
Unauthorized: The request you have made requires authentication. (HTTP 401)

asked 2017-11-13 21:41:21 -0600

s-esm

Dear Members,

I am trying to manually install OpenStack with 3 nodes (controller, network, compute).

I have installed keystone and glance successfully, but when I installed nova it gave some errors in controller:/var/log/nova/nova-placement-api.log

  • OS: CentOS 7.4
  • Version: Pike

--

[root@controller ~]$ source admin-openrc
[root@controller ~]$ nova-status --debug upgrade check
Error:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nova/cmd/status.py", line 459, in main
    ret = fn(*fn_args, **fn_kwargs)
  File "/usr/lib/python2.7/site-packages/nova/cmd/status.py", line 389, in check
    result = func(self)
  File "/usr/lib/python2.7/site-packages/nova/cmd/status.py", line 203, in _check_placement
    versions = self._placement_get("/")
  File "/usr/lib/python2.7/site-packages/nova/cmd/status.py", line 191, in _placement_get
    return client.get(path, endpoint_filter=ks_filter).json()
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 845, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 742, in request
    raise exceptions.from_response(resp, method, url)
ServiceUnavailable: Service Unavailable (HTTP 503) (Request-ID: req-56f3bd0f-01af-429a-a6eb-a262e93007fb)

[root@controller ~]$ cat /var/log/nova/nova-placement-api.log
2017-11-14 03:27:58.016 12531 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}: Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-322b8a25-0f30-4fce-8c93-8be15dac6366)
2017-11-14 03:27:58.017 12531 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Identity server rejected authorization necessary to fetch token data: ServiceError: Identity server rejected authorization necessary to fetch token data
2017-11-14 03:27:58.542 12529 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}: Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-9eac582b-fea0-4afd-9a7b-082a3babee08)
2017-11-14 03:27:58.953 12529 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}: Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0deac8a3-f196-4bb6-b869-e81f54a8ad35)
2017-11-14 03:27:58.954 12529 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Identity server rejected authorization necessary to fetch token data: ServiceError: Identity server rejected authorization necessary to fetch token data

[root@controller ~]$ cat /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://openstack:password@controller
my_ip = 172.16.201.1
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver

[api_database]
connection = mysql+pymysql://nova:password@controller/nova_api

[database]
connection = mysql+pymysql://nova:password@controller/nova

[api]
auth_strategy = keystone

[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = password

[vnc]
enabled = true
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip

[glance]
api_servers = http://controller:9292

[oslo_concurrency]
lock_path = /var/lib/nova/tmp

[placement]
os_region_name = RegionOne
project_domain_name = default
project_name = service
auth_type = password
user_domain_name = default
auth_url = http://controller:35357/v3
username = placement
password = password

[root@controller ~]$ cat /etc/httpd/conf.d/00-nova-placement-api.conf
Listen 8778

<VirtualHost *:8778>
  WSGIProcessGroup nova-placement-api
  WSGIApplicationGroup %{GLOBAL ...

3 answers


answered 2017-11-15 16:50:33 -0600

rrottach

updated 2017-11-15 16:53:57 -0600

I am in the process of installing Pike, and when I logged into Horizon and selected an item in the tree on the left, such as instances, I would get logged out with a message stating that I was not authorized. I figured out that the auth_uri in [keystone_authtoken] is wrong.

Original line: auth_uri = http://controller:5000

Updated line: auth_uri = http://controller:5000/v3

You can see in the admin-openrc and demo-openrc files that they use http://controller:5000/v3 for authentication.

Once I made this change in all of the appropriate files and rebooted, I was able to log into Horizon and navigate as expected. This is an error in their documentation for installing Pike.

I am not sure if this will fix your problem, but it sounds like a similar authentication issue to me.


answered 2017-11-14 01:29:07 -0600

s-esm

Thank you for your response.

There is no problem with authentication, but I get a 503 HTTP response and a 401 error in the logs.

[root@controller ~]# echo $OSTOKEN
[root@controller ~]#
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=default
[root@controller ~]# export OS_USER_DOMAIN_NAME=default
[root@controller ~]# export OS_PROJECT_NAME=service
[root@controller ~]# export OS_USERNAME=placement
[root@controller ~]# export OS_PASSWORD=password
[root@controller ~]# export OS_AUTH_URL=http://controller:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
[root@controller ~]# export OS_IMAGE_API_VERSION=2
[root@controller ~]# OSTOKEN=$(openstack token issue -f value -c id)
[root@controller ~]# echo $OSTOKEN
gAAAAABaCo1F1CIMVlsTBeuqYH8tm2qR29tbkmUL4vZuhCNPXJI39TQ2YzL6Twoj8fNcAyLe3WhCYW2O1YpbBF0G8mo4bt7Kf0IRsoDOoJ6uWa3RYyJ5SQNoB_5n8EnVXbKPxFYOZ_iFBnaVtL1_XDrGbwsrlDeyy8lZTDdLsqY52pUhFR-7Uow
[root@controller ~]# curl -s -H "X-Auth-Token: $OSTOKEN" http://controller:8778/
<html>
 <head>
  <title>503 Service Unavailable</title>
 </head>
 <body>
  <h1>503 Service Unavailable</h1>
  The server is currently unavailable. Please try again at a later time.<br /><br />
 </body>
</html>
[root@controller ~]#
[root@controller ~]# tail /var/log/keystone/keystone.log
2017-11-14 06:30:19.268 6324 INFO keystone.common.wsgi [req-94873876-b922-403b-9463-74b2c19cc7ac - - - - -] POST http://controller:35357/v3/auth/tokens
2017-11-14 06:30:19.731 6324 WARNING keystone.common.wsgi [req-94873876-b922-403b-9463-74b2c19cc7ac - - - - -] Authorization failed. The request you have made requires authentication. from 172.16.201.1: Unauthorized: The request you have made requires authentication.
2017-11-14 06:30:19.737 6321 INFO keystone.common.wsgi [req-c0e51dc8-b058-4626-9d5e-fd1c30af9be4 - - - - -] POST http://controller:35357/v3/auth/tokens
2017-11-14 06:30:20.149 6321 WARNING keystone.common.wsgi [req-c0e51dc8-b058-4626-9d5e-fd1c30af9be4 - - - - -] Authorization failed. The request you have made requires authentication. from 172.16.201.1: Unauthorized: The request you have made requires authentication.
[root@controller ~]# 
[root@controller ~]# tail /var/log/nova/nova-placement-api.log 
2017-11-14 06:30:19.733 6315 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}: Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-94873876-b922-403b-9463-74b2c19cc7ac)
2017-11-14 06:30:20.151 6315 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}: Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-c0e51dc8-b058-4626-9d5e-fd1c30af9be4)
2017-11-14 06:30:20.151 6315 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Identity server rejected authorization necessary to fetch token data: ServiceError: Identity server rejected authorization necessary to fetch token data
[root@controller ~]#

Comments

I remember a similar case a few months ago where the problem was the os_region_name parameter https://ask.openstack.org/en/question.... Perhaps it needs fixing or can be removed.

Bernd Bausch ( 2017-11-14 02:39:23 -0600 )

Thank you for your response. I tried again with the os_region_name parameter, but I still have the error.

s-esm ( 2017-11-14 06:25:41 -0600 )

answered 2017-11-13 23:28:58 -0600

Bernd Bausch

The error says that Placement can't authenticate with Keystone. Check if there is a user named placement, with a password password. Also try logging on as Placement:

  • Give your environment variables OS_USERNAME, OS_PASSWORD etc the values under [placement]
  • openstack token issue
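
Added example (not part of the original answer or of OpenStack itself): a shell sketch of the check above, extended to run against [keystone_authtoken] as well as [placement], because the keystonemiddleware.auth_token messages in the log come from the middleware that authenticates with the [keystone_authtoken] credentials. The function names are hypothetical, the sample config is constructed from the values in the question, and it assumes the openstack client is installed and /etc/nova/nova.conf is readable.

```shell
# Print key=value lines for one [section] of an oslo.config (INI) file.
ini_section() {  # usage: ini_section FILE SECTION
    awk -v want="[$2]" '
        /^\[/ { sub(/[ \t]+$/, ""); insec = ($0 == want); next }
        insec && /^[^#; \t][^=]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# Export the OS_* variables the openstack client reads from one section.
load_osenv() {  # usage: load_osenv FILE SECTION
    while read -r line; do
        key=${line%%=*}; val=${line#*=}
        case "$key" in
            username)            export OS_USERNAME="$val" ;;
            password)            export OS_PASSWORD="$val" ;;
            project_name)        export OS_PROJECT_NAME="$val" ;;
            user_domain_name)    export OS_USER_DOMAIN_NAME="$val" ;;
            project_domain_name) export OS_PROJECT_DOMAIN_NAME="$val" ;;
            auth_url)            export OS_AUTH_URL="$val" ;;
        esac
    done <<EOF
$(ini_section "$1" "$2")
EOF
    export OS_IDENTITY_API_VERSION=3
}

# Request a token with one section's credentials; the subshell keeps them contained.
check_section() {  # usage: check_section FILE SECTION
    ( load_osenv "$1" "$2"
      if openstack token issue -f value -c id >/dev/null 2>&1
      then echo "[$2] user=$OS_USERNAME: token issued"
      else echo "[$2] user=$OS_USERNAME: rejected by Keystone"
      fi )
}

# Constructed sample with the same two sections as the question's nova.conf.
sample_conf() {
    printf '%s\n' '[keystone_authtoken]' 'auth_url = http://controller:35357' \
        'username = nova' 'password = password' \
        '[placement]' 'auth_url = http://controller:35357/v3' \
        'username = placement' 'password = password'
}

if command -v openstack >/dev/null 2>&1 && [ -r /etc/nova/nova.conf ]; then
    for s in keystone_authtoken placement; do check_section /etc/nova/nova.conf "$s"; done
fi
```

A section reported as rejected is the one whose user or password does not match what Keystone has stored.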

Stats

Asked: 2017-11-13 21:41:21 -0600

Seen: 53 times

Last updated: Nov 15