Comment 15 for bug 1356084

Deliang Fan (vanderliang) wrote :

1. heat stack-create -f bug-1356084.yaml a
    an instance and a first user is created.

2. heat stack-update -f bug-1356084.yaml -P user_data=two bug-1356084
    After a new instance and the second user have been created, the primary instance and the first user will be deleted. But there comes the 403 failure from keystone during deleting the first user, which cause the failure of updating stack.

The primary cause of failure when updating the userdata of instance during stack update is that stack.stack_user_project_id is None when deleting the primary stack domain user. See in heat/engine/resources/stack_user.py

    def _delete_user(self):
        user_id = self._get_user_id()
        if user_id is None:
            return
        try:
            self.keystone().delete_stack_domain_user(
                user_id=user_id, project_id=self.stack.stack_user_project_id)
        except kc_exception.NotFound:
            pass
        except ValueError:
            # FIXME(shardy): This is a legacy delete path for backwards
            # compatibility with resources created before the migration
            # to stack_user.StackUser domain users. After an appropriate
            # transitional period, this should be removed.
            LOG.warn(_LW('Reverting to legacy user delete path'))
            try:
                self.keystone().delete_stack_user(user_id)
            except kc_exception.NotFound:
                pass

Because self.stack.stack_user_project_id is None, then delete_stack_domain_user fails and self.keystone().delete_stack_user(user_id) is to be called. The member role of demo user causes 403 failure from keystone during delete user.

So pass the stack_user_project_id to updated_stack, oldstack and backup_stack, then updates succeessfully.