tripleo

  1. Bug #1983342
  2. Comment #0

Comment 0 for bug 1983342

Revision history for this message
Takashi Kajinami (kajinamit) wrote :

Description
===========
The heat-engine service requires access to policy rules so that it can enforce policy rules for resource types.
 https://bugs.launchpad.net/puppet-heat/+bug/1983340

However currently the heat::policy class is not loaded when generating config files for heat-engine service, and the oslo.policy options are not rendered into the heat.conf file for heat-engine.

This prevents users from setting resource type policy rules by HeatApiPolicies.

Steps to reproduce
==================
* Create an environment file to define a resource type policy by HeatApiPolicies.

  parameter_defaults:
    HeatApiPolicies:
      'resource_types:OS::Nova::Flavor': ''

* Deploy overcloud/standalone with the environment file

* Create a stack with the flavor by a non-admin user

Expected result
===============
* Stack creation succeeds without error

Actual result
=============
* Stack creation fails because the user is not allowed to create a flavor resource

Environment
===========
* This issue was initially found in our downstream product based on stable/train

Logs & Configs
==============
N/A