2

How should I authenticate against keystone?

asked 2013-08-08 07:33:35 -0600

anonymous user


updated 2013-08-08 11:42:16 -0600

smaffulli

While installing OpenStack Grizzly using the GitHub document for an all-in-one installation on Ubuntu 12.04 server, I got an error.

command: keystone user-list 
Error:
Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)

Comments

1

Would it be possible for someone who has editing privileges to edit this question to move relevant info outside of the title and into the body of the question, and reformulate the question so that it's a bit more descriptive? Thanks!

rahmu ( 2013-08-08 10:45:57 -0600 )

4 answers

5

answered 2013-08-08 10:43:48 -0600

rahmu

You're not giving the Keystone client enough info to authenticate itself to the server. You need to get:

  • Your user name + password
  • Your tenant name
  • Keystone's public URL

Once you have this info, you can give it to the client using one of these 2 methods:

CLI options

$ keystone --os-auth-url <KEYSTONE_URL> --os-username <USERNAME> --os-password <PASSWORD> --os-tenant-name <TENANT_NAME> user-list

Environment Variables

If these parameters aren't found in the command line arguments, keystone is going to look for them in the environment. Try this:

$ export OS_USERNAME=<USERNAME>
$ export OS_PASSWORD=<PASSWORD>
$ export OS_TENANT_NAME=<TENANT_NAME>
$ export OS_AUTH_URL=<KEYSTONE_URL>
$ keystone user-list

If no users are created

You may be connecting to Keystone for the first time, as such, you have no user created in the keystone database. You should then use Keystone's Admin Token for authentication.

You can retrieve the token from the keystone.conf configuration file. It's usually located:

[DEFAULT]
admin_token = THE_ADMIN_TOKEN

You can then use it like this:

$ keystone --os-token THE_ADMIN_TOKEN user-list

(or you can have it as an environment variable in OS_SERVICE_TOKEN)

If you need more help

You need to give much more info. We cannot possibly help you in the current state of the question. Here's what we need:

  • The URL of the guide you're following.
  • The exact steps you followed and which stage of the guide you're at.
  • The exact request you enter when getting the error.

If you need more help, edit your question to include this info; it will help us get a better understanding of your system and hopefully give you a better answer.

0

answered 2016-07-25 08:51:59 -0600

raja k

I am facing the same issue with all environment variables configured.

[root@controller keystone]# echo $OS_USERNAME
admin
[root@controller keystone]# echo $OS_PASSWORD
admin
[root@controller keystone]# echo $OS_TENANT_NAME
admin
[root@controller keystone]# echo $OS_AUTH_URL
http://controller:35357/v3
[root@controller keystone]#
[root@controller keystone]#
[root@controller keystone]# echo $OS_URL
http://controller:35357/v3

[root@controller keystone]# keystone --os-auth-url http://controller:35357/v3 --os-username admin --os-password admin --os-tenant-name admin user-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:64: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
WARNING: unsupported identity-api-version 3, falling back to 2.0
/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py:145: DeprecationWarning: Constructing an instance of the keystoneclient.v2_0.client.Client class without a session is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
  'the 2.0.0 release.', DeprecationWarning)
/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py:147: DeprecationWarning: Using the 'tenant_name' argument is deprecated in version '1.7.0' and will be removed in version '2.0.0', please use the 'project_name' argument instead
  super(Client, self).__init__(*kwargs)
/usr/lib/python2.7/site-packages/debtcollector/renames.py:43: DeprecationWarning: Using the 'tenant_id' argument is deprecated in version '1.7.0' and will be removed in version '2.0.0', please use the 'project_id' argument instead
  return f(args, **kwargs)
/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py:376: DeprecationWarning: Constructing an HTTPClient instance without using a session is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
  'the 2.0.0 release.', DeprecationWarning)
Authorization Failed: The resource could not be found. (HTTP 404) (Request-ID: req-7365b6da-5b50-48fa-8acb-42d099a1a875)

When I checked the keystone logs, this is the log I see:

016-07-22 19:22:38.326 28569 WARNING keystone.common.wsgi [req-ff4a3793-838b-424f-bd93-ebd571c4e456 - - - - -] Authorization failed. The request you have made requires authentication. from fe80::a00:27ff:fe88:6c25

2016-07-22 19:30:21.690 28573 INFO keystone.common.wsgi [req-b0d596e6-0084-4384-80ba-0602855f40a7 - - - - -] GET http://controller:35357/v3/users

2016-07-22 19:30:21.691 28573 WARNING keystone.common.controller [req-b0d596e6-0084-4384-80ba-0602855f40a7 - - - - -] RBAC: Bypassing authorization

2016-07-24 21:35:10.747 1879 INFO keystone.common.wsgi [req-27bfd7ea-cfb7-43d9-90c7-6217d821e333 - - - - -] GET http://controller:35357/v3/

2016-07-24 21:35:12.440 1874 INFO keystone.common.wsgi [req-d73d2648-9eef-481f-a64a-4c79ddcb3a49 - - - - -] POST http://controller:35357/v3/auth/tokens

2016-07-24 21:35:12.948 1874 WARNING keystone.common.wsgi [req-d73d2648-9eef-481f-a64a-4c79ddcb3a49 - - - - -] Authorization failed. The request you have made requires authentication. from fe80::a00:27ff:fe88:6c25

2016-07-24 21:53:21.887 1888 INFO keystone.common.kvs.core [req-99b5c3c9-0c14-4cbd-a17e-57269ccf9e24 - - - - -] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler

2016-07-24 21:53:21.890 1888 WARNING keystone.middleware.core [req-99b5c3c9-0c14-4cbd-a17e-57269ccf9e24 - - - - -] RBAC: Invalid token

2016-07-24 21:53:21.890 1888 WARNING keystone.common.wsgi [req-99b5c3c9-0c14-4cbd-a17e-57269ccf9e24 - - - - -] The request you have made requires authentication.

I have reinstalled all the services including keystone.

/etc/httpd/conf.d/wsgi-keystone.conf file has the below entry and httpd service is running.

<virtualhost *:35357 ... (more)

0

answered 2015-10-14 07:15:35 -0600

updated 2015-10-14 07:18:06 -0600

I was facing the same issue in the installation of OpenStack Kilo on Ubuntu 14.04 till I re-started everything from scratch, paying attention to this detail: be extremely careful about the "$" and "#" symbols before each command. They stand for "command by user" and "command by root" (in order).

More precisely, these commands, to be inserted before keystone-related activities, are all sent by the user and not by root:

export OS_TOKEN=(insert_your_random_generated_key_here) 
export OS_URL=http://controller:35357/v2.0

I suppose the environment variables are user related.


Comments

What if you only have a root user and no other users created?

csayre2 ( 2015-12-11 08:31:13 -0600 )
0

answered 2014-08-06 04:01:49 -0600

Mayank

Make the keystonerc for the authentication parameters.
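
Added example, not part of any answer above: one way to build the keystonerc suggested here from the four OS_* variables listed in the first answer, so the password stays out of command-line arguments and shell history and the file is readable only by its owner. The function names (`write_keystonerc`, `rc_is_private`, `missing_keystone_vars`, `load_keystonerc`) and the file location are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: create, check and load a keystonerc for the keystone CLI.
# Function and file names are hypothetical; values passed in are yours.

# Single-quote a value so it is read back literally when the file is sourced.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# write_keystonerc FILE USERNAME PASSWORD TENANT_NAME KEYSTONE_URL
write_keystonerc() {
    (
        umask 077                                   # new file is created 0600
        { : > "$1" && chmod 600 "$1"; } || exit 1   # tighten an old file first
        {
            printf 'export OS_USERNAME=%s\n'    "$(sq "$2")"
            printf 'export OS_PASSWORD=%s\n'    "$(sq "$3")"
            printf 'export OS_TENANT_NAME=%s\n' "$(sq "$4")"
            printf 'export OS_AUTH_URL=%s\n'    "$(sq "$5")"
        } >> "$1"
    )
}

# Succeed only if FILE grants no permissions to group or others.
rc_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the names (never the values) of required variables that are unset
# or empty in the current shell; return non-zero if any is missing.
missing_keystone_vars() {
    _missing=""
    for _name in OS_USERNAME OS_PASSWORD OS_TENANT_NAME OS_AUTH_URL; do
        eval "_value=\${$_name:-}"
        [ -n "$_value" ] || _missing="$_missing $_name"
    done
    unset _value
    [ -z "$_missing" ] && return 0
    printf '%s\n' "${_missing# }"
    return 1
}

# Source FILE into the current shell, refusing one that other users can read.
load_keystonerc() {
    rc_is_private "$1" || { echo "refusing $1: not mode 600" >&2; return 1; }
    . "$1" && missing_keystone_vars >&2
}
```

Call `load_keystonerc` in the same shell, and as the same user, that will then run `keystone user-list`; variables exported in one user's shell are not visible in another user's session.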



Stats

Asked: 2013-08-08 07:33:35 -0600

Seen: 20,085 times

Last updated: Oct 14 '15