Ask Your Question
0

heat create-stack Forbidden: {"NeutronError": {"message": "Policy doesn't allow create_port to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}

asked 2014-04-05 15:19:12 -0600

theFog gravatar image

updated 2014-04-05 21:12:58 -0600

larsks gravatar image

When a tenant has multiple subnets available to the tenant it's required to select at least one to provision the machine. I tried using the sample template below to test this and the stack fails to create with a policy error. 

    heat_template_version: 2013-05-23

description: HOT template to deploy two servers to an existing Neutron network.

parameters:
  key_name:
    type: string
    description: Name of keypair to assign to servers
  image:
    type: string
    description: Name of image to use for servers
  flavor:
    type: string
    description: Flavor to use for servers
  net_id:
    type: string
    description: ID of Neutron network into which servers get deployed
  subnet_id:
    type: string
    description: ID of Neutron sub network into which servers get deployed

resources:
  server1:
    type: OS::Nova::Server
    properties:
      name: Server1
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: server1_port }

  server1_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: net_id }
      fixed_ips:
        - subnet_id: { get_param: subnet_id }

  server2:
    type: OS::Nova::Server
    properties:
      name: Server2
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: server2_port }

  server2_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: net_id }
      fixed_ips:
        - subnet_id: { get_param: subnet_id }

outputs:
  server1_provider_ip:
    description: IP address of server1 in provider network
    value: { get_attr: [ server1, first_address ] }
  server2_provider_ip:
    description: IP address of server2 in provider network
    value: { get_attr: [ server2, first_address ] }

the event output is 

status: create failed
reason: Forbidden: {"NeutronError": {"message": "Policy doesn't allow create_port to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}

even with a single subnet, passing the subnetID causes the same issue. It seems you can only do this if the subnet belongs to the tenant.

has anyone been able to overcome this issue? Is this a bug ?

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2014-04-06 19:07:15 -0600

theFog gravatar image

I was able to resolve it with something like the below template instead. I removed all of the Neutron types and resources as OS::Nova::Server can take the network name and uuid as a parameter 

    heat_template_version: 2013-05-23

description: HOT template to deploy two servers to an existing Neutron network.

parameters:
  key_name:
    type: string
    description: Name of keypair to assign to servers
  image:
    type: string
    description: Name of image to use for servers
  flavor:
    type: string
    description: Flavor to use for servers
  net_id:
    type: string
    description: ID of Neutron network into which servers get deployed

resources:
  server1:
    type: OS::Nova::Server
    properties:
      name: Server1
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - network: { get_param: net_id }
          uuid: { get_param: net_id }

  server2:
    type: OS::Nova::Server
    properties:
      name: Server2
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - network: { get_param: net_id }
          uuid: { get_param: net_id }

outputs:
  server1_provider_ip:
    description: IP address of server1 in provider network
    value: { get_attr: [ server1, first_address ] }
  server2_provider_ip:
    description: IP address of server2 in provider network
    value: { get_attr: [ server2, first_address ] }
edit flag offensive delete link more

Comments

You shouldn't specify uuid and network, just network should suffice

Steve Baker gravatar imageSteve Baker ( 2014-04-13 21:52:02 -0600 )edit

I agree it should work that way, except when only providing the network, the stack creation failed saying uuid was required

theFog gravatar imagetheFog ( 2014-04-14 04:45:11 -0600 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-04-05 15:19:12 -0600

Seen: 2,369 times

Last updated: Apr 14 '14

Related questions

is ther anyway to mark an instance as unhealthy?

Sending Heat Scale URLs to Instances

Heat: Resource create failed: InvalidTemplateAttribute: The Referenced Attribute (instance0_port0 security_groups)

Unable to launch a vm with sriov ports using heat

stand alone heat server

highly available heat?

Accessing property of child node of ResourceGroup

heat stack create and update with --timeout or --wait

heat event-list has duplicate entries

Magnum vm instance can ping controller ip but can't resolve it by hostname to notify heat of status