Ask Your Question

kilo heat authorization failed

asked 2016-02-29 12:18:40 -0500

mariojmdavid gravatar image

updated 2016-02-29 12:58:20 -0500

rbowen gravatar image

hi all first off I checked and did not solved the problem I will describe below

I have kilo (with all latest updates) and keystone v3 up and running I have followed to setup heat I created the new domain, a domain admin with admin role, and also both the roles heat_stack_owner and heat_stack_user I have given heat_stack_owner to my username in one of my projects snipet of /etc/heat/heat.conf (if need I will post more)

deferred_auth_method = trusts
trusts_delegated_roles = heat_stack_owner
heat_metadata_server_url =
heat_waitcondition_server_url =
region_name_for_services = regionOne    # this is correct it's not RegionOne
heat_stack_user_role = heat_stack_user

stack_user_domain_id=<The Domain ID>

admin_tenant_name = service
admin_user = heat
admin_password = d132u90834cjkiqe
auth_uri =
identity_uri =
cafile = /etc/certs/lipcaroot.pem

with my username on the project where I have heat_stack_owner role heat stack-list is successful (outputs an empty list of stacks) but

heat --debug stack-create -f test.yaml -P "ImageID=Ubuntu-14.04;NetID=070fb807-4813-4fb9-9970-991c6e68880d" testStack

... heatclient.exc.HTTPInternalServerError: ERROR: Authorization failed.

I have tried with other templates with the same result

Snipet of keystone.log (check the last line)

2016-02-29 17:37:34.676 24413 INFO keystone.common.wsgi [-] GET
2016-02-29 17:37:34.676 24413 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:validate_token() _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/
2016-02-29 17:37:34.676 24413 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/
2016-02-29 17:37:34.886 24413 DEBUG keystone.policy.backends.rules [-] enforce identity:validate_token: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'7bdcd180282e414f8771425509c29bed', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=T0GBC77iQtq-TwoKS35m8Q, audit_chain_id=T0GBC77iQtq-TwoKS35m8Q) at 0x7fccdef98640>, 'project_id': u'70301c384cb6497b9b8164aaa4f30c32', 'trust_id': None} enforce /usr/lib/python2.7/site-packages/keystone/policy/backends/
2016-02-29 17:37:34.887 24413 DEBUG oslo_policy.openstack.common.fileutils [-] Reloading cached file /etc/keystone/policy.json read_cached_file /usr/lib/python2.7/site-packages/oslo_policy/openstack/common/
2016-02-29 17:37:34.891 24413 DEBUG oslo_policy.policy [-] Reloaded policy file: /etc/keystone/policy.json _load_policy_file /usr/lib/python2.7/site-packages/oslo_policy/
2016-02-29 17:37:34.891 24413 DEBUG keystone.common.controller [-] RBAC: Authorization granted inner /usr/lib/python2.7/site-packages/keystone/common/
2016-02-29 17:37:34.947 24410 INFO keystone.common.wsgi [-] OPTIONS
2016-02-29 17:37:34.981 24412 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/
2016-02-29 17:37:34.984 24412 INFO keystone.common.wsgi [-] POST
2016-02-29 17:37:34.997 ...
edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2016-03-02 10:31:30 -0500

mariojmdavid gravatar image

ok, I discovered what was wrong had to set in [keystone_authtoken] ... admin_tenant_name admin_user admin_password ...

in _all_ confs (glance, nova, neutron, etc.) though in kilo install docs, they don't say as much AFAIU seems those are needed to delegate from the user to the heat_stack_admin guy

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2016-02-29 12:18:40 -0500

Seen: 573 times

Last updated: Mar 02 '16