Some extra analysis:
I believe the issue was introduced by commit [1] which seems to have
landed in Wallaby.
When trusts are used and based on the changes added by that commit when
the trust is getting regenerated due to the use of a different user, a
new set of creds is generated but only for the parent stack effectively
making it impossible for update operations to succeed unless the DB is
manually cleared or the stack rebuilt (and the same stack owner user
always used for any further update operations).
Details:
- Initially when a user different to the stack owner is used to do an update,
this is the error logged:
2025-02-20 11:43:57.112 2879 DEBUG heat.engine.stack
[req-2fd1989f-48d3-473a-b40e-59b79098f18a testadmin - - - -] Context user_id
doesn't match trustor, using stored context _delete_user_cred
/usr/lib/python3/dist-packages/heat/engine/stack.py:1925
- this is triggered by function store() which calls _delete_user_cred()
which effectively removes the credentials and requests new credentials to
be generated and saved.
- when the update reaches the first nested resource, update_stack() is
called which invokes parser.Stack.load() and this function invokes
_from_db() to get the nested stack data from the DB to make the
requested changes if any.
- the problem is that by now the user_creds_id column for all nested
resources is set to NULL due to the creds deletion done in store() and
the new credentials were not propagated to the nested stacks/resources.
This then triggers the below error:
2025-02-20 16:23:13.341 822603 ERROR heat.engine.resource
oslo_messaging.rpc.client.RemoteError: Remote error: Error Attempt to
use stored_context with no user_creds
which comes from stored_context() called during the nested stack loading
as it tries to return an instance of the Stack class
- there is no logic that I can see to either copy the new creds saved
for the parent stack onto the nested stacks nor to create a new set of
creds for the nested stacks/resources
- the issue seems to be present in the Heat master branch code as well
Potential fixes:
- Make sure we propagate the credentials to all nested resources upon creation.
- When loading the nested stack data, figure out a way to get the new user
creds from the parent stack and inject those into the DB
Both methods will likely require major code changes.
[1]
https://github.com/openstack/heat/commit/d8efcd17808ebbb6eb6d88e592635bdd1ebb3d92
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2097539
Title:
Heat stack updates fail when "reauthentication_auth_method=trusts"
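
A read-only check for the state described in the analysis above, as an added example (not Heat code and not part of the original comment): it lists nested stacks whose user_creds_id is NULL while their root stack still has credentials. The schema is a simplified in-memory stand-in; owner_id as the parent link and deleted_at as the soft-delete marker are assumptions, and all rows are constructed.

```python
import sqlite3

# Simplified stand-ins for Heat's `stack` and `user_creds` tables (assumption:
# only the columns needed here; a real deployment has many more).
SCHEMA = """
CREATE TABLE user_creds (id INTEGER PRIMARY KEY, trust_id TEXT);
CREATE TABLE stack (
    id TEXT PRIMARY KEY, name TEXT, owner_id TEXT,
    user_creds_id INTEGER, deleted_at TEXT);
"""

# Walk from every root stack (owner_id IS NULL) down through its nested stacks
# and report live nested stacks that have no creds row while the root has one.
ORPHAN_QUERY = """
WITH RECURSIVE tree(id, name, user_creds_id, root_id, root_creds_id, depth) AS (
    SELECT id, name, user_creds_id, id, user_creds_id, 0
      FROM stack WHERE owner_id IS NULL AND deleted_at IS NULL
    UNION ALL
    SELECT s.id, s.name, s.user_creds_id, t.root_id, t.root_creds_id, t.depth + 1
      FROM stack s JOIN tree t ON s.owner_id = t.id
     WHERE s.deleted_at IS NULL)
SELECT root_id, id, name, depth FROM tree
 WHERE depth > 0 AND user_creds_id IS NULL AND root_creds_id IS NOT NULL
 ORDER BY root_id, depth, id
"""

def find_orphaned_nested_stacks(conn):
    """Return (root_id, stack_id, name, depth) for nested stacks lacking creds."""
    return conn.execute(ORPHAN_QUERY).fetchall()

def build_sample_db():
    """Constructed data: one healthy tree, one in the state the comment describes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user_creds VALUES (?, ?)",
                     [(1, "trust-a"), (2, "trust-b-regenerated")])
    conn.executemany("INSERT INTO stack VALUES (?, ?, ?, ?, ?)", [
        ("p1", "healthy", None, 1, None),
        ("p1-n1", "healthy-nested", "p1", 1, None),
        ("p2", "broken", None, 2, None),                  # parent got new creds
        ("p2-n1", "broken-nested", "p2", None, None),     # NULL after deletion
        ("p2-n2", "broken-nested-deep", "p2-n1", None, None),
        ("p2-n3", "broken-deleted", "p2", None, "2025-02-20"),  # soft-deleted
    ])
    return conn

if __name__ == "__main__":
    for row in find_orphaned_nested_stacks(build_sample_db()):
        print("nested stack without user_creds:", row)
```
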