Ask Your Question
1

Icehouse on 14.04 LTS, Unauthorized (HTTP 401) when running "nova image-list"

asked 2014-06-01 12:02:00 -0500

MercIceman gravatar image

Hello,

I am following the install guide for Icehouse on Ubuntu LTS 14.04 (here: http://docs.openstack.org/icehouse/install-guide/install/apt/content/index.html).

I have installed and configured Nova per the guide, but am receiving an Unauthorized (HTTP 401)Error when I attempt to run "nova image-list"

Using command line arguments to rule out environment variable errors (no variables are set for OpenStack):

user@Controller-Test:~$ nova --os-username=nova --os-password=NOVA_PASS --os-tenant-name=service --os-auth-url=http://controller-test:35357/v2.0 image-list
ERROR: Unauthorized (HTTP 401)

And trying with keystone admin credentials:

user@Controller-Test:~$ nova --os-username=admin --os-password=ADMIN_PASS --os-tenant-name=admin --os-auth-url=http://controller-test:35357/v2.0 image-list
ERROR: Unauthorized (HTTP 401)

Commands from Keystone complete correctly with either set of credentials:

user@Controller-Test:~$ keystone --os-username=nova --os-password=NOVA_PASS --os-tenant-name=service --os-auth-url=http://controller-test:35357/v2.0 user-list
+----------------------------------+--------+---------+------------------------+
|                id                |  name  | enabled |         email          |
+----------------------------------+--------+---------+------------------------+
| 04cfac10ca2f47c698161428ddddd0b2 | admin  |   True  | OSAdmin@example.net    |
| 64f2eded7f0d46938b1e6b11b0a1cb4b |  demo  |   True  |  OSdemo@example.net    |
| 1e78938f407a4d3b86b04d18f25b6020 | glance |   True  | OSglance@example.net   |
| 7446766030224696aa21a7ba409ee03a |  nova  |   True  |  OSnova@example.net    |
+----------------------------------+--------+---------+------------------------+

user@Controller-Test:~$keystone --os-username=admin --os-password=ADMIN_PASS --os-tenant-name=admin --os-auth-url=http://controller-test:35357/v2.0 user-list
+----------------------------------+--------+---------+------------------------+
|                id                |  name  | enabled |         email          |
+----------------------------------+--------+---------+------------------------+
| 04cfac10ca2f47c698161428ddddd0b2 | admin  |   True  | OSAdmin@example.net    |
| 64f2eded7f0d46938b1e6b11b0a1cb4b |  demo  |   True  |  OSdemo@example.net    |
| 1e78938f407a4d3b86b04d18f25b6020 | glance |   True  | OSglance@example.net   |
| 7446766030224696aa21a7ba409ee03a |  nova  |   True  |  OSnova@example.net    |
+----------------------------------+--------+---------+------------------------+

As does asking glance for the image-list (I've removed characters from the ID Field for readability):

user@Controller-Test:~$ glance --os-username=nova --os-password=NOVA_PASS --os-tenant-name=service --os-auth-url=http://controller-test:35357/v2.0 image-list
+----------------------------+-------------+-------------+------------------+----------+--------+
| ID                         | Name        | Disk Format | Container Format | Size     | Status |
+----------------------------+-------------+-------------+------------------+----------+--------+
| 14b-437d-9188-cc9a62b937bc | CIRROS-Test | qcow2       | bare             | 13167616 | active |
+----------------------------+-------------+-------------+------------------+----------+--------+
user@Controller-Test:~$ glance --os-username=admin --os-password=ADMIN_PASS --os-tenant-name=admin --os-auth-url=http://controller-test:35357/v2.0 image-list
+----------------------------+-------------+-------------+------------------+----------+--------+
| ID                         | Name        | Disk Format | Container Format | Size     | Status |
+----------------------------+-------------+-------------+------------------+----------+--------+
| 14b-437d-9188-cc9a62b937bc | CIRROS-Test | qcow2       | bare             | 13167616 | active |
+----------------------------+-------------+-------------+------------------+----------+--------+

Searching Ask.Openstack gave me a few results for the error above gave me a few results with the Havana release, and they pointed to conflicts between the authentication information being passed via the command and/or environment variables (hence my clarification that not environment variables were set).

