Cannot create a new resource from non-admin user, using Heat template
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mirantis OpenStack |
Fix Released
|
High
|
Igor Yozhikov | ||
| 6.0.x |
Invalid
|
High
|
Igor Yozhikov | ||
| 6.1.x |
Fix Released
|
High
|
Igor Yozhikov | ||
Bug Description
VERSION:
feature_groups:
- mirantis
production: "docker"
release: "6.1"
api: "1.0"
build_number: "200"
build_id: "2015-03-
nailgun_sha: "713e6684f9f54e
python-
astute_sha: "93e427ac49109f
fuellib_sha: "553cb0cffa40a5
ostf_sha: "e86c961ceacfa5
fuelmain_sha: "c97fd8a789645b
ENVIRONMENT:
HA mode, CentOS, Neutron with GRE segmentation, Cinder LVM, Sahara and Ceilometer are enabled, 3 (controller + mongo), 1 (compute + cinder)
HOW TO REPRODUCE:
Log into one of the controllers and execute the following commands:
# . openrc
# keystone tenant-create --name demo
# keystone user-create --tenant demo --name demo --pass demo
Now go to the OpenStack dashboard.
Log in as "demo" user.
Create a Heat stack, using the following template http://
EXPECTED RESULT:
The heat stack has been successfully created.
ACTUAL RESULT:
The heat stack has not been created and has status "Failed". See screenshot-1.
HOW TO FIX THE ISSUE:
First of all you should execute the following commands on the controller:
# keystone role-create --name heat_stack_owner
# keystone user-role-add --role heat_stack_owner --user demo --tenant demo
Further you should edit file /etc/heat/heat.conf on all controllers: comment the option "trusts_
pcs resource disable p_openstack-
pcs resource enable p_openstack-
Now try to create the same stack. The stack will be successfully created. See screenshot-2.
| Yaroslav Lobankov (ylobankov) wrote | #1 |
| Yaroslav Lobankov (ylobankov) wrote | #2 |
| Yaroslav Lobankov (ylobankov) wrote | #3 |
| description: | updated |
| summary: |
- Cannot create a new user from non-admin user, using Heat template + Cannot create a new resource from non-admin user, using Heat template |
| description: | updated |
| Pavlo Shchelokovskyy (pshchelo) wrote | #4 |
| Anastasia Kuznetsova (akuznetsova) wrote | #5 |
| Changed in mos: | |
| assignee: | Pavlo Shchelokovskyy (pshchelo) → Igor Yozhikov (iyozhikov) |
| Changed in mos: | |
| status: | New → Confirmed |
| Yaroslav Lobankov (ylobankov) wrote | #6 |
| Anastasia Kuznetsova (akuznetsova) wrote | #7 |
The heat_stack_owner role is a relic from the past. Everything should work without it in Juno, with __member__ role being enough to create such stacks via trusts delegation. I have tested our current code on a 6.1 deployed env, and after heat-engine restart everything seem to work as expected. Probably we are setting these trusts-related options too late during the deployment, so that additional heat-engine restart is needed.