From a68e08cb4728474d981fb3013985199ced294555 Mon Sep 17 00:00:00 2001
From: tengqm <tengqim@cn.ibm.com>
Date: Sat, 9 Aug 2014 21:49:30 +0800
Subject: [PATCH] Privilege checking for heat-keystone-setup-domain

This patch added additional exception handling so that a non-admin user
will understand why his/her attempt to run this script failed.

Change-Id: I20a593f613931de0b3c13094a2e0b6c2f2b0eea1
Closes-Bug: 1354687
---
 bin/heat-keystone-setup-domain | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/bin/heat-keystone-setup-domain b/bin/heat-keystone-setup-domain
index 72ac4eb7c9..40dc3ee9bd 100755
--- a/bin/heat-keystone-setup-domain
+++ b/bin/heat-keystone-setup-domain
@@ -79,6 +79,11 @@ def main():
             logger.error("Unexpected filtered list response, please upgrade "
                          "keystoneclient to >= 0.5")
             sys.exit(1)
+    except kc_exception.Forbidden:
+        logger.error("User '%s' is not authorized to perform this "
+                     "operation, please try with other OS_USERNAME setting." %
+                     USERNAME)
+        sys.exit(1)
 
     # Create heat domain admin user
     if not HEAT_DOMAIN_PASSWORD: