e377658586
If you set up heat with trusts enabled, heat fails to create remote stack since by default it creates trusts with turned off redelegation.

This commit adds a new option `allow_trusts_redelegation` (False by default) which, when enabled together with `reauthentication_auth_method` set to `trusts`, will make Heat create trusts with allow_redelegation=True, both for trusts used for deferred auth and for long creating stacks.

Change-Id: I73e73455139a87fb798fd8a4651c075a91be75fd
Story: #2005062
Task: 29606
Task: 17266
20 lines
980 B
YAML
---
features:
  - |
    Added new config option ``[DEFAULT]allow_trusts_redelegation`` (``False``
    by default). When enabled and ``reauthentication_auth_method`` is set to
    ``trusts``, Heat will always create trusts with enabled redelegation,
    for both trusts used for long running stacks and for trusts used for
    deferred authentication.
security:
  - |
    With both ``reauthentication_auth_method`` set to ``trusts`` and
    ``allow_trusts_redelegation`` set to ``True`` (new config option, ``False``
    by default), Heat will always create trusts with enabled redelegation,
    for both trusts used for long running stacks and for trusts used for
    deferred authentication. This has security implications and is only
    recommended when Heat is set to use trusts and you experience problems
    with other services Heat consumes that also need to create trusts
    from the token being passed by Heat (examples are Aodh and Heat running in
    another region).
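An added example, not part of the Heat commit: a small audit that reads `heat.conf` text and reports whether the combination described in the security note is active. The sample configs are constructed, and the function name, status labels and the set of strings treated as boolean true are assumptions.

```python
import configparser

# Assumption: strings treated as boolean true (case-insensitive).
TRUTHY = {"1", "t", "true", "on", "y", "yes"}

# Constructed sample heat.conf contents, not taken from a real deployment.
SAMPLE_REDELEGATING = """\
[DEFAULT]
reauthentication_auth_method = trusts
allow_trusts_redelegation = True
"""
SAMPLE_INERT = """\
[DEFAULT]
# Redelegation requested, but reauthentication does not use trusts.
allow_trusts_redelegation = true
"""
SAMPLE_DEFAULT = """\
[DEFAULT]
reauthentication_auth_method = trusts
"""


def audit_heat_conf(text):
    """Return (status, message) for the trust redelegation settings."""
    # strict=False tolerates repeated keys; no interpolation of '%' values.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(text)
    opts = parser.defaults()  # keys of the [DEFAULT] section, lower-cased
    reauth = opts.get("reauthentication_auth_method", "").strip().strip("'\"")
    raw = opts.get("allow_trusts_redelegation", "false")  # False by default
    redelegate = raw.strip().lower() in TRUTHY
    if redelegate and reauth == "trusts":
        return ("review", "Heat creates trusts with allow_redelegation=True; "
                "confirm a consumer such as Aodh or a remote-region Heat needs it")
    if redelegate:
        return ("inert", "allow_trusts_redelegation is set, but it only applies "
                "when reauthentication_auth_method is trusts")
    return ("ok", "trusts are created without redelegation (the default)")


if __name__ == "__main__":
    for name, conf in [("redelegating", SAMPLE_REDELEGATING),
                       ("inert", SAMPLE_INERT),
                       ("default", SAMPLE_DEFAULT)]:
        status, message = audit_heat_conf(conf)
        print(f"{name}: {status}: {message}")
```

A `review` result is a prompt to check whether the deployment actually has the problem the note names before leaving redelegation enabled.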