Open Stack

Excerpts from 王华's message of 2015-08-14 02:34:59 -0700:
> Hi Clint Byrum,
> 
> Trusts can solve this problem, but it may cause performance problem.
> When we want to get a stack, we need to get the trust_id from db first, and
> authenticate with the trust_id, then we can get the stack.
> 

Indeed, however the answer to this is to subscribe to notifications
and get Heat to publish the things you need so you don't have to fetch
the stack so often. I believe there's some desire to have Heat push the
things that tools like Magnum would want into Zaqar. That would likely
be the best way to deal with this (assuming consuming messages from
Zaqar ends up being more scalable than querying your DB + keystone. ;)

Going around the authentication controls by giving Magnum 100% admin
over all things is just going to turn into a mess over time. Other users
of Heat will need to do things like this, and won't have the luxury of
being operator-owned.