From 64b767f9f659ac6dd3b2464967ff0c4d24844761 Mon Sep 17 00:00:00 2001
From: Michal Rostecki <mrostecki@mirantis.com>
Date: Sat, 17 Oct 2015 09:50:03 +0200
Subject: [PATCH] Use trusts in heat.conf

Change-Id: Ie91b3498e9f9d0d74a502ba6945db531ef967516
Closes-Bug: #1492736
---
 ansible/roles/heat/templates/heat.conf.j2 | 14 +++++++++++++-
 docker/heat/heat-api/extend_start.sh      |  8 +++++---
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/ansible/roles/heat/templates/heat.conf.j2 b/ansible/roles/heat/templates/heat.conf.j2
index c2faa835fd..bd88341927 100644
--- a/ansible/roles/heat/templates/heat.conf.j2
+++ b/ansible/roles/heat/templates/heat.conf.j2
@@ -10,7 +10,9 @@ stack_domain_admin_password = {{ heat_domain_admin_password }}
 stack_user_domain_name = heat_user_domain
 
 rpc_backend = rabbit
-deferred_auth_method = password
+notification_driver = noop
+deferred_auth_method = trusts
+trusts_delegated_role = heat_stack_owner
 
 syslog_log_facility=LOG_LOCAL0
 use_syslog=yes
@@ -46,6 +48,16 @@ project_name = service
 username = heat
 password = {{ heat_keystone_password }}
 
+[trustee]
+auth_uri = http://{{ kolla_internal_address }}:{{ keystone_public_port }}
+auth_url = http://{{ kolla_internal_address }}:{{ keystone_admin_port }}
+auth_plugin = password
+project_domain_id = default
+user_domain_id = default
+project_name = service
+username = heat
+password = {{ heat_keystone_password }}
+
 [ec2authtoken]
 auth_uri = http://{{ kolla_internal_address }}:{{ keystone_public_port }}
 
diff --git a/docker/heat/heat-api/extend_start.sh b/docker/heat/heat-api/extend_start.sh
index 6c4fc431f6..ca4f83da58 100644
--- a/docker/heat/heat-api/extend_start.sh
+++ b/docker/heat/heat-api/extend_start.sh
@@ -4,8 +4,10 @@
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
     heat-manage db_sync
-    openstack domain create heat_user_domain
-    openstack user create --domain heat_user_domain heat_domain_admin --password ${HEAT_DOMAIN_ADMIN_PASSWORD}
-    openstack role add --domain heat_user_domain --user heat_domain_admin admin
+    openstack domain create heat
+    openstack user create --domain heat heat_domain_admin --password ${HEAT_DOMAIN_ADMIN_PASSWORD}
+    openstack role add --domain heat --user heat_domain_admin admin
+    openstack role create heat_stack_owner
+    openstack role create heat_stack_user
     exit 0
 fi