[openstack-dev] [magnum] Use Keystone trusts in Magnum?
jgrassler at suse.de
Wed Jul 6 13:40:26 UTC 2016
I submitted https://review.openstack.org/#/c/326428 a while ago to get around
having to configure Heat's policy.json in a very permissive manner. I
naively only tested it as one user, but gating caught that omission and
dutifully failed (a user cannot stack-get another user's Heat stack, even if
it's the Magnum service user). Ordinarily, that is.
Beyond the ordinary, Heat uses Keystone trusts to handle what is
basically the same problem (acting on a user's behalf way past the time of the
stack-create when the token used for the stack-create may have expired).
I propose doing the same thing in Magnum to get the Magnum service user the
ability to perform a stack-get on all of its bays' stacks. That way the hairy
problems with the wide-open permissions necessary for a global stack-list can
be avoided entirely.
I'd be willing to implement this, either as part of the existing change
referenced above or with a blueprint and all the bells and whistles.
So I have two questions:
1) Is this an acceptable way to handle the issue?
2) If so, is it blueprint material or can I get away with adding the code
required for Keystone trusts to the existing change?
 See Steven Hardy's excellent dissection of the problem at the root of it:
Johannes Grassler, Cloud Developer
SUSE Linux GmbH, HRB 21284 (AG Nürnberg)
GF: Felix Imendörffer, Jane Smithard, Graham Norton
Maxfeldstr. 5, 90409 Nürnberg, Germany
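A simplified model of the delegation pattern the post proposes, added here as an illustration and not code from Magnum, Heat or Keystone: a bay owner (trustor) delegates a subset of their roles on one project to the Magnum service user (trustee), who later redeems the trust for a project-scoped token and performs a stack-get without any global stack-list permission. User names, role names and the stack-get policy check are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
import time

class TrustError(Exception):
    pass

@dataclass
class Trust:
    trust_id: str
    trustor: str      # bay owner delegating access
    trustee: str      # e.g. the Magnum service user
    project: str      # a trust is scoped to exactly one project
    roles: frozenset  # subset of the trustor's roles on that project
    expires_at: Optional[float] = None
    remaining_uses: Optional[int] = None  # None = unlimited

# Constructed sample data: roles each user holds on each project.
USER_ROLES = {("alice", "proj-a"): {"member", "heat_stack_owner"},
              ("bob", "proj-b"): {"member", "heat_stack_owner"}}

def create_trust(trust_id, trustor, trustee, project, roles,
                 expires_at=None, remaining_uses=None):
    """Trustor creates a trust; it may only delegate roles it actually holds."""
    held = USER_ROLES.get((trustor, project), set())
    if not set(roles) <= held:
        raise TrustError("cannot delegate roles the trustor does not hold")
    return Trust(trust_id, trustor, trustee, project, frozenset(roles),
                 expires_at, remaining_uses)

def trust_scoped_token(trust, requester, now=None):
    """Trustee redeems the trust for a token; works even after the trustor's
    own token (used at stack-create time) has long since expired."""
    now = time.time() if now is None else now
    if requester != trust.trustee:
        raise TrustError("only the trustee may consume this trust")
    if trust.expires_at is not None and now >= trust.expires_at:
        raise TrustError("trust expired")
    if trust.remaining_uses is not None:
        if trust.remaining_uses <= 0:
            raise TrustError("trust exhausted")
        trust.remaining_uses -= 1
    return {"user": trust.trustor, "project": trust.project,
            "roles": trust.roles, "trust_id": trust.trust_id}

def can_stack_get(token, stack):
    """Simplified project-scoping check (constructed, not Heat's policy.json):
    the token must be scoped to the stack's project. The service user never
    needs admin or a global stack-list to read its own bays' stacks."""
    return token["project"] == stack["project"]
```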