9c14bb6d60
Due to default policy.json settings in Keystone, a non-admin user is not allowed to call 'list_users' or 'get_user' APIs. However, Senlin only knows the user name but it needs a user ID to create the trust between service requester and the 'senlin' user. The only workaround today is to have Senlin query its own user ID using its user name. After this is done, the trust middleware will use the service requester's credential to raise the 'trust create' request to Keystone. This necessitates two changes to the current code, one is to relax Keystone's policy setting to allow a user with 'service' role to do user list and user get (proposed here: https://review.openstack.org/181298); the other one is to have Senlin trust middleware to raise user ID checking request using 'senlin' credential. This patch contains the second part. Since devstack doesn't provide a function to modify default policy settings, we will wait to see if the patch to Keystone will be accepted. If Keystone refuse to accept that change, we need to hack the devstack plugin and 'setup-service' tool to modify the policy.json file. Anyway, we need 'senlin' user to have a 'service' role in the requester's domain (default to 'demo'). Change-Id: I87146a54f79e32a9175755f42da1e4406842c0b7 |
||
|---|---|---|
| .. | ||
| lib | ||
| plugin.sh | ||
| README.rst | ||
Devstack Integration
This directory contains the files necessary to integrate Senlin with devstack.
Refer the quickstart guide for more information on using devstack and senlin.
To install senlin into devstack, add the following settings to enable senlin plugin: :
[[local|localrc]]
enable_plugin senlin https://github.com/stackforge/senlin master
enable_service sl-api sl-engRun devstack as normal: :
cd /opt/stack/devstack
./stack.sh