[Openstack] heat-watch problem

Michaël Van de Borne michael.vandeborne at cetic.be
Wed Jul 3 15:25:16 UTC 2013


As Steven told me on IRC, the problem was that the user associated with 
my EC2 creds had the heat_stack_user role in keystone.
This role is intended to be used only for the in-instance users, created 
as part of the stack, not real human users. This is described in policy.json.

thanks Steven,

btw: any idea about the first problem?

m.


Michaël Van de Borne
R&D Engineer, SOA team, CETIC
Phone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgli
www.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi

On 03/07/2013 16:21, Michaël Van de Borne wrote:
> Hello Steven,
> I'm mikemowgli from IRC. As requested, here are the logs.
>
>
> 1. First, here's a stack trace I get in my shell periodically (once 
> per minute approximately), but not in the logs:
> http://pastebin.com/kPswnGNL
> (this might not be related to cloudwatch as I got this permanently)
>
>
> 2. Then, here is the error I get when I perform a heat-watch command. 
> The logs of engine and cloudwatch are in attachment. In order to 
> minimize their size, I launched and killed the daemons for this single 
> heat-watch command.
>
> It seems that my AWS creds are accepted, but that the user does have 
> enough permissions. However, in keystone, the heat user is admin of 
> the service tenant. The config files of engine, cloudwatch and boto 
> (2.9.0) are also in attachment.
>
> grizzly at leonard:~$ heat-watch -d describe
> DEBUG:Debug level logging enabled
> INFO:No AlarmName passed, getting results for ALL alarms
> DEBUG:Using access key found in config file.
> DEBUG:Using secret key found in config file.
> DEBUG:Got CW connection object OK
> DEBUG:Method: GET
> DEBUG:Path: /v1/
> DEBUG:Data:
> DEBUG:Headers: {}
> DEBUG:Host: 192.168.202.103:8003
> DEBUG:Params: {'Action': 'DescribeAlarms', 'Version': '2010-08-01', 
> 'AlarmNames.member.1': None}
> DEBUG:establishing HTTP connection: kwargs={'timeout': 70}
> DEBUG:Token: None
> DEBUG:using _calc_signature_2
> DEBUG:query string: 
> AWSAccessKeyId=88da7b10ddbe4f4cad198477352ef9fc&Action=DescribeAlarms&AlarmNames.member.1=None&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2013-07-03T14%3A08%3A54Z&Version=2010-08-01
> DEBUG:string_to_sign: GET
> 192.168.202.103:8003
> /v1/
> AWSAccessKeyId=88da7b10ddbe4f4cad198477352ef9fc&Action=DescribeAlarms&AlarmNames.member.1=None&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2013-07-03T14%3A08%3A54Z&Version=2010-08-01
> DEBUG:len(b64)=44
> DEBUG:base64 encoded digest: UaFV/v+FEOEIStrQR7BAH2ci0uGjlWP+p1TwLO8FVM0=
> DEBUG:query_string: 
> AWSAccessKeyId=88da7b10ddbe4f4cad198477352ef9fc&Action=DescribeAlarms&AlarmNames.member.1=None&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2013-07-03T14%3A08%3A54Z&Version=2010-08-01 
> Signature: UaFV/v+FEOEIStrQR7BAH2ci0uGjlWP+p1TwLO8FVM0=
> DEBUG:<ErrorResponse><Error><Message>User is not authorized to perform 
> action:Action DescribeAlarms not allowed for 
> user</Message><Code>AccessDenied</Code><Type>Sender</Type></Error></ErrorResponse>
> ERROR:403 AccessDenied
> ERROR:<ErrorResponse><Error><Message>User is not authorized to perform 
> action:Action DescribeAlarms not allowed for 
> user</Message><Code>AccessDenied</Code><Type>Sender</Type></Error></ErrorResponse>
> Traceback (most recent call last):
>   File "/usr/local/bin/heat-watch", line 281, in <module>
>     main()
>   File "/usr/local/bin/heat-watch", line 268, in main
>     result = cmd(opts, args)
>   File 
> "/usr/local/lib/python2.7/dist-packages/heat/cfn_client/utils.py", 
> line 32, in wrapper
>     ret = func(*arguments, **kwargs)
>   File "/usr/local/bin/heat-watch", line 65, in alarm_describe
>     result = c.describe_alarm(**parameters)
>   File 
> "/usr/local/lib/python2.7/dist-packages/heat/cfn_client/boto_client_cloudwatch.py", 
> line 57, in describe_alarm
>     alarm_names=[name])
>   File 
> "/usr/local/lib/python2.7/dist-packages/boto/ec2/cloudwatch/__init__.py", 
> line 393, in describe_alarms
>     [('MetricAlarms', MetricAlarms)])
>   File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", 
> line 1049, in get_list
>     raise self.ResponseError(response.status, response.reason, body)
> boto.exception.BotoServerError: BotoServerError: 403 AccessDenied
> <ErrorResponse><Error><Message>User is not authorized to perform 
> action:Action DescribeAlarms not allowed for 
> user</Message><Code>AccessDenied</Code><Type>Sender</Type></Error></ErrorResponse>
>
>
> thank you for your help,
>
> michaël

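An added example, not part of the original message or of Heat's own code: a minimal evaluator for the kind of policy.json rule described above, showing why a correctly signed request still ends in 403 AccessDenied when the caller holds the heat_stack_user role. The policy excerpt, the role lists and the function names are constructed for illustration; the message does not quote the file.

```python
import json

# Constructed excerpt in the style of Heat's policy.json (assumption: the
# message only says the rule is described in policy.json, it does not quote it).
POLICY_JSON = """
{
    "deny_stack_user": "not role:heat_stack_user",
    "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
    "cloudwatch:PutMetricData": ""
}
"""

def check(rule, roles, rules):
    """Evaluate the small subset of policy syntax used in the excerpt."""
    rule = rule.strip()
    if rule == "":                      # empty rule: always allowed
        return True
    if rule.startswith("not "):         # negation of the remainder
        return not check(rule[4:], roles, rules)
    kind, _, value = rule.partition(":")
    if kind == "rule":                  # reference to another named rule
        return check(rules[value], roles, rules)
    if kind == "role":                  # caller must hold this role
        return value.lower() in {r.lower() for r in roles}
    raise ValueError("unsupported rule syntax: %r" % rule)

def is_allowed(action, roles, policy_text=POLICY_JSON):
    """Return True if a user holding `roles` may call the CloudWatch `action`."""
    rules = json.loads(policy_text)
    key = "cloudwatch:" + action
    if key not in rules:                # assumption: unknown actions are denied
        return False
    return check(rules[key], roles, rules)

def explain(action, roles):
    """One-line verdict in the vocabulary of the error shown in the log."""
    verdict = "allowed" if is_allowed(action, roles) else "AccessDenied"
    return "%s for roles %s: %s" % (action, sorted(roles), verdict)

if __name__ == "__main__":
    # Constructed role sets: in-instance user, human admin, and a user with both.
    print(explain("DescribeAlarms", ["heat_stack_user"]))
    print(explain("DescribeAlarms", ["admin"]))
    print(explain("DescribeAlarms", ["admin", "heat_stack_user"]))
    print(explain("PutMetricData", ["heat_stack_user"]))
```

Holding admin in addition to heat_stack_user does not help, because the rule is a negative match on the role rather than a check for sufficient privilege.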