[Openstack] [heat] How to use 'heat stack-list -g' in Juno
Steven Hardy
shardy at redhat.com
Thu May 28 09:55:26 UTC 2015
On Wed, May 27, 2015 at 10:37:13AM +0000, ashish.jain14 at wipro.com wrote:
> Hi,
>
> When I run the command 'heat stack-list -g' as an 'admin' user, I get
> unauthorized. Heat policy.json says "stacks:global_index":
> "rule:deny_everybody". How can I make this work?
You'll have to modify the rule in policy.json, it's deliberately disabled
by default due to the potential for misuse, particularly give this
long-standing keystone bug[1]
If you're prepared for any admin in any project to have global visibility
of all stacks, you could just s/deny_everybody/context_is_admin on that
line.
A potentially more secure solution for real deployments would be to create
a new role which is only given to operator/service admins who you want to
grant global list access to.
[1] https://bugs.launchpad.net/keystone/+bug/968696
More information about the Openstack
mailing list