[openstack-dev] [Heat][Keystone] Native keystone resources in Heat

Fox, Kevin M Kevin.Fox at pnnl.gov
Fri Jan 30 16:16:41 UTC 2015

I was asking earlier this week about keystone resources on the irc channel...

We're thinking about having a tenant per user on one of our clouds. We're using neutron. So setting this up involves:

 * Creating a User
 * Creating a Tenant
 * Assigning Roles
 * Creating the Tenants default Private network. (owned by the tenant)
 * Creating a Neutron Router. (owned by the tenant)
 * Setting the Router gateway.
 * Plugging in the Router to the Private network.
 * Setting some additional security group rules on the users default group. (Out of the box we want icmp and port 22 open)

We'd like to have the heat stack maintained by the admin's tenant so they are protected.

I tried but some of this stuff can't be done in heat today. I ended up having to write a shell script.

I'd love to be able to use heat for this.

From: Zane Bitter [zbitter at redhat.com]
Sent: Thursday, January 29, 2015 8:41 AM
To: openstack Development Mailing List
Subject: [openstack-dev] [Heat][Keystone] Native keystone resources in Heat

I got a question today about creating keystone users/roles/tenants in
Heat templates. We currently support creating users via the
AWS::IAM::User resource, but we don't have a native equivalent.

IIUC keystone now allows you to add users to a domain that is otherwise
backed by a read-only backend (i.e. LDAP). If this means that it's now
possible to configure a cloud so that one need not be an admin to create
users then I think it would be a really useful thing to expose in Heat.
Does anyone know if that's the case?

I think roles and tenants are likely to remain admin-only, but we have
precedent for including resources like that in /contrib... this seems
like it would be comparably useful.



OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

More information about the OpenStack-dev mailing list