[Openstack] [heat] identity:create_domain failed (403)

Steven Hardy shardy at redhat.com
Tue Sep 9 10:29:54 UTC 2014


On Mon, Sep 08, 2014 at 11:07:57PM +0000, David Hill wrote:
> Hi guys,
>
> I have 2 environments that are almost identical but one of them gives me
> this:
>
> keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You are
> not authorized to perform the requested action, identity:create_domain.
> (HTTP 403)
>
> When I try to run:
>
> heat-keystone-setup-domain --stack-domain-admin stack_admin
> --stack-domain-admin-password $password --stack-user-domain-name heat
>
> The problem is that I'm using the same policy everywhere and one works but
> the other doesn't. I'm out of ideas!

I think heat-keystone-setup-domain is just the messenger here, and that
either the credentials used lack sufficient roles to create the domain, or
you have issues with the keystone configuration.

I'd suggest installing python-openstackclient and testing creating a domain
with that:

openstack --os-token atoken --os-url=http://127.0.0.1:5000/v3 \
--os-identity-api-version=3 domain create test123

You can actually use python-openstackclient to do all the domain
configuration; heat-keystone-setup-domain is just a convenience script for
some folks who didn't have it in their environments. Instructions here:

http://hardysteven.blogspot.co.uk/2014/04/heat-auth-model-updates-part-2-stack.html

Steve



