Heat stacks can only be deployed by admin users in RHEL OSP 5
Environment
- Red Hat Enterprise Linux Openstack Platform 5 (RHEL OSP) on RHEL 6
- Red Hat Enterprise Linux Openstack Platform 5 (RHEL OSP) on RHEL 7
Issue
- Heat stacks can only be deployed by admin users in RHEL OSP 5
Resolution
This is resolved by RHEA-2014:0846
- Create the domain with the python-openstackclient client:
# yum install python-openstackclient -y
# openstack --os-token <atoken> --os-url=http://<KS_IP>:5000/v3 \
--os-identity-api-version=3 domain create heat \
--description "Owns users and projects created by heat"
- This returns a domain ID, referred to as <stack_user_domain id> below. Create the heat_domain_admin user in that domain, then grant it the admin role on the domain:
# openstack --os-token <atoken> --os-url=http://<KS_IP>:5000/v3 \
--os-identity-api-version=3 user create heat_domain_admin \
--password <password> --domain <stack_user_domain id>
# openstack --os-token <atoken> --os-url=http://<KS_IP>:5000/v3 \
--os-identity-api-version=3 role add --user heat_domain_admin \
--domain <stack_user_domain id> admin
- Update the domain ID, username and password in the [DEFAULT] section of heat.conf:
[DEFAULT]
stack_domain_admin_password = <password>
stack_domain_admin = heat_domain_admin
stack_user_domain = <domain id returned from domain create above>
- Restart the openstack-heat-engine service:
# systemctl restart openstack-heat-engine
- Now try to create the stack once again.
# . keystonerc_demo
(demo) # heat stack-create -f autoscaling.yaml -P 'database_flavor=2;image=4ca190db-ffaf-4008-a52b-c9d34f0debea;key=lyarwood;flavor=2;subnet_id=a81d243f-632e-4087-8eb0-fcf88d6e3c96;database_name=wordpress' test
[..]
(demo) # heat stack-list
+--------------------------------------+------------+-----------------+----------------------+
| id | stack_name | stack_status | creation_time |
+--------------------------------------+------------+-----------------+----------------------+
| ba02c3f2-e6b7-45d2-ad3e-8f051cf16eac | test | CREATE_COMPLETE | 2014-06-03T16:45:08Z |
+--------------------------------------+------------+-----------------+----------------------+
Root Cause
packstack requires heat update for domain users
Bugzilla 1076172 covered by RHEA-2014:0846
Diagnostic Steps
# . keystonerc_demo
(demo) # heat stack-create -f autoscaling.yaml -P 'database_flavor=2;image=4ca190db-ffaf-4008-a52b-c9d34f0debea;key=lyarwood;flavor=2;subnet_id=a81d243f-632e-4087-8eb0-fcf88d6e3c96;database_name=wordpress' test
[..]
(demo) # tailf /var/log/heat/engine.log
2014-06-03 12:13:20.902 18270 INFO heat.engine.resource [-] creating PoolMember "member" Stack "test-web_server_group-p22hg76awjsl-p7j62hiwc3yy-xuvqh6c3ovch" [ab1987da-26a1-47d2-ac6a-f385e6902026]
2014-06-03 12:13:22.661 18270 INFO heat.engine.resource [-] creating AutoScalingPolicy "web_server_scaleup_policy" Stack "test" [ad042d29-de69-4e60-bc33-e1b0a43dd959]
2014-06-03 12:13:22.668 18270 WARNING heat.common.keystoneclient [-] Falling back to legacy non-domain project, configure domain in heat.conf
2014-06-03 12:13:22.679 18270 WARNING heat.common.keystoneclient [-] Falling back to legacy non-domain user create, configure domain in heat.conf
2014-06-03 12:13:22.680 18270 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): 192.168.122.74
2014-06-03 12:13:22.686 18270 ERROR heat.engine.resource [-] CREATE : AutoScalingPolicy "web_server_scaleup_policy" Stack "test" [ad042d29-de69-4e60-bc33-e1b0a43dd959]
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource Traceback (most recent call last):
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/heat/engine/resource.py", line 417, in _do_action
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource handle())
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/heat/engine/resources/autoscaling.py", line 967, in handle_create
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource super(ScalingPolicy, self).handle_create()
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/heat/engine/signal_responder.py", line 46, in handle_create
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource super(SignalResponder, self).handle_create()
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/heat/engine/stack_user.py", line 38, in handle_create
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource self._create_user()
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/heat/engine/stack_user.py", line 51, in _create_user
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource project_id=self.stack.stack_user_project_id)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/heat/common/heat_keystoneclient.py", line 323, in create_stack_domain_user
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource return self.create_stack_user(username=username, password=password)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/heat/common/heat_keystoneclient.py", line 288, in create_stack_user
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource roles_list = self.client.roles.list()
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource return func(*args, **kwargs)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/v3/roles.py", line 108, in list
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource return super(RoleManager, self).list(**kwargs)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 66, in func
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource return f(*args, **new_kwargs)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 339, in list
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource self.collection_key)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 106, in _list
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource resp, body = self.client.get(url)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 590, in get
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource return self._cs_request(url, 'GET', **kwargs)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 582, in _cs_request
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource return self.request(url, method, **kwargs)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 564, in request
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource resp = super(HTTPClient, self).request(url, method, **kwargs)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/baseclient.py", line 21, in request
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource return self.session.request(url, method, **kwargs)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource return func(*args, **kwargs)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 266, in request
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource raise exceptions.from_response(resp, method, url)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource Forbidden: You are not authorized to perform the requested action, identity:list_roles. (HTTP 403)
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource
2014-06-03 12:13:22.708 18270 WARNING heat.engine.service [-] Stack create failed, status FAILED
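An added example (not part of the original article and not Red Hat tooling): a shell check that reports which of the three heat.conf options from the Resolution are still unset, and counts the engine.log lines that match the failure shown above. The function names, the sample heat.conf values and the temporary paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Red Hat's code: verify the stack-domain setup from this page.

# Print each stack-domain option that is absent, empty, or still an unfilled
# <placeholder> in the [DEFAULT] section of the heat.conf given as $1.
missing_domain_opts() {
    awk -F= '
        /^[ \t]*\[/ { in_default = ($0 ~ /^[ \t]*\[DEFAULT\]/); next }
        in_default && /^[ \t]*[A-Za-z_]+[ \t]*=/ {
            key = $1; gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (val != "" && val !~ /^</) seen[key] = 1
        }
        END {
            n = split("stack_user_domain stack_domain_admin stack_domain_admin_password", want, " ")
            for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i]
        }' "$1"
}

# Count log lines in $1 that show the failure from the Diagnostic Steps:
# the legacy non-domain fallbacks and the 403 on identity:list_roles.
count_domain_failures() {
    grep -c -E 'Falling back to legacy non-domain (project|user create)|not authorized to perform the requested action, identity:list_roles' "$1" || true
}

# Constructed heat.conf: admin user set, password unfilled, domain ID misplaced.
tmp=$(mktemp -d)
cat > "$tmp/heat.conf" <<'EOF'
[DEFAULT]
stack_domain_admin = heat_domain_admin
stack_domain_admin_password = <password>
[database]
stack_user_domain = 0123456789abcdef
EOF
# Log excerpt (first line shortened) from the engine.log shown on this page.
cat > "$tmp/engine.log" <<'EOF'
2014-06-03 12:13:20.902 18270 INFO heat.engine.resource [-] creating PoolMember "member"
2014-06-03 12:13:22.668 18270 WARNING heat.common.keystoneclient [-] Falling back to legacy non-domain project, configure domain in heat.conf
2014-06-03 12:13:22.679 18270 WARNING heat.common.keystoneclient [-] Falling back to legacy non-domain user create, configure domain in heat.conf
2014-06-03 12:13:22.686 18270 TRACE heat.engine.resource Forbidden: You are not authorized to perform the requested action, identity:list_roles. (HTTP 403)
EOF
echo "unset options: $(missing_domain_opts "$tmp/heat.conf" | tr '\n' ' ')"
echo "failure lines: $(count_domain_failures "$tmp/engine.log")"
```

An empty result from missing_domain_opts together with a zero count on a fresh engine.log after the restart indicates that heat-engine is no longer falling back to the legacy non-domain path.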