Bug 1303723

Summary: Service heat does not have required endpoint in service catalog for the resource type OS::Heat::StructuredDeployment
Product: Red Hat OpenStack Reporter: Jiri Stransky <jstransk>
Component: openstack-heatAssignee: Rabi Mishra <ramishra>
Status: CLOSED ERRATA QA Contact: Omri Hochman <ohochman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.0 (Liberty)CC: augol, jschluet, mburns, mlopes, ramishra, rhel-osp-director-maint, sbaker, shardy, yeylon, zbitter
Target Milestone: ga   
Target Release: 8.0 (Liberty)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-heat-5.0.1-2.el7ost Doc Type: Bug Fix
Doc Text:
Previously, heat would leave the context roles empty when loading the stored context. When signaling heat used the stored context (trust scoped token), and if the context did not have any roles, it failed. Consequently, the process failed with the error 'trustee has no delegated roles'. This fix addresses this issue by populating roles when loading the stored context. As a result, loading the auth ref, and populating the roles from the token will confirm that any RBAC performed on the context roles will work as expected, and that the stack update succeeds.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-07 21:27:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
os-collect-config
none
heat-engine log snippet
none
heat-api-cfn 10k lines none

Description Jiri Stransky 2016-02-01 18:34:57 UTC 
Created attachment 1120227 [details]
os-collect-config

Description of problem:

Hit when trying to upgrade from OSP 7 to OSP 8.

Os-collect-config is trying to report back to heat using the CFN API, but gets a 500 error response:

ResourceTypeUnavailable: Service heat does not have required endpoint in service catalog for the resource type OS::Heat::StructuredDeployment

Attaching relevant logs.


Heat version used:

[stack@instack ~]$ rpm -q openstack-heat-api openstack-heat-engine openstack-heat-common
openstack-heat-api-5.0.1-1.el7ost.noarch
openstack-heat-engine-5.0.1-1.el7ost.noarch
openstack-heat-common-5.0.1-1.el7ost.noarch
Comment 2 Jiri Stransky 2016-02-01 18:36:23 UTC 
Created attachment 1120228 [details]
heat-engine log snippet
Comment 3 Jiri Stransky 2016-02-01 18:43:24 UTC 
Created attachment 1120231 [details]
heat-api-cfn 10k lines
Comment 4 Jiri Stransky 2016-02-01 18:47:41 UTC 
Interesting is the error from the attached heat-engine log snippet:

2016-02-01 10:53:24.233 11434 ERROR heat.engine.resource Forbidden: Trustee has no delegated roles. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-2223404b-43da-467d-8482-b3ec73bb18f8)

Is that something that could be fixed by some additional configuration of the undercloud? If so, please try to give some hints and retarget to instack-undercloud.
Comment 9 Amit Ugol 2016-04-07 17:10:11 UTC 
Following the internal mail thread, upgrades are working better now => this is verified.
Comment 10 errata-xmlrpc 2016-04-07 21:27:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html