tesleft
By:
tesleft

novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:quotas:update

September 13, 2016 393 views
Python Ubuntu

after great effort to try over 20 times,
i succeeded to be near the cause of problem when solving how to edit quota with python for openstack ice version

it return a useful information that policy not allow python to update,

  1. where can config policy to allow python to update quota 2.i have set os_cacert but has insecure warning, do not know why
novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:quotas:update


>>> nc = nvclient.Client(auth_url=os.environ['OS_AUTH_URL'],username="hello@gmail.com",api_key="hello",project_id="MEDULLA",auth_system=auth_system,auth_plugin=auth_plugin,cacert=os.environ['OS_CACERT'])
>>> nc.authenticate()
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
>>> nc.quotas.update(my_tenant.id, floating_ips=1)
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/novaclient/v1_1/quotas.py", line 61, in update
    return self._update(url, body, 'quota_set')
  File "/usr/lib/python2.7/dist-packages/novaclient/base.py", line 165, in _update
    _resp, body = self.api.client.put(url, body=body)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 289, in put
    return self._cs_request(url, 'PUT', **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 260, in _cs_request
    **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 242, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 236, in request
    raise exceptions.from_response(resp, body, url, method)
novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:quotas:update to be performed. (HTTP 403) (Request-ID: req-32557638-1092-47e2-ae2e-82b0a4a0f818)
2 comments
  • another strange thing is i set tenant id to project id is wrong, i need to set tenant name to project id, i feel this is odd.

  • after googled,

    in /etc/nova/policy.json
    change
    "computeextension:quotas:update": "rule:adminapi"
    to
    "compute_extension:quotas:update": ""

    nc = nvclient.Client(authurl=os.environ['OSAUTHURL'],username="hello@gmail.com",apikey="hello",projectid="MEDULLA",authsystem=authsystem,authplugin=authplugin,cacert=os.environ['OSCACERT'])

    nc.authenticate()

    policy.enforce(nc,'quotas:update',{'getall':None})

    policy.enforce(nc,'quotas:update',{'getall':None})
    Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
    NameError: name 'policy' is not defined

1 Answer
Have another answer? Share your knowledge.