OpenStack Heat

Failed to create OS::Heat::Stack

Bug #1701498 reported by Ethan Lynn on 2017-06-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Heat	Triaged	Medium	Rabi Mishra	OpenStack Heat no-milestone-taged-bugs

Bug Description

When set reauthentication_auth_method = trusts in heat.conf, I got error "Resource CREATE failed: HTTPInternalServerError: resources.stack_one: ERROR: Remote error: Forbidden You are not authorized to perform the requested action." when create a stack from following template.

[elynn@ethan-devstack-vmware-ocata-0 ~]$ cat /tmp/region.yaml
heat_template_version: 2013-05-23
resources:
  stack_one:
    type: OS::Heat::Stack
    properties:
      context:
        region_name: RegionOne
      template: {get_file: /tmp/empty.yaml}
[elynn@ethan-devstack-vmware-ocata-0 ~]$ cat /tmp/empty.yaml
heat_template_version: 2013-05-23

comment out 'reauthentication_auth_method = trusts' in heat.conf could make it work. Any ideas about it?

Revision history for this message

Rabi Mishra (rabi) wrote on 2017-06-30:

I've not tested it, but I would guess the domain information is not being passed correctly. We do a context.to_dict() and then context.from_dict() in the RemoteStack.

May be you can try the changes L181/182 as in https://review.openstack.org/#/c/476014/3/heat/common/context.py and give it a try.

Revision history for this message

Rabi Mishra (rabi) wrote on 2017-06-30:

Ignore the comment above, I think it does not work. I'll have a look.

Rabi Mishra (rabi) on 2017-06-30

Changed in heat:
assignee:	nobody → Rabi Mishra (rabi)

Revision history for this message

Ethan Lynn (ethanlynn) wrote on 2017-07-03:

Thanks Rabi.

Revision history for this message

Rabi Mishra (rabi) wrote on 2017-07-03:

I think the issue is, when using reauth_auth_method=trusts, we reload the stack with the stored context (with trust_id) before creating the resources. Therefore, when making heap api call to create the remote stack, it would be using the trust scoped token, where again we try and create a trust for the remote stack (using that token) and it fails.

I've not fond a way around this yet.

Revision history for this message

Steven Hardy (shardy) wrote on 2017-07-03:

I think this is working as expected - keystone trusts by default don't allow a chain of delegation, to avoid unconstrained redelegation (such as the redelegation here between the parent stack and OS::Heat::Stack).

To make this work, I think you have to specify redelegation is possible at the point of creating the trust (which we don't currently support in heat, but we could add a flag to enable it)

https://specs.openstack.org/openstack/keystone-specs/specs/kilo/trusts-redelegation.html

https://docs.openstack.org/admin-guide/identity-use-trusts.html

Rico Lin (rico-lin) on 2017-07-05

Changed in heat:
status:	New → Triaged
importance:	Undecided → Medium

Revision history for this message

Ethan Lynn (ethanlynn) wrote on 2017-07-06:

Hi Steven,
Thanks for sharing this, it's useful! I still have a question, if I set allow_redelegation = True in keystone.conf, do I need to do change in heat side?

Revision history for this message

Rabi Mishra (rabi) wrote on 2017-07-06:

@Ethan,

It should have worked by setting that flag. However, there seems to be an issue with keystone when I tested.

To me it looks the redelegation_count is initialized to 0, when you get a redelegated trust with trust_id (that field does not seem persisted in db, sql driver). Hence the validation[1] for delegation_depth fails.

Commenting out the validation though makes it work.

[1] https://github.com/openstack/keystone/blob/master/keystone/trust/core.py#L65-L72

Though I may be missing something else here on why redelegation_count is not persisted.

Revision history for this message

Ethan Lynn (ethanlynn) wrote on 2017-07-07:

Maybe also set max_redelegation_count to a value larger than 0?

Revision history for this message

Rabi Mishra (rabi) wrote on 2017-07-07:

No that's the not issue, max_redelegation_count is by default 3. The issue is with keeping track of the delegation_count (which is decremented by 1 for every delegation) of the trust. That's alway initialized to 0 when the trust is fetched by the backend driver. Hence that check fails.

Rico Lin (rico-lin) on 2017-09-19

Changed in heat:
milestone:	none → queens-1

Rico Lin (rico-lin) on 2017-09-20

Changed in heat:
milestone:	queens-1 → none

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-10-10:

#10

Redelegation and impersonation are not designed to work together. Is the trust created with impersonation abilities?

https://developer.openstack.org/api-ref/identity/v3-ext/index.html#os-trust-api

Rico Lin (rico-lin) on 2018-05-07

Changed in heat:
milestone:	none → no-priority-tag-bugs

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.