Clarify heat roles in the Installation Guide

1. Added a brief description of the heat_stack_owner and heat_stack_user roles
2. Added a warning not to assign heat_stack_owner and heat_stack_user roles to the same user.

Change-Id: Ic180902bfe2d2e66eb8739f7ef41f6dd96b11d6b
backport: Juno
Closes-Bug: #1401668
darrenchan 2014-12-16 14:50:51 +11:00
parent bc24396c3c
commit 4f8a32470d


@ -72,11 +72,20 @@
</note> </note>
</step> </step>
<step> <step>
<para>Create the <literal>heat_stack_user</literal> and <literal>heat_stack_owner</literal> roles:</para> <para>Create the <literal>heat_stack_user</literal> and
<literal>heat_stack_owner</literal> roles:</para>
<screen><prompt>$</prompt> <userinput>keystone role-create --name heat_stack_user</userinput> <screen><prompt>$</prompt> <userinput>keystone role-create --name heat_stack_user</userinput>
<prompt>$</prompt> <userinput>keystone role-create --name heat_stack_owner</userinput></screen> <prompt>$</prompt> <userinput>keystone role-create --name heat_stack_owner</userinput></screen>
<para>By default, users created by Orchestration use the <para>By default, users created by Orchestration use the
<literal>heat_stack_user</literal> role.</para> <literal>heat_stack_user</literal> role.</para>
<para>The <literal>heat_stack_user</literal> role is for users
created by heat, and is restricted to specific API actions.
The <literal>heat_stack_owner</literal> role is assigned to
users who create heat stacks.</para>
<warning><para>Because the <literal>heat_stack_owner</literal>
role has limited operational access to heat, you must never
assign this role to a user with a <literal>heat_stack_user</literal>
role.</para></warning>
</step> </step>
<step> <step>
<para>Create the <literal>heat</literal> and <para>Create the <literal>heat</literal> and
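Review bot: The rationale in the new <warning> contradicts the paragraph added directly above it: that paragraph says heat_stack_user is the role "restricted to specific API actions", while the warning says it is heat_stack_owner that "has limited operational access to heat". As written, a reader cannot tell which role carries the restriction or what goes wrong when one user holds both. Suggest naming the restricted role consistently in both places, stating the consequence of combining the roles, and phrasing the rule symmetrically as the commit message does (do not assign both roles to the same user). Minor: the added paragraph says "created by heat" where the unchanged line just above says "created by Orchestration"; use one name throughout the step.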