9c14bb6d60
Due to default policy.json settings in Keystone, a non-admin user is not allowed to call 'list_users' or 'get_user' APIs. However, Senlin only knows the user name but it needs a user ID to create the trust between service requester and the 'senlin' user. The only workaround today is to have Senlin query its own user ID using its user name. After this is done, the trust middleware will use the service requester's credential to raise the 'trust create' request to Keystone. This necessitates two changes to the current code, one is to relax Keystone's policy setting to allow a user with 'service' role to do user list and user get (proposed here: https://review.openstack.org/181298); the other one is to have Senlin trust middleware to raise user ID checking request using 'senlin' credential. This patch contains the second part. Since devstack doesn't provide a function to modify default policy settings, we will wait to see if the patch to Keystone will be accepted. If Keystone refuse to accept that change, we need to hack the devstack plugin and 'setup-service' tool to modify the policy.json file. Anyway, we need 'senlin' user to have a 'service' role in the requester's domain (default to 'demo'). Change-Id: I87146a54f79e32a9175755f42da1e4406842c0b7 |
||
|---|---|---|
| .. | ||
| config-generator.conf | ||
| gen_pot | ||
| gen-config | ||
| README | ||
| senlin-db-recreate | ||
| setup-service | ||
Files in this directory are general developer tools or examples of how
to do certain activities.
-----
Tools
-----
+ senlin-db-recreate
- This script drops the Senlin database from mysql in the case of developer
data corruption or erasing Senlin.
- Users are expected to customize the 'MYSQL_ROOT_PW' and 'MYSQL_SENLIN_PW'
according to their deployments