Question

novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:quotas:update

after great effort to try over 20 times, i succeeded to be near the cause of problem when solving how to edit quota with python for openstack ice version

it return a useful information that policy not allow python to update,

  1. where can config policy to allow python to update quota 2.i have set os_cacert but has insecure warning, do not know why
novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:quotas:update


>>> nc = nvclient.Client(auth_url=os.environ['OS_AUTH_URL'],username="hello@gmail.com",api_key="hello",project_id="MEDULLA",auth_system=auth_system,auth_plugin=auth_plugin,cacert=os.environ['OS_CACERT'])
>>> nc.authenticate()
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
>>> nc.quotas.update(my_tenant.id, floating_ips=1)
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/novaclient/v1_1/quotas.py", line 61, in update
    return self._update(url, body, 'quota_set')
  File "/usr/lib/python2.7/dist-packages/novaclient/base.py", line 165, in _update
    _resp, body = self.api.client.put(url, body=body)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 289, in put
    return self._cs_request(url, 'PUT', **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 260, in _cs_request
    **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 242, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 236, in request
    raise exceptions.from_response(resp, body, url, method)
novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:quotas:update to be performed. (HTTP 403) (Request-ID: req-32557638-1092-47e2-ae2e-82b0a4a0f818)
Subscribe
Share

after googled,

in /etc/nova/policy.json change "compute_extension:quotas:update": "rule:admin_api" to "compute_extension:quotas:update": ""

nc = nvclient.Client(auth_url=os.environ['OS_AUTH_URL'],username="hello@gmail.com",api_key="hello",project_id="MEDULLA",auth_system=auth_system,auth_plugin=auth_plugin,cacert=os.environ['OS_CACERT'])
#nc.authenticate()

policy.enforce(nc,'quotas:update',{'getall':None})
>>> policy.enforce(nc,'quotas:update',{'getall':None})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'policy' is not defined

another strange thing is i set tenant id to project id is wrong, i need to set tenant name to project id, i feel this is odd.


Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

This comment has been deleted