Avoid needing admin role for stack create/delete
Bug #1089261 reported by Steven Hardy
This bug affects 9 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Heat | Fix Released | High | Steven Hardy |
Bug Description
Currently the AccessKey and WaitConditionHandle resources need keystone admin role to create/delete.
Discussion with asalkeld indicates this is not acceptable, so we need to implement a workaround which uses the stored admin context internally, but only requires a normal keystone user to create/delete the stack.
This is only a workaround; the long-term fix will be to use the keystone on-behalf-of users (similar concept to AWS IAM:Roles) which are currently being discussed. This will hopefully avoid the need to use actual users at all for these resources.
Changed in heat:
status: New → Triaged
importance: Undecided → High
Changed in heat:
assignee: nobody → Steven Hardy (shardy)
Changed in heat:
milestone: none → grizzly-3
Changed in heat:
assignee: Steven Hardy (shardy) → nobody
Changed in heat:
assignee: nobody → Steven Hardy (shardy)
milestone: none → havana-1
Changed in heat:
milestone: havana-1 → havana-2
Changed in heat:
milestone: havana-2 → havana-3
Changed in heat:
milestone: havana-3 → ongoing
Changed in heat:
milestone: ongoing → icehouse-1
Changed in heat:
milestone: icehouse-1 → icehouse-2
Changed in heat:
milestone: icehouse-2 → icehouse-3
Changed in heat:
milestone: icehouse-3 → icehouse-rc1
Changed in heat:
status: Fix Committed → Fix Released
Changed in heat:
milestone: icehouse-rc1 → 2014.1
Discussion now indicates we should probably postpone any action on this issue, and track the progress of the keystone blueprints for grizzly, as it looks like there are some changes which may help resolve this.