Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

I'm working on a Kilo installation, and it looks like I'm having the same trouble with the nova and glance APIs.

I followed the Kilo installation guide for the config files and set up the keystone_authtoken section as follows:

[keystone_authtoken]
auth_uri = http://kilocontroller:5000
identity_uri = http://kilocontroller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = nova
password = XXXXXXXXXXX

And before I run these commands, I source the admin credentials. That also uses the suggested environment variables from the Kilo installation guide:

[root@kilocontroller ~]# cat admin-openrc.sh 
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=XXXXXXXXXXXXXXX
export OS_AUTH_URL=http://kilocontroller:35357/v3
export OS_IMAGE_API_VERSION=2

I get the same error in my logs:

[root@kilocontroller ~]# tail -4 /var/log/nova/nova-api.log
2015-05-07 09:04:06.276 3302 ERROR keystonemiddleware.auth_token [-] Bad response code while validating token: 400
2015-05-07 09:04:06.277 3302 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Expecting to find username or userId in passwordCredentials - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}
2015-05-07 09:04:06.277 3302 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
2015-05-07 09:04:06.278 3302 INFO nova.osapi_compute.wsgi.server [-] 192.168.10.110 "GET /v2/3a5e3f78fcbf43c9b36930a8943bc735/os-services HTTP/1.1" status: 401 len: 284 time: 0.0119960

I also ran the above curl command, and it looks like it is successful:

[root@kilocontroller ~]# curl -s -X POST http://kilocontroller:5000/v2.0/tokens \
-H "Content-Type: application/json" \
 -d '{"auth": {"tenantName": "'"$OS_TENANT_NAME"'", "passwordCredentials":
 {"username": "'"$OS_USERNAME"'", "password": "'"$OS_PASSWORD"'"}}}'
 {"access": {"token": {"issued_at": "2015-05-07T14:39:04.401974", "expires": "2015-05-07T15:39:04Z", "id": "e5807245d39c46ed84ac2bfe5b72ea8e", "tenant": {"description": "Admin Project", "enabled": true, "id": "3a5e3f78fcbf43c9b36930a8943bc735", "name": "admin"}, "audit_ids": ["MCDVi8YATQOrDDf2xFX7Pg"]}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://kilocontroller:9292", "region": "RegionOne", "internalURL": "http://kilocontroller:9292", "id": "7c23f97f2bdc45268f898f98d1f5609e", "publicURL": "http://kilocontroller:9292"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://kilocontroller:8774/v2/3a5e3f78fcbf43c9b36930a8943bc735", "region": "RegionOne", "internalURL": "http://kilocontroller:8774/v2/3a5e3f78fcbf43c9b36930a8943bc735", "id": "2258953915fb4a4ca352f0914ad29136", "publicURL": "http://kilocontroller:8774/v2/3a5e3f78fcbf43c9b36930a8943bc735"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://kilocontroller:35357/v2.0", "region": "RegionOne", "internalURL": "http://kilocontroller:5000/v2.0", "id": "6fc065ff9f104c128cb10b8973b7e113", "publicURL": "http://kilocontroller:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "66b2ff67114b47248b327aa6aad7ce24", "roles": [{"name": "admin"}], "name": "admin"}, "metadata": {"is_admin": 0, "roles": ["982193753098475c88defe4849c4d242"]}}}

With the --debug flag, this is what I'm seeing:

