Hi
I'm testing this simple template: https://github.com/openstack/heat-templates/blob/master/hot/autoscaling.yaml But please notice that Fuel Health Test autoscale also fails.....so I guess those trusts and domains might not be correctly deployed....... :( Regards J. De: Pavlo Shchelokovskyy Enviado: martes 10 de mayo 20:04 Asunto: Re: [Openstack] Heat autoscaling: heat.engine.resource Forbidden: You are not authorized to perform the requested action. Para: magicb...@hotmail.com Cc: openstack@lists.openstack.org Hi, no, "heat_stack_owner" role is actually not needed in MOS 8.0. Earlier it was used as a special role to pass via trusts, but now all roles are passed via trust by default. You also do not have to be "admin" either, priviledge "escalation" is handled by Heat using Keystone V3 trusts and domains which should have been set up automatically during deployment. One question though - Is by any chance the "heat_stack_user" role assigned to the actual ("human") user who is accessing Heat API? It _must_not_ be - this is a special role used by internal Heat-created users (implementation detail), and it has _very_ limited privileges in regard Heat API access. Also, could you show the template you are testing autoscaling with? just in case... Cheers, Dr. Pavlo Shchelokovskyy Senior Software Engineer Mirantis Inc www.mirantis.com On Tue, May 10, 2016 at 6:52 PM, magicb...@hotmail.com <magicb...@hotmail.com> wrote: Hi again, these are the roles I have : #openstack role list +----------------------------------+-----------------+ | ID | Name | +----------------------------------+-----------------+ | 0d77782f1ae54fa799b0585b267fb746 | ResellerAdmin | | 2c0a5b381f2b4f10b42aaa09678210a5 | heat_stack_user | | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | | d819d32c0eba4c86a99241e741c241c1 | admin | | e0729bbb6f8544268fd371e50682754a | SwiftOperator | So, there is no "heat_stack_owner" role defined in my environment, but you're right, in http://docs.openstack.org/draft/install-guide-ubuntu/heat-install.html docs says: Add the heat_stack_owner role to the demo project and user to enable stack management by the demo user: $ openstack role add --project demo --user demo heat_stack_owner Is this a bug in Mirantis MOS 8.0? On 10/05/16 17:05, magicb...@hotmail.com wrote: Hi Raghavendra, how can I check those privileges? Even with "admin" user, I get the same error..... :( Best regards J. On 10/05/16 13:23, raghavendra....@accenture.com wrote: Hi Mag, Please check if you have provided the heat-stack-owner and admin privileges to the tenant then try to spin up the Heat stack. Regards, Raghavendra Lad From: magicb...@hotmail.com [mailto:magicb...@hotmail.com] Sent: Tuesday, May 10, 2016 4:30 PM To: openstack@lists.openstack.org Subject: [Openstack] Heat autoscaling: heat.engine.resource Forbidden: You are not authorized to perform the requested action. Hi testing Openstack Mitaka (deployed with Mirantis FUEL 8.0), when testing Heat Autoscaling, I get this error: heat.engine.resource Forbidden: You are not authorized to perform the requested action. Any ideas on what's going on? Thanks in advance. J This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________ www.accenture.com _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
