Bug 1815011 - No permission to execute a stack check after a fresh install of RHOSP13
Summary: No permission to execute a stack check after a fresh install of RHOSP13
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-heat
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Linux
Target Milestone: ---
: ---
Assignee: David Peacock
QA Contact: David Rosenfeld
Depends On:
TreeView+ depends on / blocked
Reported: 2020-03-19 10:16 UTC by miguelcastilhodias
Modified: 2020-03-19 18:47 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-03-19 18:47:50 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description miguelcastilhodias 2020-03-19 10:16:22 UTC
Description of problem:
After a fresh install of RHOSP 13, if I use the command "openstack stack check <stack id>" it fails with the message "ERROR: You are not authorized to use actions:action."

Below is the heat policy. Note that this file was created as is after a fresh install.
$ cat /etc/heat/policy.json

In RHOSP 10 this behaviour does not happen. In RHOSP 10 the heat policy.json file has the rule "{"actions:action":"rule:deny_stack_user"}" as one of the many rules in the file. This allows the execution of the command "openstack stack check <stack id>".

Is this the intended behaviour for RHOSP 13?

Version-Release number of selected component (if applicable):
RHEL 7.6
$ openstack --version
openstack 3.14.3

How reproducible:
Every time after a fresh install of RHOSP 13.

Steps to Reproduce:
1. Fresh install RHOSP 13
2. Execute: $ openstack stack check <stack id>

Actual results:
$ openstack stack check f4c295b8-538b-4a36-a137-a1002de4b968
ERROR: You are not authorized to use actions:action.

Expected results:
Expected to execute the check on the stack

Additional info:

Comment 1 miguelcastilhodias 2020-03-19 14:32:23 UTC
One thing I forgot to mention is that it does work if I change the policy to {"actions:action":"rule:deny_stack_user"} or if I delete the line.

Comment 2 David Peacock 2020-03-19 18:47:50 UTC
Hi there,

The architecture changed significantly between Red Hat OpenStack Platform 10 and Red Hat OpenStack Platform 13.  These two architectures can be broadly categorised as pre-convergence and post-convergence.

In pre-convergence world, the stack was a monolithic structure that when updated or modified would require the entire stack to be locked whilst the heat engine iterated through the entire thing making any and all changes.  This was sub-optimal and problematic for numerous reasons beyond the scope of this bug.

With this knowledge we implemented the post-convergence architecture which persists to this day, in that the stack is locked at the resource group level, providing a safer, faster, and more nimble environment for the heat engine to work with.

The stack check command is no longer relevant to the post-convergence architecture, and can be mentally disposed of for your use cases now you're running Red Hat OpenStack Platform 13.

In short, don't worry about it, there's nothing to see here, please move on and enjoy your day. :-)

I hope this was helpful.


Note You need to log in before you can comment on or make changes to this bug.