<div dir="ltr">Hi Florian,<div><br></div><div>great to hear that your problem is solved.</div><div><br></div><div>As I pointed out, in Liberty you actually do not need the "heat_stack_owner" role at all. Just make sure that in your heat.conf the following option is set to empty value (which AFAIK is default in Liberty):</div><div><br></div><div><div># Subset of trustor roles to be delegated to heat. If left unset, all roles of</div><div># a user will be delegated to heat when creating a stack. (list value) trusts_delegated_roles =</div></div><div><br></div><div>(that's new line right after after "=", for oslo_cfg to parse empty ListOpt).</div><div><br></div><div>At some point, heat_stack_owner role was used by default as a single role to be passed via trust, but now we can pass all roles at once without a need of a special role.</div><div><br></div><div>So to avoid future confusion, you can consider deleting the heat_stack_owner role and strictly advise people to not use heat_stack_user role for actual (human) OpenStack users (this one is internal for Heat). You could also rename that role to anything less confusing (like "heat_internal_do_not_use" :) ) and reconfigure heat.conf and heat's policy.json to use that name as a role for Heat-internal users.</div><div><br></div><div>Cheers,</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">Dr. Pavlo Shchelokovskyy<div>Senior Software Engineer</div><div>Mirantis Inc</div><div><a href="http://www.mirantis.com" target="_blank">www.mirantis.com</a></div></div></div></div></div></div>
<br><div class="gmail_quote">On Tue, May 17, 2016 at 5:29 PM, Florian Rommel <span dir="ltr"><<a href="mailto:florian.rommel@datalounges.com" target="_blank">florian.rommel@datalounges.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Hi, thank you for pointing it out, apparently you need to have one of the roles applied in Liberty (which is what we used), but my demo user had both applied. If then chooses the lower level access, hence no access. Once I gave the user only heat_stack_owner i could deploy stacks within the normal projects as normal users.<div><br></div><div>Thank you again.</div><span class="HOEnZb"><font color="#888888"><div><br></div></font></span><div><span class="HOEnZb"><font color="#888888">//Florian</font></span><div><div class="h5"><br><div><blockquote type="cite"><div>On 17 May 2016, at 16:37, Pavlo Shchelokovskyy <<a href="mailto:pshchelokovskyy@mirantis.com" target="_blank">pshchelokovskyy@mirantis.com</a>> wrote:</div><br><div><div dir="ltr">Hi,<div><br></div><div>are you sure that's "heat_stack_owner" and _not_ "heat_stack_user" role that is assigned to your normal, non-admin user? These are frequently confused, but there's a great deal of difference between them, the latter role indeed has almost no access to Heat API.</div><div><br></div><div>Also, what OpenStack version are you using? AFAIR starting from Kilo (or may be even later maintenance releases of Juno) one does not actually need the heat_stack_owner role altogether, all user roles should be passed via trust by default (you have to make sure Heat is configured to use Keystone V3 for that).</div><div><br></div><div>Cheers,</div></div><div class="gmail_extra"><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr">Dr. Pavlo Shchelokovskyy<div>Senior Software Engineer</div><div>Mirantis Inc</div><div><a href="http://www.mirantis.com/" target="_blank">www.mirantis.com</a></div></div></div></div></div></div>
<br><div class="gmail_quote">On Tue, May 17, 2016 at 4:19 PM, Florian Rommel <span dir="ltr"><<a href="mailto:florian.rommel@datalounges.com" target="_blank">florian.rommel@datalounges.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, all, most of our major hurdles are now gone with Openstack and it looks almost all great now..<br>
<br>
Now the tricky part. I have gotten into HEAT and have written many templates and actually very complex ones too and I would love for normal users and other tenants to be able to use them but I keep getting an error retrieving stack list.<br>
The user has heat stack owner assigned to him and i can see orchestration in the dashboard but no stacks can be retrieved nor looked at the resource types. What exactly kind of permissions/groups does the user need to be in?<br>
Thanks again for any help already.<br>
when i source the demo rc file i get:<br>
<br>
root@control:~ # source .opendemo<br>
root@control:~ # heat stack-list<br>
ERROR: You are not authorized to use index.<br>
root@control:~ #<br>
<br>
while the admin rc gives:<br>
<br>
root@control:~ # heat stack-list<br>
+--------------------------------------+------------+-----------------+----------------------------+--------------+<br>
| id | stack_name | stack_status | creation_time | updated_time |<br>
+--------------------------------------+------------+-----------------+----------------------------+--------------+<br>
| e7ca31f9-cd14-4f98-9f71-566ef69809c0 | Test4 | CREATE_COMPLETE | 2016-05-17T12:37:33.684783 | None |<br>
+--------------------------------------+------------+-----------------+----------------------------+--------------+<br>
root@control:~ #<br>
<br>
only difference is the project name and username/password.<br>
<br>
Best regards,<br>
//FR<br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
</blockquote></div><br></div>
</div></blockquote></div><br></div></div></div></div></blockquote></div><br></div>