Authorization problem when using "WaitCondition" by non-admin tenant user

asked 2013-07-31 08:15:40 -0500

kimi-zhangkai

Hello,

I am trying the template https://github.com/openstack/heat-templates/blob/master/cfn/WordPress_With_LB.template

I use a non-admin tenant user.

I get a "CREATE_FAILED" error when creating the stack.

/var/log/heat/engine.log shows the error below:

    2013-07-31 14:13:58.655 48115 ERROR heat.engine.resource [-] create WaitConditionHandle "WaitHandle"
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource Traceback (most recent call last):
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource   File "/usr/lib/python2.6/site-packages/heat/engine/resource.py", line 320, in create
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource     self.handle_create()
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource   File "/usr/lib/python2.6/site-packages/heat/engine/resources/wait_condition.py", line 89, in handle_create
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource     self.physical_resource_name())
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource   File "/usr/lib/python2.6/site-packages/heat/common/heat_keystoneclient.py", line 67, in create_stack_user
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource     enabled=True)
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource   File "/usr/lib/python2.6/site-packages/keystoneclient/v2_0/users.py", line 108, in create
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource     return self._create('/users', params, "user")
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource   File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 88, in _create
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource     resp, body = self.api.post(url, body=body)
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource   File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 414, in post
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource     return self._cs_request(url, 'POST', **kwargs)
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource   File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 404, in _cs_request
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource     **kwargs)
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource   File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 366, in request
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource     raise exceptions.from_response(resp, resp.text)
    2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource Forbidden: Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)

If I use an admin tenant user, creating stack works fine without error.

Is it a problem, or something I did wrong?

Kimi


3 answers


answered 2013-07-31 10:40:15 -0500

asalkeld

Basically, you need admin.

Longer story: the WaitCondition needs to create an EC2-signed URL, and to do that it creates a restricted user in Keystone. To create any user in Keystone you need admin rights :(

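To make the "EC2-signed URL" in the answer above concrete, here is an added illustration that is not code from Heat or from anyone in this thread: the pre-signed URL handed to the instance carries an AWS Signature Version 2 style HmacSHA256 over the request, keyed with the secret of that per-stack restricted user, and the engine recomputes it when a signal arrives. It assumes SigV2 with a PUT verb for the signal; the host, path, key id and secret are constructed.

```python
import base64
import hashlib
import hmac
import urllib.parse


def _canonical_query(params):
    # SigV2 canonical form: parameters sorted by name, RFC 3986 percent-encoding.
    q = lambda s: urllib.parse.quote(s, safe="-_.~")
    return "&".join(f"{q(k)}={q(v)}" for k, v in sorted(params.items()))


def _signature(secret, method, host, path, canonical):
    # StringToSign = Verb \n lowercase host \n path \n canonical query string
    string_to_sign = "\n".join([method, host.lower(), path, canonical])
    digest = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_url(secret, method, host, path, params):
    """Build a pre-signed URL; only the holder of `secret` could have produced it."""
    params = dict(params, SignatureMethod="HmacSHA256", SignatureVersion="2")
    canonical = _canonical_query(params)
    sig = urllib.parse.quote(_signature(secret, method, host, path, canonical), safe="-_.~")
    return f"https://{host}{path}?{canonical}&Signature={sig}"


def verify_url(secret, method, url):
    """Engine-side check: recompute the signature from the URL's own parameters.

    Any change to the verb, path or a query parameter changes the result, so a
    tampered or replayed-with-edits URL fails here. Constant-time compare.
    """
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("Signature", "")
    expected = _signature(secret, method, parts.netloc, parts.path, _canonical_query(params))
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed values standing in for the stack user's EC2 keypair.
    url = sign_url("constructed-secret", "PUT", "heat.example.invalid:8000",
                   "/v1/waitcondition/constructed-stack/WaitHandle",
                   {"AWSAccessKeyId": "constructed-key", "Expires": "1375290838"})
    print(url)
    print(verify_url("constructed-secret", "PUT", url))
```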

answered 2013-07-31 12:02:13 -0500

shardy

answered 2013-12-13 23:55:26 -0500

Also, when solving this, keep in mind that this may not be allowed by Keystone when you are configured with the LDAP identity driver. With this configuration, the following two scenarios will fail:

1) keystone.conf setting for ldap: user_allow_create=False

2) The authenticated user from LDAP does not have the privilege in LDAP to create other users.

Ref: https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample

We are currently blocked by both of these scenarios. I'm not familiar with how to add use-case requirements into the blueprints and hope this helps to capture some needs for this fix.


Last updated: Dec 13 '13