Policy doesn't allow os_compute_api:os-cloudpipe to be performed
Bug #1693257 reported by kunthar
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Invalid | Undecided | Unassigned |
Bug Description
OS Version: Ocata
Ubuntu 16.04
openstack 3.8.1
Problem is related to cloudpipe. There are cloudpipe commands in nova and config params in CONF.nova, but we can't be sure if it is still in use and compatible with Ocata.
There is no clean documentation about what is happening to cloudpipe or which way is better to supply vpn client service. As a side note, there is no proper way for now to use vpnaas since it is unmaintained.
Here is the full error log:
https:/
In short:
Forbidden: Policy doesn't allow os_compute_
Why? Because tenant_id is project_id now.
The cloudpipe API extension was deprecated in Ocata:
https://developer.openstack.org/api-ref/compute/#cloudpipe-os-cloudpipe-deprecated
And it was actually removed in the 16.0.0 Pike release:
https://specs.openstack.org/openstack/nova-specs/specs/pike/approved/remove-nova-cert.html
Therefore I don't see much point in fixing this; the code is literally gone on the master branch (Pike). We could try to fix the policy defaults in Ocata, but I'm not sure that it's worth it; plus, policy can be modified/overridden in a deployment.