[Rdo-list] [Heat] unauthorized to use heat
Steven Hardy
shardy at redhat.com
Fri Jul 10 09:43:13 UTC 2015
On Fri, Jul 10, 2015 at 12:15:32AM -0400, Adam Young wrote:
> On 07/09/2015 03:33 AM, pauline phaure wrote:
>
> Hey there, can anyone please help me.
>
> In order to use any service, you need a scoped token. I suspect that the
> Heat API is limited to Admin users, and maybe you are using the demo user
> token?
Nearly all heat API paths should be accessible to non-admin users.
> http://git.openstack.org/cgit/openstack/heat/tree/etc/heat/policy.json
>
> You don't say what API you are trying to call. Most of the Heat APIs look
> like they are:
>
> "deny_stack_user": "not role:heat_stack_user",
This is a common mistake, "real" users accessing the heat service should
*not* have the heat_stack_user role - this role is reserved for internal
use inside heat, and is used to limit the API surface available to
in-instance agents.
> But a few are "role:admin",
>
> "stacks:global_index": is deny everybody
Yeah, there are a couple of things like this, but all API operations
required for normal usage of heat should be accessible to non-admin users.
The "deny everybody" one is a special case, designed to disable a global
lookup which the community felt was unsafe to enable by default, e.g. to
force deployers to secure it with their own role/policy.
Steve
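
The policy rules discussed in this thread, evaluated in a small sketch. This is an added example, not part of the original message and not Heat's or oslo.policy's own code. It handles only the rule forms `!`, `not ...`, `role:NAME` and `rule:NAME`; the `stacks:create` entry, the `deny_everybody` rule name, the `heat_global_viewer` role and the sample accounts are assumptions made for illustration.

```python
# Constructed policy fragment modelled on the rules quoted in the thread.
# Only "deny_stack_user" and "stacks:global_index" appear there; the
# "stacks:create" entry, the "deny_everybody" rule name and the
# "heat_global_viewer" role are assumptions for illustration.
POLICY = {
    "deny_stack_user": "not role:heat_stack_user",
    "deny_everybody": "!",
    "stacks:create": "rule:deny_stack_user",
    "stacks:global_index": "rule:deny_everybody",
}

def check(rule, roles, policy, depth=0):
    """Evaluate '!', 'not X', 'role:NAME' and 'rule:NAME' against roles."""
    if depth > 16:
        raise ValueError("rule references nest too deeply (loop?)")
    rule = rule.strip()
    if rule == "!":                      # always deny
        return False
    if rule.startswith("not "):
        return not check(rule[4:], roles, policy, depth + 1)
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule":
        if value not in policy:          # unknown reference: fail closed
            return False
        return check(policy[value], roles, policy, depth + 1)
    raise ValueError("unsupported rule form: %r" % rule)

def is_allowed(action, roles, policy=POLICY):
    """Deny any action that has no entry (a choice made for this sketch)."""
    rule = policy.get(action)
    return False if rule is None else check(rule, roles, policy)

def users_with_internal_role(users, policy=POLICY):
    """Names of accounts that the deny_stack_user rule would lock out."""
    return sorted(name for name, roles in users.items()
                  if not check(policy["deny_stack_user"], roles, policy))

# Constructed sample accounts.
USERS = {
    "demo": ["_member_"],
    "alice": ["_member_", "heat_stack_user"],   # the mistake described above
    "admin": ["admin"],
}

if __name__ == "__main__":
    print(users_with_internal_role(USERS))
    print(is_allowed("stacks:global_index", ["admin"]))
```

Replacing the `stacks:global_index` entry with a deployer-chosen role rule is what opens the global lookup to that role alone; every other caller, admin included, stays denied.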