From 4f8a32470d476b45a4de3f9ec66d39b4021914eb Mon Sep 17 00:00:00 2001 From: darrenchan Date: Tue, 16 Dec 2014 14:50:51 +1100 Subject: [PATCH] Clarify heat roles in the Installation Guide 1. Added a brief description of the heat_stack_owner and heat_stack_user roles 2. Added a warning not to assign heat_stack_owner and heat_stack_user roles to the same user. Change-Id: Ic180902bfe2d2e66eb8739f7ef41f6dd96b11d6b backport: Juno Closes-Bug: #1401668 --- doc/install-guide/section_heat-install.xml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/doc/install-guide/section_heat-install.xml b/doc/install-guide/section_heat-install.xml index 45bdce3121..2744498c75 100644 --- a/doc/install-guide/section_heat-install.xml +++ b/doc/install-guide/section_heat-install.xml @@ -72,11 +72,20 @@ - Create the heat_stack_user and heat_stack_owner roles: + Create the heat_stack_user and + heat_stack_owner roles: $ keystone role-create --name heat_stack_user $ keystone role-create --name heat_stack_owner By default, users created by Orchestration use the heat_stack_user role. + The heat_stack_user role is for users + created by heat, and is restricted to specific API actions. + The heat_stack_owner role is assigned to + users who create heat stacks. + Because the heat_stack_owner + role has limited operational access to heat, you must never + assign this role to a user with a heat_stack_user + role. Create the heat and
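Review bot: The rationale in the last added sentence ("Because the heat_stack_owner role has limited operational access to heat, you must never assign this role to a user with a heat_stack_user role") does not line up with the sentences added just before it, which say that heat_stack_user is the role "restricted to specific API actions" and describe heat_stack_owner only as the role for users who create stacks. As written, a reader cannot tell which role's restriction causes the conflict or what actually goes wrong when one user holds both roles. Please reword so the restriction is attributed to the role that has it and state the consequence of the double assignment. Since the commit message calls this a warning, also make sure it is marked up as one rather than left as running text. A smaller style point: the added lines say "heat" ("users created by heat", "access to heat") while the unchanged context line above them says "users created by Orchestration"; use one name for the service throughout the step.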