> (A) My heat.conf has some definitions in below > which aren't used in the DEFAULT section of > the draft web page. > > deferred_auth_method = trusts > trusts_delegated_roles = heat_stack_owner Yes these entries are no longer required: - deferred_auth_method = trusts is the default (since kilo) - heat_stack_owner is no longer required because by default we delegate all roles, since Launchpad bug #1376562 was fixed.

> My questions is > > Can I configure the heat-engine service not to croak > the warning message about trustee? Yes, you need to configure the "trustee" section in heat.conf, which means heat will no longer use the keystone_authtoken to initialize the auth plugin associated with deferred authentication via trusts. Unfortunately, this isn't currently documented or exposed in our sample config. I'm working on a patch to fix that which I hope to post soon, you can follow progress here: https://bugs.launchpad.net/heat/+bug/1300246

I found from one of my coworkers that the v2.0 API supports trusts, but only from the external API endpoint, not the internal. If the VM has a route to the external API, you can use v2.0, but otherwise need v3. So, I did miss something.