[root@kilocontroller ~]# nova --debug service-list
DEBUG (session:195) REQ: curl -g -i -X GET http://kilocontroller:35357/v3 -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
INFO (connectionpool:203) Starting new HTTP connection (1): kilocontroller
DEBUG (connectionpool:383) "GET /v3 HTTP/1.1" 200 336
DEBUG (session:224) RESP: [200] content-length: 336 vary: X-Auth-Token connection: keep-alive date: Thu, 07 May 2015 14:04:05 GMT content-type: application/json x-openstack-request-id: req-eda0bef0-fc50-4b25-a6b9-a3cb21c3084c 
RESP BODY: {"version": {"status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": [{"href": "http://kilocontroller:35357/v3/", "rel": "self"}]}}
DEBUG (base:178) Making authentication request to http://kilocontroller:35357/v3/auth/tokens
DEBUG (connectionpool:383) "POST /v3/auth/tokens HTTP/1.1" 201 2293
DEBUG (iso8601:184) Parsed 2015-05-07T15:04:06.103486Z into {'tz_sign': None, 'second_fraction': u'103486', 'hour': u'15', 'daydash': u'07', 'tz_hour': None, 'month': None, 'timezone': u'Z', 'second': u'06', 'tz_minute': None, 'year': u'2015', 'separator': u'T', 'monthdash': u'05', 'day': None, 'minute': u'04'} with default timezone <iso8601.iso8601.Utc object at 0x158d710>
DEBUG (iso8601:140) Got u'2015' for 'year' with default None
DEBUG (iso8601:140) Got u'05' for 'monthdash' with default 1
DEBUG (iso8601:140) Got 5 for 'month' with default 5
DEBUG (iso8601:140) Got u'07' for 'daydash' with default 1
DEBUG (iso8601:140) Got 7 for 'day' with default 7
DEBUG (iso8601:140) Got u'15' for 'hour' with default None
DEBUG (iso8601:140) Got u'04' for 'minute' with default None
DEBUG (iso8601:140) Got u'06' for 'second' with default None
DEBUG (session:195) REQ: curl -g -i -X GET http://kilocontroller:8774/v2/3a5e3f78fcbf43c9b36930a8943bc735/os-services -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}3355c3c06847e89f8f1a21f17a34a58b0fd30c56"
INFO (connectionpool:203) Starting new HTTP connection (1): kilocontroller
DEBUG (connectionpool:383) "GET /v2/3a5e3f78fcbf43c9b36930a8943bc735/os-services HTTP/1.1" 401 23
DEBUG (session:224) RESP:
DEBUG (base:178) Making authentication request to http://kilocontroller:35357/v3/auth/tokens
DEBUG (connectionpool:383) "POST /v3/auth/tokens HTTP/1.1" 201 2293
DEBUG (connectionpool:383) "GET /v2/3a5e3f78fcbf43c9b36930a8943bc735/os-services HTTP/1.1" 401 23
DEBUG (session:224) RESP:
DEBUG (shell:911) Unauthorized (HTTP 401) (Request-ID: req-6774c66c-0614-4fb0-8a89-b664d0812830)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 908, in main
    OpenStackComputeShell().main(argv)
  File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 835, in main
    args.func(self.cs, args)
  File "/usr/lib/python2.7/site-packages/novaclient/v2/shell.py", line 3443, in do_service_list
    result = cs.services.list(host=args.host, binary=args.binary)
  File "/usr/lib/python2.7/site-packages/novaclient/v2/services.py", line 49, in list
    return self._list(url, "services")
  File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 64, in _list
    _resp, body = self.api.client.get(url)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 92, in request
    raise exceptions.from_response(resp, body, url, method)
Unauthorized: Unauthorized (HTTP 401) (Request-ID: req-6774c66c-0614-4fb0-8a89-b664d0812830)
ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID: req-6774c66c-0614-4fb0-8a89-b664d0812830)

I don't know if it's the same problem I'm having with the glance API, but when I try to do something there, I get:

 [root@kilocontroller ~]# glance --debug image-list
 curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}28aa172eab27a1ba94cab28a491d705dceabe08b' -H 'Content-Type: application/octet-stream' http://kilocontroller:9292/v2/schemas/image
 Request returned failure status 401.
 Invalid OpenStack Identity credentials.

 [root@kilocontroller ~]# tail -4 /var/log/glance/api.log 
 2015-05-07 09:45:21.525 3773 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Expecting to find username or userId in passwordCredentials - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}
 2015-05-07 09:45:21.525 3773 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
 2015-05-07 09:45:21.525 3773 INFO keystonemiddleware.auth_token [-] Invalid user token - deferring reject downstream
 2015-05-07 09:45:21.526 3773 INFO glance.wsgi.server [-] 192.168.10.110 - - [07/May/2015 09:45:21] "GET /v2/schemas/image HTTP/1.1" 401 570 0.011955

[UPDATE] I have solved the problem I was having (see details below). For me, the new settings that I followed in [keystone_authtoken] in both nova.conf and glance-api.conf from the Kilo installation guide were the problem. I checked out the Kilo configuration guide, and I'm not even seeing project_domain_id, user_domain_id, project_name, username, and password as valid entries. I had to make a few changes:

  1. The auth_uri should be the full URL, including version number
  2. user admin_tenant_name, admin_user, and admin_password.

