Problem with creation stack from new user and tenant

Bug #1306665 reported by Sergey Kraynev
This bug affects 2 people
Affects: OpenStack Heat
Status: Fix Released
Importance: Medium
Assigned to: Steven Hardy

Bug Description

Devstack automatically creates demo and admin users and then adds the heat_stack_owner role to them.
If you create another new tenant with a user, you could forget to add the role.
As a result you will get a user who can do stack-list (without any error) but cannot execute stack-create. The following error will be displayed in the CLI:
ERROR: Remote error: NotFound Could not find role, 7131470220f646b3b1ee153b31529e34. (HTTP 404)
where 7131470220f646b3b1ee153b31529e34 is the id of the heat_stack_owner role.

The solution in this case is adding the role to your created user.

According to the discussion in IRC we have some bullet points related to this situation:
  * it would be good to improve the documentation (to describe this specific behavior of using heat)
  * it would also be good to improve the error message and point users at the problem (that they should add the role)

Changed in heat:
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/87555

Changed in heat:
status: New → In Progress
Changed in heat:
importance: Undecided → Medium
milestone: none → juno-1
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/87555
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=becd011215e092f1e32374371f916a476164f996
Submitter: Jenkins
Branch: master

commit becd011215e092f1e32374371f916a476164f996
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Tue Apr 15 10:30:52 2014 +0300

    Add hint on creating new user for Heat in DevStack

    Mention heat_stack_owner role in the docs for DevStack.

    Change-Id: I5f3e0405684fffa0aa05d1552ca0f6e7074471aa
    Partial-Bug: #1306665

Changed in heat:
assignee: Pavlo Shchelokovskyy (pshchelo) → nobody
Revision history for this message
Steven Hardy (shardy) wrote :

I'll look at improving the error message when this happens

Changed in heat:
assignee: nobody → Steven Hardy (shardy)
Thierry Carrez (ttx)
Changed in heat:
milestone: juno-1 → juno-2
Steven Hardy (shardy)
Changed in heat:
milestone: juno-2 → juno-3
Steven Hardy (shardy)
Changed in heat:
milestone: juno-3 → juno-rc1
Revision history for this message
Steven Hardy (shardy) wrote :

Actually, having considered this for a while, I propose two changes:

1. Stop using heat_stack_owner, and instead delegate _member_, which is the default role created by keystone since grizzly and used to indicate project membership (thus all users should already have it, avoiding this situation)

2. Improve the error message, so if some non-default combination of roles is used, users get a clue that some role in the list specified in heat.conf doesn't exist in the user's roles.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/119406

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to heat (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/119415

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/119406
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=4e0538e2145b4db79c2489cbb1fb5e286a05ecd3
Submitter: Jenkins
Branch: master

commit 4e0538e2145b4db79c2489cbb1fb5e286a05ecd3
Author: Steven Hardy <email address hidden>
Date: Fri Sep 5 16:51:03 2014 +0100

    Clarify NotFound error when creating trust

    If a user creates a stack without the heat_stack_owner role, we
    try to create the trust and then fail somewhat cryptically by
    letting the NotFound exception from keystoneclient get exposed to
    the user. This is confusing, as it doesn't even mention the role
    name (only the ID).

    Instead, we can catch the NotFound and propagate a MissingCredential
    error, with a list of the role names we need to create the trust.

    This error is already correctly mapped to a bad request in the native
    API, but not in the CFN exception map, so add it there to avoid 500
    errors if this happens via heat-api-cfn.

    Now, if a user lacks the required role, they will see an error like:

    Missing required credential: roles ['heat_stack_owner']

    Which is hopefully somewhat clearer.

    Change-Id: Ief4956bdb76ddf0cdb0a642721b63c63b0d007d8
    Closes-Bug: #1306665
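
The two changes Steven proposes above (delegating _member_ instead of heat_stack_owner, and a clearer error) and the behaviour of the merged fix, as an added example that is not Heat's own code: a small Python model in which keystone's role check, NotFound and MissingCredential are stand-ins, the role catalog is constructed (the heat_stack_owner id is the one quoted in the bug, the _member_ id is a placeholder), and the delegated-role list stands for the one configured in heat.conf.

```python
class NotFound(Exception):
    """Stand-in for keystoneclient's NotFound (the bare 'HTTP 404' the user saw)."""


class MissingCredential(Exception):
    """Stand-in for Heat's MissingCredential (mapped to a 400, not a 500)."""


# Constructed catalog: the heat_stack_owner id is the one quoted in the bug,
# the _member_ id is a placeholder.
ROLE_IDS = {
    "heat_stack_owner": "7131470220f646b3b1ee153b31529e34",
    "_member_": "<placeholder-member-role-id>",
}


def keystone_create_trust(user_roles, delegated):
    """Simulate keystone: every delegated role must be one the trustor holds,
    otherwise keystone answers with a NotFound naming only the role id."""
    held = set(user_roles)
    role_ids = []
    for name in delegated:
        if name not in held:
            raise NotFound(f"Could not find role, {ROLE_IDS[name]}. (HTTP 404)")
        role_ids.append(ROLE_IDS[name])
    return {"roles": role_ids}


def create_trust(user_roles, delegated):
    """After the fix: turn the cryptic NotFound into a MissingCredential that
    lists the role names configured in heat.conf."""
    delegated = list(delegated)
    try:
        return keystone_create_trust(user_roles, delegated)
    except NotFound as exc:
        raise MissingCredential(
            f"Missing required credential: roles {delegated}") from exc


def missing_roles(user_roles, delegated):
    """Pre-check for operators: which configured roles does the user lack?"""
    held = set(user_roles)
    return [name for name in delegated if name not in held]


def stack_create_error(user_roles, delegated):
    """Message a user would now see on stack-create, or '' when it succeeds."""
    try:
        create_trust(user_roles, delegated)
    except MissingCredential as exc:
        return str(exc)
    return ""
```

With the delegated list set to ["_member_"], a user who only holds the default membership role succeeds, which is the effect of proposal 1; with ["heat_stack_owner"] the same user now gets the role name rather than a 404 with an opaque id.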

Changed in heat:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: juno-rc1 → 2014.2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on heat (master)

Change abandoned by Steven Hardy (<email address hidden>) on branch: master
Review: https://review.openstack.org/119415
Reason: Obsoleted by https://review.openstack.org/#/c/128509/
