On 16/06/17 05:09, Kaz Shinohara wrote:
I still take `deferred_auth_method=password` instead of trusts because
we don't enable trusts in the Keystone side due to some internal reason.
Free advice: whatever reason you have for not enabling trusts, storing
user passwords in the Heat database is 100x worse.
The issues that you pointed out are correct (e.g. user_domain_id), we don't
use the domain well and also added some patches to skip those issues.
Why aren't those upstream?
But I guess that the majority of heat users already moved to trusts and
it is obviously a better solution in terms of security and granular role
As the edge case (perhaps), if a user wants to take password auth, it
would be too tricky for them to introduce it, therefore I agree with your 2nd
If we remove the `deferred_auth_method=password` from heat.conf,
should we keep `deferred_auth_method` itself or replace it with a new
config option just to specify the trusts enable/disable? Do you have
any idea on this?
Also I'm thinking that `reauthentication_method` also might be
2017-06-16 14:11 GMT+09:00 Rabi Mishra <ramis...@redhat.com
I'm not sure whether this works with keystone v2 and anyone is using
it or not. Keeping in mind that heat-cli is deprecated and keystone
v3 is now the default, we've 2 options
1. Continue to support 'deferred_auth_method=password' option and
fix all the above issues.
2. Remove/deprecate the option in Pike itself.
I would prefer option 2, but probably I miss some history and use
cases for it.
Am I right in thinking that any user (i.e. not just the [heat] service
user) can create a trust? I still see occasional requests about
'standalone mode' for clouds that don't have Heat available to users
(which I suspect is broken, otherwise people wouldn't be asking), and
I'm guessing that standalone mode has heretofore required
So if we're going to remove the option then we should probably either
officially disown standalone mode or rewrite the instructions such that
it can be used with the trusts method.
OpenStack Development Mailing List (not for usage questions)