So my new [keystone_authtoken] section looks like this:

[keystone_authtoken]
auth_uri = http://kilocontroller:5000/v2.0
identity_uri = http://kilocontroller:35357
admin_tenant_name = service
admin_user = nova
admin_password = XXXXXXXXXXXX

I made the same changes in my glance-api.conf file and now I can do an image-list and image create, so I'm happy.

adendukuri, can you see if this is the source of your error messages as well?

[ORIGINAL POST BELOW:]

I'm working on a Kilo installation, and it looks like I'm having the same trouble with the nova and glance APIs.

I followed the Kilo installation guide for the config files and set up the keystone_authtoken section as follows:

[keystone_authtoken]
auth_uri = http://kilocontroller:5000
identity_uri = http://kilocontroller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = nova
password = XXXXXXXXXXX

And before I run these commands, I source the admin credentials. That also uses the suggested environment variables from the Kilo installation guide:

[root@kilocontroller ~]# cat admin-openrc.sh 
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=XXXXXXXXXXXXXXX
export OS_AUTH_URL=http://kilocontroller:35357/v3
export OS_IMAGE_API_VERSION=2

I get the same error in my logs:

[root@kilocontroller ~]# tail -4 /var/log/nova/nova-api.log
2015-05-07 09:04:06.276 3302 ERROR keystonemiddleware.auth_token [-] Bad response code while validating token: 400
2015-05-07 09:04:06.277 3302 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Expecting to find username or userId in passwordCredentials - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}
2015-05-07 09:04:06.277 3302 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
2015-05-07 09:04:06.278 3302 INFO nova.osapi_compute.wsgi.server [-] 192.168.10.110 "GET /v2/3a5e3f78fcbf43c9b36930a8943bc735/os-services HTTP/1.1" status: 401 len: 284 time: 0.0119960

I also ran the above curl command, and it looks like it is successful:

[root@kilocontroller ~]# curl -s -X POST http://kilocontroller:5000/v2.0/tokens \
-H "Content-Type: application/json" \
 -d '{"auth": {"tenantName": "'"$OS_TENANT_NAME"'", "passwordCredentials":
 {"username": "'"$OS_USERNAME"'", "password": "'"$OS_PASSWORD"'"}}}'
 {"access": {"token": {"issued_at": "2015-05-07T14:39:04.401974", "expires": "2015-05-07T15:39:04Z", "id": "e5807245d39c46ed84ac2bfe5b72ea8e", "tenant": {"description": "Admin Project", "enabled": true, "id": "3a5e3f78fcbf43c9b36930a8943bc735", "name": "admin"}, "audit_ids": ["MCDVi8YATQOrDDf2xFX7Pg"]}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://kilocontroller:9292", "region": "RegionOne", "internalURL": "http://kilocontroller:9292", "id": "7c23f97f2bdc45268f898f98d1f5609e", "publicURL": "http://kilocontroller:9292"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://kilocontroller:8774/v2/3a5e3f78fcbf43c9b36930a8943bc735", "region": "RegionOne", "internalURL": "http://kilocontroller:8774/v2/3a5e3f78fcbf43c9b36930a8943bc735", "id": "2258953915fb4a4ca352f0914ad29136", "publicURL": "http://kilocontroller:8774/v2/3a5e3f78fcbf43c9b36930a8943bc735"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://kilocontroller:35357/v2.0", "region": "RegionOne", "internalURL": "http://kilocontroller:5000/v2.0", "id": "6fc065ff9f104c128cb10b8973b7e113", "publicURL": "http://kilocontroller:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "66b2ff67114b47248b327aa6aad7ce24", "roles": [{"name": "admin"}], "name": "admin"}, "metadata": {"is_admin": 0, "roles": ["982193753098475c88defe4849c4d242"]}}}

With the --debug flag, this is what I'm seeing:

