Ask Your Question
1

Unauthorized: The request you have made requires authentication. (HTTP 401)

asked 2017-11-13 21:41:21 -0500

s-esm gravatar image

Dear Members,

I try to manually install openstack with 3 nodes (controller, network, compute).

I have installed keystone and glance successfully but when I installed nova it is giving some errors in controller:/var/log/nova/nova-placement-api.log

  • OS:CentOS7.4
  • Version:Pike

-- 

[root@controller ~]$ source admin-openrc
[root@controller ~]$ nova-status --debug upgrade check
Error:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nova/cmd/status.py", line 459, in main
    ret = fn(*fn_args, **fn_kwargs)
  File "/usr/lib/python2.7/site-packages/nova/cmd/status.py", line 389, in check
    result = func(self)
  File "/usr/lib/python2.7/site-packages/nova/cmd/status.py", line 203, in _check_placement
    versions = self._placement_get("/")
  File "/usr/lib/python2.7/site-packages/nova/cmd/status.py", line 191, in _placement_get
    return client.get(path, endpoint_filter=ks_filter).json()
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 845, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 742, in request
    raise exceptions.from_response(resp, method, url)
ServiceUnavailable: Service Unavailable (HTTP 503) (Request-ID: req-56f3bd0f-01af-429a-a6eb-a262e93007fb)

[root@controller ~]$ cat /var/log/nova/nova-placement-api.log
2017-11-14 03:27:58.016 12531 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}: Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-322b8a25-0f30-4fce-8c93-8be15dac6366)
2017-11-14 03:27:58.017 12531 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Identity server rejected authorization necessary to fetch token data: ServiceError: Identity server rejected authorization necessary to fetch token data
2017-11-14 03:27:58.542 12529 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}: Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-9eac582b-fea0-4afd-9a7b-082a3babee08)
2017-11-14 03:27:58.953 12529 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}: Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0deac8a3-f196-4bb6-b869-e81f54a8ad35)
2017-11-14 03:27:58.954 12529 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Identity server rejected authorization necessary to fetch token data: ServiceError: Identity server rejected authorization necessary to fetch token data

[root@controller ~]$ cat /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://openstack:password@controller
my_ip = 172.16.201.1
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver

[api_database]
connection = mysql+pymysql://nova:password@controller/nova_api

[database]
connection = mysql+pymysql://nova:password@controller/nova

[api]
auth_strategy = keystone

[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = password

[vnc]
enabled = true
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip

[glance]
api_servers = http://controller:9292

[oslo_concurrency]
lock_path = /var/lib/nova/tmp

[placement]
os_region_name = RegionOne
project_domain_name = default
project_name = service
auth_type = password
user_domain_name = default
auth_url = http://controller:35357/v3
username = placement
password = password

[root@controller ~]$ cat /etc/httpd/conf.d/00-nova-placement-api.conf
Listen 8778

<VirtualHost *:8778>
  WSGIProcessGroup nova-placement-api
  WSGIApplicationGroup %{GLOBAL ...
(more)
edit retag flag offensive close merge delete
add a comment

3 answers

Sort by ยป oldest newest most voted
0

answered 2017-11-13 23:28:58 -0500

Bernd Bausch gravatar image

The error says that Placement can't authenticate with Keystone. Check if there is a user named placement, with a password password. Also try logging on as Placement:

  • Give your environment variables OS_USERNAME, OS_PASSWORD etc the values under [placement]
  • openstack token issue
edit flag offensive delete link more
add a comment
0

answered 2017-11-14 01:29:07 -0500

s-esm gravatar image

Thank you for your response.

There is no problem with authentication, but I have got 503 http response and 401 error in logs.

