[openstack-dev] [heat] Deprecate/Remove deferred_auth_method=password config option

Zane Bitter zbitter at redhat.com
Fri Jun 16 13:33:54 UTC 2017

On 16/06/17 05:09, Kaz Shinohara wrote:
> I still take `deferred_auth_method=password` instead of trusts because 
> we don't enable trusts on the Keystone side due to some internal reason.

Free advice: whatever reason you have for not enabling trusts, storing 
user passwords in the Heat database is 100x worse.

> The issues you pointed out are correct (e.g. user_domain_id); we don't 
> use the domain well and also added some patches to skip those issues.

Why aren't those upstream?

> But I guess that the majority of heat users have already moved to trusts, and 
> it is obviously the better solution in terms of security and granular role 
> control.
> As an edge case (perhaps), if a user wants to take password auth, it 
> would be too tricky for them to introduce it, therefore I agree with your 2nd 
> option.
> If we remove `deferred_auth_method=password` from heat.conf, 
> should we keep `deferred_auth_method` itself or replace it with a new 
> config option just to specify whether trusts are enabled/disabled? Do you have 
> any idea on this?
> Also I'm thinking that `reauthentication_method` might also be 
> changed/merged?
> Regards,
> Kaz Shinohara
> 2017-06-16 14:11 GMT+09:00 Rabi Mishra <ramishra at redhat.com>:


>     I'm not sure whether this works with keystone v2 and whether anyone is using
>     it or not. Keeping in mind that heat-cli is deprecated and keystone
>     v3 is now the default, we've 2 options:
>     1. Continue to support the 'deferred_auth_method=password' option and
>     fix all the above issues.
>     2. Remove/deprecate the option in Pike itself.
>     I would prefer option 2, but probably I miss some history and use
>     cases for it.

Am I right in thinking that any user (i.e. not just the [heat] service 
user) can create a trust? I still see occasional requests about 
'standalone mode' for clouds that don't have Heat available to users 
(which I suspect is broken, otherwise people wouldn't be asking), and 
I'm guessing that standalone mode has heretofore required 

So if we're going to remove the option then we should probably either 
officially disown standalone mode or rewrite the instructions such that 
it can be used with the trusts method.
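As an added operator-side example (not part of this thread and not Heat's own code): a small audit that reads a heat.conf and flags the password-based deferred auth mode the thread is discussing, since with `deferred_auth_method=password` Heat keeps user credentials in its own database. It assumes heat.conf is a plain INI file with a `[DEFAULT]` section and that an unset `deferred_auth_method` means `trusts`; the sample configs are constructed for the demonstration.

```python
"""Audit a heat.conf for the password-based deferred auth mode.

Added example, not code from this thread or from Heat. Assumption: heat.conf
is INI-style with the options under [DEFAULT], and an absent
deferred_auth_method is treated as 'trusts'.
"""
import configparser
from typing import List

# Constructed sample: the weak setting the thread proposes to remove.
WEAK_CONF = """
[DEFAULT]
deferred_auth_method = password
"""

# Constructed sample: the trusts-based setting the thread recommends.
HARDENED_CONF = """
[DEFAULT]
deferred_auth_method = trusts
reauthentication_method = trusts
"""


def audit_heat_conf(text: str) -> List[str]:
    """Return a list of findings (empty when nothing needs attention)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    # Options written under [DEFAULT] are exposed via defaults().
    options = parser.defaults()
    findings: List[str] = []

    # Assumption: Heat treats an unset value as 'trusts'.
    method = options.get("deferred_auth_method", "trusts").strip().lower()
    if method == "password":
        findings.append(
            "deferred_auth_method=password: Heat stores user credentials in its "
            "database for deferred operations; switch to deferred_auth_method=trusts"
        )
    elif method != "trusts":
        findings.append(
            f"deferred_auth_method={method!r}: unrecognised value, expected 'trusts'"
        )

    # reauthentication_method only makes sense together with trusts.
    reauth = options.get("reauthentication_method", "").strip().lower()
    if reauth and method != "trusts":
        findings.append(
            f"reauthentication_method={reauth!r} is set but deferred_auth_method "
            f"is {method!r}; re-authentication relies on trusts"
        )
    return findings


def audit_file(path: str) -> List[str]:
    """Convenience wrapper: audit a heat.conf on disk."""
    with open(path, encoding="utf-8") as handle:
        return audit_heat_conf(handle.read())


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_heat_conf(conf)
        print(f"{label}: {result or 'no findings'}")
```

Run it against a real deployment with `audit_file("/etc/heat/heat.conf")`; an empty list means the deferred auth settings already match the trusts-based configuration the thread favours.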
