You are not authorized to perform the requested action: identity:list_endpoints

Bug #1660395 reported by Jack Ivanov
Affects: OpenStack Heat
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello!

I'm trying to deploy a cluster with Sahara and have some problems with the heat waitcondition feature.
When an instance tries to execute a waitcondition request I get this error: nova compute endpoint is not in service catalog:
# curl --insecure -i -X POST -H 'X-Auth-Token: 0c497be675c14780aa01db4352ed494b' -H 'Content-Type: application/json' -H 'Accept: application/json' https://heat.domain.com/v1/c43d7563acdc4859b5b19937265f8c1c/stacks/saharatest5baa6814-vanilla-default-worker-lo5z7atnb6pw-2-pzes3ukcdmzl/a501bc0a-e130-4909-a423-90ca364b2532/resources/vanilla-default-worker-wc-handle/signal --insecure --data-binary '{"status": "SUCCESS"}'; echo
.....
{"explanation": "The server could not comply with the request since it is either malformed or otherwise incorrect.", "code": 400, "error": {"message": "HEAT-E99001 Service nova is not available for resource type OS::Nova::Server, reason: nova compute endpoint is not in service catalog.", "traceback": null, "type": "ResourceTypeUnavailable"}, "title": "Bad Request"}

I was trying to get endpoints with the same AuthToken:
curl -g -i -X GET https://keystone.domain.com/v3/endpoints -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: 0c497be675c14780aa01db4352ed494b"
....
{"error": {"message": "You are not authorized to perform the requested action: identity:list_endpoints", "code": 403, "title": "Forbidden"}}

The AuthToken applies to the `heat_stack_user` role.
(The Orchestration service automatically assigns the heat_stack_user role to users that it creates during stack deployment. By default, this role restricts API operations. To avoid conflicts, do not add this role to users with the heat_stack_owner role.)

Look at policy.json:
# grep list_endpoints /etc/keystone/policy.json
    "identity:list_endpoints": "rule:admin_required",
    "identity:list_endpoints_for_project": "rule:admin_required",
    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
    "identity:list_endpoints_for_policy": "rule:admin_required",

I see that admin_required is applied, but there is no mention of this in the docs.

Packages:
openstack-heat-api-cfn-7.0.1-1.el7.noarch
python2-heatclient-1.5.0-1.el7.noarch
openstack-heat-engine-7.0.1-1.el7.noarch
openstack-heat-api-7.0.1-1.el7.noarch
openstack-heat-common-7.0.1-1.el7.noarch

The expected result:
1. The error message in a waitcondition request should be more informative
2. The workaround should be reflected in the docs

Jack Ivanov (gunph1ld)
description: updated
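The 403 above is keystone's policy engine doing what the quoted policy.json tells it to: every `identity:list_endpoints*` action resolves to `rule:admin_required`, and a token that carries only `heat_stack_user` cannot satisfy it. The following is an added example (not heat, keystone or oslo.policy code) that reimplements just enough of the oslo.policy rule grammar (`rule:`, `role:`, generic `key:value`, `@`, `!`, `not`/`and`/`or`, parentheses, and the fallback to the `default` rule) to evaluate the report's policy lines against a stack-user token and an admin token. The four `identity:list_endpoints*` entries are the ones quoted in the report; the `admin_required` and `default` entries are assumed to match keystone Newton's stock policy.json, and the credential dicts are constructed for the demonstration.

```python
"""Evaluate oslo.policy-style rules from a keystone policy.json.

Added illustration for this bug report, not oslo.policy or keystone's enforcer.
The identity:list_endpoints* lines are quoted from the report; admin_required
and default are assumed to match keystone Newton's stock policy.json.
"""
import json
import re

# Constructed policy.json fragment (provenance in the module docstring).
POLICY_JSON = """{
    "admin_required": "role:admin or is_admin:1",
    "default": "rule:admin_required",
    "identity:list_endpoints": "rule:admin_required",
    "identity:list_endpoints_for_project": "rule:admin_required",
    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
    "identity:list_endpoints_for_policy": "rule:admin_required"
}"""

# Constructed credential dicts, i.e. what keystone derives from a token.
# Heat gives the users it creates for signalling only the heat_stack_user role.
STACK_USER_CREDS = {"roles": ["heat_stack_user"], "project_id": "c43d7563acdc4859b5b19937265f8c1c"}
ADMIN_CREDS = {"roles": ["admin"], "project_id": "c43d7563acdc4859b5b19937265f8c1c"}

_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def load_rules(text):
    """Parse policy.json text into {action_or_rule_name: rule_expression}."""
    return json.loads(text)


class _RuleParser:
    """Recursive-descent evaluator; 'and' binds tighter than 'or', as in oslo.policy."""

    def __init__(self, rules, creds, text):
        self.rules, self.creds = rules, creds
        self.toks, self.pos = _TOKEN_RE.findall(text), 0

    def evaluate(self):
        result = self._or()
        if self.pos != len(self.toks):
            raise ValueError("trailing tokens after %r" % self.toks[self.pos - 1])
        return result

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        self.pos += 1
        return self.toks[self.pos - 1]      # IndexError on a truncated rule

    def _or(self):
        value = self._and()
        while self._peek() == "or":
            self._next()
            rhs = self._and()               # always parse the rhs so tokens are consumed
            value = value or rhs
        return value

    def _and(self):
        value = self._factor()
        while self._peek() == "and":
            self._next()
            rhs = self._factor()
            value = value and rhs
        return value

    def _factor(self):
        tok = self._next()
        if tok == "not":
            return not self._factor()
        if tok == "(":
            value = self._or()
            if self._next() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        return self._check(tok)

    def _check(self, tok):
        if tok == "@":                      # always allow
            return True
        if tok == "!":                      # always deny
            return False
        kind, sep, match = tok.partition(":")
        if not sep:
            raise ValueError("malformed check %r" % tok)
        if kind == "rule":                  # named rule reference; an unknown rule denies
            if match not in self.rules:
                return False
            return _RuleParser(self.rules, self.creds, self.rules[match]).evaluate()
        if kind == "role":                  # role names compare case-insensitively
            return match.lower() in (r.lower() for r in self.creds.get("roles", []))
        value = self.creds.get(kind)        # generic key:value check, compared as strings
        return value is not None and str(value) == match


def enforce(rules, action, creds):
    """True if creds satisfy the rule for `action` (keystone answers 403 on False).
    An action without an explicit entry falls back to the "default" rule."""
    expr = rules.get(action, rules.get("default", "!"))
    return _RuleParser(rules, creds, expr).evaluate()


def denied_actions(rules, creds, prefix):
    """Sorted list of actions starting with `prefix` that creds may not perform."""
    return sorted(a for a in rules if a.startswith(prefix) and not enforce(rules, a, creds))


RULES = load_rules(POLICY_JSON)

if __name__ == "__main__":
    for name, creds in (("heat_stack_user", STACK_USER_CREDS), ("admin", ADMIN_CREDS)):
        for action in sorted(a for a in RULES if a.startswith("identity:")):
            verdict = "allowed" if enforce(RULES, action, creds) else "403 Forbidden"
            print("%-16s %-56s %s" % (name, action, verdict))
```

Running it prints `403 Forbidden` for every `identity:list_endpoints*` action under the stack-user credentials and `allowed` under the admin ones, which is exactly the split the two curl calls in the report show. The point for an operator is that the stack-user token is deliberately scoped down, so the 403 is not something to fix by loosening keystone's policy; the open question in the report is why heat's signal path ends up needing that call and why the resulting HEAT-E99001 error hides the real cause.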
Revision history for this message
Rabi Mishra (rabi) wrote :

Seems like a keystone configuration issue. How is your keystone deployed? I don't think you can do list_endpoint with the stack_user token. Also, it's very difficult to know what's going on with the above information. Can you provide the complete heat engine log?

Changed in heat:
status: New → Incomplete
Revision history for this message
Jack Ivanov (gunph1ld) wrote :

It's not a keystone configuration issue, openstack-keystone-10.0.0 in Newton by default uses those restrictions - https://github.com/openstack/keystone/blob/339e7cc798aed24b7697980eb7cf8e20498d436d/etc/policy.json#L26

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for heat because there has been no activity for 60 days.]

Changed in heat:
status: Incomplete → Expired