Cloned from launchpad blueprint https://blueprints.launchpad.net/heat/+spec/instance-users.

Description: Currently we create a new keystone user for every WaitConditionHandle resource, and every User/AccessKey resource. This is clearly suboptimal and doesn't scale, so we need to figure out a better way, working with the keystone devs, as I'm fairly sure we'll need some new keystone features to do this better (maybe the ability to create ec2 keypairs from a trust token, and the ability to create implicitly unprivileged identities based on trusts).

Specification URL (additional information): None
Updating title as the upstream BP title/description changed after this was raised:

Currently we create a new keystone user for every WaitConditionHandle resource, and every User/AccessKey resource, in the same tenant/project as the stack owning user. We need to remove the requirement to be a keystone admin (which is required to create the users) while still providing users who are not directly associated with the stack owning user (to limit the impact in the event of a compromised instance), so create these users in a separate heat specific domain (as the heat service user). This still provides the necessary isolation but avoids the requirement to create users in the real user domain.

This could also provide a solution to the requirement for ec2 signed requests (which we don't want for native resources), e.g. initially by deploying the username and a randomly generated password and in future maybe x509 certificates.

Also see https://wiki.openstack.org/wiki/Heat/Blueprints/InstanceUsers; option (2) is what has been implemented.
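The comment above describes the deployed design: stack users live in a dedicated Keystone domain, and Heat creates them as a domain-scoped admin rather than as a cloud admin. The following shell script is an added example, not part of this bug report or of Heat's own code, showing how an operator would bootstrap that domain with the OpenStack CLI and render the matching heat.conf options. The domain name (`heat`), the admin user name (`heat_domain_admin`) and the description string are assumptions; the option names `stack_user_domain_id`, `stack_domain_admin` and `stack_domain_admin_password` are the ones Heat reads (older releases spelled the first one `stack_user_domain`).

```shell
#!/bin/sh
# Added example (not from the bug report): bootstrap a separate Keystone
# domain for Heat stack users and render the heat.conf stanza for it.
# DOMAIN_NAME and ADMIN_USER are assumed names, override them in the env.

DOMAIN_NAME="${DOMAIN_NAME:-heat}"
ADMIN_USER="${ADMIN_USER:-heat_domain_admin}"

# Random 32-character hex password for the domain admin, read from
# /dev/urandom so the secret never appears on a command history line.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Render the [DEFAULT] options that point Heat at the stack-user domain.
# Heat uses these credentials (scoped to that domain only) to create the
# per-resource users, so the heat service user no longer needs cloud admin.
render_heat_conf() {
    domain_id="$1"; admin_user="$2"; admin_password="$3"
    printf '[DEFAULT]\n'
    printf 'stack_user_domain_id = %s\n' "$domain_id"
    printf 'stack_domain_admin = %s\n' "$admin_user"
    printf 'stack_domain_admin_password = %s\n' "$admin_password"
}

# Create the domain and its admin with the OpenStack CLI. Requires cloud
# admin credentials in the environment (OS_* variables); prints the new
# domain id so it can be fed to render_heat_conf.
create_stack_domain() {
    domain_name="$1"; admin_user="$2"; admin_password="$3"
    openstack domain create --description "Heat stack users" "$domain_name" >/dev/null
    openstack user create --domain "$domain_name" \
        --password "$admin_password" "$admin_user" >/dev/null
    # The admin role is granted on the domain, not on any project, so the
    # credential can manage stack users but nothing in the real user domain.
    openstack role add --domain "$domain_name" \
        --user-domain "$domain_name" --user "$admin_user" admin
    openstack domain show -f value -c id "$domain_name"
}

# Usage (only when run directly with BOOTSTRAP=1, so the functions can be
# sourced without touching Keystone):
if [ "${BOOTSTRAP:-0}" = "1" ]; then
    password="$(gen_password)"
    domain_id="$(create_stack_domain "$DOMAIN_NAME" "$ADMIN_USER" "$password")"
    render_heat_conf "$domain_id" "$ADMIN_USER" "$password"
fi
```

The rendered stanza is what goes into heat.conf on the engine hosts; the domain-admin password only ever lives there, and because the role is granted at domain scope a leak of that credential exposes the stack-user domain but not the projects of real users.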
Related bugs for additional context:

Packstack updates: https://bugzilla.redhat.com/show_bug.cgi?id=1076172

Docs updates: https://bugzilla.redhat.com/show_bug.cgi?id=1076611