Bug 1238844 - heat_stack_user_role not usable after deployment
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Priority: high
Severity: unspecified
Assigned To: Jay Dobies
Amit Ugol
Reported: 2015-07-02 15:19 EDT by Ben Nemec
Modified: 2015-08-05 09:58 EDT
Fixed In Version: openstack-tripleo-heat-templates-0.8.6-29.el7ost
Doc Type: Bug Fix
Doc Text:
The Overcloud configured its Heat component incorrectly and lacked settings for heat_stack_user_role, stack_domain_admin, and stack_domain_admin_password. This fix correctly sets the user and admin roles in /etc/heat/heat.conf.
Last Closed: 2015-08-05 09:58:18 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 199204 None None None Never
Red Hat Product Errata RHEA-2015:1549 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform director Release 2015-08-05 13:49:10 EDT

Description Ben Nemec 2015-07-02 15:19:40 EDT
Description of problem: The config option heat_stack_user_role is set to an empty value by default after deploying with OSP director.  This makes it impossible to do simple things like creating servers with Heat.


Version-Release number of selected component (if applicable):
python-rdomanager-oscplugin-0.0.8-13.el7ost.noarch
instack-undercloud-2.1.2-6.el7ost.noarch

How reproducible: Always?


Steps to Reproduce:
1. Install OpenStack via OSP director
2. Try to deploy a stack that creates a server
3.

Actual results: ERROR heat.common.keystoneclient [-] Failed to add user ba-sw6-0-bf2x26luglme-OpenStackBMCServer-usvh72rhlmoz to role , check role exists!


Expected results: Heat stack deployed successfully


Additional info:
Comment 3 Ben Nemec 2015-07-02 15:21:49 EDT
I worked around this by setting the value to "admin" and restarting heat-engine, but that's probably not okay as a default.  Maybe we need to create a role for this as part of install?
Comment 4 chris alfonso 2015-07-06 11:58:56 EDT
Zane, should this default to the admin user role? If so, we can get it fixed to do so.
Comment 5 chris alfonso 2015-07-06 11:58:57 EDT
Zane, should this default to the admin user role? If so, we can get it fixed to do so.
Comment 6 Zane Bitter 2015-07-06 13:36:39 EDT
No, it should *definitely* not be the admin role. That would be a very very bad thing - this role is meant to have *minimal* privileges, because credentials for these users end up on servers deployed by Heat+Nova. The default (which is "heat_stack_user") should be correct, unless we are using a different value when we set up the Stack User domain in Keystone and create the role for it.

shardy's writeup on how/why this feature works may be helpful: http://hardysteven.blogspot.com/2014/04/heat-auth-model-updates-part-2-stack.html
Comment 7 Steve Baker 2015-07-06 17:20:35 EDT
Here is the current heat.conf contents for an overcloud heat:

# Keystone role for heat template-defined users. (string value)
#heat_stack_user_role = heat_stack_user
heat_stack_user_role =

# Keystone domain ID which contains heat template-defined users. If this option
# is set, stack_user_domain_name option will be ignored. (string value)
# Deprecated group/name - [DEFAULT]/stack_user_domain
#stack_user_domain_id = <None>

# Keystone domain name which contains heat template-defined users. If
# `stack_user_domain_id` option is set, this option is ignored. (string value)
#stack_user_domain_name = <None>

# Keystone username, a user with roles sufficient to manage users and projects
# in the stack_user_domain. (string value)
#stack_domain_admin = <None>

# Keystone password for stack_domain_admin user. (string value)
#stack_domain_admin_password = <None>

So heat_stack_user_role is incorrectly set to <empty>, and stack_user_domain_name, stack_domain_admin, stack_domain_admin_password are not being set at all. This would result in a non-functional heat so I'd like to propose this as a blocker.

heat.conf instance_user is also currently being set to heat-admin. This would better be set to <empty> so that the default image users can be used to ssh into guest vms.
Comment 8 James Slagle 2015-07-06 17:31:07 EDT
configuring the stack domain will be addressed by https://bugzilla.redhat.com/show_bug.cgi?id=1235748

what should heat_stack_user_role be set to?
Comment 9 Zane Bitter 2015-07-06 17:56:40 EDT
It should be left at the default (which fwiw is "heat_stack_user"), and not explicitly set to the empty string.
Comment 10 Steve Baker 2015-07-06 18:21:18 EDT
... or it can be explicitly set to heat_stack_user, whichever would be easiest.

I'll raise a separate bz for setting instance_user to blank
Comment 11 Ben Nemec 2015-07-06 18:58:38 EDT
Just verifying that setting it to heat_stack_user got me past the error as well, so that should take care of this bug.  Should only need to figure out where the blank value is coming from and fix that.
Comment 15 Amit Ugol 2015-07-21 11:40:08 EDT
Servers are created successfully now.
Comment 17 errata-xmlrpc 2015-08-05 09:58:18 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549
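
A post-deployment check for the settings discussed in this bug, added here as an example (it is not code from the bug report or from OSP director). It flags an explicitly empty heat_stack_user_role, the "admin" workaround, and the unset stack domain options. The function name, the [DEFAULT] section header and the sample values are assumptions made for the example.

```python
import configparser

EXPECTED_ROLE = "heat_stack_user"  # default value quoted in the comments above

def audit_heat_conf(text):
    """Return {option: finding} for the stack-user settings in heat.conf text."""
    # interpolation=None so a '%' in a password is not treated as a reference
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    opts = cp["DEFAULT"]
    findings = {}

    # An absent option falls back to Heat's default; only an explicit value can be wrong.
    if "heat_stack_user_role" in opts:
        role = opts["heat_stack_user_role"].strip()
        if not role:
            findings["heat_stack_user_role"] = "explicitly empty, overrides the default"
        elif role.lower() == "admin":
            findings["heat_stack_user_role"] = "admin role granted to stack users"
        elif role != EXPECTED_ROLE:
            findings["heat_stack_user_role"] = "non-default role, confirm it is minimal"

    # Either domain option is enough: the id takes precedence over the name.
    if not (opts.get("stack_user_domain_id", "").strip()
            or opts.get("stack_user_domain_name", "").strip()):
        findings["stack_user_domain"] = "neither domain id nor name is set"
    for key in ("stack_domain_admin", "stack_domain_admin_password"):
        if not opts.get(key, "").strip():
            findings[key] = "not set"
    return findings

# Constructed samples. BROKEN mirrors the excerpt in comment 7 with a [DEFAULT] header added.
BROKEN = """[DEFAULT]
#heat_stack_user_role = heat_stack_user
heat_stack_user_role =
#stack_user_domain_name = <None>
#stack_domain_admin = <None>
#stack_domain_admin_password = <None>
"""
WORKAROUND = BROKEN.replace("heat_stack_user_role =\n", "heat_stack_user_role = admin\n")
FIXED = """[DEFAULT]
heat_stack_user_role = heat_stack_user
stack_user_domain_name = example_heat_domain
stack_domain_admin = example_domain_admin
stack_domain_admin_password = example-password
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("workaround", WORKAROUND), ("fixed", FIXED)):
        print(name, audit_heat_conf(conf))
```

To check a deployed node, pass the contents of /etc/heat/heat.conf to audit_heat_conf().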
