[openstack-dev] [Heat] Admin operations on all tenants
Steven Hardy
shardy at redhat.com
Mon Nov 9 16:30:28 UTC 2015
On Mon, Nov 09, 2015 at 11:00:10AM +0000, Bruno Bompastor wrote:
> Hello,
>
> I was looking to enable admin operations for heat stacks on all tenants. This is useful to do support operations and debug stacks owned by different users.
>
> I came across the “heat stack-list -g” command that allows to see all stacks but after that is not possible to “heat stack-show” or “heat template-show” based on ID (even if you allow that operation for admins on the policy.json).
>
> Does anyone has a solution for this? Is it even possible?
Currently it's not possible, stack-list -g is the only "global" API
supported, and that is disabled by default in the policy.json.
This was discussed in the operator feedback session at summit, ref this
bug:
https://bugs.launchpad.net/heat/+bug/1466694
It sounds like there is a desire to see a general solution to this, but so
far we've resisted embracing the "global admin" concept, because it seemed
like several other projects made assumptions relating to the scope of the
admin role, ref https://bugs.launchpad.net/keystone/+bug/968696
I'll triage the heat bug mentioned above and we can continue discussion
there.
Steve
More information about the OpenStack-dev
mailing list