Question

novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:quotas:update

Posted September 13, 2016 2.4k views
Ubuntu, Python

After great effort, trying over 20 times, I succeeded in getting near the cause of the problem when solving how to edit quota with Python for OpenStack ice version.

It returns useful information: the policy does not allow Python to update.

  1. Where can I configure the policy to allow Python to update quota?
  2. I have set os_cacert but get an insecure warning, and I do not know why.
novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:quotas:update


>>> nc = nvclient.Client(auth_url=os.environ['OS_AUTH_URL'],username="hello@gmail.com",api_key="hello",project_id="MEDULLA",auth_system=auth_system,auth_plugin=auth_plugin,cacert=os.environ['OS_CACERT'])
>>> nc.authenticate()
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
>>> nc.quotas.update(my_tenant.id, floating_ips=1)
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/novaclient/v1_1/quotas.py", line 61, in update
    return self._update(url, body, 'quota_set')
  File "/usr/lib/python2.7/dist-packages/novaclient/base.py", line 165, in _update
    _resp, body = self.api.client.put(url, body=body)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 289, in put
    return self._cs_request(url, 'PUT', **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 260, in _cs_request
    **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 242, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 236, in request
    raise exceptions.from_response(resp, body, url, method)
novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:quotas:update to be performed. (HTTP 403) (Request-ID: req-32557638-1092-47e2-ae2e-82b0a4a0f818)
edited by kamaln7
2 comments
  • Another strange thing is that setting the tenant id as project id is wrong; I need to set the tenant name as project id. I feel this is odd.

  • After googling:

    in /etc/nova/policy.json
    change
    "compute_extension:quotas:update": "rule:admin_api"
    to
    "compute_extension:quotas:update": ""

    nc = nvclient.Client(auth_url=os.environ['OS_AUTH_URL'],username="hello@gmail.com",api_key="hello",project_id="MEDULLA",auth_system=auth_system,auth_plugin=auth_plugin,cacert=os.environ['OS_CACERT'])
    #nc.authenticate()
    
    policy.enforce(nc,'quotas:update',{'getall':None})
    >>> policy.enforce(nc,'quotas:update',{'getall':None})
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    NameError: name 'policy' is not defined
    
    
    edited by kamaln7
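
Added example (not part of the original thread and not Nova's own code): in the policy language Nova uses, an empty check string always passes, so changing `compute_extension:quotas:update` from `rule:admin_api` to `""` opens quota updates to every authenticated user instead of only callers that match `admin_api`. The sketch below audits a policy file for rules in that state; the sample policy is constructed and the function names are hypothetical.

```python
import json

TEXT = type(u"")  # str on Python 3, unicode on Python 2.7 (what json returns)

# Constructed sample: a fragment of /etc/nova/policy.json after the edit
# described in the comment above (not taken from a real deployment).
SAMPLE_POLICY = u"""
{
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute_extension:quotas:show": "rule:admin_or_owner",
    "compute_extension:quotas:update": "",
    "compute_extension:quotas:delete": "rule:admin_api"
}
"""


def resolve(rules, name):
    """Follow bare 'rule:<alias>' references to the check that is evaluated."""
    seen = {name}
    check = rules[name]
    while isinstance(check, TEXT):
        check = check.strip()
        alias = check[len("rule:"):]
        if not check.startswith("rule:") or " " in alias:
            break  # a real check or a compound expression, not a bare alias
        if alias in seen or alias not in rules:
            break  # cycle or dangling reference: stop and report as-is
        seen.add(alias)
        check = rules[alias]
    return check


def unrestricted_rules(policy_text):
    """Return the rule names that any authenticated caller passes."""
    rules = json.loads(policy_text)
    # "" and [] (legacy list form) always pass; "@" is the explicit allow-all.
    return sorted(name for name in rules
                  if resolve(rules, name) in (u"", u"@", []))


if __name__ == "__main__":
    for rule in unrestricted_rules(SAMPLE_POLICY):
        print("open to every authenticated user: " + rule)
```

Running it against the real file instead of the sample only needs the file's contents passed to `unrestricted_rules`.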
