[Openstack] heat-watch problem

Michaël Van de Borne michael.vandeborne at cetic.be
Wed Jul 3 14:21:38 UTC 2013


Hello Steven,
I'm mikemowgli from IRC. As requested, here are the logs.


1. First, here's a stack trace I get in my shell periodically (once per 
minute approximately), but not in the logs:
http://pastebin.com/kPswnGNL
(this might not be related to cloudwatch as I got this permanently)


2. Then, here is the error I get when I perform a heat-watch command. 
The logs of engine and cloudwatch are in attachment. In order to 
minimize their size, I launched and killed the daemons for this single 
heat-watch command.

It seems that my AWS creds are accepted, but that the user does have 
enough permissions. However, in keystone, the heat user is admin of the 
service tenant. The config files of engine, cloudwatch and boto (2.9.0) 
are also in attachment.

grizzly@leonard:~$ heat-watch -d describe
DEBUG:Debug level logging enabled
INFO:No AlarmName passed, getting results for ALL alarms
DEBUG:Using access key found in config file.
DEBUG:Using secret key found in config file.
DEBUG:Got CW connection object OK
DEBUG:Method: GET
DEBUG:Path: /v1/
DEBUG:Data:
DEBUG:Headers: {}
DEBUG:Host: 192.168.202.103:8003
DEBUG:Params: {'Action': 'DescribeAlarms', 'Version': '2010-08-01', 
'AlarmNames.member.1': None}
DEBUG:establishing HTTP connection: kwargs={'timeout': 70}
DEBUG:Token: None
DEBUG:using _calc_signature_2
DEBUG:query string: 
AWSAccessKeyId=88da7b10ddbe4f4cad198477352ef9fc&Action=DescribeAlarms&AlarmNames.member.1=None&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2013-07-03T14%3A08%3A54Z&Version=2010-08-01
DEBUG:string_to_sign: GET
192.168.202.103:8003
/v1/
AWSAccessKeyId=88da7b10ddbe4f4cad198477352ef9fc&Action=DescribeAlarms&AlarmNames.member.1=None&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2013-07-03T14%3A08%3A54Z&Version=2010-08-01
DEBUG:len(b64)=44
DEBUG:base64 encoded digest: UaFV/v+FEOEIStrQR7BAH2ci0uGjlWP+p1TwLO8FVM0=
DEBUG:query_string: 
AWSAccessKeyId=88da7b10ddbe4f4cad198477352ef9fc&Action=DescribeAlarms&AlarmNames.member.1=None&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2013-07-03T14%3A08%3A54Z&Version=2010-08-01 
Signature: UaFV/v+FEOEIStrQR7BAH2ci0uGjlWP+p1TwLO8FVM0=
DEBUG:<ErrorResponse><Error><Message>User is not authorized to perform 
action:Action DescribeAlarms not allowed for 
user</Message><Code>AccessDenied</Code><Type>Sender</Type></Error></ErrorResponse>
ERROR:403 AccessDenied
ERROR:<ErrorResponse><Error><Message>User is not authorized to perform 
action:Action DescribeAlarms not allowed for 
user</Message><Code>AccessDenied</Code><Type>Sender</Type></Error></ErrorResponse>
Traceback (most recent call last):
   File "/usr/local/bin/heat-watch", line 281, in <module>
     main()
   File "/usr/local/bin/heat-watch", line 268, in main
     result = cmd(opts, args)
   File 
"/usr/local/lib/python2.7/dist-packages/heat/cfn_client/utils.py", line 
32, in wrapper
     ret = func(*arguments, **kwargs)
   File "/usr/local/bin/heat-watch", line 65, in alarm_describe
     result = c.describe_alarm(**parameters)
   File 
"/usr/local/lib/python2.7/dist-packages/heat/cfn_client/boto_client_cloudwatch.py", 
line 57, in describe_alarm
     alarm_names=[name])
   File 
"/usr/local/lib/python2.7/dist-packages/boto/ec2/cloudwatch/__init__.py", line 
393, in describe_alarms
     [('MetricAlarms', MetricAlarms)])
   File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", 
line 1049, in get_list
     raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 AccessDenied
<ErrorResponse><Error><Message>User is not authorized to perform 
action:Action DescribeAlarms not allowed for 
user</Message><Code>AccessDenied</Code><Type>Sender</Type></Error></ErrorResponse>


thank you for your help,

michaël


-- 
Michaël Van de Borne
R&D Engineer, SOA team, CETIC
Phone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgli
www.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: api-cloudwatch.log
Type: text/x-log
Size: 55283 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130703/c61f99c5/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: engine.log
Type: text/x-log
Size: 60934 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130703/c61f99c5/attachment-0001.bin>
-------------- next part --------------
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
verbose = True

# Show debugging output in logs (sets DEBUG log level output)
debug = True

# Turn off standard error logging
use_stderr = False

# Log to this file. Make sure the user running heat-api has
# permissions to write to this file!
log_file = /var/log/heat/api-cloudwatch.log

# Send logs to syslog (/dev/log) instead of to file specified
# by `log_file`
use_syslog = False

# Facility to use. If unset defaults to LOG_USER.
# syslog_log_facility = LOG_LOCAL0

# Address to bind the server to
bind_host = 0.0.0.0

# Port to bind the server to
bind_port = 8003

rpc_backend=heat.openstack.common.rpc.impl_kombu
rabbit_password=grizzly

[keystone_authtoken]
auth_host = 192.168.202.103
auth_port = 35357
auth_protocol = http
auth_uri = http://192.168.202.103:5000/v2.0

# These must be set to your local values in order for the token
# authentication to work.
admin_tenant_name = service
admin_user = heat
admin_password = grizzly

[ec2authtoken]
auth_uri = http://192.168.202.103:5000/v2.0
keystone_ec2_uri = http://192.168.202.103:5000/v2.0/ec2tokens
-------------- next part --------------
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
verbose = True

# Show debugging output in logs (sets DEBUG log level output)
debug = True

# Turn off standard error logging
use_stderr = False

# Log to this file. Make sure the user running heat-api has
# permissions to write to this file!
log_file = /var/log/heat/engine.log

# Send logs to syslog (/dev/log) instead of to file specified
# by `log_file`
use_syslog = False

# Facility to use. If unset defaults to LOG_USER.
# syslog_log_facility = LOG_LOCAL0

# Keystone role for heat template-defined users
heat_stack_user_role = heat_stack_user

# Make instances connect to the heat services via https
# default to off since it will require images and host
# to be configured correctly to support ssl connections
instance_connection_is_secure = 0

# If is_secure is set to 1, certificate validation can
# be enabled or disabled
instance_connection_https_validate_certificates = 1

# The default user that heat creates in users for ssh
# administration is `ec2-user`, which is compatible with
# AWS CloudFormation. You can change it with instance_user
# instance_user = heat-admin

# URL for instances to connect for metadata
# ie the IP of the bridge device connecting the
# instances with the host and the bind_port of
# the CFN API
# NOTE : change this from 127.0.0.1 !!
heat_metadata_server_url = http://192.168.202.103:8000

# URL for instances to connect for notification
# of waitcondition events (ie via cfn-signal)
# e.g the IP of the bridge device connecting the
# instances with the host and the bind_port of
# the CFN API
# NOTE : change this from 127.0.0.1 !!
heat_waitcondition_server_url = http://192.168.202.103:8000/v1/waitcondition

# URL for instances to connect for publishing metric
# data (ie via cfn-push-stats)
# e.g the IP of the bridge device connecting the
# instances with the host and the bind_port of
# the heat-api-cloudwatch API
# NOTE : change this from 127.0.0.1 !!
heat_watch_server_url = http://192.168.202.103:8003

# The namespace for the custom backend. Must provide class Clients which will be
# imported. Defaults to OpenStack if none provided.
# cloud_backend=deltacloud_heat.client

sql_connection = mysql://heat:heat@localhost/heat

db_backend=heat.db.sqlalchemy.api

rpc_backend=heat.openstack.common.rpc.impl_kombu
rabbit_password=grizzly

auth_encryption_key=691112bcfca7ce71663cdf58b3f6d98f
-------------- next part --------------
[Credentials]
# AWS credentials, from keystone ec2-credentials-list
# Note this section should only be uncommented for per-user
# boto config files, copy this file to ~/.boto
# Alternatively the credentials can be passed into the boto
# client at constructor-time in your code
aws_access_key_id = 88da7b10ddbe4f4cad198477352ef9fc 
aws_secret_access_key = ea565d63813b412cb69db37a9df533e3

[Boto]
# Make boto output verbose debugging information
debug = 0

# Disable https connections
is_secure = 0

# Override the default AWS endpoint to connect to heat on localhost
cfn_region_name = heat
cfn_region_endpoint = 192.168.202.103

cloudwatch_region_name = heat
cloudwatch_region_endpoint = 192.168.202.103

# Set the client retries to 1, or errors connecting to heat repeat
# which is not useful when debugging API issues
num_retries = 1
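
An added example, not part of the original post and not boto's or heat's own code: it rebuilds the Signature Version 2 query string and string_to_sign from the Params in the debug output above, compares them with the logged ones, then signs and verifies with a constructed secret. The function names and CONSTRUCTED_SECRET are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Request parameters as they appear in the heat-watch debug output.
LOGGED_PARAMS = {
    "Action": "DescribeAlarms",
    "Version": "2010-08-01",
    "AlarmNames.member.1": None,  # sent on the wire as the text "None"
    "AWSAccessKeyId": "88da7b10ddbe4f4cad198477352ef9fc",
    "SignatureMethod": "HmacSHA256",
    "SignatureVersion": "2",
    "Timestamp": "2013-07-03T14:08:54Z",
}
# Query string and string_to_sign copied from the same debug output.
LOGGED_QUERY = (
    "AWSAccessKeyId=88da7b10ddbe4f4cad198477352ef9fc&Action=DescribeAlarms"
    "&AlarmNames.member.1=None&SignatureMethod=HmacSHA256&SignatureVersion=2"
    "&Timestamp=2013-07-03T14%3A08%3A54Z&Version=2010-08-01"
)
LOGGED_STRING_TO_SIGN = "GET\n192.168.202.103:8003\n/v1/\n" + LOGGED_QUERY

# Constructed value, not a credential from the post.
CONSTRUCTED_SECRET = "example-secret-not-from-the-post"


def canonical_query(params):
    """Sort by parameter name and percent-encode all but RFC 3986 unreserved."""
    enc = lambda v: quote(str(v), safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def string_to_sign(method, host, path, params):
    """SigV2 input: method, host header, path and canonical query, one per line."""
    return "\n".join([method.upper(), host.lower(), path, canonical_query(params)])


def sign_v2(secret, to_sign):
    """Base64 of HMAC-SHA256(secret, string_to_sign); always 44 characters."""
    mac = hmac.new(secret.encode(), to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_v2(secret, method, host, path, params, signature):
    """Receiver-side check: recompute the signature and compare in constant time."""
    expected = sign_v2(secret, string_to_sign(method, host, path, params))
    return hmac.compare_digest(expected, signature)
```
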

