Description of problem:
Heat-stack-owner is not being created, thus every tempest heat test fails.

[root@overcloud-controller-0 heat-admin]# keystone user-role-list --user heat --tenant service
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 32cac9275d70429794541f1ae98f45ec | 82056287c9924ebfabe3f5f5818a2bf1 |
| 9fd77d105fa6486282318e6750510b43 |  admin   | 32cac9275d70429794541f1ae98f45ec | 82056287c9924ebfabe3f5f5818a2bf1 |
+----------------------------------+----------+----------------------------------+----------------------------------+

keystone-role-list
+----------------------------------+-----------------+
|                id                |       name      |
+----------------------------------+-----------------+
| f6b0ead043ac4a5881b423e092acda61 |  ResellerAdmin  |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_    |
| 9fd77d105fa6486282318e6750510b43 |      admin      |
| 8f76a1ae1f9c4948b70b974beff82dbc | heat_stack_user |
| 7d70c099c8f344589781620125c01369 |  swiftoperator  |
+----------------------------------+-----------------+

Version-Release number of selected component (if applicable):

How reproducible:
Perform an installation using ospd

Steps to Reproduce:
1. Launch any heat tempest tests

Actual results:
They fail complaining about heat_stack_owner role not being there

Expected results:
For them to pass

Additional info:
What is the impact on the end user, outside of running tempest tests?
If you go to the upstream guide, just like here: http://docs.openstack.org/juno/install-guide/install/yum/content/heat-install-controller-node.html you'll see that it's a prerequisite for the orchestration service, so I assume heat won't work properly.
Zane, can you confirm concern from comment #4? Thanks
Can you try using heat (create some trivial stack as an overcloud user)? I believe the `heat_stack_user` role will provide the right permissions. I'll research this more.
AIUI the need for the heat_stack_owner role has been superseded by trusts. See: https://review.openstack.org/#/c/155636/ So the issue may be that we're not configuring Heat in such a way that it is able to use trusts? I know that at a minimum access to the Keystone v3 API is required. I'm not sure what else.
+----------------------------------+------------------+
|                id                |       name       |
+----------------------------------+------------------+
| e3ea6ee7c83747c5a82de5d6b83c3d3c |  ResellerAdmin   |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_     |
| 265a5f2ca860463c9acdb049953aedcf |      admin       |
| 71c3e77841e941d48a5eb4d2b976b0dc | heat_stack_owner |
| c19114ecb0184d54b4f61260656a3cfe | heat_stack_user  |
| 914b76d8d199492dbefa1aff919451b2 |  swiftoperator   |
+----------------------------------+------------------+

Seems fixed in latest versions so we can close this
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0604.html