Solved: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

openstack1 · ‎2017-02-07

Hi,

Cinder and Glance are working ok with Netapp FAS8020 ontap 8.3 (NFS). We have a copy offload license and this is also working fine.

However the volume log in Cinder contains permissions errors as follows -

ERROR cinder.volume.drivers.netapp.dataontap.performance.perf_cmode NaApiError: NetApp API failed. Reason - 13003:Insufficient privileges: user 'openstack' does not have read access to this resource

and on the netapp command log -

[kern_command-history:info:909] ontapi :: [ip address] :: openstack :: <netapp xmlns="http://www.netapp.com/filer/admin" version="1.31"><qos-policy-group-delete-iter><max-records>3500</max-records><query><qos-policy-group-info><policy-group>deleted_cinder_*</policy-group><vserver>[vserver_name]</vserver></qos-policy-group-info></query><return-success-list>false</return-success-list><return-failure-list>false</return-failure-list><continue-on-failure>true</continue-on-failure></qos-policy-group-delete-iter></netapp> :: Pending
[kern_command-history:info:909] ontapi :: [ip address] :: openstack :: Insufficient privileges: user 'openstack' does not have write access to this resource :: ONTAPI :: Error

Any ideas what may be causing this error.?

The NetApp role was set up as per NetApp documentation here -

http://netapp.github.io/openstack-deploy-ops-guide/mitaka/content/cinder.fas.configuration.html#cinder.cdot.account_permissions

The user is a cluster level user

Bishoy · ‎2017-02-08

Might be handy to post a trial of creating/deleteing QOS from Clustershell using this user on involved vols and Vserver and then we dig deeper into this.

Best Regards,

Bishoy

SumitK · ‎2017-02-08

In your cinder.conf, do you have the value of netapp_server_hostname set as the IP address of the cluster management LIF? You're on the right track with respect to using the Cluster-scoped account.

Just to reiterate, the "qos policy-group" command requires a Cluster-scoped account, and you need to ensure that you have netapp_server_hostname in your cinder.conf set as the IP address of the cluster management LIF.

openstack1 · ‎2017-02-09

Yes the cinder.conf correctly has the cluster management LIF ip address.

A ticket has been opened with NetApp support. I will report back on any progress

Bishoy · ‎2017-03-28

I have already addressed this with support

https://bugs.launchpad.net/cinder/+bug/1670879

Community

Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

Re: Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group