Bug 1314725

Summary: missing heat_stack_owner role after installation
Product: Red Hat OpenStack
Reporter: tkammer
Component: python-tripleoclient
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA
QA Contact: tkammer
Severity: high
Priority: unspecified
Version: 8.0 (Liberty)
CC: afazekas, cschwede, dbecker, hbrock, jcoufal, jslagle, lnatapov, mburns, mmagr, morazi, rhel-osp-director-maint
Target Milestone: Upstream M2
Keywords: Automation, AutomationBlocker
Target Release: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-tripleoclient-5.3.0-4.el7ost
Doc Type: Bug Fix
Clone Of:
: 1314732
Last Closed: 2017-05-17 19:27:41 UTC
Type: Bug
Bug Blocks: 1314732

Description tkammer 2016-03-04 10:47:20 UTC
Description of problem:
There is a missing role after deploying OSP8 with osp-director.
[root@undercloud ~]# openstack role list
+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| 0beece53fc7c4d3d880b58d4b92d21cb | swiftoperator   |
| 573ee117f1d5468b8fe8a998193d03a9 | admin           |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_        |
| c8f0127d2032450581edf45e5ef766c9 | ResellerAdmin   |
| fddcf2fa6e6541c5922c414453383381 | heat_stack_user |
+----------------------------------+-----------------+

The role "heat_stack_owner" is also referenced in the tempest-deployer-input.conf file provided by the osp-director:
stack_owner_role = heat_stack_owner

This causes the following tempest tests to fail:
tempest.api.orchestration.stacks.test_templates_negative.TemplateYAMLNegativeTestJSON
tempest.api.orchestration.stacks.test_environment.StackEnvironmentTest
tempest.api.orchestration.stacks.test_stacks.StacksTestJSON
tempest.api.orchestration.stacks.test_templates.TemplateAWSTestJSON
tempest.api.orchestration.stacks.test_nova_keypair_resources.NovaKeyPairResourcesAWSTest
tempest.api.orchestration.stacks.test_limits.TestServerStackLimits
tempest.api.orchestration.stacks.test_nova_keypair_resources.NovaKeyPairResourcesYAMLTest
tempest.api.orchestration.stacks.test_swift_resources.SwiftResourcesTestJSON
tempest.api.orchestration.stacks.test_templates_negative.TemplateAWSNegativeTestJSON
tempest.api.orchestration.stacks.test_resource_types.ResourceTypesTest
tempest.api.orchestration.stacks.test_non_empty_stack.StacksTestJSON
tempest.api.orchestration.stacks.test_soft_conf.TestSoftwareConfig
tempest.api.orchestration.stacks.test_templates.TemplateYAMLTestJSON
tempest.api.orchestration.stacks.test_volumes.CinderResourcesTest

How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP8 using osp-director
2. Run the above tests

Comment 2 Mike Burns 2016-04-07 21:14:44 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 3 Attila Fazekas 2016-10-10 14:02:58 UTC
https://review.openstack.org/#/c/155636/

AFAIK heat has not needed that role for a long time.

tempest-deployer-input.conf should not contain any heat specific role, unless the default user roles ([auth]tempest_roles) are not sufficient for a user to fully utilize heat.

Comment 4 Attila Fazekas 2016-10-11 06:35:45 UTC
The deployer-input-config actually has 'heat_stack_user' for stack_owner_role in my case, which is the opposite role!
It will not work for sure: that role is for heat, for special usage. Tempest should never get this role name, and especially should not try to create regular test users with this role.

The heat_stack_user role is a deny-almost-everything role.
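
Added example (not part of the bug thread and not tripleoclient or tempest code): a pre-flight check that compares the role names referenced in a deployer input file against the `openstack role list` output, and flags both the missing role from the description and the heat_stack_user case from comment 4. The role table is the one in the description; the conf snippets, the [orchestration] section name and the function names are assumptions.

```python
import configparser

# Role table copied from the bug description (`openstack role list` output).
ROLE_LIST = """\
+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| 0beece53fc7c4d3d880b58d4b92d21cb | swiftoperator   |
| 573ee117f1d5468b8fe8a998193d03a9 | admin           |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_        |
| c8f0127d2032450581edf45e5ef766c9 | ResellerAdmin   |
| fddcf2fa6e6541c5922c414453383381 | heat_stack_user |
+----------------------------------+-----------------+
"""
# Constructed samples; the [orchestration] section name is an assumption.
CONF_REPORTED = ("[auth]\ntempest_roles = _member_\n"
                 "[orchestration]\nstack_owner_role = heat_stack_owner\n")
CONF_COMMENT_4 = "[orchestration]\nstack_owner_role = heat_stack_user\n"

ROLE_KEYS = ("stack_owner_role", "tempest_roles")  # options that name roles
RESTRICTED_ROLES = {"heat_stack_user"}  # not for regular test users (comment 4)

def parse_role_table(text):
    """Return the set of role names from the CLI table output."""
    roles = set()
    for line in text.splitlines():
        if not line.lstrip().startswith("|"):
            continue  # skip borders, prompts and blank lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[1] != "Name":  # skip the header row
            roles.add(cells[1])
    return roles

def check_deployer_input(conf_text, existing_roles):
    """Return (section, option, role, problem) for every bad role reference."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        for key in ROLE_KEYS:
            if not parser.has_option(section, key):
                continue
            for role in (r.strip() for r in parser.get(section, key).split(",")):
                if role and role not in existing_roles:
                    findings.append((section, key, role, "missing"))
                elif role in RESTRICTED_ROLES:
                    findings.append((section, key, role, "restricted"))
    return findings

if __name__ == "__main__":
    for conf in (CONF_REPORTED, CONF_COMMENT_4):
        print(check_deployer_input(conf, parse_role_table(ROLE_LIST)))
```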

Comment 5 Jaromir Coufal 2016-10-11 13:18:46 UTC
Assigning to OpsTools to update Tempest tests.

Comment 6 Attila Fazekas 2016-10-11 13:36:03 UTC
This might help: https://review.openstack.org/#/c/384820/

Comment 7 Christian Schwede (cschwede) 2016-11-03 19:02:00 UTC
Fix has been merged upstream, and is included in the latest python-tripleoclient build.

Comment 10 Leonid Natapov 2017-02-02 15:23:02 UTC
python-tripleoclient-6.0.1-0.20170127055753.8ea289c.el7ost.noarch

Comment 11 errata-xmlrpc 2017-05-17 19:27:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245