OpenStack Heat

Always requiring password on create is too restrictive

Bug #1217617 reported by Steve Baker
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Heat
Fix Released
High
Steve Baker
OpenStack Heat 2013.2 "havana"

Bug Description

Some stacks do not need to do any deferred operations (no wait conditions, signals, alarms or metadata updates) so it is not always necessary to create tokens throughout the lifecycle of a stack.

In addition, it is difficult to provide a password for some use cases (such as using heat for higher-level orchestration APIs like Trove or Savannah

EngineService._validate_mandatory_credentials should either:
- introspect the template to decide whether a password is needed, or
- check for an "I know what I'm doing" flag to switch off password validation

Steve Baker (steve-stevebaker)
Changed in heat:
importance: Undecided → High
assignee: nobody → Steve Baker (steve-stevebaker)
milestone: none → havana-3
status: New → Confirmed
Steve Baker (steve-stevebaker)
Changed in heat:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/44400

Thierry Carrez (ttx)
Changed in heat:
milestone: havana-3 → havana-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/44400
Committed: http://github.com/openstack/heat/commit/af238fbd081f7c14016d923c3924a648963fdeca
Submitter: Jenkins
Branch: master

commit af238fbd081f7c14016d923c3924a648963fdeca
Author: Steve Baker <email address hidden>
Date: Fri Aug 30 17:21:56 2013 +1200

    Only validate credentials on create based on resources

    This change relaxes the validation which checked for credentials
    on stack create and update.

    As implemented, having any of the following resources
    in the template will result in credentials being mandatory
    on create and update:
    * AWS::AutoScaling::ScalingPolicy
    * OS::Heat::HARestarter
    * AWS::CloudFormation::WaitConditionHandle

    For all other templates, credentials are not needed.

    When trusts are merged, this logic could also be used to decide
    whether a trust token needs to be created at all.

    Fixes bug: #1217617

    Change-Id: I3e4b8698d3712053dc3c0851433ef0cbbadbdfed

Changed in heat:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: havana-rc1 → 2013.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.