OpenStack Discussions

Cinder Mitaka RH OSP9 insufficient privileges qos-policy-group

openstack1
5,913 Views

Hi,

 

Cinder and Glance are working ok with Netapp FAS8020 ontap 8.3 (NFS). We have a copy offload license and this is also working fine.

 

However the volume log in Cinder contains permissions errors  as follows -

 

 ERROR cinder.volume.drivers.netapp.dataontap.performance.perf_cmode NaApiError: NetApp API failed. Reason - 13003:Insufficient privileges: user 'openstack' does not have read access to this resource

 

and on the netapp command log -

 

 [kern_command-history:info:909] ontapi :: [ip address] :: openstack :: <netapp xmlns="http://www.netapp.com/filer/admin" version="1.31"><qos-policy-group-delete-iter><max-records>3500</max-records><query><qos-policy-group-info><policy-group>deleted_cinder_*</policy-group><vserver>[vserver_name]</vserver></qos-policy-group-info></query><return-success-list>false</return-success-list><return-failure-list>false</return-failure-list><continue-on-failure>true</continue-on-failure></qos-policy-group-delete-iter></netapp> :: Pending
 [kern_command-history:info:909] ontapi :: [ip address] :: openstack :: Insufficient privileges: user 'openstack' does not have write access to this resource :: ONTAPI :: Error

 

Any ideas what may be causing this error.?

The NetApp role was set up as per NetApp documentation here -

 

http://netapp.github.io/openstack-deploy-ops-guide/mitaka/content/cinder.fas.configuration.html#cinder.cdot.account_permissions

 

The user is a cluster level user

1 ACCEPTED SOLUTION

Bishoy
5,610 Views
4 REPLIES 4

Bishoy
5,837 Views

Might be handy to post a trial of creating/deleteing QOS from Clustershell using this user on involved vols and Vserver and then we dig deeper into this.

 

Best Regards,

Bishoy

SumitK
5,811 Views

In your cinder.conf, do you have the value of netapp_server_hostname set as the IP address of the cluster management LIFYou're on the right track with respect to using the Cluster-scoped account.

 

Just to reiterate, the "qos policy-group" command requires a Cluster-scoped account, and you need to ensure that you have netapp_server_hostname in your cinder.conf set as the IP address of the cluster management LIF.

openstack1
5,784 Views

Yes the cinder.conf correctly has the cluster management LIF ip address.

 

A ticket has been opened with NetApp support. I will report back on any progress

Bishoy
5,611 Views

I have already addressed this with support

 

https://bugs.launchpad.net/cinder/+bug/1670879 

Public