The periodic task unneccessarily lists Heat stacks in the
global tenant (across all tenants) which the Magnum service
user may lack permission for. Also, the most restrictive way
to let it use global stack-list is chose a Keystone role and
open that operation to any user in any project holding that
role.
This commit substitutes a direct lookup of all bays' stack_id
attributes for this global stack list. This direct lookup will
yield the same net result. In order to get the neccessary
permissions it will use each bay's stored Keystone trust to
act on behalf of the bay's creating user.
Co-Authored-By: Jiri Suchomel <jiri.suchomel@suse.com>
Closes-Bug: #1589955
Change-Id: I67b176c137c463e37e037970cc4e468d51db30c9
* move common prerequisities and configure in the common directory
* remove lock_path from common configuration, only rdo packages need
it -- debian, obs and ubuntu packages configure it by default
* use trust_domain_name and trust_domain_admin_name instead of id
* update finalize message in obs and rdo IGs
* fix bullet-list in filanize services
* add x509keypair configuration option
Partially-Implements: blueprint projectspecificinstallguides
Partially-Implements: blueprint magnum-installation-guide
Change-Id: I67376938f1a118c2b1f1f7326c14158178ab71ea