User/AccessKey/WaitConditionHandle don't work on devstack
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Heat |
Fix Released
|
High
|
Steven Hardy | ||
Grizzly |
Fix Released
|
High
|
Steven Hardy |
Bug Description
Did some testing on devstack, and it seems like the resources which require access to keystone to create/delete users and EC2 credentials don't work:
[stack@F17devstack heat]$ heat-cfn -d create teststack_HA --template-
DEBUG:Debug level logging enabled
<CreateStackRes
<CreateStackR
<Descriptio
</CreateStack
</CreateStackRe
DEBUG:Completed in 5.0613 sec.
The seems to be that the devstack configuration make the heat admin context really be a service context, which doesn't have the admin role required to administer users
I'll look at the simplest fix and send a patch to devstack
Changed in heat: | |
status: | New → Triaged |
importance: | Undecided → High |
assignee: | nobody → Steven Hardy (shardy) |
milestone: | none → grizzly-2 |
Changed in heat: | |
status: | Fix Committed → Fix Released |
Changed in heat: | |
milestone: | grizzly-2 → 2013.1 |
Actually, this may be a result of my recent changes to user.py:
File "/opt/stack/ heat/heat/ engine/ resources/ user.py" , line 141, in FnGetAtt accesskey( ) heat/heat/ engine/ resources/ user.py" , line 113, in _secret_accesskey ).get_user_ by_name( self.properties ['UserName' ]) heat/heat/ common/ heat_keystonecl ient.py" , line 93, in get_user_by_name users.list( tenant_ id=self. context. tenant_ id) python- keystoneclient/ keystoneclient/ v2_0/users. py", line 125, in list python- keystoneclient/ keystoneclient/ base.py" , line 67, in _list
res = self._secret_
File "/opt/stack/
user_id = self.keystone(
File "/opt/stack/
users = self.client.
File "/opt/stack/
"users")
File "/opt/stack/
resp, body = self.api.get(url)
It should be possible to call FnGetAtt to get the secret access key for the user *in the request context* without needing any special admin role - previously I avoided client.users.list but I seem to have introduced a regression here by calling get_user_by_name in FnGetAtt