Ask Your Question
0

heat create-stack Forbidden: {"NeutronError": {"message": "Policy doesn't allow create_port to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}

asked 2014-04-05 15:19:12 -0600

theFog gravatar image

updated 2014-04-05 21:12:58 -0600

larsks gravatar image

When a tenant has multiple subnets available to the tenant it's required to select at least one to provision the machine. I tried using the sample template below to test this and the stack fails to create with a policy error. 

    heat_template_version: 2013-05-23

description: HOT template to deploy two servers to an existing Neutron network.

parameters:
  key_name:
    type: string
    description: Name of keypair to assign to servers
  image:
    type: string
    description: Name of image to use for servers
  flavor:
    type: string
    description: Flavor to use for servers
  net_id:
    type: string
    description: ID of Neutron network into which servers get deployed
  subnet_id:
    type: string
    description: ID of Neutron sub network into which servers get deployed

resources:
  server1:
    type: OS::Nova::Server
    properties:
      name: Server1
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: server1_port }

  server1_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: net_id }
      fixed_ips:
        - subnet_id: { get_param: subnet_id }

  server2:
    type: OS::Nova::Server
    properties:
      name: Server2
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: server2_port }

  server2_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: net_id }
      fixed_ips:
        - subnet_id: { get_param: subnet_id }

outputs:
  server1_provider_ip:
    description: IP address of server1 in provider network
    value: { get_attr: [ server1, first_address ] }
  server2_provider_ip:
    description: IP address of server2 in provider network
    value: { get_attr: [ server2, first_address ] }

the event output is 

status: create failed
reason: Forbidden: {"NeutronError": {"message": "Policy doesn't allow create_port to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}

even with a single subnet, passing the subnetID causes the same issue. It seems you can only do this if the subnet belongs to the tenant.

has anyone been able to overcome this issue? Is this a bug ?

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2014-04-06 19:07:15 -0600

theFog gravatar image

I was able to resolve it with something like the below template instead. I removed all of the Neutron types and resources as OS::Nova::Server can take the network name and uuid as a parameter 

    heat_template_version: 2013-05-23

description: HOT template to deploy two servers to an existing Neutron network.

parameters:
  key_name:
    type: string
    description: Name of keypair to assign to servers
  image:
    type: string
    description: Name of image to use for servers
  flavor:
    type: string
    description: Flavor to use for servers
  net_id:
    type: string
    description: ID of Neutron network into which servers get deployed

resources:
  server1:
    type: OS::Nova::Server
    properties:
      name: Server1
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - network: { get_param: net_id }
          uuid: { get_param: net_id }

  server2:
    type: OS::Nova::Server
    properties:
      name: Server2
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - network: { get_param: net_id }
          uuid: { get_param: net_id }

outputs:
  server1_provider_ip:
    description: IP address of server1 in provider network
    value: { get_attr: [ server1, first_address ] }
  server2_provider_ip:
    description: IP address of server2 in provider network
    value: { get_attr: [ server2, first_address ] }
edit flag offensive delete link more

Comments

You shouldn't specify uuid and network, just network should suffice

Steve Baker gravatar imageSteve Baker ( 2014-04-13 21:52:02 -0600 )edit

I agree it should work that way, except when only providing the network, the stack creation failed saying uuid was required

theFog gravatar imagetheFog ( 2014-04-14 04:45:11 -0600 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-04-05 15:19:12 -0600

Seen: 2,537 times

Last updated: Apr 14 '14

Related questions

Rolling updates with heat autoscaling.

Heat (Stein) create stack fails on nics

Why each time I create a heat stack a new project is created?

delete hanging security group

Debugging Heat Installation

How HAproxy works with Openstack HEAT?

Use Heat templates with Tacker

HEAT and count list elements

How to modify a heat template to update a stack

How to debug scripts at Heat's SoftwareConfig resource