| Summary: | Service heat does not have required endpoint in service catalog for the resource type OS::Heat::StructuredDeployment | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Jiri Stransky <jstransk> | ||||||||
| Component: | openstack-heat | Assignee: | Rabi Mishra <ramishra> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | Omri Hochman <ohochman> | ||||||||
| Severity: | unspecified | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 8.0 (Liberty) | CC: | augol, jschluet, mburns, mlopes, ramishra, rhel-osp-director-maint, sbaker, shardy, yeylon, zbitter | ||||||||
| Target Milestone: | ga | ||||||||||
| Target Release: | 8.0 (Liberty) | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | openstack-heat-5.0.1-2.el7ost | Doc Type: | Bug Fix | ||||||||
| Doc Text: |
Previously, heat would leave the context roles empty when loading the stored context. When signaling heat used the stored context (trust scoped token), and if the context did not have any roles, it failed. Consequently, the process failed with the error 'trustee has no delegated roles'. This fix addresses this issue by populating roles when loading the stored context. As a result, loading the auth ref, and populating the roles from the token will confirm that any RBAC performed on the context roles will work as expected, and that the stack update succeeds.
|
Story Points: | --- | ||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2016-04-07 21:27:18 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Attachments: |
|
||||||||||
Created attachment 1120228 [details]
heat-engine log snippet
Created attachment 1120231 [details]
heat-api-cfn 10k lines
Interesting is the error from the attached heat-engine log snippet: 2016-02-01 10:53:24.233 11434 ERROR heat.engine.resource Forbidden: Trustee has no delegated roles. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-2223404b-43da-467d-8482-b3ec73bb18f8) Is that something that could be fixed by some additional configuration of the undercloud? If so, please try to give some hints and retarget to instack-undercloud. Following the internal mail thread, upgrades are working better now => this is verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0603.html |
Created attachment 1120227 [details] os-collect-config Description of problem: Hit when trying to upgrade from OSP 7 to OSP 8. Os-collect-config is trying to report back to heat using the CFN API, but gets a 500 error response: ResourceTypeUnavailable: Service heat does not have required endpoint in service catalog for the resource type OS::Heat::StructuredDeployment Attaching relevant logs. Heat version used: [stack@instack ~]$ rpm -q openstack-heat-api openstack-heat-engine openstack-heat-common openstack-heat-api-5.0.1-1.el7ost.noarch openstack-heat-engine-5.0.1-1.el7ost.noarch openstack-heat-common-5.0.1-1.el7ost.noarch