[root@controller ~]# echo $OSTOKEN
[root@controller ~]#
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=default
[root@controller ~]# export OS_USER_DOMAIN_NAME=default
[root@controller ~]# export OS_PROJECT_NAME=service
[root@controller ~]# export OS_USERNAME=placement
[root@controller ~]# export OS_PASSWORD=password
[root@controller ~]# export OS_AUTH_URL=http://controller:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
[root@controller ~]# export OS_IMAGE_API_VERSION=2
[root@controller ~]# OSTOKEN=$(openstack token issue -f value -c id)
[root@controller ~]# echo $OSTOKEN
gAAAAABaCo1F1CIMVlsTBeuqYH8tm2qR29tbkmUL4vZuhCNPXJI39TQ2YzL6Twoj8fNcAyLe3WhCYW2O1YpbBF0G8mo4bt7Kf0IRsoDOoJ6uWa3RYyJ5SQNoB_5n8EnVXbKPxFYOZ_iFBnaVtL1_XDrGbwsrlDeyy8lZTDdLsqY52pUhFR-7Uow
[root@controller ~]# curl -s -H "X-Auth-Token: $OSTOKEN" http://controller:8778/
<html>
 <head>
  <title>503 Service Unavailable</title>
 </head>
 <body>
  <h1>503 Service Unavailable</h1>
  The server is currently unavailable. Please try again at a later time.<br /><br />
 </body>
</html>
[root@controller ~]#
[root@controller ~]# tail /var/log/keystone/keystone.log
2017-11-14 06:30:19.268 6324 INFO keystone.common.wsgi [req-94873876-b922-403b-9463-74b2c19cc7ac - - - - -] POST http://controller:35357/v3/auth/tokens
2017-11-14 06:30:19.731 6324 WARNING keystone.common.wsgi [req-94873876-b922-403b-9463-74b2c19cc7ac - - - - -] Authorization failed. The request you have made requires authentication. from 172.16.201.1: Unauthorized: The request you have made requires authentication.
2017-11-14 06:30:19.737 6321 INFO keystone.common.wsgi [req-c0e51dc8-b058-4626-9d5e-fd1c30af9be4 - - - - -] POST http://controller:35357/v3/auth/tokens
2017-11-14 06:30:20.149 6321 WARNING keystone.common.wsgi [req-c0e51dc8-b058-4626-9d5e-fd1c30af9be4 - - - - -] Authorization failed. The request you have made requires authentication. from 172.16.201.1: Unauthorized: The request you have made requires authentication.
[root@controller ~]# 
[root@controller ~]# tail /var/log/nova/nova-placement-api.log 
2017-11-14 06:30:19.733 6315 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}: Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-94873876-b922-403b-9463-74b2c19cc7ac)
2017-11-14 06:30:20.151 6315 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}: Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-c0e51dc8-b058-4626-9d5e-fd1c30af9be4)
2017-11-14 06:30:20.151 6315 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Identity server rejected authorization necessary to fetch token data: ServiceError: Identity server rejected authorization necessary to fetch token data
[root@controller ~]#
edit flag offensive delete link more

Comments

I remember a similar case a few months ago where the problem was the os_region_name parameter https://ask.openstack.org/en/question.... Perhaps it needs fixing or can be removed.

Bernd Bausch gravatar imageBernd Bausch ( 2017-11-14 02:39:23 -0500 )edit

Thank you for your response. I tyied again with os_region_name parameter, but I still have error..

s-esm gravatar images-esm ( 2017-11-14 06:25:41 -0500 )edit
add a comment
0

answered 2017-11-15 16:50:33 -0500

rrottach gravatar image

updated 2017-11-15 16:53:57 -0500

I am in the process of installing Pike and when I logged into Horizon and selected an item in the tree on the left such as instances. I would get logged out stating that was not authorized. I figured out that the auth_uri is wrong in the [keystone_authtoken]

Original line: auth_uri = http://controller:5000

Update line: auth_uri = http://controller:5000/v3

You can see in the admin-openrc and demo-openrc files they use the http://controller:5000/v3 for authentication.

Once I made this change in all of the appropriate files and rebooted i was able to log into Horizon and navigate as expected. This is an error in their documentation for installing Pike.

I am not sure if this will fix your problem but it sounds like a similiar authentication issue to me.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-11-13 21:41:21 -0500

Seen: 11,688 times

Last updated: Nov 15 '17

Related questions

Placement service resource provider warnings (Queens)

my nova doesn't work now, shows url's project_id doesn't match context's project_id. The url's project_id I thought is the role of admin added to the nova at tenant service, but my question is, how can I check the "context's project_id"?

rocky nova-status warning on operation verification

Instance run/start schedule

LAMP in Ubuntu instance

WARNING nova.virt.libvirt.driver

nova-api on CentOS

VM instance NOT getting proper IP

live migration: cpu doesn't have compatibility

swift diy saio with external keystone 503 error problems [closed]