Description of problem: 'ceilometer' user is missing 'ResellerAdmin' role (both on undercloud and overcloud). This results in failed checks for 'storage.*' meters(Swift): 2015-11-19 03:50:04.929 6974 INFO ceilometer.agent.manager [-] Polling pollster storage.containers.objects.size in the context of meter_source 2015-11-19 03:50:05.007 6974 INFO swiftclient [-] RESP BODY: <html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html> 2015-11-19 03:50:05.008 6974 WARNING ceilometer.agent.manager [-] Continue after error from storage.containers.objects.size: Account GET failed: http://192.0.2.6:8080/v1/AUTH_6e386057f06748f9a99d937a23b82c9d?for mat=json 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager Traceback (most recent call last): 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager File "/usr/lib/python2.7/site-packages/ceilometer/agent/manager.py", line 194, in poll_and_notify 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager for sample in samples: 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager File "/usr/lib/python2.7/site-packages/ceilometer/objectstore/swift.py", line 191, in get_samples 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager cache, tenants): 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager File "/usr/lib/python2.7/site-packages/ceilometer/objectstore/swift.py", line 81, in _iter_accounts 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager ksclient, tenants)) 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager File "/usr/lib/python2.7/site-packages/ceilometer/objectstore/swift.py", line 93, in _get_account_info 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager ksclient.auth_token)) 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager File "/usr/lib/python2.7/site-packages/swiftclient/client.py", line 556, in get_account 2015-11-19 03:50:05.008 6974 ERROR ceilometer.agent.manager http_response_content=body) Version-Release number of selected component (if applicable): openstack-ceilometer-api-5.0.0-1.el7ost.noarch openstack-ceilometer-central-5.0.0-1.el7ost.noarch openstack-ceilometer-common-5.0.0-1.el7ost.noarch openstack-ceilometer-compute-5.0.0-1.el7ost.noarch python-ceilometerclient-1.5.0-1.el7ost.noarch openstack-ceilometer-polling-5.0.0-1.el7ost.noarch openstack-ceilometer-collector-5.0.0-1.el7ost.noarch python-ceilometer-5.0.0-1.el7ost.noarch openstack-ceilometer-notification-5.0.0-1.el7ost.noarch openstack-ceilometer-alarm-5.0.0-1.el7ost.noarch Environment: Virtual HA setup(3controllers + 1 compute) Actual results: Traceback in logs. Expected results: 'ceilometer' user has correct group set.
So this patch will fix this bug: https://review.openstack.org/#/c/244162/ The reason is ::ceilometer::keystone::auth will add 'ResellerAdmin' role to 'ceilometer' user in Keystone.
*** Bug 1245267 has been marked as a duplicate of this bug. ***
Assigning the bug to Ben, I'm not author of the upstream patch.
The linked puppet patch is definitely not going to make OSP 8. We need a fix in os-cloud-config for this.
It looks to me like this was actually fixed about six months ago, but the bug wasn't open yet when the patch merged so there was a disconnect. This should be ready for QA in 8.0 already.
keystone user-role-list --user ceilometer --tenant service | grep Reseller | 2c2d14a586914b4da600aa8b01e6d1bc | ResellerAdmin | 20de971715fd428189fd95bf5ff458ec | c2332cc393ff4ad88a4274964d391de3 | keystone user-role-list --user ceilometer --tenant service | grep Reseller | 3b5b141c417344fe80727a8f4a67e1d3 | ResellerAdmin | dd188c3334414069934ea797a4e02181 | a04cb152a2cb411d887fe4da7a9f8092 | rpm -qa | grep tripleo-heat openstack-tripleo-heat-templates-kilo-0.8.14-1.el7ost.noarch openstack-tripleo-heat-templates-0.8.14-1.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0604.html