Keystone v3 and its features, such as domains and trusts, for internal auth. This greatly improves Heat usability by not requiring admin rights to create resources that create internal Heat-specific Keystone users, and by not polluting the Keystone user space with such internal users. Also, full user credentials (including the password) no longer have to be stored in Heat's DB, which improves security.

Blueprint information

Status:
Complete
Approver:
ruhe
Priority:
High
Drafter:
Pavlo Shchelokovskyy
Direction:
Approved
Assignee:
Igor Yozhikov
Definition:
Approved
Series goal:
Accepted for 6.1.x
Implementation:
Implemented
Milestone target:
6.1
Started by
Igor Yozhikov
Completed by
Sergey Kraynev

Whiteboard

That is how Heat in DevStack is configured to use Keystone domains and trusts using python-openstackclient
[1] https://github.com/openstack-dev/devstack/blob/master/lib/heat#L247
RELATED BUG = https://bugs.launchpad.net/mos/+bug/1428700
heat-common package update = https://review.fuel-infra.org/#/c/4391/
fuel-library = https://review.openstack.org/#/c/161807/

Work Items

Work items:
Create Heat-specific domains and users in Keystone at deploy time using python-openstackclient (see [1] on how it is done in devstack): TODO
Use values obtained at previous step to configure heat.conf on all controllers: TODO
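
The two work items above, sketched as an added example (not code from this blueprint, DevStack or Fuel). The function names, the HEAT_DOMAIN_ADMIN_PASSWORD variable and the default domain and user names are assumptions made for illustration; admin credentials for python-openstackclient are assumed to be exported already.

```shell
#!/bin/sh
# Added example: deploy-time Keystone v3 setup for Heat's stack-user domain.
# Assumes admin credentials and OS_IDENTITY_API_VERSION=3 are already exported.
# Domain/user names are illustrative defaults.
HEAT_DOMAIN_NAME="${HEAT_DOMAIN_NAME:-heat}"
HEAT_DOMAIN_ADMIN="${HEAT_DOMAIN_ADMIN:-heat_domain_admin}"

# Work item 1: create the domain and its admin user, then grant the admin
# role on that domain only. Prints the new domain ID on stdout.
create_heat_domain() {
    [ -n "${HEAT_DOMAIN_ADMIN_PASSWORD:-}" ] || {
        echo "HEAT_DOMAIN_ADMIN_PASSWORD is not set" >&2; return 1; }
    domain_id=$(openstack domain create "$HEAT_DOMAIN_NAME" \
        --description "Owns users and projects created by heat" \
        -f value -c id) || return 1
    [ -n "$domain_id" ] || { echo "no domain ID returned" >&2; return 1; }
    # --password is visible in the process list; --password-prompt avoids that
    # for interactive runs.
    user_id=$(openstack user create "$HEAT_DOMAIN_ADMIN" \
        --domain "$domain_id" --password "$HEAT_DOMAIN_ADMIN_PASSWORD" \
        --description "Manages users and projects created by heat" \
        -f value -c id) || return 1
    # Pass the user by ID so the name cannot resolve to a user in another domain.
    openstack role add --user "$user_id" --domain "$domain_id" admin \
        >/dev/null || return 1
    printf '%s\n' "$domain_id"
}

# Work item 2: heat.conf fragment for every controller. $1 = domain ID.
render_heat_conf() {
    cat <<EOF
[DEFAULT]
deferred_auth_method = trusts
stack_user_domain_id = $1
stack_domain_admin = $HEAT_DOMAIN_ADMIN
stack_domain_admin_password = $HEAT_DOMAIN_ADMIN_PASSWORD
EOF
}

# Usage (the fragment holds a secret, so restrict its permissions):
#   id=$(create_heat_domain) && (umask 077; render_heat_conf "$id" > heat-domain.conf)
```

The domain admin holds the admin role only on the Heat domain, so a leaked heat.conf exposes users and projects inside that domain rather than cloud-wide admin rights.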
