Ask Your Question

Revision history [back]

In principle it can be anything.

In practice you'll want to think carefully about authentication. Heat can always authenticate to OpenStack services with the user's Keystone credentials. With a non-Keystone-authenticated service, you have a number of options, none of which are especially good:

  • Don't have any authentication on the service
  • Have Heat itself authenticate, so any Heat user can access the service (i.e. non-multitenant)
  • Put the user's credentials in the template (as properties to the resource)

All of those have security implications that you may or may not be willing to accept depending on your own particular circumstances.