[Rdo-list] Autoscaling stack croaks warning messages about trustee

Steven Hardy shardy at redhat.com
Fri Dec 4 19:08:43 UTC 2015

On Fri, Dec 04, 2015 at 11:21:24AM +0900, Takenaka Kazuhiro wrote:
> Hi, All
> I have tried to run an autoscaling stack by Heat
> on the OpenStack Liberty environment.
> The environment consists of the RHEL7.1 nodes and
> OpenStack Liberty was installed by PackStack.
> The first time I ran an autoscaling stack, it didn't work
> because of an installation problem; python-redis had not been 
> installed.
> After installation of python-redis, I tried again and the
> autoscaling stack is working now. 
> But I found another problem. The following message 
> periodically appears in /var/log/heat/heat-engine.log
> 2015-12-01 17:23:25.034 6231 WARNING heat.common.context [req-22848a8b-892b-4996-bf12-56d17181d878 - f023b311e4364188be9dc2ca33726467] Using the keystone_authtoken user as the heat trustee user directly is deprecated. Please add the trustee credentials you need to the trustee section of your heat.conf file.
> I looked at /etc/heat/heat.conf made by PackStack and
> confirmed no trustee section is in it.
> I also compared the content of my heat.conf with the following
> web page.
> http://docs.openstack.org/draft/install-guide-rdo/heat-install.html
> I noticed the following things besides the trustee section issue.
> (A) My heat.conf has the definitions below,
>     which aren't used in the DEFAULT section of
>     the draft web page.
>     deferred_auth_method = trusts
>     trusts_delegated_roles = heat_stack_owner

Yes, these entries are no longer required:
 - deferred_auth_method = trusts is the default (since Kilo)
 - heat_stack_owner is no longer required because by default we delegate
   all roles, since Launchpad bug #1376562 was fixed.

> (B) The keystone_authtoken sections have many differences.
>   My heat.conf:
>     [keystone_authtoken]
>     admin_user=heat
>     admin_password=***
>     admin_tenant_name=services
>     identity_uri=
>     auth_uri=
>   Draft Page:
>     auth_uri = http://controller:5000
>     auth_url = http://controller:35357
>     auth_plugin = password
>     project_domain_id = default
>     user_domain_id = default
>     project_name = service
>     username = heat
>     password = HEAT_PASS

Not sure about this - IIRC authtoken supports several argument formats for
backwards compatibility, so we need to ensure we're documenting the
currently preferred one.

> My question is:
> Can I configure the heat-engine service not to croak
> the warning message about trustee?

Yes, you need to configure the "trustee" section in heat.conf, which means
heat will no longer use the keystone_authtoken to initialize the auth
plugin associated with deferred authentication via trusts.

Unfortunately, this isn't currently documented or exposed in our sample
config.  I'm working on a patch to fix that, which I hope to post soon; you
can follow progress here:
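
Added example, not part of the original message and not Heat's own code: a small Python check that flags a heat.conf with no [trustee] section (the condition behind the warning above) and the two DEFAULT entries the reply calls no longer required, and counts the warning in heat-engine.log lines. The sample files and finding codes are constructed, and the option names inside the sample [trustee] section are an assumption modelled on the draft page's keystone_authtoken block.

```python
import configparser

# Warning text from the heat-engine.log line quoted in the message.
TRUSTEE_WARNING = ("Using the keystone_authtoken user as the heat trustee "
                   "user directly is deprecated")

def audit_heat_conf(text):
    """Return finding codes (constructed names) for a heat.conf given as a string."""
    # Rename default_section so [DEFAULT] is parsed as an ordinary section
    # and its keys are not inherited by [trustee].
    cp = configparser.RawConfigParser(default_section="__unused__", strict=False)
    cp.read_string(text)
    findings = []
    if not cp.has_section("trustee") or not cp.options("trustee"):
        findings.append("trustee-section-missing")
    if cp.get("DEFAULT", "deferred_auth_method", fallback=None) == "trusts":
        findings.append("deferred_auth_method-redundant")
    if cp.get("DEFAULT", "trusts_delegated_roles", fallback=None) == "heat_stack_owner":
        findings.append("trusts_delegated_roles-redundant")
    return findings

def count_trustee_warnings(log_lines):
    """Count heat.common.context warnings about the missing trustee user."""
    return sum(1 for line in log_lines
               if "WARNING heat.common.context" in line and TRUSTEE_WARNING in line)

# Constructed sample: the PackStack-style fragments quoted in the message.
PACKSTACK_CONF = """\
[DEFAULT]
deferred_auth_method = trusts
trusts_delegated_roles = heat_stack_owner
[keystone_authtoken]
admin_user=heat
admin_password=***
admin_tenant_name=services
"""
# Constructed sample: same file with a [trustee] section (option names assumed).
FIXED_CONF = """\
[DEFAULT]
[keystone_authtoken]
admin_user=heat
[trustee]
auth_plugin = password
auth_url = http://controller:35357
username = heat
password = HEAT_PASS
"""
# Constructed log: one warning in the format quoted above, one unrelated line.
SAMPLE_LOG = ["2015-12-01 17:23:25.034 6231 WARNING heat.common.context [req-x - y] "
              + TRUSTEE_WARNING + ".", "2015-12-01 17:23:26.000 6231 INFO heat.engine ok"]
if __name__ == "__main__":
    print(audit_heat_conf(PACKSTACK_CONF), count_trustee_warnings(SAMPLE_LOG))
```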


