Drop heat_stack_owner role

this role is not actually required since ~Kilo I3f1b70b78b91bfac9af5fadb71140679b208c999 plus the heat chart already sets the trusts_delegated_roles option for Heat to pass all roles to the trust Change-Id: Icf900f318d3173d63c5967857d96f7d2a7f9aa5b
2019-02-05 17:30:33 +02:00 · 2019-02-05 17:30:33 +02:00 · 776f4a8297
commit 776f4a8297
parent 5648754f50
2 changed files with 2 additions and 16 deletions
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -572,13 +572,10 @@ bootstrap:
  enabled: true
  ks_user: admin
  script: |
-    #NOTE(portdirect): required for all users who operate heat stacks
-    openstack role create --or-show heat_stack_owner
-
    #NOTE(portdirect): The Orchestration service automatically assigns the
    # 'heat_stack_user' role to users that it creates during stack deployment.
    # By default, this role restricts API operations. To avoid conflicts, do
-    # not add this role to users with the heat_stack_owner role.
+    # not add this role to actual users.
    openstack role create --or-show heat_stack_user

 dependencies:
@ -766,9 +763,7 @@ endpoints:
        user_domain_name: default
        project_domain_name: default
      heat:
-        role:
-          - admin
-          - heat_stack_owner
+        role: admin
        region_name: RegionOne
        username: heat
        password: password
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -64,15 +64,6 @@ bootstrap:
          --project="${OS_PROJECT_NAME}" \
          "member"

-    #NOTE(portdirect): required for all users who operate heat stacks
-    openstack role create --or-show heat_stack_owner
-    openstack role add \
-          --user="${OS_USERNAME}" \
-          --user-domain="${OS_USER_DOMAIN_NAME}" \
-          --project-domain="${OS_PROJECT_DOMAIN_NAME}" \
-          --project="${OS_PROJECT_NAME}" \
-          "heat_stack_owner"
-
 network:
  api:
    ingress: