'Unable to authorize user' after 'keystone token-get'
I am trying to learn OpenStack, so I copied the pdf of the OpenStack Installation Guide for Ubuntu 12.04 (LTS) and I am following it.
This is a clean install of Ubuntu 12.04 (LTS) with two nics (it is a KVM virtual machine).
I have encountered a problem in the Verify the Identity Service installation section - which can be found on page 16 of the pdf or the webpage http://docs.openstack.org/havana/install-guide/install/apt/content/keystone-verify.html
The command
$ keystone token-get
gives me a token.
But I get the following result when I try to execute any keystone command
$ keystone user-list
Unable to authorize user
If I set the token and endpoint using the commands
$ export OS_SERVICE_TOKEN=ADMIN_TOKEN
$ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
Then I will be able to execute keystone commands
$ keystone user-role-list --tenant=admin --user=admin
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| a509ffa22e63484196efc36787c77319 | admin | e5f6a1887b3249ae98e74bcee149d168 | 68b8d961a0684a1aa9551b1117ffa35f |
+----------------------------------+-------+----------------------------------+----------------------------------+
$ keystone service-list
+----------------------------------+----------+----------+---------------------------+
| id | name | type | description |
+----------------------------------+----------+----------+---------------------------+
| 356e34759e654ee69b0da0d5f89ea977 | keystone | identify | Keystone Identify Service |
+----------------------------------+----------+----------+---------------------------+
david@controller:~$ keystone endpoint-list
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
| id | region | publicurl | internalurl | adminurl | service_id |
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
| 4f5e1eee19fb425a9737f754bb230b63 | regionOne | http://controller:5000/v2.0 | http://controller:5000/v2.0 | http://controller:35357/v2.0 | 356e34759e654ee69b0da0d5f89ea977 |
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
I am currently stuck and have no idea what to do since I followed the manual 'word for word'. If anybody has encountered this problem before or has an idea then I would appreciate the help.
Thanks.
Updated
Thanks to a response by rahmu, I am adding more information to help narrow down and pinpoint the problem.
I am/was using a file to export the necessary environment variables for the token-get command. Here is the output of the file:
export OS_USERNAME=admin
export OS_PASSWORD=admin_pass
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0
After looking at the policy.json file (pointed out by rahmu), I realise the token-get command needs to return ["is_admin:1"], as evident in the first line of the file: "admin_required": [["role:admin"], ["is_admin:1"]],
But I am getting ["is_admin:0"] when trying to get a token as shown below (while using --debug). Note: I truncated the token id to make it easier to read.
$ keystone --debug user-list
REQ: curl -i -X POST http://controller:35357/v2.0/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"
REQ BODY: {"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin_pass"}}}
RESP: [200] CaseInsensitiveDict({'date': 'Mon, 24 Feb 2014 02:20:28 GMT', 'vary': 'X-Auth-Token', 'content-length': '2354', 'content-type': 'application/json'})
RESP BODY: {"access": {"token": {"issued_at": "2014-02-24T02:20:28.281249", "expires": "2014-02-25T02:20:28Z", "id": "MIIE ... eek", "tenant": {"description": "Admin Tenant", "enabled": true, "id": "68b8d961a0684a1aa9551b1117ffa35f", "name": "admin"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://controller:35357/v2.0", "region": "regionOne", "internalURL": "http://controller:5000/v2.0", "id": "0a5f3aa8623c402ea0df95d59192e51b", "publicURL": "http://controller:5000/v2.0"}], "endpoints_links": [], "type": "identify", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "e5f6a1887b3249ae98e74bcee149d168", "roles": [{"name": "admin"}], "name": "admin"}, "metadata": {"is_admin": 0, "roles": ["a509ffa22e63484196efc36787c77319"]}}}
Unable to authorize user
One can see from the user-role-list command earlier in the post that the "roles": ["a509ffa22e63484196efc36787c77319"] that was returned from debugging is linked to tenant ...
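
How the "admin_required" rule quoted in the post combines its two checks, as an added example that is not part of the original post and not Keystone's own code: a simplified evaluator for the legacy list-of-lists policy.json syntax, assuming the outer list is an OR of inner AND-groups and that "name:value" checks compare the credential field as a string. The TOKEN_CREDS dict shape and all function names are assumptions; its values are constructed from the RESP BODY shown above.

```python
import json

# Rule copied from the policy.json line quoted in the post.
POLICY = json.loads('{"admin_required": [["role:admin"], ["is_admin:1"]]}')

# Constructed from the RESP BODY in the post: role names from "user.roles",
# is_admin from "metadata". The dict shape is an assumption of this example.
TOKEN_CREDS = {"roles": ["admin"], "is_admin": 0}


def check_atom(atom, creds, policy):
    """Evaluate one 'kind:value' check against the credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Reference to another named rule; an unknown rule name fails closed.
        return value in policy and check_rule(policy[value], creds, policy)
    if kind == "role":
        # Role checks compare role names case-insensitively.
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic check: compare the named credential field as a string.
    return kind in creds and str(creds[kind]) == value


def check_rule(rule, creds, policy):
    """Legacy syntax: outer list is OR, each inner list is AND."""
    if not rule:
        return True  # an empty rule always allows
    return any(all(check_atom(a, creds, policy) for a in group)
               for group in rule)


def explain(rule_name, creds, policy=POLICY):
    """Return (overall result, per-check results) for a named rule."""
    rule = policy[rule_name]
    atoms = {a: check_atom(a, creds, policy) for group in rule for a in group}
    return check_rule(rule, creds, policy), atoms


if __name__ == "__main__":
    # Credentials from the post's token: admin role present, is_admin == 0.
    print(explain("admin_required", TOKEN_CREDS))
    # Constructed contrast case: no admin role and is_admin == 0.
    print(explain("admin_required", {"roles": ["Member"], "is_admin": 0}))
```

Under these assumptions the per-check output shows which branch of the rule each credential satisfies, which helps separate a policy denial from a failure elsewhere in the request.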