Bug 1284422

Summary: heat_stack_owner role is not being created
Product: Red Hat OpenStack
Reporter: Daniel Mellado <dmellado>
Component: python-rdomanager-oscplugin
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA
QA Contact: Daniel Mellado <dmellado>
Severity: high
Priority: urgent
Version: 8.0 (Liberty)
CC: dmellado, hbrock, jcoufal, jslagle, mburns, rhel-osp-director-maint, rybrown, shardy, tkammer, zbitter
Target Milestone: ga
Keywords: Automation, AutomationBlocker
Target Release: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2016-04-07 21:43:24 UTC
Type: Bug

Description Daniel Mellado 2015-11-23 10:14:25 UTC
Description of problem:

Heat-stack-owner is not being created, thus every tempest heat test fails.

[root@overcloud-controller-0 heat-admin]# keystone user-role-list --user heat --tenant service
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 32cac9275d70429794541f1ae98f45ec | 82056287c9924ebfabe3f5f5818a2bf1 |
| 9fd77d105fa6486282318e6750510b43 |  admin   | 32cac9275d70429794541f1ae98f45ec | 82056287c9924ebfabe3f5f5818a2bf1 |
+----------------------------------+----------+----------------------------------+----------------------------------+

keystone-role-list
+----------------------------------+-----------------+
|                id                |       name      |
+----------------------------------+-----------------+
| f6b0ead043ac4a5881b423e092acda61 |  ResellerAdmin  |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_    |
| 9fd77d105fa6486282318e6750510b43 |      admin      |
| 8f76a1ae1f9c4948b70b974beff82dbc | heat_stack_user |
| 7d70c099c8f344589781620125c01369 |  swiftoperator  |
+----------------------------------+-----------------+


Version-Release number of selected component (if applicable):


How reproducible:
Perform an installation using ospd

Steps to Reproduce:
1. Launch any heat tempest tests

Actual results:
They fail complaining about heat_stack_owner role not being there

Expected results:
For them to pass 


Additional info:

Comment 3 chris alfonso 2015-12-07 17:09:15 UTC
What is the impact on the end user, outside of running tempest tests?

Comment 4 Daniel Mellado 2015-12-09 07:31:14 UTC
If you go to the upstream guide, just like here: http://docs.openstack.org/juno/install-guide/install/yum/content/heat-install-controller-node.html you'll see that it's a prerequisite for the orchestration service, so I assume heat won't work properly.

Comment 5 Jaromir Coufal 2015-12-16 11:15:32 UTC
Zane, can you confirm concern from comment #4? Thanks

Comment 7 Ryan Brown 2015-12-17 11:52:38 UTC
Can you try using heat (create some trivial stack as an overcloud user)? 

I believe the `heat_stack_user` role will provide the right permissions. 

I'll research this more.

Comment 8 Zane Bitter 2016-01-07 16:32:48 UTC
AIUI the need for the heat_stack_owner role has been superseded by trusts. See:

https://review.openstack.org/#/c/155636/

So the issue may be that we're not configuring Heat in such a way that it is able to use trusts? I know that at a minimum access to the Keystone v3 API is required. I'm not sure what else.

Comment 9 Daniel Mellado 2016-01-25 13:34:45 UTC
+----------------------------------+------------------+
|                id                |       name       |
+----------------------------------+------------------+
| e3ea6ee7c83747c5a82de5d6b83c3d3c |  ResellerAdmin   |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_     |
| 265a5f2ca860463c9acdb049953aedcf |      admin       |
| 71c3e77841e941d48a5eb4d2b976b0dc | heat_stack_owner |
| c19114ecb0184d54b4f61260656a3cfe | heat_stack_user  |
| 914b76d8d199492dbefa1aff919451b2 |  swiftoperator   |
+----------------------------------+------------------+

Seems fixed in latest versions so we can close this
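
Added example, not part of the bug report and not Red Hat or OpenStack code: a pre-flight check that parses `keystone role-list` output and reports required roles that are absent, run here over the two tables posted in the Description and in Comment 9. The function names and the default required role are assumptions chosen for illustration.

```python
"""Pre-flight check: is a required role present in `keystone role-list` output?"""

# Tables copied from this bug report (Description, then Comment 9).
ROLE_LIST_BEFORE = """\
+----------------------------------+-----------------+
|                id                |       name      |
+----------------------------------+-----------------+
| f6b0ead043ac4a5881b423e092acda61 |  ResellerAdmin  |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_    |
| 9fd77d105fa6486282318e6750510b43 |      admin      |
| 8f76a1ae1f9c4948b70b974beff82dbc | heat_stack_user |
| 7d70c099c8f344589781620125c01369 |  swiftoperator  |
+----------------------------------+-----------------+
"""
ROLE_LIST_AFTER = """\
+----------------------------------+------------------+
|                id                |       name       |
+----------------------------------+------------------+
| e3ea6ee7c83747c5a82de5d6b83c3d3c |  ResellerAdmin   |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_     |
| 265a5f2ca860463c9acdb049953aedcf |      admin       |
| 71c3e77841e941d48a5eb4d2b976b0dc | heat_stack_owner |
| c19114ecb0184d54b4f61260656a3cfe | heat_stack_user  |
| 914b76d8d199492dbefa1aff919451b2 |  swiftoperator   |
+----------------------------------+------------------+
"""

def parse_table(text):
    """Parse the ASCII table printed by the keystone CLI into a list of dicts."""
    rows = [
        [cell.strip() for cell in line.strip().strip("|").split("|")]
        for line in text.splitlines()
        if line.strip().startswith("|")  # skip the +----+ border lines
    ]
    header = rows[0] if rows else []
    # Drop rows whose column count does not match the header (truncated output).
    return [dict(zip(header, r)) for r in rows[1:] if len(r) == len(header)]

def missing_roles(role_list_output, required=("heat_stack_owner",)):
    """Return the required role names absent from the output, sorted.

    The default `required` value is an assumption taken from this report.
    """
    present = {row["name"] for row in parse_table(role_list_output) if "name" in row}
    return sorted(set(required) - present)

if __name__ == "__main__":
    for label, out in (("before", ROLE_LIST_BEFORE), ("after", ROLE_LIST_AFTER)):
        print(label, "missing:", missing_roles(out) or "none")
```

Role names are matched exactly, so `heat_stack_user` does not satisfy a check for `heat_stack_owner`.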

Comment 11 errata-xmlrpc 2016-04-07 21:43:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0604.html