Re: [Rdo-list] [Heat ]unauthorized to use heat
On Fri, Jul 10, 2015 at 12:15:32AM -0400, Adam Young wrote:
On 07/09/2015 03:33 AM, pauline phaure wrote:
Hey there, can anyone please help me.
In order to use any service, you need a scoped token. I suspect taht the
Heat API is limited to Admin users, and maybe you are using the demo user
token?
Nearly all heat API paths should be accessible to non-admin users.
http://git.openstack.org/cgit/openstack/heat/tree/etc/heat/policy.json
You don't say What API you are trying to call. Most of the Heat APIs look
like they are:
"deny_stack_user": "not role:heat_stack_user",
This is a common mistake, "real" users accessing the heat service should
*not* have the heat_stack_user role - this role is reserved for internal
use inside heat, and is used to limit the API surface available to
in-instance agents.
But a few are "role:admin",
"stacks:global_index": is deny everybody
Yeah, these are a couple of things like this, but all API operations
required for normal usage of heat should be accessible to non-admin users.
The "deny everybody" one is a special case, designed to disable a global
lookup which the community felt was unsafe to enable by default, e.g to
force deployers to secure it with their own role/policy.
Steve