
Add trustee config group to sample config

Some time ago, we added support for a new "trustee" config section,
aimed at allowing independent configuration of the credentials used
to obtain trust-scoped tokens for deferred authentication.  One of the
main reasons for this was to avoid incorrectly using the keystone
auth_token section, and as such a deprecation warning was added when
we fall back to using that config section for heat.

Unfortunately we didn't capture this new section in the sample config
because it's registered via keystoneclient.auth, so this adds support
for this section to the sample config generated via tox -e genconfig,
and adds some notes clarifying usage to the auth_plugin option.

To move to the new config syntax, but maintain the current behavior,
which is to delegate to the heat service user, you can add this section
to your heat.conf:

auth_plugin = password
auth_url = http://<keystone hostname or IP>:35357
username = heat
password = password
user_domain_id = default

The generated config documents many more options, all of those supported
by the keystoneclient v3 Password auth plugin, but these are the minimum
to enable delegation to the heat service user in the default domain.

In new deployments this could be set to some other user (such as one created
in the heat domain), but note that the trustee should not be changed for
existing deployments where stacks exist, as the trust stored inside heat
defines a relationship between the stack owner (trustor) and a specific
trustee (which will be the heat service user if the deployment is using
the deprecated path that steals credentials from keystone auth_token).

Change-Id: I30aeb765a2246ce54b10972ae7187655d85cde1f
Partial-Bug: #1300246
Steven Hardy 6 years ago


@ -2,6 +2,7 @@
output_file = etc/heat/heat.conf.sample
wrap_width = 79
namespace = heat.common.config
namespace = heat.common.context
namespace = heat.common.crypt
namespace = heat.common.heat_keystoneclient
namespace = heat.common.wsgi
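Review bot: whichever `namespace =` line is the new one here, its value must match an `oslo.config.opts` entry point in setup.cfg character for character, because oslo-config-generator resolves each namespace through those entry points rather than by importing the module directly; a mismatch means the [trustee] group this change is meant to document never reaches heat.conf.sample. Since the commit message says the group's options are registered via keystoneclient.auth and not via cfg.CONF.register*, it is also worth running `tox -e genconfig` once and confirming the generated [trustee] section actually lists the auth_plugin, auth_url, username, password and user_domain_id options the message quotes.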


@ -34,10 +34,28 @@ from heat.engine import clients
LOG = logging.getLogger(__name__)
# Note, we yield the options via list_opts to enable generation of the
# sample heat.conf, but we don't register these options directly via
# cfg.CONF.register*, it's done via auth.register_conf_options
# Note, only auth_plugin = v3password is expected to work, example config:
# [trustee]
# auth_plugin = password
# auth_url =
# username = heat
# password = password
# user_domain_id = default
V3_PASSWORD_PLUGIN = 'v3password'
auth.register_conf_options(cfg.CONF, TRUSTEE_CONF_GROUP)
def list_opts():
trustee_opts = auth.conf.get_common_conf_options()
yield TRUSTEE_CONF_GROUP, trustee_opts
class RequestContext(context.RequestContext):
"""Stores information about the security context.
@ -151,6 +169,7 @@ class RequestContext(context.RequestContext):
cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
if self._trusts_auth_plugin:
LOG.warn(_LW('SHDEBUG NOT Using the keystone_authtoken'))
return self._trusts_auth_plugin
LOG.warn(_LW('Using the keystone_authtoken user as the heat '
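Review bot: `LOG.warn(_LW('SHDEBUG NOT Using the keystone_authtoken'))` reads as a leftover debugging message and should be dropped before merge; it sits on the intended, non-deprecated path (`if self._trusts_auth_plugin:`), so every deployment that configures [trustee] would log it on each request context. The comment block is also internally inconsistent: it says `only auth_plugin = v3password is expected to work` and defines `V3_PASSWORD_PLUGIN = 'v3password'`, yet the example config two lines below and the commit message both use `auth_plugin = password`; state one supported value so operators copying the sample do not end up on the deprecated fallback without noticing. Minor: `LOG.warning` is the non-deprecated spelling of `LOG.warn`, and since the example puts a service-account password in heat.conf in clear text, the sample comment could remind operators that the file needs to be readable only by the heat service.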


@ -41,6 +41,7 @@ wsgi_scripts =
oslo.config.opts =
heat.common.config = heat.common.config:list_opts
heat.common.context = heat.common.context:list_opts
heat.common.crypt = heat.common.crypt:list_opts
heat.common.heat_keystoneclient = heat.common.heat_keystoneclient:list_opts
heat.common.wsgi = heat.common.wsgi:list_opts
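Review bot: each entry here has to point at the module that actually defines `list_opts`, and the entry name must equal the `namespace =` line in the generator config, since that is how the two are joined at generation time. The `list_opts` added in the previous hunk lives in the module that defines `RequestContext` and `TRUSTEE_CONF_GROUP`, so the entry for that module is the one this change depends on; confirm that `heat.common.heat_keystoneclient:list_opts` and `heat.common.context:list_opts` both resolve, because the generator will fail to load a namespace whose target attribute does not exist.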