Allow attribute for deferred_auth_method

We should switch to using deferred_auth_method=trusts by default,
for the following reasons:
- It's more secure, we won't have to store username/password anymore
- It's better for users, because they won't have to provide a
username/password anymore, e.g the box in horizon where we force
them to enter a password even though horizon is already passing
us a token.

Change-Id: I04634d065c785a13991a9a4ac76e544d7a6f34fe
Closes-Bug: #1429722

attributes/default.rb

@@ -147,6 +147,9 @@ default['openstack']['orchestration']['stack_user_domain_name'] = nil
 # users and projects in the stack_user_domain. (string value)
 default['openstack']['orchestration']['stack_domain_admin'] = nil
 
+# Select deferred auth method, stored password or trusts.
+default['openstack']['orchestration']['deferred_auth_method'] = 'trusts'
+
 # If set, heat API service will bind to the address on this interface,
 # otherwise it will bind to the API endpoint's host.
 default['openstack']['orchestration']['api']['bind_interface'] = nil

spec/spec_helper.rb

@@ -331,6 +331,7 @@ shared_examples 'expects to create heat conf' do
           /^admin_user=heat$/,
           /^admin_password=heat-pass$/,
           /^admin_tenant_name=service$/,
+          /^deferred_auth_method=trusts$/,
           %r{^signing_dir=/var/cache/heat$},
           /^region_name_for_services=RegionOne$/
         ].each do |line|

templates/default/heat.conf.erb

@@ -35,7 +35,9 @@
 
 # Select deferred auth method, stored password or trusts.
 # (string value)
-#deferred_auth_method=password
+<% if node['openstack']['orchestration']['deferred_auth_method'] -%>
+deferred_auth_method=<%= node['openstack']['orchestration']['deferred_auth_method'] %>
+<% end -%>
 
 # Subset of trustor roles to be delegated to heat. (list
 # value)