On Fri, Dec 04, 2015 at 09:02:39PM +0000, Haller, John H (John) wrote:
> > - deferred_auth_method = trusts is the default (since kilo)
> > - heat_stack_owner is no longer required because by default we delegate
> > all roles, since Launchpad bug #1376562 was fixed.
>
> You also need to configure heat to use keystone v3. Packstack,
> at least as of Kilo, was still configuring keystone v2.0 by default,
> see
> https://bugs.launchpad.net/packstack/+bug/1464371 (my bug report)
> Trust delegation requires the v3 API, unless I've missed something.

You need to have keystone v3 enabled in the keystone service, but heat
works around endpoints with the v2.0 path transparently, so there's nothing
to do with packstack etc AFAIK.
You don't have to do anything at all to configure heat to use keystone v3,
except ensure you haven't disabled it in the keystone configuration.
A lot of folks get confused between keystone v3 being enabled
(keystone.conf option, defaulted to on), and the v2.0 endpoint in the
catalog, which is irrelevant to heat, because we've been s/v2.0/v3 where
appropriate since we started using trusts in 2013.
Steve
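
The two separate things distinguished in the reply above (the v2.0 path in the catalog versus v3 being enabled in keystone), as an added Python illustration that is not Heat's own code and not part of the original message. The host name, the function names and the sample discovery document are assumptions constructed for the example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a keystone version-discovery document (what the
# unversioned identity root returns); not captured from a real deployment.
SAMPLE_DISCOVERY = json.dumps({"versions": {"values": [
    {"id": "v3.4", "status": "stable",
     "links": [{"rel": "self", "href": "http://keystone.example:5000/v3/"}]},
    {"id": "v2.0", "status": "stable",
     "links": [{"rel": "self", "href": "http://keystone.example:5000/v2.0/"}]},
]}})


def v3_auth_url(catalog_url):
    """Rewrite an identity endpoint from the catalog to its v3 form.

    Hypothetical helper mirroring the s/v2.0/v3 idea from the message:
    only the final path segment is touched, so a host name or prefix
    that happens to contain 'v2.0' is left alone.
    """
    parts = urlsplit(catalog_url)
    segments = [s for s in parts.path.split("/") if s]
    if segments and segments[-1] == "v2.0":
        segments[-1] = "v3"
    elif not segments or segments[-1] != "v3":
        segments.append("v3")
    return urlunsplit(parts._replace(path="/" + "/".join(segments)))


def v3_status(discovery_json):
    """Return the advertised status of the v3 API, or None if v3 is absent.

    None means v3 is not offered by keystone at all, which is the case
    where trust delegation cannot work whatever the catalog says.
    """
    doc = json.loads(discovery_json)
    for version in doc.get("versions", {}).get("values", []):
        if version.get("id", "").startswith("v3"):
            return version.get("status")
    return None


if __name__ == "__main__":
    catalog_endpoint = "http://keystone.example:5000/v2.0"  # constructed
    print("catalog endpoint :", catalog_endpoint)
    print("URL used for v3  :", v3_auth_url(catalog_endpoint))
    print("v3 status        :", v3_status(SAMPLE_DISCOVERY))
```
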