Admin can't create/update stack with nova flavor
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Heat | Fix Released | High | huangtianhua | |
Bug Description
1. create a stack with a nova flavor resource; the user has the role 'admin'
2. the stack is created successfully
3. modify the conf to enable reauth: reauthenticatio
4. restart the heat-engine
5. update the stack, then an error is raised: You are not authorized to use OS::Nova::Flavor
6. create a new stack with the same template (with nova flavor), an error is raised: Policy doesn't allow os_compute_
Then I checked the conf of my devstack and found the conf as below:
deferred_
trusts_
reauthenticatio
I think this bug was introduced by #1306294
https:/
https:/
As the code above shows, if we enable reauth, we reload the stack after storing it and use the new trust context, but with the trust we only delegate the '_member_' role, so the policy does not allow operating on resources that only administrators are allowed to use, in this case the nova flavor resource.
Changed in heat:
assignee: nobody → huangtianhua (huangtianhua)
importance: Undecided → High
Changed in heat:
milestone: none → mitaka-2
Changed in heat:
assignee: Steven Hardy (shardy) → huangtianhua (huangtianhua)
Changed in heat:
status: Fix Released → In Progress
Hi. I'm not sure that this is a bug. Please see this line https://github.com/openstack/heat/blob/master/heat/common/heat_keystoneclient.py#L219 . So if you put reauthentication_auth_method=trusts in your conf you need to ensure that you set trusts_delegated_roles properly. Also, such a problem can arise in any case where you use stored_context, not necessarily if you set deferred_auth_method=trusts.
The most simple and quick solution may be to insert one more check here https://github.com/openstack/heat/blob/master/heat/common/heat_keystoneclient.py#L219 if we decide that this is actually a bug.
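The role mismatch discussed in this thread can be checked from configuration before a stack operation fails. The following is an added example, not part of the bug report or Heat's own code: it reads the `[DEFAULT]` options named above and reports which resource types a trust-scoped context could not manage. The sample conf, the `ADMIN_ONLY_TYPES` map and all function names are constructed for illustration, and it models only the reported case where `reauthentication_auth_method=trusts`.

```python
import configparser

# Constructed sample heat.conf matching the settings discussed in the thread.
SAMPLE_CONF = """\
[DEFAULT]
deferred_auth_method = trusts
reauthentication_auth_method = trusts
trusts_delegated_roles = _member_
"""

# Assumption for illustration: the role each admin-only resource type needs.
ADMIN_ONLY_TYPES = {"OS::Nova::Flavor": "admin"}


def load_options(conf_text):
    """Return the [DEFAULT] options of a heat.conf supplied as text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return dict(parser.defaults())


def effective_roles(opts, user_roles):
    """Roles held once the stack is reloaded with the stored context."""
    if opts.get("reauthentication_auth_method", "") != "trusts":
        return set(user_roles)  # no reauth: the request's own roles apply
    raw = opts.get("trusts_delegated_roles", "")
    delegated = {r.strip() for r in raw.split(",") if r.strip()}
    # Assumption, per the option's help text: an unset list delegates
    # all of the trustor's roles.
    if not delegated:
        return set(user_roles)
    return set(user_roles) & delegated


def blocked_types(opts, user_roles, template_types):
    """Resource types in a template that the effective roles cannot manage."""
    roles = effective_roles(opts, user_roles)
    return sorted(t for t in template_types
                  if t in ADMIN_ONLY_TYPES and ADMIN_ONLY_TYPES[t] not in roles)


if __name__ == "__main__":
    opts = load_options(SAMPLE_CONF)
    print(blocked_types(opts, ["admin", "_member_"],
                        ["OS::Nova::Flavor", "OS::Nova::Server"]))
```
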