<div dir="ltr"><div><div><div>Hi,<br><br></div>no, "heat_stack_owner" role is actually not needed in MOS 8.0. Earlier it was used as a special role to pass via trusts, but now all roles are passed via trust by default. You also do not have to be "admin" either, priviledge "escalation" is handled by Heat using Keystone V3 trusts and domains which should have been set up automatically during deployment.<br><br>One question though - Is by any chance the "heat_stack_user" role assigned to the actual ("human") user who is accessing Heat API? It _must_not_ be - this is a special role used by internal Heat-created users (implementation detail), and it has _very_ limited privileges in regard Heat API access.<br><br></div><div>Also, could you show the template you are testing autoscaling with? just in case...<br></div><br></div>Cheers,<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">Dr. Pavlo Shchelokovskyy<div>Senior Software Engineer</div><div>Mirantis Inc</div><div><a href="http://www.mirantis.com" target="_blank">www.mirantis.com</a></div></div></div></div></div></div>
<br><div class="gmail_quote">On Tue, May 10, 2016 at 6:52 PM, <a href="mailto:magicboiz@hotmail.com">magicboiz@hotmail.com</a> <span dir="ltr"><<a href="mailto:magicboiz@hotmail.com" target="_blank">magicboiz@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi again,</p>
<p>these are the roles I have :</p>
<p>#openstack role
list <br>
+----------------------------------+-----------------+<br>
| ID | Name |<br>
+----------------------------------+-----------------+<br>
| 0d77782f1ae54fa799b0585b267fb746 | ResellerAdmin |<br>
| 2c0a5b381f2b4f10b42aaa09678210a5 | heat_stack_user |<br>
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |<br>
| d819d32c0eba4c86a99241e741c241c1 | admin |<br>
| e0729bbb6f8544268fd371e50682754a | SwiftOperator |<br>
</p>
<p><br>
</p>
<p>So, there is no "<tt><span>heat_stack_owner"</span></tt>
role defined in my environment, but you're right, in
<a href="http://docs.openstack.org/draft/install-guide-ubuntu/heat-install.html" target="_blank">http://docs.openstack.org/draft/install-guide-ubuntu/heat-install.html</a>
docs says:</p>
<p><font size="-1"><i>Add the </i><i><tt><span>heat_stack_owner</span></tt></i><i>
role to the </i><i><tt><span>demo</span></tt></i><i> project and user to
enable stack management by the </i><i><tt><span>demo</span></tt></i><i> user:</i></font></p>
<font size="-1"><i>
</i></font>
<div>
<div>
<pre><font size="-1"><i><span></span></i><i><span>$</span></i><i> openstack role add --project demo --user demo heat_stack_owner</i></font>
</pre>
</div>
<br>
Is this a bug in Mirantis MOS 8.0? <br>
<br>
</div><div><div class="h5">
<p><br>
</p>
<div>On 10/05/16 17:05,
<a href="mailto:magicboiz@hotmail.com" target="_blank">magicboiz@hotmail.com</a> wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<p>Hi <span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Raghavendra,</span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><br>
</span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">how
can I check those privileges? Even with "admin" user, I get
the same error..... :(</span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Best
regards</span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">J.<br>
</span></p>
<div>On 10/05/16 13:23, <a href="mailto:raghavendra.lad@accenture.com" target="_blank"></a><a href="mailto:raghavendra.lad@accenture.com" target="_blank">raghavendra.lad@accenture.com</a>
wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi
Mag,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Please
check if you have provided the <b>heat-stack-owner</b>
and <b>admin </b>privileges to the tenant then try to
spin up the Heat stack.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Regards,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Raghavendra
Lad<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
<a href="mailto:magicboiz@hotmail.com" target="_blank">magicboiz@hotmail.com</a>
[<a href="mailto:magicboiz@hotmail.com" target="_blank">mailto:magicboiz@hotmail.com</a>]
<br>
<b>Sent:</b> Tuesday, May 10, 2016 4:30 PM<br>
<b>To:</b> <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
<b>Subject:</b> [Openstack] Heat autoscaling:
heat.engine.resource Forbidden: You are not authorized
to perform the requested action.<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p>Hi<u></u><u></u></p>
<p>testing Openstack Mitaka (deployed with Mirantis FUEL 8.0),
when testing Heat Autoscaling, I get this error:<u></u><u></u></p>
<p><i><span style="font-size:10.0pt">heat.engine.resource
Forbidden: You are not authorized to perform the
requested action.</span></i><u></u><u></u></p>
<p><u></u> <u></u></p>
<p>Any ideas on what's going on?<u></u><u></u></p>
<p><u></u> <u></u></p>
<p>Thanks in advance.<u></u><u></u></p>
<p>J<u></u><u></u></p>
<p><u></u> <u></u></p>
<p><u></u> <u></u></p>
</div>
<br>
<hr> <font color="Gray" face="Arial" size="1"><br>
This message is for the designated recipient only and may
contain privileged, proprietary, or otherwise confidential
information. If you have received it in error, please notify
the sender immediately and delete the original. Any other use
of the e-mail by you is prohibited. Where allowed by local
law, electronic communications with Accenture and its
affiliates, including e-mail and instant messaging (including
content), may be scanned by our systems for the purposes of
information security and assessment of internal compliance
with Accenture policy. <br>
______________________________________________________________________________________<br>
<br>
<a href="http://www.accenture.com" target="_blank">www.accenture.com</a><br>
</font> </blockquote>
<br>
<br>
<fieldset></fieldset>
<br>
</div></div><span class=""><pre>_______________________________________________
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
</span></blockquote>
<br>
</div>
<br>_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br></blockquote></div><br></div>