Authorization problem when using "WaitCondition" by non-admin tenant user

Asked by Kimi Zhang on 2013-07-31

Hello,

I am trying template https://github.com/openstack/heat-templates/blob/master/cfn/WordPress_With_LB.template

I use a non-admin tenant user.

I get "CREATE_FAILED " error when creating the stack.

/var/log/heat/engine.log shows the error below:
2013-07-31 14:13:58.655 48115 ERROR heat.engine.resource [-] create WaitConditionHandle "WaitHandle"
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource Traceback (most recent call last):
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource File "/usr/lib/python2.6/site-packages/heat/engine/resource.py", line 320, in create
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource self.handle_create()
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource File "/usr/lib/python2.6/site-packages/heat/engine/resources/wait_condition.py", line 89, in handle_create
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource self.physical_resource_name())
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource File "/usr/lib/python2.6/site-packages/heat/common/heat_keystoneclient.py", line 67, in create_stack_user
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource enabled=True)
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource File "/usr/lib/python2.6/site-packages/keystoneclient/v2_0/users.py", line 108, in create
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource return self._create('/users', params, "user")
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 88, in _create
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource resp, body = self.api.post(url, body=body)
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 414, in post
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource return self._cs_request(url, 'POST', **kwargs)
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 404, in _cs_request
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource **kwargs)
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 366, in request
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource raise exceptions.from_response(resp, resp.text)
2013-07-31 14:13:58.655 48115 TRACE heat.engine.resource Forbidden: Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)

If I use an admin tenant user, creating stack works fine without error.

Is it a problem or something I did wrong?

Kimi

Question information

Language:
English
Status:
Answered
For:
OpenStack Heat
Assignee:
No assignee
Last query:
2013-07-31
Last reply:
2013-07-31
Angus Salkeld (asalkeld) said : #1

Basically you need admin.

Longer story:
The waitcond needs to create an EC2-signed URL, and to do that it creates a restricted user in Keystone.
To create any user in Keystone you need admin rights :(
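
As an added illustration (not code from this thread, nor from Heat or Keystone), here is a minimal policy evaluator modelled on the shape of Keystone's policy.json: the `identity:create_user` target resolves to the `admin_required` rule, which is why the stack-user creation in the trace above ends in an HTTP 403 for a token that only carries a tenant role. The policy strings, the credential dict layout and the evaluator itself are assumptions made for this example.

```python
# Toy stand-in for Keystone's policy engine (assumption: the real engine is the
# oslo policy module; this one only understands "rule:", "role:" and
# "is_admin:" checks joined by " or ", which is all the example needs).
POLICY = {
    # Constructed to mirror the default policy.json layout of the era.
    "admin_required": "role:admin or is_admin:1",
    "identity:create_user": "rule:admin_required",
}


def _check_atom(atom, creds):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Indirection to another named rule, e.g. rule:admin_required.
        return is_allowed(value, creds)
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return str(creds.get("is_admin", 0)) == value
    raise ValueError("unsupported check: %s" % atom)


def is_allowed(target, creds):
    """True if POLICY[target] permits these credentials (any 'or' branch)."""
    expr = POLICY[target]
    return any(_check_atom(a.strip(), creds) for a in expr.split(" or "))


def create_stack_user_verdict(creds):
    """Verdict Heat's create_stack_user() would get back from Keystone."""
    if is_allowed("identity:create_user", creds):
        return "allowed"
    return "HTTP 403: admin_required"


if __name__ == "__main__":
    # Constructed credentials: a plain tenant member versus an admin.
    print(create_stack_user_verdict({"roles": ["Member"]}))
    print(create_stack_user_verdict({"roles": ["admin"]}))
```

Running it prints the 403 verdict for the Member-only token and "allowed" for the admin one, matching the behaviour Kimi reports.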

David Bingham (wwriverrat) said : #3

Also, when solving this, keep in mind that this may not be allowed by Keystone when you are configured with the LDAP Identity driver. Within this configuration, the following two scenarios will fail:
1) keystone.conf setting for ldap: user_allow_create=False
2) The authenticated user from ldap does not have privilege in LDAP to create other users in ldap.

Ref: https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample

We are currently blocked by both of these scenarios. I'm not familiar with how to add use-case requirements into the blueprints and hope this helps to capture some needs for this fix.
