OpenStack Heat

keystone role assignment failed

Bug #1614400 reported by Ethan Lynn on 2016-08-18

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Heat	Fix Released	Medium	Rabi Mishra	OpenStack Heat newton-3 "n3"

Bug Description

I'm using mitaka version heat

Using following template:
heat_template_version: 2015-04-30
resources:
  user:
    type: OS::Keystone::UserRoleAssignment
    properties:
      roles: [ {"project": ucd3, "role": admin}]
      user: "ucduser3"

Following errors happened:
2016-08-18 07:29:05.543 13929 INFO heat.engine.resource [-] CREATE: KeystoneUserRoleAssignment "user" Stack "role" [c4f04298-2caa-4540-a452-57f3b2db855b]
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource Traceback (most recent call last):
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resource.py", line 709, in _action_recorder
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource yield
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resource.py", line 780, in _do_action
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource yield self.action_handler_task(action, args=handler_args)
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/scheduler.py", line 311, in wrapper
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource step = next(subtask)
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resource.py", line 751, in action_handler_task
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource handler_data = handler(*args)
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resources/openstack/keystone/role_assignments.py", line 354, in handle_create
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource self.create_assignment(user_id=self.user_id)
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resources/openstack/keystone/role_assignments.py", line 250, in create_assignment
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource self.properties.get(self.ROLES))
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resources/openstack/keystone/role_assignments.py", line 114, in _add_role_assignments_to_user
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource self.client().roles.grant(
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource AttributeError: 'KeystoneClientV3' object has no attribute 'roles'
2016-08-18 07:29:05.543 13929 ERROR heat.engine.resource
2016-08-18 07:29:05.575 13929 INFO heat.engine.service [-] Stack create failed, status FAILED
2016-08-18 07:29:05.598 13929 INFO heat.engine.stack [-] Stack CREATE FAILED (role): Resource CREATE failed: AttributeError: resources.user: 'KeystoneClientV3' object has no attribute 'roles'

Tags:

Revision history for this message

Rabi Mishra (rabi) wrote on 2016-08-18:

I think this is reproducible on master too. I'll have a look.

Changed in heat:
importance:	Undecided → Medium
assignee:	nobody → Rabi Mishra (rabi)

Revision history for this message

Ethan Lynn (ethanlynn) wrote on 2016-08-18:

Rabi, thanks :)

Revision history for this message

Perry (panxia6679) wrote on 2016-08-18:

After updating https://github.com/openstack/heat/blob/stable/mitaka/heat/engine/resources/openstack/keystone/role_assignments.py#L114 to self.client()._client.roles.grant(, the problem is gone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-18: Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/357013

Changed in heat:
status:	New → In Progress

Rabi Mishra (rabi) on 2016-08-18

summary:	- create keystone roles failed + keystone role assignment failed
tags:	added: mitaka-backport-potential

Revision history for this message

Ethan Lynn (ethanlynn) wrote on 2016-08-18:

Another problem I found is that if I delete the user first, then this stack can't be deleted.

Delete_Failed: Resource DELETE failed: EntityNotFound: resources.user: The KeystoneUser (ucduser3) could not be found.

Revision history for this message

Rabi Mishra (rabi) wrote on 2016-08-18:

That's the issue of creating the RoleAssignment as separate resource. Deleting a user deletes it's role assignments. So we probably have to check for the existence of the user before going for doing any add/remove roles.

Revision history for this message

Niraj Patel (nirajdp) wrote on 2016-08-18:

There are other use cases where one is not able to delete a Failed Stack.

Assume the initial stack deployment failure can be due to any of the following reasons
- failed to assign role to a user for a given project

Now, when you try to delete the failed stack it tries to revoke the role that is not even assigned as stack deploy had failed prior to reach that step.

So we should extend delete stack / unassign role to account for this as well and let stack deletion complete successfully.

Thanks

Revision history for this message

Rabi Mishra (rabi) wrote on 2016-08-19:

I would suggest we raise separate bug report for other issues.

Changed in heat:
milestone:	none → newton-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-19: Related fix proposed to heat (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/357621

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-22: Fix merged to heat (master)

#10

Reviewed: https://review.openstack.org/357013
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=cba109872b2fe26ef9e8f307f74e87c7d2fbc0c3
Submitter: Jenkins
Branch: master

commit cba109872b2fe26ef9e8f307f74e87c7d2fbc0c3
Author: rabi <email address hidden>
Date: Thu Aug 18 13:52:58 2016 +0530

Override client() for RoleAssignment resources

It seems we've missed to override client() methods for some
keystone resource plugins.

