port create fails with "disallowed by policy rule"


vija...@gmail.com

Nov 15, 2018, 11:14:49 AM
to cloudify-users
Hi,

Setup:
  CloudifyManager: 4.2
  blueprint: nodecellar-auto-scale-auto-heal-blueprint-master

Issue:
  The creation of network ports fails with a "PolicyNotAuthorized" error.

  The network "test-network" is created by admin and not by the tenant being used for the manager.

Tried out the following:
  1. Creating a port on "test-network" is successful from the openstack client.
  2. Creating a port from a heat script is successful.

Logs:
RESP BODY: {"NeutronError": {"message": "{'binding:host_id': <neutron_lib.constants.Sentinel object at 0x7fb8119caa90>, u'name': u'port_nodecellar-auto-scale-auto-heal-blueprint-master_haproxy_host_port_x6yqus', 'allowed_address_pairs': <neutron_lib.constants.Sentinel object at 0x7fb8119caa90>, 'admin_state_up': True, u'network_id': u'67decac0-a475-48b1-8651-e3560456134f', 'tenant_id': u'6e5a23eee3944355a842d0ba3e2f1a8f', 'extra_dhcp_opts': None, 'binding:vnic_type': 'normal', 'device_owner': '', 'device_id': '', 'mac_address': <neutron_lib.constants.Sentinel object at 0x7fb8119caa90>, 'binding:profile': <neutron_lib.constants.Sentinel object at 0x7fb8119caa90>, 'project_id': u'6e5a23eee3944355a842d0ba3e2f1a8f', u'fixed_ips': [{u'subnet_id': u'c302bd98-dd41-46a2-a71d-eeccd9f06b30'}], u'network:tenant_id': u'5140729ebfe84b97a20bb33082aa87a2', u'security_groups': [], 'description': ''} is disallowed by policy rule (rule:create_port and rule:create_port:fixed_ips) with {'project_id': u'6e5a23eee3944355a842d0ba3e2f1a8f', 'domain': None, 'project_name': u'Telia-POC', 'user_id': u'ae79da91b7474317824f0f2087057ade', 'roles': [u'heat_stack_owner'], 'user_domain_id': None, 'service_project_id': None, 'project_domain': None, 'tenant_id': u'6e5a23eee3944355a842d0ba3e2f1a8f', 'service_user_domain_id': None, 'service_project_domain_id': None, 'service_roles': [], 'is_admin_project': True, 'service_user_id': None, 'is_admin': False, 'user': u'ae79da91b7474317824f0f2087057ade', 'tenant_name': u'Telia-POC', 'user_domain': None, 'user_name': u'telia', 'tenant': u'6e5a23eee3944355a842d0ba3e2f1a8f', 'project_domain_id': None} ", "type": "PolicyNotAuthorized", "detail": ""}}

Any suggestions will help.

Thanks
Vijaya

Trammell -

Nov 19, 2018, 3:16:28 AM
to cloudify-users
Hello,
First, I would take this error to your OpenStack administrators. They should be able to look at the OpenStack logs and understand the request and what is not valid.
Though it may not be relevant, what version of OpenStack are you using, and did you make any changes to the blueprint?
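
One way to read the denial in the RESP BODY above, as an added example that is not part of the thread: it splits the message into the target port, the rule names and the caller's credentials, then reports whether the caller's project owns the network. SAMPLE is a constructed excerpt using values from the post; `explain_denial`, `_field` and the report keys are names chosen here.

```python
import re

# Constructed excerpt of the NeutronError "message" string from the log above,
# trimmed to the fields this check reads (values copied from the post).
SAMPLE = (
    "{'binding:host_id': <neutron_lib.constants.Sentinel object at 0x7fb8119caa90>, "
    "u'network_id': u'67decac0-a475-48b1-8651-e3560456134f', "
    "'tenant_id': u'6e5a23eee3944355a842d0ba3e2f1a8f', "
    "u'fixed_ips': [{u'subnet_id': u'c302bd98-dd41-46a2-a71d-eeccd9f06b30'}], "
    "u'network:tenant_id': u'5140729ebfe84b97a20bb33082aa87a2'} "
    "is disallowed by policy rule (rule:create_port and rule:create_port:fixed_ips) "
    "with {'project_id': u'6e5a23eee3944355a842d0ba3e2f1a8f', "
    "'roles': [u'heat_stack_owner'], 'is_admin': False, 'user_name': u'telia'} "
)

def _field(text, key):
    """Return the quoted string value of a key in a Python 2 repr dict, or None."""
    m = re.search(r"u?'%s': u?'([^']*)'" % re.escape(key), text)
    return m.group(1) if m else None

def explain_denial(message):
    """Split a PolicyNotAuthorized message into target, rules and credentials."""
    m = re.search(r"^(.*) is disallowed by policy rule \((.*?)\) with (.*)$",
                  message.strip(), re.S)
    if not m:
        raise ValueError("not a Neutron policy denial message")
    target, rules, creds = m.groups()
    roles = re.search(r"'roles': \[(.*?)\]", creds)
    report = {
        "rules": re.findall(r"rule:([\w:]+)", rules),
        "requester_project": _field(creds, "project_id"),
        "network_owner": _field(target, "network:tenant_id"),
        "is_admin": "'is_admin': True" in creds,
        "roles": re.findall(r"u?'([^']+)'", roles.group(1)) if roles else [],
        "sets_fixed_ips": "'fixed_ips': [{" in target,
    }
    # True when the port is requested on a network owned by another project.
    report["cross_project"] = report["requester_project"] != report["network_owner"]
    return report

if __name__ == "__main__":
    for key, value in sorted(explain_denial(SAMPLE).items()):
        print("%-18s %s" % (key, value))
```

For the log in this thread the report shows a non-admin caller whose project differs from `network:tenant_id` and a request that sets `fixed_ips`, the attribute named in the denied rule. What that rule requires is defined by the deployment's Neutron policy file.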