0

the nova endpoint URL is throwing error

asked 2012-05-24 12:17:17 -0500

arpitak29

I am using an Ubuntu 11.04 machine and have installed the nova compute, identity and dashboard services on the same machine. I have used a single machine to install all the components of OpenStack. I am using the 2011.3 version of OpenStack. I have created a tenant and a user in keystone. I have defined the services and the endpoints as well. Here is the output of the following commands:

    root@XXX:/var/log# keystone-manage endpointTemplates list

output:

    service    region      Public URL
    nova       RegionOne   http://XX.XX.XX.XX:8774/v1.0
    keystone   RegionOne   http://XX.XX.XX.XX:5000/v2.0
    glance     RegionOne   http://XX.XX.XX.XX:9292/v1

    root@XXX:/var/log# keystone-manage token list

output:

    token                                  user   expiration            tenant
    11121314151617181920                   1      2015-02-05 00:00:00   4
    999888777666                           3      2015-02-05 00:00:00   1
    77da154a-53ee-4479-b805-6bd08f227eb2   1      2012-05-25 05:00:45   3

    root@XXX:/var/log# curl -d '{"auth": {"tenantName": "openstackDemo", "passwordCredentials":{"username": "adminUser", "password": "secretword"}}}' -H "Content-type: application/json" http://XX.XX.XX.XX:35357/v2.0/tokens | python -mjson.tool

output:

    {
      "access": {
        "serviceCatalog": [
          {
            "endpoints": [
              {
                "adminURL": "http://XX.XX.XX.XX:8774/v1.0/",
                "internalURL": "http://XX.XX.XX.XX:8774/v1.0/",
                "publicURL": "http://XX.XX.XX.XX:8774/v1.0",
                "region": "RegionOne"
              }
            ],
            "name": "nova",
            "type": "compute"
          },
          {
            "endpoints": [
              {
                "adminURL": "http://XX.XX.XX.XX:9292/v1",
                "internalURL": "http://XX.XX.XX.XX:8774/v1.0/",
                "publicURL": "http://XX.XX.XX.XX:9292/v1",
                "region": "RegionOne"
              }
            ],
            "name": "glance",
            "type": "image"
          },
          {
            "endpoints": [
              {
                "adminURL": "http://XX.XX.XX.XX:35357/v2.0",
                "internalURL": "http://XX.XX.XX.XX:8774/v1.0/",
                "publicURL": "http://XX.XX.XX.XX:5000/v2.0",
                "region": "RegionOne"
              }
            ],
            "name": "keystone",
            "type": "identity"
          }
        ],
        "token": {
          "expires": "2012-05-25T05:00:45",
          "id": "77da154a-53ee-4479-b805-6bd08f227eb2",
          "tenant": {
            "id": "3",
            "name": "openstackDemo"
          }
        },
        "user": {
          "id": "1",
          "name": "adminUser",
          "roles": [
            { "id": "1", "name": "Admin", "tenantId": "3" },
            { "id": "1", "name": "Admin" },
            { "id": "1", "name": "Admin" }
          ]
        }
      }
    }

So I got the token from the above command.

Now I have used the curl command to validate the nova and glance endpoint URL.

    root@XXX:/var/log# curl -v -X GET -H 'X-Auth-Token:77da154a-53ee-4479-b805-6bd08f227eb2' http://localhost:8774/v1.1

output:

    * About to connect() to localhost port 8774 (#0)
    * Trying ::1... Connection refused
    * Trying 127.0.0.1... connected
    * Connected to localhost (127.0.0.1) port 8774 (#0)
    > GET /v1.1 HTTP/1.1
    > User-Agent: curl/7.21.3 (xXX-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
    > Host: localhost:8774
    > Accept: */*
    > X-Auth-Token:77da154a-53ee-4479-b805-6bd08f227eb2
    < HTTP/1.1 401 Unauthorized
    < Content-Length: 358
    < Content-Type: text/html; charset=UTF-8
    < Date: Thu, 24 May 2012 12:14:03 GMT
    <
    <html>
    <head>
    <title>401 Unauthorized</title>
    </head>
    <body>
    401 Unauthorized
    This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
    </body>
    * Connection #0 to host localhost left intact
    * Closing connection #0

But I have used the latest valid token. I have configured the api-paste.ini ...


8 answers

0

answered 2012-05-31 19:25:35 -0500

mx-chilly

Sorry, I didn't realize you were using an older version. I have no experience with that, so I can't help you there.

At least from the debug message it looks to me like keystone is working correctly: you get your authentication token. The GET message that results in your 401 is to the nova api. So it looks like the nova api does not accept your token.

So the first step would be to find out if the nova api is correctly configured, so that it uses keystone for authorization or not. One way to do this could be to manipulate the database. I suspect that the nova authentication token will be checked against the table "nova.auth_tokens" whereas the keystone tokens are checked against "keystone.token". So for example you create your keystone token and use this to create a nova.auth_token. If the requests then work you know at least what's going wrong.

0

answered 2012-05-28 13:10:02 -0500

arpitak29

I am using the keystone 2011.3 version and I felt this doesn't support the normal keystone command to create the service end-point. So, I have created the end-point using the following command.

    $ keystone-manage endpointTemplates add RegionOne nova http://XX.XX.XX.XX:8774/v1.1/%tenant_id% http://XX.XX.XX.XX:8774/v1.1/%tenant_id% http://XX.XX.XX.XX:8774/v1.1/%tenant_id% 1 1

I have followed the following link to create the user, tenants, roles and service end-point: http://docs.openstack.org/diablo/openstack-compute/install/openstack-install-guide-diablo.pdf

I have used both the admin port 35357 as well as service port 5000 and got the same result of curl command.

I have used nova list command and received the following error message.

    $ nova --debug list

output:

    connect: (XX.XX.XX.XX, 5000)
    send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: XX.XX.XX.XX:5000\r\nContent-Length: 117\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\nuser-agent: python-novaclient\r\n\r\n{"auth": {"tenantName": "openstackDemo", "passwordCredentials": {"username": "adminUser", "password": "secretword"}}}'
    reply: 'HTTP/1.1 200 OK\r\n'
    header: Content-Type: application/json; charset=UTF-8
    header: Content-Length: 955
    header: Date: Fri, 25 May 2012 13:58:35 GMT
    resp : {'date': 'Fri, 25 May 2012 13:58:35 GMT', 'status': '200', 'content-length': '955', 'content-type': 'application/json; charset=UTF-8'}
    token: 7f3618d9-668e-40f4-afe3-178d5f0f1ac0
    connect: (XX.XX.XX.XX, 8774)
    send: u'GET /v1.1/1/servers/detail?fresh=1337954315.09 HTTP/1.1\r\nHost: XX.XX.XX.XX:8774\r\nx-auth-project-id: openstackDemo\r\nx-auth-token: 7f3618d9-668e-40f4-afe3-178d5f0f1ac0\r\naccept-encoding: gzip, deflate\r\nuser-agent: python-novaclient\r\n\r\n'
    reply: 'HTTP/1.1 401 Unauthorized\r\n'
    header: Content-Length: 253
    header: Content-Type: text/plain; charset=UTF-8
    header: Date: Fri, 25 May 2012 13:58:35 GMT
    resp : {'date': 'Fri, 25 May 2012 13:58:35 GMT', 'status': '401', 'content-length': '253', 'content-type': 'text/plain; charset=UTF-8'}
    n/a (HTTP 401)

0

answered 2012-05-26 10:23:32 -0500

mx-chilly

Ok, there are a couple of issues here.

First you've got some errors in your service catalog entries, namely the internal urls of your services. They all direct to the nova api, please check that you create your endpoints according to this link: http://docs.openstack.org/essex/openstack-compute/starter/content/Creating_Endpoints-d1e469.html

The next thing is your curl itself to get the token. You use:

    curl -d '{"auth": {"tenantName": "openstackDemo", "passwordCredentials":{"username": "adminUser", "password": "secretword"}}}' -H "Content-type: application/json" http://XX.XX.XX.XX:35357/v2.0/tokens | python -mjson.tool

It should work, but you're actually using the admin url here. Usually one would use either the internal or the public url for authentication: "http://XX.XX.XX.XX:5000/v2.0"

When you try to validate the glance and nova endpoints, why don't you use the "glance index" and "nova list" commands? Use them with the "--debug" option and they'll show you the http requests they make. Also remember that glance and nova will use their respective users from the service tenant to make those requests. So if you want to check that glance and nova are working correctly using curl then use the credentials of their users.

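The internal-URL problem pointed out in the answer above can be checked mechanically. This is an added example, not code from the thread or from OpenStack: it takes the serviceCatalog from the question's token response (embedded as a constructed sample) and reports every internalURL whose host and port belong to another service's publicURL. `origin` and `audit_catalog` are hypothetical helper names.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the serviceCatalog from the question's token response,
# trimmed to the fields the check needs (host placeholder kept as on the page).
CATALOG_JSON = """
[
 {"name": "nova", "type": "compute", "endpoints": [{
   "adminURL": "http://XX.XX.XX.XX:8774/v1.0/",
   "internalURL": "http://XX.XX.XX.XX:8774/v1.0/",
   "publicURL": "http://XX.XX.XX.XX:8774/v1.0", "region": "RegionOne"}]},
 {"name": "glance", "type": "image", "endpoints": [{
   "adminURL": "http://XX.XX.XX.XX:9292/v1",
   "internalURL": "http://XX.XX.XX.XX:8774/v1.0/",
   "publicURL": "http://XX.XX.XX.XX:9292/v1", "region": "RegionOne"}]},
 {"name": "keystone", "type": "identity", "endpoints": [{
   "adminURL": "http://XX.XX.XX.XX:35357/v2.0",
   "internalURL": "http://XX.XX.XX.XX:8774/v1.0/",
   "publicURL": "http://XX.XX.XX.XX:5000/v2.0", "region": "RegionOne"}]}
]
"""

def origin(url):
    """Return (host, port) so URLs can be compared regardless of path."""
    parts = urlsplit(url)
    return parts.hostname, parts.port

def audit_catalog(catalog):
    """Flag internalURLs that point at another service's public endpoint."""
    # Map each public (host, port) to the service that owns it.
    owners = {}
    for svc in catalog:
        for ep in svc["endpoints"]:
            owners[origin(ep["publicURL"])] = svc["name"]
    findings = []
    for svc in catalog:
        for ep in svc["endpoints"]:
            target = owners.get(origin(ep["internalURL"]))
            if target is not None and target != svc["name"]:
                findings.append((svc["name"], ep["internalURL"], target))
    return findings

if __name__ == "__main__":
    for name, url, target in audit_catalog(json.loads(CATALOG_JSON)):
        print(f"{name}: internalURL {url} resolves to the {target} endpoint")
```

On the catalog from the question this reports the glance and keystone entries, both of which carry the nova URL as their internalURL.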
0

answered 2012-05-25 13:56:13 -0500

arpitak29

I have made the necessary changes you have mentioned. But it didn't work. I have executed the following command:

    $ curl -H "X-Auth-Token:11121314151617181920" http://localhost:35357/v2.0/tokens/7f3618d9-668e-40f4-afe3-178d5f0f1ac0 | python -mjson.tool

output:

    {
      "access": {
        "token": {
          "expires": "2012-05-26T01:20:27",
          "id": "7f3618d9-668e-40f4-afe3-178d5f0f1ac0",
          "tenant": {
            "id": "1",
            "name": "openstackDemo"
          }
        },
        "user": {
          "id": "3",
          "roles": [
            { "id": "1", "name": "Admin", "tenantId": "1" },
            { "id": "1", "name": "Admin" }
          ],
          "username": "adminUser"
        }
      }
    }

But if I use the same auth_token for nova service purpose I got error.

example:

$ curl -H "X-Auth-Token:11121314151617181920" http:/ost:8774/v1.0/

output:

    <head>
    <title>401 Unauthorized</title>
    </head>
    <body>
    401 Unauthorized
    This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.

Still now I am not able to resolve the issue. Please help me to resolve it.

0

answered 2012-05-25 06:19:31 -0500

mx-chilly

Instead of admin_token in the api-paste.ini try those lines:

    admin_tenant_name = service
    admin_user = nova
    admin_password = nova

Make sure that you enter your service tenant and the credentials for your nova user.

If you haven't done so already, create at least the admin role according to this link: http://docs.openstack.org/essex/openstack-compute/starter/content/Creating_Keystone_Roles-d1e460.html

And after that add the admin role to the nova user, as explained in this link: http://docs.openstack.org/essex/openstack-compute/starter/content/Adding_Roles_to_Users-d1e465.html

0

answered 2012-05-25 04:42:01 -0500

arpitak29

Please let me know how to grant the nova user the admin role in keystone. I haven't added the service tenant at the end of the api-paste.ini file. Here I have copied the end portion of the api-paste.ini file.

    [filter:keystonecontext]
    paste.filter_factory = keystone.middleware.nova_keystone_context:NovaKeystoneContext.factory

    [filter:authtoken]
    paste.filter_factory = keystone.middleware.auth_token:filter_factory
    service_protocol = http
    service_host = XX.XX.XX.XX
    service_port = 35357
    auth_host = XX.XX.XX.XX
    auth_port = 5000
    auth_protocol = http
    auth_uri = http://XX.XX.XX.XX:5000/v2.0/
    admin_token = 77da154a-53ee-4479-b805-6bd08f227eb2

But the nova user, password and tenant details are present in the environment variables. Here are the environment variables set for this:

    NOVA_USERNAME=adminUser
    NOVA_PROJECT_ID=openstackDemo
    NOVA_PASSWORD=secretword
    NOVA_API_KEY=secretword
    NOVA_URL=http://XX.XX.XX.XX:5000/v2.0/
    NOVA_VERSION=1.1
    NOVA_REGION_NAME=RegionOne
    OS_AUTH_USER=adminUser
    OS_AUTH_KEY=secretword
    OS_AUTH_TENANT=openstackDemo
    OS_AUTH_URL=http://XX.XX.XX.XX:5000/v2.0/
    OS_AUTH_STRATEGY=keystone

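An added example (not from the thread or the Keystone project) that applies the advice above to the posted `[filter:authtoken]` section: it flags a static `admin_token`, cross-checks it against the token list from the question, and reports the service credentials that are not set. The function name `audit_authtoken`, the constructed samples and the 30-day minimum-lifetime threshold are assumptions.

```python
import configparser
from datetime import datetime, timedelta

# Constructed sample: the [filter:authtoken] section as posted in the thread.
API_PASTE = """
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = XX.XX.XX.XX
service_port = 35357
auth_host = XX.XX.XX.XX
auth_port = 5000
auth_protocol = http
auth_uri = http://XX.XX.XX.XX:5000/v2.0/
admin_token = 77da154a-53ee-4479-b805-6bd08f227eb2
"""

# Constructed sample: token -> expiration, from the `keystone-manage token list`
# output in the question.
TOKENS = {
    "11121314151617181920": datetime(2015, 2, 5),
    "999888777666": datetime(2015, 2, 5),
    "77da154a-53ee-4479-b805-6bd08f227eb2": datetime(2012, 5, 25, 5, 0, 45),
}
SERVICE_KEYS = ("admin_tenant_name", "admin_user", "admin_password")

def audit_authtoken(ini_text, tokens, now, min_life=timedelta(days=30)):
    """Return findings for the authtoken filter; min_life is an assumed threshold."""
    cp = configparser.RawConfigParser()
    cp.read_string(ini_text)
    sec = cp["filter:authtoken"]
    findings = []
    token = sec.get("admin_token")
    if token is not None:
        findings.append("static admin_token stored in api-paste.ini")
        expires = tokens.get(token)
        if expires is None:
            findings.append("admin_token not present in the token table")
        elif expires - now < min_life:
            findings.append(f"admin_token expires {expires:%Y-%m-%d %H:%M:%S}")
    missing = [k for k in SERVICE_KEYS if k not in sec]
    if missing:
        findings.append("service credentials not set: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    for f in audit_authtoken(API_PASTE, TOKENS, datetime(2012, 5, 24, 12, 17)):
        print(f)
```

The configured `admin_token` is the same token the question obtained for adminUser, which the token list shows expiring on 2012-05-25.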
0

answered 2012-05-24 13:49:14 -0500

mx-chilly

Just to check:
- you entered your service tenant, nova user and password at the end in the api-paste.ini?
- you granted the nova user the admin role in keystone?

0

answered 2012-05-24 12:18:19 -0500

arpitak29

I have used a single machine to install all the components of OpenStack.


Stats

Asked: 2012-05-24 12:17:17 -0500

Seen: 184 times

Last updated: May 31 '12