authorhuangtianhua <huangtianhua@huawei.com>2014-10-15 11:41:45 +0800
committerhuangtianhua <huangtianhua@huawei.com>2014-11-11 10:25:50 +0000
commite6c1292b78a0eb3937bbf59e9202688e3c784a54 (patch)
tree4c038559dd905f955b62c01aaf4f6bcdd71dfc91
parent1dbaea48928a6cdd7b77e6e52819f4987c441360 (diff)
downloadheat-e6c1292b78a0eb3937bbf59e9202688e3c784a54.tar.gz
Inherit roles for create_trust_context()
For the stable/juno backport, the default value of trusts_delegated_roles is left unchanged, so deployers will see no change on upgrade, unless they explicitly choose to update their heat.conf. Note that previously an empty list caused an error (it's invalid to delegate zero roles via a trust), so this is not a change of behaviour of a previously working configuration. Change-Id: I3f1b70b78b91bfac9af5fadb71140679b208c999 Closes-bug: #1376562 (cherry picked from commit aab01c00ff330d743fc15e97d7ae144eac5015bb)
-rw-r--r--etc/heat/heat.conf.sample4
-rw-r--r--heat/common/config.py5
-rw-r--r--heat/common/heat_keystoneclient.py6
-rw-r--r--heat/engine/service.py8
-rw-r--r--heat/tests/test_heatclient.py19
5 files changed, 35 insertions, 7 deletions
diff --git a/etc/heat/heat.conf.sample b/etc/heat/heat.conf.sample
index 8917857e6..1ae63c8af 100644
--- a/etc/heat/heat.conf.sample
+++ b/etc/heat/heat.conf.sample
@@ -35,7 +35,9 @@
# (string value)
#deferred_auth_method=password
-# Subset of trustor roles to be delegated to heat. (list
+# Subset of trustor roles to be delegated to heat. If
+# trusts_delegated_roles is set to [], all roles of a user
+# will be delegated to heat when creating a stack. (list
# value)
#trusts_delegated_roles=heat_stack_owner
diff --git a/heat/common/config.py b/heat/common/config.py
index dfc96960d..518a2b2a1 100644
--- a/heat/common/config.py
+++ b/heat/common/config.py
@@ -105,7 +105,10 @@ engine_opts = [
'stored password or trusts.')),
cfg.ListOpt('trusts_delegated_roles',
default=['heat_stack_owner'],
- help=_('Subset of trustor roles to be delegated to heat.')),
+ help=_('Subset of trustor roles to be delegated to heat.'
+ ' If trusts_delegated_roles is set to [],'
+ ' all roles of a user will be delegated to heat'
+ ' when creating a stack.')),
cfg.IntOpt('max_resources_per_stack',
default=1000,
help='Maximum resources allowed per top-level stack.'),
diff --git a/heat/common/heat_keystoneclient.py b/heat/common/heat_keystoneclient.py
index 378cf7b48..9dd469e66 100644
--- a/heat/common/heat_keystoneclient.py
+++ b/heat/common/heat_keystoneclient.py
@@ -275,7 +275,11 @@ class KeystoneClientV3(object):
trustee_user_id = self.admin_client.auth_ref.user_id
trustor_user_id = self.client.auth_ref.user_id
trustor_project_id = self.client.auth_ref.project_id
- roles = cfg.CONF.trusts_delegated_roles
+ # inherit the roles of the trustor, unless set trusts_delegated_roles
+ if cfg.CONF.trusts_delegated_roles:
+ roles = cfg.CONF.trusts_delegated_roles
+ else:
+ roles = self.context.roles
try:
trust = self.client.trusts.create(trustor_user=trustor_user_id,
trustee_user=trustee_user_id,
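Review bot: With `trusts_delegated_roles` empty, `roles = self.context.roles` hands the trustee every role the trustor holds in the project, including any admin-level role, for the lifetime of the trust; the added comment reads like a plain fallback and should make that widening explicit. Suggest `# Empty trusts_delegated_roles means the trust carries every role the trustor holds (the widest possible delegation); otherwise only the configured subset.` in place of `# inherit the roles of the trustor, unless set trusts_delegated_roles`. If `self.context.roles` can itself be empty, the `trusts.create` call below is reached with zero roles, which the commit message says is invalid for a trust — worth confirming the caller guarantees a non-empty role list, or raising a clearer error before the `try`. The enclosing create_trust_context starts and ends outside this hunk.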
diff --git a/heat/engine/service.py b/heat/engine/service.py
index cc99b2c8e..e2c75f9e7 100644
--- a/heat/engine/service.py
+++ b/heat/engine/service.py
@@ -345,6 +345,14 @@ class EngineService(service.Service):
'deprecated and will be removed in the Juno '
'release.', DeprecationWarning)
+ if cfg.CONF.trusts_delegated_roles:
+ warnings.warn('If trusts_delegated_roles is set, only the subset '
+ 'of roles it specifies will be delegated to heat. '
+ 'You may wish to update your config to [], as an '
+ 'empty list means delegate all roles of the '
+ 'trustor.',
+ Warning)
+
def create_periodic_tasks(self):
LOG.debug("Starting periodic watch tasks pid=%s" % os.getpid())
# Note with multiple workers, the parent process hasn't called start()
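Review bot: The new warning fires on the default configuration and recommends `[]` as if it were merely a newer setting, but an empty list is the broadest delegation possible (every role of the trustor, admin roles included), so the message should state that trade-off rather than nudge deployers toward it. Something like `'An empty list delegates every role the trustor holds, so use it only when the stack genuinely needs them; otherwise keep the narrowest subset that works.'` could replace the last two message fragments. A deployer-facing notice like this is also better emitted as `LOG.warning(...)` than `warnings.warn(..., Warning)`: `Warning` is the base category and is easily filtered out, while the log is what operators actually read (`LOG` is in scope, see the `LOG.debug` just below). The method this block is added to starts outside the hunk.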
diff --git a/heat/tests/test_heatclient.py b/heat/tests/test_heatclient.py
index 282052e6c..afceda582 100644
--- a/heat/tests/test_heatclient.py
+++ b/heat/tests/test_heatclient.py
@@ -492,7 +492,15 @@ class KeystoneClientTest(HeatTestCase):
trust_context = heat_ks_client.create_trust_context()
self.assertEqual(ctx.to_dict(), trust_context.to_dict())
- def test_create_trust_context_trust_create(self):
+ def test_create_trust_context_trust_create_deletegate_subset_roles(self):
+ delegate_roles = ['heat_stack_owner']
+ self._test_create_trust_context_trust_create(delegate_roles)
+
+ def test_create_trust_context_trust_create_deletegate_all_roles(self):
+ delegate_roles = []
+ self._test_create_trust_context_trust_create(delegate_roles)
+
+ def _test_create_trust_context_trust_create(self, delegate_roles=None):
"""Test create_trust_context when creating a trust."""
@@ -503,22 +511,25 @@ class KeystoneClientTest(HeatTestCase):
self._stubs_v3()
cfg.CONF.set_override('deferred_auth_method', 'trusts')
- cfg.CONF.set_override('trusts_delegated_roles', ['heat_stack_owner'])
+ cfg.CONF.set_override('trusts_delegated_roles', delegate_roles)
+ trustor_roles = ['heat_stack_owner', 'admin', '__member__']
+ trustee_roles = delegate_roles or trustor_roles
self.mock_ks_v3_client.auth_ref = self.m.CreateMockAnything()
self.mock_ks_v3_client.auth_ref.user_id = '5678'
self.mock_ks_v3_client.auth_ref.project_id = '42'
self.mock_ks_v3_client.trusts = self.m.CreateMockAnything()
+
self.mock_ks_v3_client.trusts.create(
trustor_user='5678',
trustee_user='1234',
project='42',
impersonation=True,
- role_names=['heat_stack_owner']).AndReturn(MockTrust())
+ role_names=trustee_roles).AndReturn(MockTrust())
self.m.ReplayAll()
- ctx = utils.dummy_context()
+ ctx = utils.dummy_context(roles=trustor_roles)
ctx.trust_id = None
heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
trust_context = heat_ks_client.create_trust_context()