Subusers cannot delete stacks with software config
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Heat |
Fix Released
|
Undecided
|
Drago | ||
Bug Description
Subusers which cannot create or delete Keystone users cannot delete stacks that have Nova servers with their user_data_format set to SOFTWARE_CONFIG even though no stack users are created. User deletion should be skipped if no user has been created (based upon the existence of a user_id in the resource's data [1]), but because a user ID is *always* returned [2], Heat always attempts to delete a user through Keystone. When this call to Keystone 403s, the stack deletion fails.
To reproduce:
- Create a subuser that cannot create users itself
- Create a stack using a template like [3]
- Delete the stack using the subuser
Expected behavior:
- Stack creates and deletes successfully
Actual behavior:
- Stack creates successfully
- Stack deletion results in DELETE_FAILED
[1] https:/
[2] https:/
[3]
heat_template_
parameters:
flavor:
type: string
description: Flavor for the server to be created
default: m1.small
constraints:
- custom_constraint: nova.flavor
image:
type: string
description: Image ID or image name to use for the server
constraints:
- custom_constraint: glance.image
resources:
server:
type: OS::Nova::Server
properties:
image: { get_param: image }
flavor: { get_param: flavor }
user_
user_data: { get_resource: config }
config:
type: OS::Heat:
config: |
#!/bin/bash
echo foo
| OpenStack Infra (hudson-openstack) wrote Fix proposed to heat (master) | #1 |
| Changed in heat: | |
| assignee: | nobody → Drago (dragorosson) |
| status: | New → In Progress |
| Sergey Kraynev (skraynev) wrote | #2 |
| Changed in heat: | |
| milestone: | none → mitaka-2 |
| status: | In Progress → Fix Released |
Fix proposed to branch: master
Review: https:/