Heat policy.json file needs to be updated for Kilo

Bug #1428451 reported by Kevin Carter
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack-Ansible | Fix Released | Medium | Kevin Carter |

Bug Description

The heat policy.json file needs to be updated in order to allow heat to fully run within the Kilo code base as deployed from master.

Our heat policy file should be replaced with the upstream file. The file to be replaced is:
https://github.com/stackforge/os-ansible-deployment/blob/master/playbooks/roles/os_heat/files/policy.json

The upstream file used that was tested as working is:
https://github.com/openstack/heat/blob/master/etc/heat/policy.json

Without the update, heat will not allow any access and will provide the following error:

-- Heat error --
{
    "code": 403,
    "error": {
        "message": "You are not authorized to complete this action.",
        "traceback": "Traceback (most recent call last):\n File \"/usr/local/lib/python2.7/dist-packages/heat/api/middleware/fault.py\", line 147, in process_request\n return req.get_response(self.application)\n File \"/usr/local/lib/python2.7/dist-packages/webob/request.py\", line 1320, in send\n application, catch_exc_info=False)\n File \"/usr/local/lib/python2.7/dist-packages/webob/request.py\", line 1284, in call_application\n app_iter = application(self.environ, start_response)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 130, in __call__\n resp = self.call_func(req, *args, **self.kwargs)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 195, in call_func\n return self.func(req, *args, **kwargs)\n File \"/usr/local/lib/python2.7/dist-packages/heat/common/wsgi.py\", line 397, in __call__\n response = req.get_response(self.application)\n File \"/usr/local/lib/python2.7/dist-packages/webob/request.py\", line 1320, in send\n application, catch_exc_info=False)\n File \"/usr/local/lib/python2.7/dist-packages/webob/request.py\", line 1284, in call_application\n app_iter = application(self.environ, start_response)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 130, in __call__\n resp = self.call_func(req, *args, **self.kwargs)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 195, in call_func\n return self.func(req, *args, **kwargs)\n File \"/usr/local/lib/python2.7/dist-packages/heat/common/wsgi.py\", line 397, in __call__\n response = req.get_response(self.application)\n File \"/usr/local/lib/python2.7/dist-packages/webob/request.py\", line 1320, in send\n application, catch_exc_info=False)\n File \"/usr/local/lib/python2.7/dist-packages/webob/request.py\", line 1284, in call_application\n app_iter = application(self.environ, start_response)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 130, in __call__\n resp = self.call_func(req, *args, **self.kwargs)\n File 
\"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 195, in call_func\n return self.func(req, *args, **kwargs)\n File \"/usr/local/lib/python2.7/dist-packages/heat/common/wsgi.py\", line 397, in __call__\n response = req.get_response(self.application)\n File \"/usr/local/lib/python2.7/dist-packages/webob/request.py\", line 1320, in send\n application, catch_exc_info=False)\n File \"/usr/local/lib/python2.7/dist-packages/webob/request.py\", line 1284, in call_application\n app_iter = application(self.environ, start_response)\n File \"/usr/local/lib/python2.7/dist-packages/keystonemiddleware/auth_token.py\", line 823, in __call__\n return self._call_app(env, start_response)\n File \"/usr/local/lib/python2.7/dist-packages/keystonemiddleware/auth_token.py\", line 758, in _call_app\n return self._app(env, _fake_start_response)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 130, in __call__\n resp = self.call_func(req, *args, **self.kwargs)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 195, in call_func\n return self.func(req, *args, **kwargs)\n File \"/usr/local/lib/python2.7/dist-packages/heat/common/wsgi.py\", line 397, in __call__\n response = req.get_response(self.application)\n File \"/usr/local/lib/python2.7/dist-packages/webob/request.py\", line 1320, in send\n application, catch_exc_info=False)\n File \"/usr/local/lib/python2.7/dist-packages/webob/request.py\", line 1284, in call_application\n app_iter = application(self.environ, start_response)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 144, in __call__\n return resp(environ, start_response)\n File \"/usr/local/lib/python2.7/dist-packages/routes/middleware.py\", line 136, in __call__\n response = self.app(environ, start_response)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 144, in __call__\n return resp(environ, start_response)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 130, in 
__call__\n resp = self.call_func(req, *args, **self.kwargs)\n File \"/usr/local/lib/python2.7/dist-packages/webob/dec.py\", line 195, in call_func\n return self.func(req, *args, **kwargs)\n File \"/usr/local/lib/python2.7/dist-packages/heat/common/wsgi.py\", line 687, in __call__\n raise translate_exception(err, request.best_match_language())\nForbidden: You are not authorized to complete this action.\n",
        "type": "Forbidden"
    },
    "explanation": "Access was denied to this resource.",
    "title": "Forbidden"
}
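A drift check for the situation the report describes, as an added example that is not part of the original report or of either project: it compares a deployed policy.json against the upstream one and flags `rule:<name>` references that have no definition, which oslo.policy-style enforcement evaluates as a denial. The two policies are constructed samples, and the `example:*` rule names are hypothetical.

```python
import json
import re

# Constructed sample policies, NOT the real os_heat or upstream heat files.
# The "example:*" rule names are hypothetical placeholders.
DEPLOYED = json.loads("""{
    "context_is_admin": "role:admin",
    "stacks:index": "rule:deny_stack_user",
    "stacks:create": "role:admin",
    "example:legacy_action": "rule:context_is_admin"
}""")
UPSTREAM = json.loads("""{
    "context_is_admin": "role:admin",
    "deny_stack_user": "not role:heat_stack_user",
    "stacks:index": "rule:deny_stack_user",
    "stacks:create": "rule:deny_stack_user",
    "example:new_action": "rule:deny_stack_user"
}""")

# Matches "rule:<name>" inside a policy expression; names may contain ':'.
RULE_REF = re.compile(r"\brule:([\w.:\-]+)")


def dangling_refs(policy):
    """Map each rule to the aliases it references that the file never defines.

    A reference to an undefined rule fails closed, so every action listed
    here is denied for all callers.
    """
    found = {}
    for name, expr in policy.items():
        refs = set(RULE_REF.findall(str(expr)))  # str() also covers list-form rules
        undefined = sorted(r for r in refs if r not in policy)
        if undefined:
            found[name] = undefined
    return found


def policy_drift(deployed, upstream):
    """Summarise how a deployed policy differs from the upstream reference."""
    common = set(deployed) & set(upstream)
    return {
        "missing": sorted(set(upstream) - set(deployed)),  # decided by the default rule
        "extra": sorted(set(deployed) - set(upstream)),    # stale entries, never looked up
        "changed": sorted(k for k in common if deployed[k] != upstream[k]),
        "dangling": dangling_refs(deployed),
    }


if __name__ == "__main__":
    print(json.dumps(policy_drift(DEPLOYED, UPSTREAM), indent=2))
```

For real files, load each with `json.load()` and pass the two dicts to `policy_drift()`; review the `changed` entries by hand, since a differing expression may be a deliberate local restriction.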

Changed in openstack-ansible:
importance: Undecided → Medium
Changed in openstack-ansible:
status: New → In Progress
assignee: nobody → Kevin Carter (kevin-carter)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/166986

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/166986
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=33f0c13ef40f8972a434019514be0d504e4a22ce
Submitter: Jenkins
Branch: master

commit 33f0c13ef40f8972a434019514be0d504e4a22ce
Author: Kevin Carter <email address hidden>
Date: Sun Mar 22 09:09:53 2015 -0500

    Updated repository for minimum viable kilo install

    * Updated Keystone wsgi and paste files from upstream.
    * Updated all clients in the openstack_client.yml file.
    * Kilo services are tracking the head of master.
    * Removed pinned middleware because they're pinned elsewhere.
    * Added additional service references for neutron vpnaas, fwaas, and
      lbaas which have now been moved into their own repos and no longer
      exist within the core neutron repository.
    * The neutron vpnaas, fwaas, and lbaas have been removed from the
      basic plugins being loaded and a comment has been added to describe
      how one might add them back in.
    * Updated rootwrap filters for neutron dhcp and l3.
    * Updated heat policy.json
    * Added the `python-libguestfs` to the nova-compute installation
      packages.
    * Updates all services to point to the latest kilo tag

    Services updated due to deprecated configs:
    * Keystone
    * Glance
    * Nova
    * Neutron (is still using the deprecated nova auth plugin)
    * Heat
    * Tempest

    Items for future work post initial release:
    * roles/os_neutron/files/post-up-checksum-rules:25:
      TODO(cloudnull) remove this script once the bug is fixed.
    * roles/rabbitmq_server/tasks/rabbitmq_cluster_join.yml:17:
      TODO(someone): implement a more robust way of checking

    Implements: blueprint minimal-kilo

    Closes-Bug: 1428421
    Closes-Bug: 1428431
    Closes-Bug: 1428437
    Closes-Bug: 1428445
    Closes-Bug: 1428451
    Closes-Bug: 1428469
    Closes-Bug: 1428639

    Change-Id: I28a305d9e40a9cf70148ef7d7b00d467a65ca076

Changed in openstack-ansible:
status: In Progress → Fix Committed
Changed in openstack-ansible:
status: Fix Committed → Fix Released