[Openstack] [heat] How to use 'heat stack-list -g' in Juno

Steven Hardy shardy at redhat.com
Thu May 28 09:55:26 UTC 2015


On Wed, May 27, 2015 at 10:37:13AM +0000, ashish.jain14 at wipro.com wrote:
>    Hi,
> 
>    When I run the command 'heat stack-list -g' as an 'admin' user, I get
>    unauthorized. Heat policy.json says "stacks:global_index":
>    "rule:deny_everybody". How can I make this work?

You'll have to modify the rule in policy.json, it's deliberately disabled
by default due to the potential for misuse, particularly give this
long-standing keystone bug[1]

If you're prepared for any admin in any project to have global visibility
of all stacks, you could just s/deny_everybody/context_is_admin on that
line.

A potentially more secure solution for real deployments would be to create
a new role which is only given to operator/service admins who you want to
grant global list access to.

[1] https://bugs.launchpad.net/keystone/+bug/968696




More information about the Openstack mailing list