Orchestration stack domain users allow the Orchestration module to authorize and execute the following operations inside booted VMs:
Orchestration provides APIs which enable all of these things, but all of those APIs require some sort of authentication. For example, credentials to access the instance the agent is running on. The heat-cfntools agents use signed requests, which require an ec2 keypair created via OpenStack Identity; that keypair is used to sign requests to the Orchestration CloudFormation and CloudWatch compatible APIs, which Orchestration authenticates via signature validation (using the OpenStack Identity ec2tokens extension). Stack domain users allow all stack-defined users (users created as a result of things contained in an Orchestration template) to be encapsulated in a separate domain, created specifically to contain only things related to the Orchestration stacks. A user is created as the domain admin, and Orchestration uses that user to manage the lifecycle of the users in the stack user domain.
You must complete the following steps to set up stack domain users:
Create the domain:
$OS_TOKEN refers to a token. For example, the service admin token or some other valid token for a user with sufficient roles to create users and domains. $KS_ENDPOINT_V3 refers to the v3 OpenStack Identity endpoint (for example, http://keystone_address:5000/v3 where keystone_address is the IP address or resolvable name for the OpenStack Identity service).
$ openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
    --os-identity-api-version=3 domain create heat \
    --description "Owns users and projects created by heat"
The domain ID is returned by this command, and is referred to as $HEAT_DOMAIN_ID below.
Create the user:
$ openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
    --os-identity-api-version=3 user create --password $PASSWORD \
    --domain $HEAT_DOMAIN_ID heat_domain_admin \
    --description "Manages users and projects created by heat"
The user ID is returned by this command and is referred to as $DOMAIN_ADMIN_ID below.
Make the user a domain admin:
$ openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
    --os-identity-api-version=3 role add --user $DOMAIN_ADMIN_ID \
    --domain $HEAT_DOMAIN_ID admin
Then you need to add the domain ID, username and password from these steps to heat.conf:
stack_domain_admin_password = password
stack_domain_admin = heat_domain_admin
stack_user_domain = domain id returned from domain create above
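The three Identity steps above and the resulting heat.conf fragment, as one POSIX sh script. This is an added example, not code from the OpenStack documentation or from the Heat project: it assumes the page's $OS_TOKEN and $KS_ENDPOINT_V3 variables and the same --os-token/--os-url/--os-identity-api-version flags the page uses, and it selects each returned ID with the client's "-f value -c id" output options. The function names (ks, create_heat_domain, create_domain_admin, grant_domain_admin, render_heat_conf, require_id, setup_stack_domain) are this example's own. The printed lines belong under the [DEFAULT] section of heat.conf; the script refuses to print a fragment when a create step returns no usable ID, so an empty or error value never ends up as stack_user_domain.

```shell
#!/bin/sh
# Added example (not from the OpenStack docs or the Heat project):
# automate the domain / domain-admin / role steps and emit the
# heat.conf lines. Assumed: the openstack CLI is on PATH and accepts
# the flags shown on the page; "-f value -c id" prints only the ID.
set -eu

OS_TOKEN="${OS_TOKEN:-}"
KS_ENDPOINT_V3="${KS_ENDPOINT_V3:-http://keystone_address:5000/v3}"

# Client options shared by every Identity v3 call below (assumed name).
ks() {
    openstack --os-token "$OS_TOKEN" --os-url="$KS_ENDPOINT_V3" \
        --os-identity-api-version=3 "$@"
}

# Step 1: create the "heat" domain; prints only its ID ($HEAT_DOMAIN_ID).
create_heat_domain() {
    ks domain create heat \
        --description "Owns users and projects created by heat" \
        -f value -c id
}

# Step 2: create heat_domain_admin inside that domain; prints only
# its ID ($DOMAIN_ADMIN_ID). Arguments: domain id, password.
create_domain_admin() {
    ks user create --password "$2" --domain "$1" heat_domain_admin \
        --description "Manages users and projects created by heat" \
        -f value -c id
}

# Step 3: grant the admin role on the domain. Arguments: domain id, user id.
grant_domain_admin() {
    ks role add --user "$2" --domain "$1" admin
}

# The heat.conf lines in the form shown on the page ([DEFAULT] section).
# Arguments: domain id, password.
render_heat_conf() {
    printf 'stack_domain_admin_password = %s\n' "$2"
    printf 'stack_domain_admin = heat_domain_admin\n'
    printf 'stack_user_domain = %s\n' "$1"
}

# Reject an empty value or one containing spaces (an error message rather
# than an ID) so it is never written into heat.conf. Arguments: step, value.
require_id() {
    case "$2" in
        ""|*" "*) echo "step '$1' returned no usable ID: '$2'" >&2; return 1 ;;
    esac
}

# Run all three steps and print the heat.conf fragment. Argument: password.
setup_stack_domain() {
    domain_id="$(create_heat_domain)"
    require_id "domain create" "$domain_id" || return 1
    admin_id="$(create_domain_admin "$domain_id" "$1")"
    require_id "user create" "$admin_id" || return 1
    grant_domain_admin "$domain_id" "$admin_id"
    render_heat_conf "$domain_id" "$1"
}

# Usage: PASSWORD=... OS_TOKEN=... ./setup_stack_domain.sh --run >> /etc/heat/heat.conf
if [ "${1:-}" = "--run" ]; then
    setup_stack_domain "${PASSWORD:?set PASSWORD to the domain admin password}"
fi
```

Redirecting the output appends the three options; they must land in the [DEFAULT] section, so append only when that section is the last one in the file or edit the fragment in by hand.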
The following steps will be executed during stack creation:
To clarify that last point: there are now two paths that can result in retrieval of the same data via the Orchestration API. The example for resource-metadata is below:
GET v1/{stack_owner_project_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata
or:
GET v1/{stack_domain_project_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata
The stack owner uses the former (via heat resource-metadata {stack_name} {resource_name}), and any agents in the instance use the latter.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License http://creativecommons.org/licenses/by/3.0/legalcode.