This also fixes the tests for all keystone resources.

Change-Id: I97e4d4f0bbc9575109d9c8f59fe4795313d2f525
Closes-Bug: #1614400

Changed in heat:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-23: Fix proposed to heat (stable/mitaka)

#11

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/358975

Revision history for this message

Perry (panxia6679) wrote on 2016-08-23:

#12

Thanks Rabi and Ethan for your quick help.

I just cherry picked the commit to stable/mitaka. Please review. Thanks.

Revision history for this message

Perry (panxia6679) wrote on 2016-08-23:

#13

As per comment #7 and #8, I created another bug to track it: https://bugs.launchpad.net/heat/+bug/1615947

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-23: Related fix merged to heat (master)

#14

Reviewed: https://review.openstack.org/357621
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=1bb21c5bb3e1612cf4478465c1aa5a022b45f983
Submitter: Jenkins
Branch: master

commit 1bb21c5bb3e1612cf4478465c1aa5a022b45f983
Author: rabi <email address hidden>
Date: Fri Aug 19 10:27:55 2016 +0530

Delete RoleAssignment if user/group does not exist

    Currently deleting a user/group directly results
    in stack containing RoleAssignment resource stuck
    in DELETE_FAILED, when deleting the stack.This patch
    fixes it.

Change-Id: I48d5e1a92b99fa7e495c6bb2f131f169b9cf8076
Related-Bug: #1614400

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-25: Fix merged to heat (stable/mitaka)

#15

Reviewed: https://review.openstack.org/358975
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=55fc41a3d873de8cdaa10937d28192028d435e9f
Submitter: Jenkins
Branch: stable/mitaka

commit 55fc41a3d873de8cdaa10937d28192028d435e9f
Author: rabi <email address hidden>
Date: Thu Aug 18 13:52:58 2016 +0530

Override client() for RoleAssignment resources

It seems we've missed to override client() methods for some
keystone resource plugins.

This also fixes the tests for all keystone resources.

    Change-Id: I97e4d4f0bbc9575109d9c8f59fe4795313d2f525
    Closes-Bug: #1614400
    (cherry picked from commit cba109872b2fe26ef9e8f307f74e87c7d2fbc0c3)

tags:

added: in-stable-mitaka

Revision history for this message

Perry (panxia6679) wrote on 2016-08-27:

#16

@Rabi, I tried to cherry pick your commit https://git.openstack.org/cgit/openstack/heat/commit/?id=1bb21c5bb3e1612cf4478465c1aa5a022b45f983 to stable/mitaka, but I found that there is some conflict due to commit e0e92b9d6de8a2900a5faf07c4c9c86404db5601 in stable/mitaka. Would you mind rebasing/submitting it to stable/mitaka? Thanks!

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-09-01: Fix included in openstack/heat 7.0.0.0b3

#17

This issue was fixed in the openstack/heat 7.0.0.0b3 development milestone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-09-05: Related fix proposed to heat (stable/mitaka)

#18

Related fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/365447

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-09-06: Fix included in openstack/heat 6.1.0

#19

This issue was fixed in the openstack/heat 6.1.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-09-13: Change abandoned on heat (stable/mitaka)

#20

Change abandoned by Perry (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/365447

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-09-27: Related fix proposed to heat (stable/mitaka)

#21

Related fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/377670

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-10: Fix included in openstack/heat 6.1.0

#22

This issue was fixed in the openstack/heat 6.1.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-01-11: Related fix merged to heat (stable/mitaka)

#23

Reviewed: https://review.openstack.org/377670
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=7a387b8a53b2ebc3d169572d79f3141e72bde7dc
Submitter: Jenkins
Branch: stable/mitaka

commit 7a387b8a53b2ebc3d169572d79f3141e72bde7dc
Author: rabi <email address hidden>
Date: Fri Aug 19 10:27:55 2016 +0530

Delete RoleAssignment if user/group does not exist

    Currently deleting a user/group directly results
    in stack containing RoleAssignment resource stuck
    in DELETE_FAILED, when deleting the stack.This patch
    fixes it.

Related-Bug: #1614400
(cherry picked from commit 1bb21c5bb3e1612cf4478465c1aa5a022b45f983)

Change-Id: Ib62d1898ed105f599a8d852885f69bc45bd420b4

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.