'Unable to authorize user' after 'keystone token-get'

asked 2014-02-23 13:39:29 -0600

Dbruiser

updated 2014-02-23 21:03:04 -0600

I am trying to learn OpenStack, so I copied the PDF of the OpenStack Installation Guide for Ubuntu 12.04 (LTS) and I am following it.

This is a clean install of Ubuntu 12.04 (LTS) with two nics (it is a KVM virtual machine).

I have encountered a problem in the "Verify the Identity Service installation" section, which can be found on page 16 of the PDF or on the web page http://docs.openstack.org/havana/install-guide/install/apt/content/keystone-verify.html

The command $ keystone token-get gives me a token, but I get the following result when I try to execute any keystone command:

$ keystone user-list
Unable to authorize user

If I set the token and endpoint using the commands

$ export OS_SERVICE_TOKEN=ADMIN_TOKEN
$ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

then I am able to execute keystone commands:

$ keystone user-role-list --tenant=admin --user=admin
+----------------------------------+-------+----------------------------------+----------------------------------+
|                id                |  name |             user_id              |            tenant_id             |
+----------------------------------+-------+----------------------------------+----------------------------------+
| a509ffa22e63484196efc36787c77319 | admin | e5f6a1887b3249ae98e74bcee149d168 | 68b8d961a0684a1aa9551b1117ffa35f |
+----------------------------------+-------+----------------------------------+----------------------------------+

$ keystone service-list
+----------------------------------+----------+----------+---------------------------+
|                id                |   name   |   type   |        description        |
+----------------------------------+----------+----------+---------------------------+
| 356e34759e654ee69b0da0d5f89ea977 | keystone | identify | Keystone Identify Service |
+----------------------------------+----------+----------+---------------------------+

david@controller:~$ keystone endpoint-list
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
|                id                |   region  |          publicurl          |         internalurl         |           adminurl           |            service_id            |
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
| 4f5e1eee19fb425a9737f754bb230b63 | regionOne | http://controller:5000/v2.0 | http://controller:5000/v2.0 | http://controller:35357/v2.0 | 356e34759e654ee69b0da0d5f89ea977 |
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+

I am currently stuck and have no idea what to do, since I followed the manual 'word for word'. If anybody has encountered this problem before or has an idea, I would appreciate the help.

Thanks.

Updated

Thanks to a response by rahmu, I am adding more information to help narrow down and pinpoint the problem.

I am/was using a file to export the necessary environment variables for the token-get command. Here is the content of the file:

export OS_USERNAME=admin
export OS_PASSWORD=admin_pass
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0

After looking at the policy.json file (pointed out by rahmu), I realise the token-get command needs to return ["is_admin:1"], as is evident in the first line of the file: "admin_required": [["role:admin"], ["is_admin:1"]],

But I am getting ["is_admin:0"] when trying to get a token, as shown below (while using --debug). Note: I truncated the token id to make it easier to read.

$ keystone --debug user-list
REQ: curl -i -X POST http://controller:35357/v2.0/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"
REQ BODY: {"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin_pass"}}}

RESP: [200] CaseInsensitiveDict({'date': 'Mon, 24 Feb 2014 02:20:28 GMT', 'vary': 'X-Auth-Token', 'content-length': '2354', 'content-type': 'application/json'})
RESP BODY: {"access": {"token": {"issued_at": "2014-02-24T02:20:28.281249", "expires": "2014-02-25T02:20:28Z", "id": "MIIE ... eek", "tenant": {"description": "Admin Tenant", "enabled": true, "id": "68b8d961a0684a1aa9551b1117ffa35f", "name": "admin"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://controller:35357/v2.0", "region": "regionOne", "internalURL": "http://controller:5000/v2.0", "id": "0a5f3aa8623c402ea0df95d59192e51b", "publicURL": "http://controller:5000/v2.0"}], "endpoints_links": [], "type": "identify", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "e5f6a1887b3249ae98e74bcee149d168", "roles": [{"name": "admin"}], "name": "admin"}, "metadata": {"is_admin": 0, "roles": ["a509ffa22e63484196efc36787c77319"]}}}

Unable to authorize user

One can see from the user-role-list command earlier in the post that the "roles": ["a509ffa22e63484196efc36787c77319"] that was returned from debugging is linked to tenant ...


2 answers


answered 2014-02-24 18:37:50 -0600

dtroyer

I see one thing that needs to be corrected:

+----------------------------------+----------+----------+---------------------------+
|                id                |   name   |   type   |        description        |
+----------------------------------+----------+----------+---------------------------+
| 356e34759e654ee69b0da0d5f89ea977 | keystone | identify | Keystone Identify Service |
+----------------------------------+----------+----------+---------------------------+

The type here should be 'identity'. Re-create the endpoint with the correct type.


Comments

Thanks. Simple errors like these 'kill me'. Shame to say I had done it twice and made the same mistake. Making this the answer and adding myself to the 'hall of shame'.

Dbruiser (2014-02-26 00:11:27 -0600)
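The fix above is a one-character typo, but it is worth seeing why it turns into the opaque "Unable to authorize user": after a password authentication succeeds, the client has to find the identity service's admin endpoint in the token's service catalog, and a service registered with type "identify" is simply not there under "identity". The following script is an added example (not part of the answer and not python-keystoneclient's own code); it parses a constructed v2 token response modelled on the --debug output in the question, looks up the endpoint the way a catalog lookup would, and reports the near-miss type so the misconfiguration is visible before re-creating the service.

```python
"""Check an Identity v2 token response's service catalog for a usable
identity endpoint, the lookup a client must perform after authenticating.
Added example; the JSON below is constructed from the question's debug
output with the token id replaced by a placeholder."""
import json

# Constructed sample: note the service type "identify" where "identity"
# is expected, exactly as in the question's service-list output.
TOKEN_RESPONSE_TYPO = json.dumps({
    "access": {
        "token": {"id": "TOKEN_ID_PLACEHOLDER", "expires": "2014-02-25T02:20:28Z"},
        "serviceCatalog": [{
            "type": "identify",
            "name": "keystone",
            "endpoints": [{
                "region": "regionOne",
                "publicURL": "http://controller:5000/v2.0",
                "internalURL": "http://controller:5000/v2.0",
                "adminURL": "http://controller:35357/v2.0",
            }],
        }],
        "user": {"name": "admin", "roles": [{"name": "admin"}]},
        "metadata": {"is_admin": 0, "roles": ["a509ffa22e63484196efc36787c77319"]},
    }
})


def find_endpoint(token_response, service_type="identity",
                  endpoint_type="adminURL", region=None):
    """Return the URL of the first endpoint matching service_type and
    endpoint_type (optionally restricted to a region), or None if the
    catalog carries no such service. None is the situation that leaves a
    client with nothing to talk to after a successful authentication."""
    catalog = json.loads(token_response)["access"].get("serviceCatalog", [])
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for endpoint in service.get("endpoints", []):
            if region and endpoint.get("region") != region:
                continue
            url = endpoint.get(endpoint_type)
            if url:
                return url
    return None


def diagnose_catalog(token_response, service_type="identity"):
    """Explain why a lookup would fail: list the service types actually
    present and flag near-misses such as 'identify' so a typo is obvious."""
    catalog = json.loads(token_response)["access"].get("serviceCatalog", [])
    present = sorted({s.get("type", "") for s in catalog})
    if service_type in present:
        return "ok: service type %r present" % service_type
    near = [t for t in present if t[:5] == service_type[:5]]
    msg = "no service of type %r in catalog; types present: %s" % (service_type, present)
    if near:
        msg += "; did you mean to register %s as %r?" % (near, service_type)
    return msg


def fix_service_type(token_response, wrong, right):
    """Return a copy of the response with service type `wrong` renamed to
    `right`, i.e. what the catalog looks like once the service has been
    re-created with the correct type."""
    data = json.loads(token_response)
    for service in data["access"].get("serviceCatalog", []):
        if service.get("type") == wrong:
            service["type"] = right
    return json.dumps(data)


if __name__ == "__main__":
    print(diagnose_catalog(TOKEN_RESPONSE_TYPO))
    print(find_endpoint(TOKEN_RESPONSE_TYPO))
    fixed = fix_service_type(TOKEN_RESPONSE_TYPO, "identify", "identity")
    print(find_endpoint(fixed))
```

Run against the constructed response, the lookup returns None and the diagnosis names "identify" as the likely culprit; after the type is corrected the admin URL http://controller:35357/v2.0 is found. The same parser can be pointed at a real `keystone --debug` RESP BODY to confirm what a deployment's catalog actually advertises.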

answered 2014-02-23 17:51:27 -0600

rahmu

updated 2014-02-23 17:52:11 -0600

By default, you need to be an admin in order to run this command. You can either use the ADMIN_TOKEN as you did or authenticate with keystone with the admin username/tenant/password.

From my devstack:

ubuntu@devstack:/opt/stack/keystone$ keystone --os-username=demo --os-tenant-name=demo --os-password=password user-list
You are not authorized to perform the requested action, admin_required. (HTTP 403)
ubuntu@devstack:/opt/stack/keystone$ keystone --os-username=admin --os-tenant-name=admin --os-password=password user-list
+----------------------------------+----------------------+---------+----------------------------------+
|                id                |         name         | enabled |              email               |
+----------------------------------+----------------------+---------+----------------------------------+
| 5b3aae966ee94c5c8d23825e55a429c9 | VPNaaSJSON-226252333 |   True  | VPNaaSJSON-928312134@example.com |
| 42a8a9caebff42019e34ffddf070dd04 |        admin         |   True  |        admin@example.com         |
| f9044c3388804c26ad14ed6206ac9e58 |       alt_demo       |   True  |       alt_demo@example.com       |
| 504e7d1fda744487844f162c355ee22d |        cinder        |   True  |        cinder@example.com        |
| d7bd8045433e49d4aefb0f293b17d067 |         demo         |   True  |         demo@example.com         |
| 4f3aa1ddb28d48fd8b371a35524a392e |        glance        |   True  |        glance@example.com        |
| f61019fc5d984f3a93506d625254d25c |     glance-swift     |   True  |     glance-swift@example.com     |
| 2f524de4fb584e269578ea76dd5d1168 |       neutron        |   True  |       neutron@example.com        |
| 1d4712a6668f456689c143699e52ef3f |         nova         |   True  |         nova@example.com         |
| 84f511f42e7b4b859c72837c6b204d97 |        swift         |   True  |        swift@example.com         |
| 14df1f91844c4b6e85fbad0abea2f1c5 |    swiftusertest1    |   True  |         test@example.com         |
| 20a622e5e95e4081a764ec7ad1c088e3 |    swiftusertest2    |   True  |        test2@example.com         |
| 81a98da4a04243fe8d3f1a3e2a35aa87 |    swiftusertest3    |   True  |        test3@example.com         |
+----------------------------------+----------------------+---------+----------------------------------+

You can set this policy by modifying the file etc/policy.json. From my devstack:

ubuntu@devstack:/opt/stack/keystone$ grep list_users etc/policy.json
"identity:list_users": "rule:admin_required",
"identity:list_users_in_group": "rule:admin_required",

Comments

I am using a file to source the admin username/tenant/password. I get the same error if I put the variables in the command like '$ keystone --os-username=admin --os-tenant-name=admin --os-password=admin_pass user-list'. I added information to the question after you pointed out the policy.json.

Dbruiser (2014-02-23 21:02:11 -0600)
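To make the policy.json discussion in this answer and in the question's update concrete, here is an added example (not keystone's or oslo's policy engine, and not part of the answer) of a small evaluator for the two rule shapes quoted in the thread: the legacy list-of-lists form, where the outer list is an OR of inner AND lists, and the string form "rule:admin_required". The policy excerpt and the credential dictionaries are constructed; the admin credentials mirror the question's token (role name "admin", is_admin 0), and the demo credentials mirror the 403 shown above. The "owner" rule and the user_id values are illustrative additions.

```python
"""Minimal evaluator for the Havana-era keystone policy.json rule formats.
Added example, constructed for illustration; it covers only the check
kinds used below (role, is_admin, rule, generic key:%(target)s)."""
import json

# Constructed policy excerpt modelled on the rules quoted in the thread;
# "owner" and "identity:get_user" are added to show a non-admin path.
POLICY_JSON = """
{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "identity:list_users": "rule:admin_required",
    "identity:list_users_in_group": "rule:admin_required",
    "identity:get_user": [["rule:admin_required"], ["rule:owner"]]
}
"""


def _check(check, creds, target, rules):
    """Evaluate one "kind:value" check against the caller's credentials."""
    kind, _, value = check.partition(":")
    if kind == "rule":
        return evaluate(rules, value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return int(creds.get("is_admin", 0)) == int(value)
    # Generic check: the value may reference the request target, e.g.
    # "user_id:%(user_id)s"; a missing target key fails closed.
    try:
        match = value % target
    except KeyError:
        return False
    return str(creds.get(kind)) == match


def evaluate(rules, rule_name, creds, target=None):
    """Return True if creds satisfy rule_name. A string rule is a single
    check; a list of lists is an OR of AND groups. Unknown rules deny."""
    target = target or {}
    rule = rules.get(rule_name)
    if rule is None:
        return False
    if isinstance(rule, str):
        return _check(rule, creds, target, rules)
    return any(all(_check(c, creds, target, rules) for c in group) for group in rule)


RULES = json.loads(POLICY_JSON)

# Credentials as a policy engine sees them. ADMIN_CREDS follows the token
# in the question: role name "admin" present, metadata is_admin 0.
ADMIN_CREDS = {"roles": ["admin"], "is_admin": 0,
               "user_id": "e5f6a1887b3249ae98e74bcee149d168"}
DEMO_CREDS = {"roles": ["Member"], "is_admin": 0,
              "user_id": "d7bd8045433e49d4aefb0f293b17d067"}

if __name__ == "__main__":
    for name, creds in (("admin", ADMIN_CREDS), ("demo", DEMO_CREDS)):
        print(name, "identity:list_users ->",
              evaluate(RULES, "identity:list_users", creds))
```

Note what the first assertion shows: with the role name "admin" in the credentials, "admin_required" is satisfied through the ["role:admin"] branch even though is_admin is 0, so the is_admin:0 in the question's debug output is not by itself a reason for a denial; a demo user without that role gets the admin_required 403 from this answer. That is consistent with the accepted answer locating the actual fault in the service catalog rather than in policy.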

Stats

Seen: 6,617 times

Last updated: Feb 24 '14