[Openstack] Heat autoscaling: heat.engine.resource Forbidden: You are not authorized to perform the requested action.

Pavlo Shchelokovskyy pshchelokovskyy at mirantis.com
Tue May 10 18:03:49 UTC 2016


Hi,

no, the "heat_stack_owner" role is actually not needed in MOS 8.0. Earlier it
was used as a special role to pass via trusts, but now all roles are passed
via trust by default. You do not have to be "admin" either; privilege
"escalation" is handled by Heat using Keystone V3 trusts and domains, which
should have been set up automatically during deployment.

One question though - is by any chance the "heat_stack_user" role assigned
to the actual ("human") user who is accessing the Heat API? It _must_not_ be -
this is a special role used by internal Heat-created users (implementation
detail), and it has _very_ limited privileges in regard to Heat API access.

Also, could you show the template you are testing autoscaling with? Just in
case...

Cheers,

Dr. Pavlo Shchelokovskyy
Senior Software Engineer
Mirantis Inc
www.mirantis.com

On Tue, May 10, 2016 at 6:52 PM, magicboiz at hotmail.com <
magicboiz at hotmail.com> wrote:

> Hi again,
>
> these are the roles I have :
>
> #openstack role list
> +----------------------------------+-----------------+
> | ID                               | Name            |
> +----------------------------------+-----------------+
> | 0d77782f1ae54fa799b0585b267fb746 | ResellerAdmin   |
> | 2c0a5b381f2b4f10b42aaa09678210a5 | heat_stack_user |
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_        |
> | d819d32c0eba4c86a99241e741c241c1 | admin           |
> | e0729bbb6f8544268fd371e50682754a | SwiftOperator   |
>
>
> So, there is no "heat_stack_owner" role defined in my environment, but
> you're right, in
> http://docs.openstack.org/draft/install-guide-ubuntu/heat-install.html
> the docs say:
>
> *Add the **heat_stack_owner** role to the **demo** project and user to
> enable stack management by the **demo** user:*
>
> *$** openstack role add --project demo --user demo heat_stack_owner*
>
>
> Is this a bug in Mirantis MOS 8.0?
>
>
> On 10/05/16 17:05, magicboiz at hotmail.com wrote:
>
> Hi Raghavendra,
>
>
> how can I check those privileges? Even with "admin" user, I get the same
> error..... :(
>
> Best regards
>
> J.
> On 10/05/16 13:23, <raghavendra.lad at accenture.com>
> raghavendra.lad at accenture.com wrote:
>
> Hi Mag,
>
>
>
> Please check if you have provided the *heat-stack-owner* and *admin* privileges
> to the tenant then try to spin up the Heat stack.
>
>
>
> Regards,
>
> Raghavendra Lad
>
>
>
> *From:* magicboiz at hotmail.com [mailto:magicboiz at hotmail.com
> <magicboiz at hotmail.com>]
> *Sent:* Tuesday, May 10, 2016 4:30 PM
> *To:* openstack at lists.openstack.org
> *Subject:* [Openstack] Heat autoscaling: heat.engine.resource Forbidden:
> You are not authorized to perform the requested action.
>
>
>
> Hi
>
> testing Openstack Mitaka (deployed with Mirantis FUEL 8.0), when testing
> Heat Autoscaling, I get this error:
>
> *heat.engine.resource Forbidden: You are not authorized to perform the
> requested action.*
>
>
>
> Any ideas on what's going on?
>
>
>
> Thanks in advance.
>
> J
>
>
>
>
>
>
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
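
The check asked about in the reply at the top of this message (is "heat_stack_user" assigned to a human user?), as an added example that is not part of the original thread. The JSON is a constructed sample; its shape (taken to match `openstack role assignment list --names -f json`), the Heat user domain name "heat" and the helper names are assumptions.

```python
import json

RESTRICTED_ROLE = "heat_stack_user"

# Constructed sample, assumed to match `openstack role assignment list --names -f json`,
# where User and Project are rendered as name@domain.
SAMPLE = """
[
  {"Role": "admin", "User": "admin@Default", "Project": "admin@Default"},
  {"Role": "_member_", "User": "demo@Default", "Project": "demo@Default"},
  {"Role": "heat_stack_user", "User": "demo@Default", "Project": "demo@Default"},
  {"Role": "heat_stack_user", "User": "asg-scaleup-user-x1@heat", "Project": "stackproj-x1@heat"}
]
"""


def split_scoped(value):
    """Split 'name@domain' on the last '@' so e-mail style names survive."""
    name, _, domain = value.rpartition("@")
    return (name, domain) if name else (value, "")


def human_users_with_stack_role(raw_json, heat_domain="heat"):
    """Return (user, domain, project) for each restricted-role holder outside Heat's domain."""
    findings = []
    for row in json.loads(raw_json):
        # Skip other roles and group-only assignments (no User field).
        if row.get("Role") != RESTRICTED_ROLE or not row.get("User"):
            continue
        user, domain = split_scoped(row["User"])
        # heat_domain is an assumption: set it to the deployment's stack user domain.
        if domain != heat_domain:
            project, _ = split_scoped(row.get("Project") or "")
            findings.append((user, domain, project))
    return sorted(findings)


if __name__ == "__main__":
    for user, domain, project in human_users_with_stack_role(SAMPLE):
        print(f"{user}@{domain} holds {RESTRICTED_ROLE} on project {project}; "
              f"fix: openstack role remove --project {project} --user {user} {RESTRICTED_ROLE}")
```
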