[root@kilocontroller ~]# nova --debug service-list
DEBUG (session:195) REQ: curl -g -i -X GET http://kilocontroller:35357/v3 -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
INFO (connectionpool:203) Starting new HTTP connection (1): kilocontroller
DEBUG (connectionpool:383) "GET /v3 HTTP/1.1" 200 336
DEBUG (session:224) RESP: [200] content-length: 336 vary: X-Auth-Token connection: keep-alive date: Thu, 07 May 2015 14:04:05 GMT content-type: application/json x-openstack-request-id: req-eda0bef0-fc50-4b25-a6b9-a3cb21c3084c 
RESP BODY: {"version": {"status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": [{"href": "http://kilocontroller:35357/v3/", "rel": "self"}]}}
DEBUG (base:178) Making authentication request to http://kilocontroller:35357/v3/auth/tokens
DEBUG (connectionpool:383) "POST /v3/auth/tokens HTTP/1.1" 201 2293
DEBUG (iso8601:184) Parsed 2015-05-07T15:04:06.103486Z into {'tz_sign': None, 'second_fraction': u'103486', 'hour': u'15', 'daydash': u'07', 'tz_hour': None, 'month': None, 'timezone': u'Z', 'second': u'06', 'tz_minute': None, 'year': u'2015', 'separator': u'T', 'monthdash': u'05', 'day': None, 'minute': u'04'} with default timezone <iso8601.iso8601.Utc object at 0x158d710>
DEBUG (iso8601:140) Got u'2015' for 'year' with default None
DEBUG (iso8601:140) Got u'05' for 'monthdash' with default 1
DEBUG (iso8601:140) Got 5 for 'month' with default 5
DEBUG (iso8601:140) Got u'07' for 'daydash' with default 1
DEBUG (iso8601:140) Got 7 for 'day' with default 7
DEBUG (iso8601:140) Got u'15' for 'hour' with default None
DEBUG (iso8601:140) Got u'04' for 'minute' with default None
DEBUG (iso8601:140) Got u'06' for 'second' with default None
DEBUG (session:195) REQ: curl -g -i -X GET http://kilocontroller:8774/v2/3a5e3f78fcbf43c9b36930a8943bc735/os-services -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}3355c3c06847e89f8f1a21f17a34a58b0fd30c56"
INFO (connectionpool:203) Starting new HTTP connection (1): kilocontroller
DEBUG (connectionpool:383) "GET /v2/3a5e3f78fcbf43c9b36930a8943bc735/os-services HTTP/1.1" 401 23
DEBUG (session:224) RESP:
DEBUG (base:178) Making authentication request to http://kilocontroller:35357/v3/auth/tokens
DEBUG (connectionpool:383) "POST /v3/auth/tokens HTTP/1.1" 201 2293
DEBUG (connectionpool:383) "GET /v2/3a5e3f78fcbf43c9b36930a8943bc735/os-services HTTP/1.1" 401 23
DEBUG (session:224) RESP:
DEBUG (shell:911) Unauthorized (HTTP 401) (Request-ID: req-6774c66c-0614-4fb0-8a89-b664d0812830)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 908, in main
    OpenStackComputeShell().main(argv)
  File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 835, in main
    args.func(self.cs, args)
  File "/usr/lib/python2.7/site-packages/novaclient/v2/shell.py", line 3443, in do_service_list
    result = cs.services.list(host=args.host, binary=args.binary)
  File "/usr/lib/python2.7/site-packages/novaclient/v2/services.py", line 49, in list
    return self._list(url, "services")
  File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 64, in _list
    _resp, body = self.api.client.get(url)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 92, in request
    raise exceptions.from_response(resp, body, url, method)
Unauthorized: Unauthorized (HTTP 401) (Request-ID: req-6774c66c-0614-4fb0-8a89-b664d0812830)
ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID: req-6774c66c-0614-4fb0-8a89-b664d0812830)

I don't know if it's the same problem I'm having with the glance API, but when I try to do something there, I get:

 [root@kilocontroller ~]# glance --debug image-list
 curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}28aa172eab27a1ba94cab28a491d705dceabe08b' -H 'Content-Type: application/octet-stream' http://kilocontroller:9292/v2/schemas/image
 Request returned failure status 401.
 Invalid OpenStack Identity credentials.

 [root@kilocontroller ~]# tail -4 /var/log/glance/api.log 
 2015-05-07 09:45:21.525 3773 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Expecting to find username or userId in passwordCredentials - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}
 2015-05-07 09:45:21.525 3773 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
 2015-05-07 09:45:21.525 3773 INFO keystonemiddleware.auth_token [-] Invalid user token - deferring reject downstream
 2015-05-07 09:45:21.526 3773 INFO glance.wsgi.server [-] 192.168.10.110 - - [07/May/2015 09:45:21] "GET /v2/schemas/image HTTP/1.1" 401 570 0.011955