[Openstack] [heat] How to use 'heat stack-list -g' in Juno

ashish.jain14 at wipro.com
Fri May 29 06:48:17 UTC 2015


Thanks Steven, that is helpful.

________________________________________
From: Steven Hardy <shardy at redhat.com>
Sent: Thursday, May 28, 2015 3:25 PM
To: Ashish Jain (WT01 - BAS)
Cc: openstack at lists.openstack.org
Subject: Re: [Openstack] [heat] How to use 'heat stack-list -g' in Juno

On Wed, May 27, 2015 at 10:37:13AM +0000, ashish.jain14 at wipro.com wrote:
>    Hi,
>
>    When I run the command 'heat stack-list -g' as an 'admin' user, I get
>    unauthorized. Heat policy.json says "stacks:global_index":
>    "rule:deny_everybody". How can I make this work?

You'll have to modify the rule in policy.json; it's deliberately disabled
by default due to the potential for misuse, particularly given this
long-standing keystone bug[1].

If you're prepared for any admin in any project to have global visibility
of all stacks, you could just s/deny_everybody/context_is_admin on that
line.

A potentially more secure solution for real deployments would be to create
a new role which is only given to operator/service admins who you want to
grant global list access to.

[1] https://bugs.launchpad.net/keystone/+bug/968696
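
Added example (not part of the thread, and not Heat's own policy engine): the Python below evaluates the three settings discussed above for "stacks:global_index" against constructed callers, showing who gains global list access under each. The role name heat_global_viewer, the caller names and the small evaluator (it handles only "!", "role:" and "rule:") are assumptions made for this example.

```python
# Simplified evaluator for a subset of the policy.json rule language.
# Assumption: only "!", "role:<name>" and "rule:<name>" are supported.

BASE = {  # constructed sample, modelled on the rules quoted in the thread
    "context_is_admin": "role:admin",
    "deny_everybody": "!",
}

VARIANTS = {
    "default": "rule:deny_everybody",             # shipped setting per the thread
    "any_admin": "rule:context_is_admin",         # the s/// edit from the reply
    "dedicated_role": "role:heat_global_viewer",  # hypothetical role name
}

CALLERS = {  # constructed role lists, as they would appear in a request context
    "cloud operator": ["admin", "heat_global_viewer"],
    "project-A admin": ["admin"],
    "project-A member": ["_member_"],
}


def check(policy, rule, roles, depth=0):
    """Return True if a caller holding `roles` satisfies `rule`."""
    if depth > 10:
        raise ValueError("rule reference loop")
    rule = rule.strip()
    if rule == "!":  # "!" never matches
        return False
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule":  # follow a named rule; unknown names deny
        return value in policy and check(policy, policy[value], roles, depth + 1)
    raise ValueError("unsupported rule syntax: %r" % rule)


def who_can_list_globally(variant):
    """Names of the constructed callers allowed to run a global stack list."""
    policy = dict(BASE)
    policy["stacks:global_index"] = VARIANTS[variant]
    return sorted(name for name, roles in CALLERS.items()
                  if check(policy, "rule:stacks:global_index", roles))


if __name__ == "__main__":
    for variant in VARIANTS:
        print("%-15s -> %s" % (variant, who_can_list_globally(variant) or "nobody"))
```

With "any_admin", the admin of a single project passes the check as well, which is the exposure the dedicated role avoids.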