Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Trying to get heat with keystone API v3 and trusts to work

Hello

As the title says I am trying to get this to work but I am unable to. I have migrated my test setup to keystone API V3 and all services are OK, but the heat service doesn't work as intended.

I have set my stack_user_domain_id and stack_domain_admin. I also have deferred_auth_method = trusts trusts_delegated_roles = heat_stack_owner set. I have a separate domain called heat in which my stack_domain_admin has the admin and heat-stack_owner role

openstack user list --domain heat

+----------------------------------+-------------+
| ID                               | Name        |
+----------------------------------+-------------+
| 415db3f35e8445b085676c6eb73e94eb | stack_admin |
+----------------------------------+-------------+

openstack role list --domain heat

+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 1effcb0a91d0408a9b71098ac3bb98c7 | project_admin    |
| 3424d73431f84d6090a934854c596e96 | heat_stack_user  |
| 80db8ad3599d4603b16bd80983b90cda | heat_stack_owner |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_         |
| a7599f32de514ddab3d93c8380e4aec6 | admin            |
| e1143e6bb70344d68c115d4652462014 | image_admin      |
+----------------------------------+------------------+

openstack role assignment list -c Role -c User --domain heat

+----------------------------------+----------------------------------+
| Role                             | User                             |
+----------------------------------+----------------------------------+
| 80db8ad3599d4603b16bd80983b90cda | 415db3f35e8445b085676c6eb73e94eb |
| a7599f32de514ddab3d93c8380e4aec6 | 415db3f35e8445b085676c6eb73e94eb |
| a7599f32de514ddab3d93c8380e4aec6 | admin                            |
+----------------------------------+----------------------------------+

My own user is also heat-stack_owner in the project I am member of in my default domain.

However, if I try to deploy a heat stack I am getting an error ERROR: Remote error: BadRequest Expecting to find id or name in user (full debug output here: http://pastebin.com/N0R0c29i) This looks to me like the trusts are not working. Especially since I can deploy this stack if I switch to password as deferred_auth_method.

Can anyone shed some light on what I might be missing there?