Ask Your Question
0

heat create-stack Forbidden: {"NeutronError": {"message": "Policy doesn't allow create_port to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}

asked 2014-04-05 15:19:12 -0500

theFog gravatar image

updated 2014-04-05 21:12:58 -0500

larsks gravatar image

When a tenant has multiple subnets available to the tenant it's required to select at least one to provision the machine. I tried using the sample template below to test this and the stack fails to create with a policy error. 

    heat_template_version: 2013-05-23

description: HOT template to deploy two servers to an existing Neutron network.

parameters:
  key_name:
    type: string
    description: Name of keypair to assign to servers
  image:
    type: string
    description: Name of image to use for servers
  flavor:
    type: string
    description: Flavor to use for servers
  net_id:
    type: string
    description: ID of Neutron network into which servers get deployed
  subnet_id:
    type: string
    description: ID of Neutron sub network into which servers get deployed

resources:
  server1:
    type: OS::Nova::Server
    properties:
      name: Server1
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: server1_port }

  server1_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: net_id }
      fixed_ips:
        - subnet_id: { get_param: subnet_id }

  server2:
    type: OS::Nova::Server
    properties:
      name: Server2
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: server2_port }

  server2_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: net_id }
      fixed_ips:
        - subnet_id: { get_param: subnet_id }

outputs:
  server1_provider_ip:
    description: IP address of server1 in provider network
    value: { get_attr: [ server1, first_address ] }
  server2_provider_ip:
    description: IP address of server2 in provider network
    value: { get_attr: [ server2, first_address ] }

the event output is 

status: create failed
reason: Forbidden: {"NeutronError": {"message": "Policy doesn't allow create_port to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}

even with a single subnet, passing the subnetID causes the same issue. It seems you can only do this if the subnet belongs to the tenant.

has anyone been able to overcome this issue? Is this a bug ?

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2014-04-06 19:07:15 -0500

theFog gravatar image

I was able to resolve it with something like the below template instead. I removed all of the Neutron types and resources as OS::Nova::Server can take the network name and uuid as a parameter 

    heat_template_version: 2013-05-23

description: HOT template to deploy two servers to an existing Neutron network.

parameters:
  key_name:
    type: string
    description: Name of keypair to assign to servers
  image:
    type: string
    description: Name of image to use for servers
  flavor:
    type: string
    description: Flavor to use for servers
  net_id:
    type: string
    description: ID of Neutron network into which servers get deployed

resources:
  server1:
    type: OS::Nova::Server
    properties:
      name: Server1
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - network: { get_param: net_id }
          uuid: { get_param: net_id }

  server2:
    type: OS::Nova::Server
    properties:
      name: Server2
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - network: { get_param: net_id }
          uuid: { get_param: net_id }

outputs:
  server1_provider_ip:
    description: IP address of server1 in provider network
    value: { get_attr: [ server1, first_address ] }
  server2_provider_ip:
    description: IP address of server2 in provider network
    value: { get_attr: [ server2, first_address ] }
edit flag offensive delete link more

Comments

You shouldn't specify uuid and network, just network should suffice

Steve Baker gravatar imageSteve Baker ( 2014-04-13 21:52:02 -0500 )edit

I agree it should work that way, except when only providing the network, the stack creation failed saying uuid was required

theFog gravatar imagetheFog ( 2014-04-14 04:45:11 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-04-05 15:19:12 -0500

Seen: 2,257 times

Last updated: Apr 14 '14

Related questions

Can I add host to aggregate using heat template ?

Hello EveryOne, I want a Heat With LAMP STACK??

Heat HOT template: Wait for volume (block_device_mapping) to be created

Heats webhook respond 'incomplete-signature'-error (not conform to AWS standards)

Docker with Heat On Juno [closed]

PROBLEM: Authentication cannot be scoped to multiple targets

Installing application using HEAT template

Heat/Yaml: get_param not working for lists in for_each construct

heat stack create error - misconfig auth issue?

Instance Name needs to be passed from template properties