Subscribe
Accepted Solution

Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

[ Edited ]

Hi,

 

Cinder and Glance are working ok with Netapp FAS8020 ontap 8.3 (NFS). We have a copy offload license and this is also working fine.

 

However the volume log in Cinder contains permissions errors  as follows -

 

 ERROR cinder.volume.drivers.netapp.dataontap.performance.perf_cmode NaApiError: NetApp API failed. Reason - 13003:Insufficient privileges: user 'openstack' does not have read access to this resource

 

and on the netapp command log -

 

 [kern_command-history:info:909] ontapi :: [ip address] :: openstack :: <netapp xmlns="http://www.netapp.com/filer/admin" version="1.31"><qos-policy-group-delete-iter><max-records>3500</max-records><query><qos-policy-group-info><policy-group>deleted_cinder_*</policy-group><vserver>[vserver_name]</vserver></qos-policy-group-info></query><return-success-list>false</return-success-list><return-failure-list>false</return-failure-list><continue-on-failure>true</continue-on-failure></qos-policy-group-delete-iter></netapp> :: Pending
 [kern_command-history:info:909] ontapi :: [ip address] :: openstack :: Insufficient privileges: user 'openstack' does not have write access to this resource :: ONTAPI :: Error

 

Any ideas what may be causing this error.?

The NetApp role was set up as per NetApp documentation here -

 

http://netapp.github.io/openstack-deploy-ops-guide/mitaka/content/cinder.fas.configuration.html#cinder.cdot.account_permissions

 

The user is a cluster level user

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

Might be handy to post a trial of creating/deleteing QOS from Clustershell using this user on involved vols and Vserver and then we dig deeper into this.

 

Best Regards,

Bishoy

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

In your cinder.conf, do you have the value of netapp_server_hostname set as the IP address of the cluster management LIFYou're on the right track with respect to using the Cluster-scoped account.

 

Just to reiterate, the "qos policy-group" command requires a Cluster-scoped account, and you need to ensure that you have netapp_server_hostname in your cinder.conf set as the IP address of the cluster management LIF.

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

[ Edited ]

Yes the cinder.conf correctly has the cluster management LIF ip address.

 

A ticket has been opened with NetApp support. I will report back on any progress

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

I have already addressed this with support

 

https://bugs.launchpad.net/cinder/+bug/1670879