Configure domain and Heat roles

Follow changes were made according operator's doc (http://docs.openstack.org/project-install-guide/orchestration/ newton/install-ubuntu.html): - Add Heat domain - Add heat_domain_admin user in Heat domain - Add roles: heat_stack_owner, heat_stack_user Change-Id: I2f905a9786bfc4b66d66697a9dcfcd21feb4cb4a
2016-11-23 07:37:36 +00:00 · 2016-11-23 07:37:36 +00:00 · 8a4d4d86b2
commit 8a4d4d86b2
parent e97389a945
3 changed files with 42 additions and 1 deletions
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@ -10,6 +10,12 @@ configs:

    user: heat
    password: password
+    domain:
+      password: password
+      # it is strongly recommended don't change this value
+      name: heat
+      # it is strongly recommended don't change this value
+      user: heat_domain_admin

    debug: false

--- a/service/files/heat.conf.j2
+++ b/service/files/heat.conf.j2
@ -5,6 +5,9 @@ use_stderr = True
 use_forwarded_for = True
 region_name_for_services = RegionOne
 rpc_backend = rabbit
+stack_domain_admin = {{ heat.domain.user }}
+stack_domain_admin_password = {{ heat.domain.password }}
+stack_user_domain_name = {{ heat.domain.name }}

 [database]
 connection = mysql+pymysql://{{ heat.db.username }}:{{ heat.db.password }}@{{ address(service.database) }}/{{ heat.db.name }}
--- a/service/heat-api.yaml
+++ b/service/heat-api.yaml
@ -33,7 +33,7 @@ service:
          type: single
          command:
            openstack user create --domain default --password {{ heat.password }} {{ heat.user }}
-        - name: heat-role-add
+        - name: heat-admin-role-add
          dependencies:
            - heat-user-create
          type: single
@ -63,6 +63,38 @@ service:
          type: single
          command:
            openstack endpoint create --region RegionOne orchestration admin {{ address('heat-api', heat.api_port, with_scheme=True) }}/v1/%\(tenant_id\)s
+        # Orchestration requires additional information in the Identity service to manage stacks.
+        # For detailed explanation see: http://docs.openstack.org/project-install-guide/orchestration/newton/install-ubuntu.html
+        - name: keystone-create-heat-domain
+          type: single
+          command:
+            openstack domain create --description "Owns users and projects created by heat" {{ heat.domain.name }}
+        - name: heat-domain-admin-user-create
+          type: single
+          command:
+            openstack user create --domain {{ heat.domain.name }} --password {{ heat.domain.password }}  {{ heat.domain.user }}
+          dependencies:
+            - keystone-create-heat-domain
+        - name: grant-doman-user-admin-privileges
+          type: single
+          command:
+            openstack role add --domain {{ heat.domain.name }} --user-domain {{ heat.domain.name }} --user {{ heat.domain.user }} admin
+          dependencies:
+            - heat-domain-admin-user-create
+        # You must add the heat_stack_owner role to each user that manages stacks after addinf new users.
+        - name: heat-stack-owner-role-create
+          type: single
+          command:
+            openstack role create heat_stack_owner
+          dependencies:
+            - grant-doman-user-admin-privileges
+        # The Orchestration service automatically assigns the heat_stack_user role to users that it creates during stack deployment.
+        - name: heat-stack-user-role-create
+          type: single
+          command:
+            openstack role create heat_stack_user
+          dependencies:
+            - grant-doman-user-admin-privileges
      daemon:
        dependencies:
          - rabbitmq