blazar/README.rst
Pierre Riteau 3de6f73e92 Fix physical host reservation for non-admin users
Originally, Blazar was using its service user to manage objects for
physical host reservation, e.g. host aggregates, which by default
requires admin rights. Commit 16d5f67ba7020701edbbf09a747f5683b0840c21
started using a dedicated account configured with values
climate_username, climate_password, and climate_tenant_name. Commit
c9b7307cf3c97d3b48878aca6eda5b7fbc4dcfa7 removed this dedicated account
and started using trusts instead, so that operations were performed on
behalf of the user creating the lease (with the trustee being the blazar
service user).

While this works well if users creating leases are admins, non-admin
users will get errors because the default Nova policy prevents them from
running required operations associated with aggregates and hypervisors.

Since it is not clear why a dedicated account for admin operations was
required, this patch brings back the approach used before commit
16d5f67ba7020701edbbf09a747f5683b0840c21, which was to use the service
account for admin operations. This allows non-admin users to create
Blazar leases.

The nova client setup is updated to authenticate against Keystone v3.

Change-Id: Iad86bb549aec13edd662965d2f91b68c856ae06c
Closes-Bug: #1663204
2017-06-02 16:00:54 +09:00

Blazar

Overview

OpenStack Reservation Service

Prerequisites

  • Keystone v3 API endpoint
  • Service account

Configuration

Create identityv3 endpoint

To add a new endpoint for Keystone V3, use the following instructions:

1) keystone service-create --name keystonev3 --type identityv3 --description "Keystone Identity Service v3"

2) keystone endpoint-create --region <region> --service keystonev3 --publicurl "<auth_protocol>://<auth_host>:5000/v3" --adminurl "<auth_protocol>://<auth_host>:35357/v3" --internalurl "<auth_protocol>://<auth_host>:5000/v3"