Bug 1284422 - heat_stack_owner role is not being created
Summary: heat_stack_owner role is not being created
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-rdomanager-oscplugin
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ga
Target Release: 8.0 (Liberty)
Assignee: RHOS Maint
QA Contact: Daniel Mellado
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-23 10:14 UTC by Daniel Mellado
Modified: 2016-04-07 21:43 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-07 21:43:24 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:0604 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 8 director Enhancement Advisory 2016-04-08 01:03:56 UTC

Description Daniel Mellado 2015-11-23 10:14:25 UTC
Description of problem:

Heat-stack-owner is not being created, thus every tempest heat test fails.

[root@overcloud-controller-0 heat-admin]# keystone user-role-list --user heat --tenant service
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 32cac9275d70429794541f1ae98f45ec | 82056287c9924ebfabe3f5f5818a2bf1 |
| 9fd77d105fa6486282318e6750510b43 |  admin   | 32cac9275d70429794541f1ae98f45ec | 82056287c9924ebfabe3f5f5818a2bf1 |
+----------------------------------+----------+----------------------------------+----------------------------------+

keystone-role-list
+----------------------------------+-----------------+
|                id                |       name      |
+----------------------------------+-----------------+
| f6b0ead043ac4a5881b423e092acda61 |  ResellerAdmin  |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_    |
| 9fd77d105fa6486282318e6750510b43 |      admin      |
| 8f76a1ae1f9c4948b70b974beff82dbc | heat_stack_user |
| 7d70c099c8f344589781620125c01369 |  swiftoperator  |
+----------------------------------+-----------------+


Version-Release number of selected component (if applicable):


How reproducible:
Perform an installation using ospd

Steps to Reproduce:
1. Launch any heat tempest tests

Actual results:
They fail complaining about heat_stack_owner role not being there

Expected results:
For them to pass 


Additional info:

Comment 3 chris alfonso 2015-12-07 17:09:15 UTC
What is the impact on the end user, outside of running tempest tests?

Comment 4 Daniel Mellado 2015-12-09 07:31:14 UTC
If you go to the upstream guide, just like here: http://docs.openstack.org/juno/install-guide/install/yum/content/heat-install-controller-node.html you'll see that it's a prerequisite for the orchestration service, so I assume heat won't work properly.

Comment 5 Jaromir Coufal 2015-12-16 11:15:32 UTC
Zane, can you confirm the concern from comment #4? Thanks.

Comment 7 Ryan Brown 2015-12-17 11:52:38 UTC
Can you try using heat (create some trivial stack as an overcloud user)? 

I believe the `heat_stack_user` role will provide the right permissions. 

I'll research this more.

Comment 8 Zane Bitter 2016-01-07 16:32:48 UTC
AIUI the need for the heat_stack_owner role has been superseded by trusts. See:

https://review.openstack.org/#/c/155636/

So the issue may be that we're not configuring Heat in such a way that it is able to use trusts? I know that at a minimum access to the Keystone v3 API is required. I'm not sure what else.

Comment 9 Daniel Mellado 2016-01-25 13:34:45 UTC
+----------------------------------+------------------+
|                id                |       name       |
+----------------------------------+------------------+
| e3ea6ee7c83747c5a82de5d6b83c3d3c |  ResellerAdmin   |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_     |
| 265a5f2ca860463c9acdb049953aedcf |      admin       |
| 71c3e77841e941d48a5eb4d2b976b0dc | heat_stack_owner |
| c19114ecb0184d54b4f61260656a3cfe | heat_stack_user  |
| 914b76d8d199492dbefa1aff919451b2 |  swiftoperator   |
+----------------------------------+------------------+

Seems fixed in latest versions so we can close this

Comment 11 errata-xmlrpc 2016-04-07 21:43:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0604.html
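
The manual role check from the description can be scripted as a pre-flight step before running the heat tempest tests. This is an added example, not part of the original report or of any Red Hat tooling; the function names `role_names` and `missing_roles` are hypothetical, and the two sample tables reuse the role names shown above with constructed ids.

```shell
#!/bin/sh
# Added example: verify required Keystone roles from `keystone role-list` output.

# Constructed sample tables (role names from this report, ids are made up).
BEFORE='+----+-----------------+
| id |       name      |
+----+-----------------+
| r1 |  ResellerAdmin  |
| r2 |     _member_    |
| r3 |      admin      |
| r4 | heat_stack_user |
| r5 |  swiftoperator  |
+----+-----------------+'
AFTER='+----+------------------+
| id |       name       |
+----+------------------+
| r1 |  ResellerAdmin   |
| r2 |     _member_     |
| r3 |      admin       |
| r6 | heat_stack_owner |
| r4 | heat_stack_user  |
| r5 |  swiftoperator   |
+----+------------------+'

# Print the "name" column (2nd column) of a keystone ASCII table on stdin.
# Border lines contain no "|" and the header row is skipped explicitly.
role_names() {
    awk -F'|' 'NF >= 4 && $3 !~ /^ *name *$/ {
        gsub(/^ +| +$/, "", $3); print $3 }'
}

# missing_roles "<table text>" role...
# Prints every required role that is absent; returns 1 if any is missing.
# Matching is whole-line and literal, so "admin" is not satisfied by
# "ResellerAdmin" and "heat_stack_user" does not stand in for
# "heat_stack_owner".
missing_roles() {
    table=$1; shift
    present=$(printf '%s\n' "$table" | role_names)
    rc=0
    for role in "$@"; do
        printf '%s\n' "$present" | grep -Fxq -- "$role" || { echo "$role"; rc=1; }
    done
    return $rc
}

# Demo on the constructed tables; on a live controller, pass "$(keystone role-list)".
m=$(missing_roles "$BEFORE" heat_stack_owner heat_stack_user) || echo "before: missing $m"
m=$(missing_roles "$AFTER" heat_stack_owner heat_stack_user) && echo "after: all present"
```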