Bug 1238844 - heat_stack_user_role not usable after deployment
Summary: heat_stack_user_role not usable after deployment
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: Director
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: ga
: Director
Assignee: Jay Dobies
QA Contact: Amit Ugol
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-07-02 19:19 UTC by Ben Nemec
Modified: 2015-08-05 13:58 UTC (History)
11 users (show)

Fixed In Version: openstack-tripleo-heat-templates-0.8.6-29.el7ost
Doc Type: Bug Fix
Doc Text:
The Overcloud's configured its Heat component incorrectly and lacked settings for heat_stack_user_role, stack_domain_admin, and stack_domain_admin_password. This fix correctly sets the user and admin roles in /etc/heat/heat.conf.
Clone Of:
Environment:
Last Closed: 2015-08-05 13:58:18 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
OpenStack gerrit 199204 None None None Never
Red Hat Bugzilla 1240449 None CLOSED overcloud heat instance_user is set to heat-admin 2019-04-12 01:32:35 UTC
Red Hat Product Errata RHEA-2015:1549 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform director Release 2015-08-05 17:49:10 UTC

Internal Links: 1240449

Description Ben Nemec 2015-07-02 19:19:40 UTC
Description of problem: The config option heat_stack_user_role is set to an empty value by default after deploying with OSP director.  This makes it impossible to do simple things like creating servers with Heat.


Version-Release number of selected component (if applicable):
python-rdomanager-oscplugin-0.0.8-13.el7ost.noarch
instack-undercloud-2.1.2-6.el7ost.noarch

How reproducible: Always?


Steps to Reproduce:
1. Install OpenStack via OSP director
2. Try to deploy a stack that creates a server
3.

Actual results: ERROR heat.common.keystoneclient [-] Failed to add user ba-sw6-0-bf2x26luglme-OpenStackBMCServer-usvh72rhlmoz to role , check role exists!


Expected results: Heat stack deployed successfully


Additional info:

Comment 3 Ben Nemec 2015-07-02 19:21:49 UTC
I worked around this by setting the value to "admin" and restarting heat-engine, but that's probably not okay as a default.  Maybe we need to create a role for this as part of install?

Comment 4 chris alfonso 2015-07-06 15:58:56 UTC
Zane, should this default to the admin user role? If so, we can get it fixed to do so.

Comment 5 chris alfonso 2015-07-06 15:58:57 UTC
Zane, should this default to the admin user role? If so, we can get it fixed to do so.

Comment 6 Zane Bitter 2015-07-06 17:36:39 UTC
No, it should *definitely* not be the admin role. That would be a very very bad thing - this role is meant to have *minimal* privileges, because credentials for these users end up on servers deployed by Heat+Nova. The default (which is "heat_stack_user") should be correct, unless we are using a different value when we set up the Stack User domain in Keystone and create the role for it.

shardy's writeup on how/why this feature works may be helpful: http://hardysteven.blogspot.com/2014/04/heat-auth-model-updates-part-2-stack.html

Comment 7 Steve Baker 2015-07-06 21:20:35 UTC
Here is the current heat.conf contents for an overcloud heat:

# Keystone role for heat template-defined users. (string value)
#heat_stack_user_role = heat_stack_user
heat_stack_user_role =

# Keystone domain ID which contains heat template-defined users. If this option
# is set, stack_user_domain_name option will be ignored. (string value)
# Deprecated group/name - [DEFAULT]/stack_user_domain
#stack_user_domain_id = <None>

# Keystone domain name which contains heat template-defined users. If
# `stack_user_domain_id` option is set, this option is ignored. (string value)
#stack_user_domain_name = <None>

# Keystone username, a user with roles sufficient to manage users and projects
# in the stack_user_domain. (string value)
#stack_domain_admin = <None>

# Keystone password for stack_domain_admin user. (string value)
#stack_domain_admin_password = <None>

So heat_stack_user_role is incorrectly set to <empty>, and stack_user_domain_name, stack_domain_admin, stack_domain_admin_password are not being set at all. This would result in a non-functional heat so I'd like to propose this as a blocker.

heat.conf instance_user is also currently being set to heat-admin. This would better be set to <empty> so that the default image users can be used to ssh into guest vms.

Comment 8 James Slagle 2015-07-06 21:31:07 UTC
configuring the stack domain will be address by https://bugzilla.redhat.com/show_bug.cgi?id=1235748

what should heat_stack_user_role be set to?

Comment 9 Zane Bitter 2015-07-06 21:56:40 UTC
It should be left at the default (which fwiw is "heat_stack_user"), and not explicitly set to the empty string.

Comment 10 Steve Baker 2015-07-06 22:21:18 UTC
... or it can be explicitly set to heat_stack_user, whichever would be easiest.

I'll raise a separate bz for setting instance_user to blank

Comment 11 Ben Nemec 2015-07-06 22:58:38 UTC
Just verifying that setting it to heat_stack_user got me past the error as well, so that should take care of this bug.  Should only need to figure out where the blank value is coming from and fix that.

Comment 15 Amit Ugol 2015-07-21 15:40:08 UTC
Servers are created successfully now.

Comment 17 errata-xmlrpc 2015-08-05 13:58:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549


Note You need to log in before you can comment on or make changes to this bug.