Fix admin requirement in trust middleware
Due to default policy.json settings in Keystone, a non-admin user is not allowed to call the 'list_users' or 'get_user' APIs. However, Senlin only knows the user name, but it needs a user ID to create the trust between the service requester and the 'senlin' user. The only workaround today is to have Senlin query its own user ID using its user name. After this is done, the trust middleware will use the service requester's credential to raise the 'trust create' request to Keystone.

This necessitates two changes to the current code: one is to relax Keystone's policy setting to allow a user with the 'service' role to do user list and user get (proposed here: https://review.openstack.org/181298); the other is to have the Senlin trust middleware raise the user ID checking request using the 'senlin' credential. This patch contains the second part.

Since devstack doesn't provide a function to modify default policy settings, we will wait to see if the patch to Keystone will be accepted. If Keystone refuses to accept that change, we need to hack the devstack plugin and 'setup-service' tool to modify the policy.json file. Anyway, we need the 'senlin' user to have a 'service' role in the requester's domain (default to 'demo').

Change-Id: I87146a54f79e32a9175755f42da1e4406842c0b7
@@ -36,6 +36,12 @@ openstack user create \
senlin

openstack role add \
service \
admin \
--user senlin \
--project service

# make sure 'senlin' has 'service' role in 'demo' project
openstack role add \
service \
--user senlin \
--project demo

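Review bot: the added `openstack role add` hard-codes the requester's project as `demo`, so the trust middleware's user lookup will only work for requesters in that one project, while the commit message says 'demo' is merely the default for the requester's domain; either take the project/domain from a variable that the rest of this devstack script already uses, or document in the comment that deployments with other requester projects must grant the `service` role there as well. The comment line `# make sure 'senlin' has 'service' role in 'demo' project` should also say why (the pending Keystone policy change for `list_users`/`get_user`, https://review.openstack.org/181298), since anyone reading the script later will not know this grant depends on a policy.json relaxation that may not be merged. Note too that the grant widens what the `senlin` service user can do inside a user-facing project, so it is worth keeping the scope to exactly the `service` role rather than copying the `admin` grant used for the `service` project a few lines above.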