I've checked the files referenced in those posts (/etc/nova/nova.conf and /etc/nova/api-paste.ini) and not found anything out of the ordinary (like additional credentials in api-paste.ini)

nova.conf:

    [DEFAULT]
    dhcpbridge_flagfile=/etc/nova/nova.conf
    dhcpbridge=/usr/bin/nova-dhcpbridge
    logdir=/var/log/nova
    state_path=/var/lib/nova
    lock_path=/var/lock/nova
    force_dhcp_release=True
    iscsi_helper=tgtadm
    libvirt_use_virtio_for_bridges=True
    connection_type=libvirt
    root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
    verbose=True
    ec2_private_dns_show_ip=True
    api_paste_config=/etc/nova/api-paste.ini
    volumes_path=/var/lib/nova/volumes
    enabled_apis=ec2,osapi_compute,metadata

    # Authentication Strategy
    auth_strategy = keystone

    # RabbitMQ Authentication information
    rpc_backend = rabbit
    rabbit_host = controller-test
    rabbit_password = RABBIT_PASS

    # IP and VNC server information
    my_ip = 172.31.1.200
    vncserver_listen = 172.31.1.200
    vncserver_proxyclient_address = 172.31.1.200

    [database]
    connection = mysql://nova:NOVA_DBPASS@controller-test/nova

    [keystone_authoken]
    auth_uri = http://controller-test:5000
    auth_host = controller-test
    auth_port = 35357
    auth_protocol = http
    admin_tenant_name = service
    admin_user = nova
    admin_password = NOVA_PASS

api-paste.ini:

############
# Metadata #
############
[composite:metadata]
use = egg:Paste#urlmap
/: meta

[pipeline:meta]
pipeline = ec2faultwrap logrequest metaapp

[app:metaapp]
paste ...
(more)
edit retag flag offensive close merge delete

Comments

I got exactly the same error, did you find a solution ?

RenoRainz gravatar imageRenoRainz ( 2014-06-30 17:15:44 -0500 )edit
add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2014-10-05 15:31:24 -0500

programster gravatar image

updated 2014-10-05 15:31:56 -0500

I noticed a typo in the config

[keystone_authoken]

instead of 

[keystone_authtoken]

in the /etc/nova/nova.conf file. Perhaps this is the issue. This was also shown in Haneef's answer, so I made sure to double check the docs at http://docs.openstack.org/icehouse/in...

edit flag offensive delete link more
add a comment
0

answered 2014-06-30 18:59:16 -0500

Haneef Ali gravatar image

updated 2014-07-01 12:03:25 -0500

for some strange reason, the middlwarre is not reading your configuration file section

 [keystone_authoken]
    auth_uri = http://controller-test:5000
    auth_host = controller-test
    auth_port = 35357
    auth_protocol = http
    admin_tenant_name = service
    admin_user = nova
    admin_password = NOVA_PASS

So it is defaulting to https://localhost and failing. Can you make sure that section is correct. Or you can check with glance.conf

Make sure nova is using this configuraiton file. You can check that by changing the value of auth_protocol=junk. Then the error in the keystone middleware will be obvious.

edit flag offensive delete link more

Comments

1

Hello. Did you find a resolution? I am facing the same exact symptom. Here is my keystone debug log:

2014-07-05 17:46:19.838 2754 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/dist-packages/keystone/middleware/core.py:271 2014-07-05 17:46:19.846 2754 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/dist-packages/keystone/common/wsgi.py:181 2014-07-05 17:46:19.871 2754 DEBUG keystone.notifications [-] CADF Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', 'initiator': {'typeURI': 'service/security/account/user', 'host': {'agent': 'python-novaclient', 'address': '10.20.69.60'}, 'id': 'openstack:5c074116-03c1-4fab-8b55-bb7e54dee441', 'name': u'05c237c8250d47f5a0f9af84d5740235'}, 'target': {'typeURI': 'service/security/account/user', 'id': 'openstack:8e1b97e4-c3b2-472f-8e33-d9094d885d5f'}, 'observer': {'typeURI': 'service/security', 'id': 'openstack:21f48ed3-8724-457a-b8da-cb9b17c2883b'}, 'eventType': 'activity', 'eventTime': '2014-07-05T21:46:19.870406+0000', 'action': 'authenticate', 'outcome': 'pending', 'id': 'openstack:16664f28-1b4f-48ba-b57b-e083af5c620a'} _send_audit_notification /usr/lib/python2 ...(more)

rattler555 gravatar imagerattler555 ( 2014-07-05 16:50:33 -0500 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-06-01 12:02:00 -0500

Seen: 2,686 times

Last updated: Oct 05 '14

Related questions

"Host key verification failed" error while resizing instance [closed]

docker --net=host with openstack

luanch instance faile [closed]

Instance failed to spawn

Instance metadata backup

Which network to choose

Understanding iSCSI in Openstack

nova can't find my SR-IOV VF

I can`t get images from glance server

DHCP discover does not arrive on the tap/qvo interface [closed]