Add heat_stack_owner role for heat trusts usage

Heat supports deferred operations via keystone trusts,
and we'd like to make that the default.  To do this, we
require a new role, which is the default role specified
in heat.conf trusts_delegated_roles, heat_stack_owner.

Add the role to the admin/demo users so they can create
heat stacks when we make deferred_auth_method=trusts the
default.

Change-Id: Idfc70ee89428c23f5965e643486ff2ad9566471c
Related-Bug: #1286157
diff --git a/lib/heat b/lib/heat
index 42d1057..2d9d863 100644
--- a/lib/heat
+++ b/lib/heat
@@ -240,6 +240,19 @@
     # heat_stack_user role is for users created by Heat
     openstack role create heat_stack_user
 
+    # heat_stack_owner role is given to users who create Heat stacks,
+    # it's the default role used by heat to delegate to the heat service
+    # user (for performing deferred operations via trusts), see heat.conf
+    HEAT_OWNER_ROLE=$(openstack role create \
+        heat_stack_owner \
+        | grep " id " | get_field 2)
+
+    # Give the role to the demo and admin users so they can create stacks
+    # in either of the projects created by devstack
+    openstack role add $HEAT_OWNER_ROLE --project demo --user demo
+    openstack role add $HEAT_OWNER_ROLE --project demo --user admin
+    openstack role add $HEAT_OWNER_ROLE --project admin --user admin
+
     # Note we have to pass token/endpoint here because the current endpoint and
     # version negotiation in OSC means just --os-identity-api-version=3 won't work
     KS_ENDPOINT_V3="$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v3"
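Review bot: HEAT_OWNER_ROLE is never validated after the `openstack role create heat_stack_owner | grep " id " | get_field 2` pipeline, and it is expanded unquoted in the three `openstack role add` calls. If the create fails or the table output does not contain an " id " row, the variable is empty and the role argument simply drops out of each command, so the error is reported by `role add` rather than at the step that actually failed. Suggest quoting "$HEAT_OWNER_ROLE" and aborting when it is empty before any grant is attempted. Since this role is what gets delegated to the heat service user through trusts, the comment could also say explicitly that the demo and admin users are the only ones granted it here, and that any other user who should create stacks under deferred_auth_method=trusts needs the role assigned separately.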