[Rdo-list] Autoscaling stack croaks warning messages about trustee

Haller, John H (John) john.haller at alcatel-lucent.com
Fri Dec 4 21:02:39 UTC 2015 

>  - deferred_auth_method = trusts is the default (since kilo)
>  - heat_stack_owner is no longer required because by default we delegate
>    all roles, since Launchpad bug #1376562 was fixed.

You also need to configure heat to use keystone v3. Packstack,
at least as of Kilo, was still configuring keystone v2.0 by default,
see https://bugs.launchpad.net/packstack/+bug/1464371 (my bug report)
Trust delegation requires the v3 API, unless I've missed something.

There appear to be a number of issues with globally enabling keystone v3
being addressed in Red Hat OpenStack Liberty version, many of the bugs
in this query are related to keystone v3 bugs:
https://bugzilla.redhat.com/buglist.cgi?quicksearch=keystone%20v3

It doesn't look like you want to globally set Keystone v3 while these
are bugs outstanding, but you can change it in the Heat config file directly
to only affect the Heat service.

> 
> > (B) The keystone_authtoken sections have many differences.
> >
> >   My heat.conf:
> >     [keystone_authtoken]
> >     admin_user=heat
> >     admin_password=***
> >     admin_tenant_name=services
> >     identity_uri=http://10.0.2.11:35357
> >     auth_uri=http://10.0.2.11:5000/v2.0
                                       ^^^^
Trust delegation requires the v3 API in the line above

> >   Draft Page:
> >     auth_uri = http://controller:5000
> >     auth_url = http://controller:35357
> >     auth_plugin = password
> >     project_domain_id = default
> >     user_domain_id = default
> >     project_name = service
> >     username = heat
> >     password = HEAT_PASS
> 
> Not sure about this - IIRC authtoken supports several argument formats
> for backwards compatibility, so we need to ensure we're documenting the
> currently preferred one.
> 
> > My questions is
> >
> > Can I configure the heat-engine service not to croak the warning
> > message about trustee?
> 
> Yes, you need to configure the "trustee" section in heat.conf, which
> means heat will no longer use the keystone_authtoken to initialize the
> auth plugin associated with deferred authentication via trusts.
> 
> Unfortunately, this isn't currently documented or exposed in our sample
> config.  I'm working on a patch to fix that which I hope to post soon,
> you can follow progress here:
> 
> https://bugs.launchpad.net/heat/+bug/1300246
> 
> Steve
> 


Regards,
John Haller

More information about the dev mailing list