The Heat component of OpenStack uses an authorization model composed of mainly two types:
Password-based authorization
Authorization based on OpenStack identity trusts
This process is known as Orchestration authorization.
In this type of authorization, a password is expected from the user. This password must match with the password stored in a database by the Heat engine in an encrypted form.
The following are the steps used to generate a username/password:
A request is made to the Heat engine for a token or an authorization password. Normally, the Heat command-line client or the dashboard is used.
The validation checks will fail if the stack contains any resources under deferred operations. If everything is normal, then a username/password is provided.
The username/password are stored in the database in encrypted form.
In some cases, the Heat engine, after obtaining the credentials, requests another token on the user's behalf, and thereafter, access to all the roles of the stack owner are provided.
Keystone trusts are extensions to OpenStack identity services that are used for enabling delegation of resources. The trustor and the trustee are the two delegates used in this method. The trustor is the user who delegates and the trustee is the user who is being delegated. The following information from the trustor is required by the identity service to delegate a trustee:
The creation of a stack via an API request step can be followed to execute a trust based authorization.
A token is used to create a trust between the stack owner (the trustor) and the Heat service user (also known as the trustee in this case). A special role is delegated. This role must be predefined in the trusts_delegated_roles list inside the heat.conf file.
By default, all the available roles for the trustor are set to be available for the trustee if it is not modified using a local RBAC policy.
This trust ID is stored in an encrypted form in the database. This trust ID is retrieved from the database when an operation is required.