2022-08-02 07:35:57 |
Takashi Kajinami |
bug |
|
|
added bug |
2022-08-02 07:36:34 |
Takashi Kajinami |
description |
Description
===========
The heat-engine service requires access to policy rules so that it can enforce policy rules for resource types.
https://bugs.launchpad.net/puppet-heat/+bug/1983340
However, currently the heat::policy class is not loaded when generating config files for the heat-engine service, and the oslo.policy options are not rendered into the heat.conf file for heat-engine.
This prevents users from setting resource type policy rules by HeatApiPolicies.
Steps to reproduce
==================
* Create an environment file to define a resource type policy by HeatApiPolicies.
  parameter_defaults:
    HeatApiPolicies:
      'resource_types:OS::Nova::Flavor': ''
* Deploy overcloud/standalone with the environment file
* Create a stack with the flavor by a non-admin user
Expected result
===============
* Stack creation succeeds without error
Actual result
=============
* Stack creation fails because the user is not allowed to create a flavor resource
Environment
===========
* This issue was initially found in our downstream product based on stable/train
Logs & Configs
==============
N/A |
Description
===========
This was initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=2113819 .
The heat-engine service requires access to policy rules so that it can enforce policy rules for resource types.
https://bugs.launchpad.net/puppet-heat/+bug/1983340
However, currently the heat::policy class is not loaded when generating config files for the heat-engine service, and the oslo.policy options are not rendered into the heat.conf file for heat-engine.
This prevents users from setting resource type policy rules by HeatApiPolicies.
Steps to reproduce
==================
* Create an environment file to define a resource type policy by HeatApiPolicies.
  parameter_defaults:
    HeatApiPolicies:
      'resource_types:OS::Nova::Flavor': ''
* Deploy overcloud/standalone with the environment file
* Create a stack with the flavor by a non-admin user
Expected result
===============
* Stack creation succeeds without error
Actual result
=============
* Stack creation fails because the user is not allowed to create a flavor resource
Environment
===========
* This issue was initially found in our downstream product based on stable/train
Logs & Configs
==============
N/A |
|
2022-08-02 07:36:59 |
Takashi Kajinami |
tripleo: importance |
Undecided |
High |
|
2022-08-02 07:37:02 |
Takashi Kajinami |
tripleo: assignee |
|
Takashi Kajinami (kajinamit) |
|
2022-08-02 07:37:07 |
Takashi Kajinami |
tripleo: milestone |
|
zed-1 |
|
2022-08-02 07:37:16 |
Takashi Kajinami |
tags |
|
train-backport-potential wallaby-backport-potential |
|
2022-08-02 07:37:25 |
Takashi Kajinami |
tripleo: status |
New |
In Progress |
|
2022-08-29 05:44:33 |
OpenStack Infra |
tripleo: status |
In Progress |
Fix Released |
|
2022-10-12 10:45:46 |
OpenStack Infra |
tags |
train-backport-potential wallaby-backport-potential |
in-stable-wallaby train-backport-potential wallaby-backport-potential |
|
2022-10-20 08:41:05 |
OpenStack Infra |
tags |
in-stable-wallaby train-backport-potential wallaby-backport-potential |
in-stable-train in-stable-wallaby train-backport-potential wallaby-backport-potential |
|