review.fuel-infra Code Review - openstack-build/heat-build.git/commit

author	Steven Hardy <shardy@redhat.com>
	Mon, 2 Sep 2013 15:32:40 +0000 (16:32 +0100)
committer	Steven Hardy <shardy@redhat.com>
	Tue, 3 Sep 2013 23:12:07 +0000 (00:12 +0100)
commit	e686699b00ee2ca190946261677d89641707e6c6
tree	4b97fa0d2968e82f67180ad04cd5072b6fc2cf92	tree \| snapshot
parent	ff0122f83f13082b3a89f38fe2aa0b52c7e6d492	commit \| diff

Migrate stored credentials to keystone trusts

Migrate the stored user_creds, which currently only supports
storing username/password credentials to use the keystone v3
API OS-TRUST extension, which allows explicit impersonation of
users calling heat (trustors) by the heat service user (the
trustee)

Note this feature is made optional via a new config option,
defaulted to off, and it requires the following patches to
keystoneclient (in 0.3.2 release) and keystone to work:

https://review.openstack.org/#/c/39899/
https://review.openstack.org/#/c/42456/

Also note that if the feature is enabled, by setting
deferred_auth_method=trusts in heat.conf, you must add
a keystone_authtoken section, which is also used by the
keystoneclient auth_token middleware.

blueprint heat-trusts

Change-Id: I288114d827481bc0a24eba4556400d98b1a44c09

etc/heat/heat.conf.sample		diff \| blob \| history
heat/common/config.py		diff \| blob \| history
heat/common/heat_keystoneclient.py		diff \| blob \| history
heat/engine/service.py		diff \| blob \| history
heat/tests/fakes.py		diff \| blob \| history
heat/tests/test_ceilometer_alarm.py		diff \| blob \| history
heat/tests/test_engine_service.py		diff \| blob \| history
heat/tests/test_heatclient.py		diff \| blob \| history
heat/tests/test_metadata_refresh.py		diff \| blob \| history
heat/tests/test_signal.py		diff \| blob \| history
heat/tests/utils.py		diff \| blob \| history
requirements.txt		diff \| blob \| history