Inherit roles for create_trust_context()

This change the default value of the option 'trusts_delegated_roles' to []. And delegate all of the trustor roles when create the trust unless user set the option to subset roles. Change-Id: I3f1b70b78b91bfac9af5fadb71140679b208c999 Closes-bug: #1376562
2014-10-15 11:41:45 +08:00 · 2014-10-15 11:41:45 +08:00 · aab01c00ff
commit aab01c00ff
parent 6b9a2b54c7
5 changed files with 36 additions and 10 deletions
--- a/etc/heat/heat.conf.sample
+++ b/etc/heat/heat.conf.sample
@ -35,9 +35,10 @@
 # (string value)
 #deferred_auth_method=password

-# Subset of trustor roles to be delegated to heat. (list
-# value)
-#trusts_delegated_roles=heat_stack_owner
+# Subset of trustor roles to be delegated to heat. If left
+# unset, all roles of a user will be delegated to heat when
+# creating a stack. (list value)
+#trusts_delegated_roles=

 # Maximum resources allowed per top-level stack. (integer
 # value)
--- a/heat/common/config.py
+++ b/heat/common/config.py
@ -105,8 +105,10 @@ engine_opts = [
               help=_('Select deferred auth method, '
                      'stored password or trusts.')),
    cfg.ListOpt('trusts_delegated_roles',
-                default=['heat_stack_owner'],
-                help=_('Subset of trustor roles to be delegated to heat.')),
+                default=[],
+                help=_('Subset of trustor roles to be delegated to heat.'
+                       ' If left unset, all roles of a user will be'
+                       ' delegated to heat when creating a stack.')),
    cfg.IntOpt('max_resources_per_stack',
               default=1000,
               help=_('Maximum resources allowed per top-level stack.')),
--- a/heat/common/heat_keystoneclient.py
+++ b/heat/common/heat_keystoneclient.py
@ -275,7 +275,11 @@ class KeystoneClientV3(object):
        trustee_user_id = self.admin_client.auth_ref.user_id
        trustor_user_id = self.client.auth_ref.user_id
        trustor_project_id = self.client.auth_ref.project_id
-        roles = cfg.CONF.trusts_delegated_roles
+        # inherit the roles of the trustor, unless set trusts_delegated_roles
+        if cfg.CONF.trusts_delegated_roles:
+            roles = cfg.CONF.trusts_delegated_roles
+        else:
+            roles = self.context.roles
        try:
            trust = self.client.trusts.create(trustor_user=trustor_user_id,
                                              trustee_user=trustee_user_id,
--- a/heat/engine/service.py
+++ b/heat/engine/service.py
@ -371,6 +371,14 @@ class EngineService(service.Service):
                          'deprecated and will be removed in the Juno '
                          'release.', DeprecationWarning)

+        if cfg.CONF.trusts_delegated_roles:
+            warnings.warn('The default value of "trusts_delegated_roles" '
+                          'option in heat.conf is changed to [] in Kilo '
+                          'and heat will delegate all roles of trustor. '
+                          'Please keep the same if you do not want to '
+                          'delegate subset roles when upgrading.',
+                          Warning)
+
    def create_periodic_tasks(self):
        LOG.debug("Starting periodic watch tasks pid=%s" % os.getpid())
        # Note with multiple workers, the parent process hasn't called start()
--- a/heat/tests/test_heatclient.py
+++ b/heat/tests/test_heatclient.py
@ -492,7 +492,14 @@ class KeystoneClientTest(HeatTestCase):
        trust_context = heat_ks_client.create_trust_context()
        self.assertEqual(ctx.to_dict(), trust_context.to_dict())

-    def test_create_trust_context_trust_create(self):
+    def test_create_trust_context_trust_create_deletegate_subset_roles(self):
+        delegate_roles = ['heat_stack_owner']
+        self._test_create_trust_context_trust_create(delegate_roles)
+
+    def test_create_trust_context_trust_create_deletegate_all_roles(self):
+        self._test_create_trust_context_trust_create()
+
+    def _test_create_trust_context_trust_create(self, delegate_roles=None):

        """Test create_trust_context when creating a trust."""

@ -503,22 +510,26 @@ class KeystoneClientTest(HeatTestCase):

        self._stubs_v3()
        cfg.CONF.set_override('deferred_auth_method', 'trusts')
-        cfg.CONF.set_override('trusts_delegated_roles', ['heat_stack_owner'])
+        if delegate_roles:
+            cfg.CONF.set_override('trusts_delegated_roles', delegate_roles)

+        trustor_roles = ['heat_stack_owner', 'admin', '__member__']
+        trustee_roles = delegate_roles or trustor_roles
        self.mock_ks_v3_client.auth_ref = self.m.CreateMockAnything()
        self.mock_ks_v3_client.auth_ref.user_id = '5678'
        self.mock_ks_v3_client.auth_ref.project_id = '42'
        self.mock_ks_v3_client.trusts = self.m.CreateMockAnything()
+
        self.mock_ks_v3_client.trusts.create(
            trustor_user='5678',
            trustee_user='1234',
            project='42',
            impersonation=True,
-            role_names=['heat_stack_owner']).AndReturn(MockTrust())
+            role_names=trustee_roles).AndReturn(MockTrust())

        self.m.ReplayAll()

-        ctx = utils.dummy_context()
+        ctx = utils.dummy_context(roles=trustor_roles)
        ctx.trust_id = None
        heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
        trust_context = heat_ks_client.create_trust_context()