senlin/senlin
tengqm 9c14bb6d60 Fix admin requirement in trust middleware
Due to default policy.json settings in Keystone, a non-admin user is not
allowed to call 'list_users' or 'get_user' APIs. However, Senlin only
knows the user name but it needs a user ID to create the trust between
service requester and the 'senlin' user. The only workaround today is to
have Senlin query its own user ID using its user name. After this is
done, the trust middleware will use the service requester's credential
to raise the 'trust create' request to Keystone.

This necessitates two changes to the current code: one is to relax
Keystone's policy setting to allow a user with 'service' role to do user
list and user get (proposed here: https://review.openstack.org/181298);
the other one is to have the Senlin trust middleware raise the user ID
checking request using the 'senlin' credential. This patch contains the
second part.

Since devstack doesn't provide a function to modify default policy
settings, we will wait to see if the patch to Keystone will be accepted.
If Keystone refuses to accept that change, we need to hack the devstack
plugin and 'setup-service' tool to modify the policy.json file.

Anyway, we need the 'senlin' user to have a 'service' role in the
requester's domain (defaults to 'demo').

Change-Id: I87146a54f79e32a9175755f42da1e4406842c0b7
2015-05-08 03:53:50 -04:00
api Fix admin requirement in trust middleware 2015-05-08 03:53:50 -04:00
cmd Fixing initial PEP8 and python check errors 2015-03-18 15:27:08 +08:00
common Merge "Rename 'tags' to be 'metadata'" 2015-05-06 08:40:49 +00:00
db Add last_op property to ClusterPolicy 2015-05-07 03:40:12 -04:00
drivers Handle HttpNotFound correctly in nova server_delete 2015-05-06 22:42:14 -04:00
engine Add last_op property to ClusterPolicy 2015-05-07 03:40:12 -04:00
locale Update pot file with a script for future use 2015-05-07 00:39:09 -04:00
openstack Trust middleware implementation 2015-04-17 20:04:29 -04:00
policies Provide best-effort option in scaling policy 2015-05-05 01:58:08 -04:00
profiles Rename 'tags' to be 'metadata' 2015-05-06 01:33:28 -04:00
rpc Rename 'tags' to be 'metadata' 2015-05-06 01:33:28 -04:00
tests Add last_op property to ClusterPolicy 2015-05-07 03:40:12 -04:00
webhooks Merge "Revise two log errors in webhook workflow" 2015-04-28 03:47:52 +00:00
__init__.py Fixed oslo.i18n namespace errors 2015-01-19 19:45:49 +08:00
version.py Initial verion 2014-12-14 18:08:05 +08:00