OpenStack Compute (nova)

nova live-migration = AdminRequired: User does not have admin privileges

Asked by Jacob Cherkas

Hello,

I am trying to test live migration of a running instances and keep getting:

raise exception.AdminRequired()
AdminRequired: User does not have admin privileges

In nova-schedular.log

Here is the command I use to initiate the migration:

 nova live-migration --block_migrate 86cc9f9b-872d-4342-8c83-d529e06b2f4e inap48-45

Returns and errors immediately.

Here is the trace back from nova-scheduler:

2012-06-06 23:21:58 WARNING nova.scheduler.manager [req-447f7ca7-a225-4063-b05c-0e0e614b02e6 jcherkas demo] Failed to sc
hedule_live_migration: User does not have admin privileges
2012-06-06 23:21:58 ERROR nova.rpc.amqp [req-447f7ca7-a225-4063-b05c-0e0e614b02e6 jcherkas demo] Exception during messag
e handling
2012-06-06 23:21:58 TRACE nova.rpc.amqp Traceback (most recent call last):
2012-06-06 23:21:58 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/rpc/amqp.py", line 252, in _process_data
2012-06-06 23:21:58 TRACE nova.rpc.amqp rval = node_func(context=ctxt, **node_args)
2012-06-06 23:21:58 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/scheduler/manager.py", line 97, in _schedule
2012-06-06 23:21:58 TRACE nova.rpc.amqp context, ex, *args, **kwargs)
2012-06-06 23:21:58 TRACE nova.rpc.amqp File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
2012-06-06 23:21:58 TRACE nova.rpc.amqp self.gen.next()
2012-06-06 23:21:58 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/scheduler/manager.py", line 92, in _schedule
2012-06-06 23:21:58 TRACE nova.rpc.amqp return driver_method(*args, **kwargs)
2012-06-06 23:21:58 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/scheduler/driver.py", line 213, in schedule_live_migration
2012-06-06 23:21:58 TRACE nova.rpc.amqp self._live_migration_src_check(context, instance_ref)
2012-06-06 23:21:58 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/scheduler/driver.py", line 263, in _live_migration_src_check
2012-06-06 23:21:58 TRACE nova.rpc.amqp services = db.service_get_all_compute_by_host(context, src)
2012-06-06 23:21:58 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/db/api.py", line 122, in service_get_all_compute_by_host
2012-06-06 23:21:58 TRACE nova.rpc.amqp return IMPL.service_get_all_compute_by_host(context, host)
2012-06-06 23:21:58 TRACE nova.rpc.amqp File "/usr/lib/python2.7/dist-packages/nova/db/sqlalchemy/api.py", line 101, in wrapper
2012-06-06 23:21:58 TRACE nova.rpc.amqp raise exception.AdminRequired()
2012-06-06 23:21:58 TRACE nova.rpc.amqp AdminRequired: User does not have admin privileges
2012-06-06 23:21:58 TRACE nova.rpc.amqp

There is no error or even a log message created on the remote compute node.

I add cloudadmin role to the user and still same issue so at this point not exactly sure what the issue is.

Any help would be greatly appreciated.

Thanks,

JC

Question information

Language:
English Edit question
Status:
Solved
For:
OpenStack Compute (nova) Edit question
Assignee:
No assignee Edit question
Solved by:
Vish Ishaya
Solved:
Last query:
Last reply:
Revision history for this message
Vish Ishaya (vishvananda) said : 		#1

You need an administrative user in keystone, i.e. a user with the role 'admin'.

Revision history for this message
Jacob Cherkas (jcherkas) said : 		#2

Thanks for update Vish.

The challenge is that we are NOT using keystone right now but deprecated auth.

I did some looking around and found that in the user table there is the "is_admin" flag that is set to 0. If I set that flag to 1 for my user account I can get live-migration to work.

Trying to understand what the is_admin flag denotes. Is that equivalent to cloudadmin? If not then admin of what?

'nova-manage user admin' has this flag which you can set outside of directly editing the DB.

va-manage user admin <args> [options]

Options:
  -h, --help show this help message and exit
  --name=<admin name> Admin name
  --access=<access> Access
  --secret=<secret> Secret

Revision history for this message
Best Vish Ishaya (vishvananda) said : 		#3

Yes with deprecated auth adminness is set based on that flag. You also might be able to create a role called 'admin' and use that. BTW, stop using deprecated auth!!!!

:)

Revision history for this message
Jacob Cherkas (jcherkas) said : 		#4

Thanks Vish.

Appreciate the response.

But I love deprecated auth ;)

Switching to keystone soon. Testing in dev env before rolling out in to prod....