[Trove] `trove list` results in ERROR: Unauthorized (HTTP 401)

asked 2014-08-25 07:42:21 -0600

beni gravatar image

If as OpenStack user admin, that means, with sourced keystonerc_admin, I run trove list or trove datastore-list I get

ERROR: Unauthorized (HTTP 401).

The same happens with user trove (see below).

The log files trove.log and keystone.log show (full excerpts below):


  • Unexpected response from keystone service: {u'error': {u'message': u"object of type 'NoneType' has no len()", u'code': 400, u'title': u'Bad Request'}}
  • ServiceError: invalid json response
  • Authorization failed for token


  • TypeError: object of type 'NoneType' has no len()

I run the stable branch of OpenStack Icehouse on Scientific Linux 6 (based on RHEL), installed with Packstack, with Trove release 2014.2.b2 and python-troveclient 1.0.5 (newest release/tag for both of them).

I think it is a problem with the users and tenants I configured for Trove. Someone having the same problem with Glance could fix it by putting the right login information into glance.conf, see a bug report on Launchpad.

For configuration of Trove I followed the OpenStack documentation [1], Trove's documentation for manual install [2] and the DevStack code [3]. These three use different combinations of users and tenants.

Does someone of you know which users and tenants have to be used?

At the moment, I have the following configuration:

Users and tenants:

  • tenant trove
  • user trove is member and admin in tenant trove and services, which is the service tenant in my installation of OpenStack
  • user admin is member and admin in tenant trove, and for testing even member and admin in services, but this didn't help

Trove's api-paste.ini:


trove-taskmanager.conf, trove-conductor.conf and trove-guestagent.conf:


[1] uses tenant services here.


INFO eventlet.wsgi [-] (6221) accepted ('***.***.***.***', 45415)
DEBUG keystoneclient.middleware.auth_token [-] Authenticating user token __call__ /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:666
DEBUG keystoneclient.middleware.auth_token [-] Removing headers from request environment: X-Identity-Status,X-Domain-Id,X-Domain-Name,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-User-Id,X-User-Name,X-User-Domain-Id,X-User-Domain-Name,X-Roles,X-Service-Catalog,X-User,X-Tenant-Id,X-Tenant-Name,X-Tenant,X-Role _remove_auth_headers /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:725
WARNING keystoneclient.middleware.auth_token [-] Unexpected response from keystone service: {u'error': {u'message': u"object of type 'NoneType' has no len()", u'code': 400, u'title': u'Bad Request'}}
DEBUG keystoneclient.middleware.auth_token [-] Token validation failure. _validate_user_token /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:943
TRACE keystoneclient.middleware.auth_token Traceback (most recent call last):
TRACE keystoneclient.middleware.auth_token   File "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 930, in _validate_user_token
TRACE keystoneclient.middleware.auth_token     verified = self.verify_signed_token(user_token, token_ids)
TRACE keystoneclient.middleware.auth_token   File "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1347, in verify_signed_token
TRACE keystoneclient.middleware.auth_token     if self.is_signed_token_revoked(token_ids):
TRACE keystoneclient.middleware.auth_token   File "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1299, in is_signed_token_revoked
TRACE keystoneclient.middleware.auth_token     if self._is_token_id_in_revoked_list(token_id):
TRACE keystoneclient.middleware.auth_token   File "/usr/lib ...
edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2014-08-25 09:45:11 -0600

beni gravatar image

updated 2014-08-25 09:46:56 -0600

Got it working with the following setup. My service tenant is services.

Set up everything like in the official OpenStack documentation, but:

Add another config section [keystone_authtoken] to all Trove config files like shown in the following Bash code:

for config_file in api-paste.ini trove.conf trove-taskmanager.conf trove-conductor.conf trove-guestagent.conf; do
        openstack-config --set /etc/trove/$config_file keystone_authtoken auth_uri http://$HOST_IP:35357/
        openstack-config --set /etc/trove/$config_file keystone_authtoken identity_uri http://$HOST_IP:35357/
        openstack-config --set /etc/trove/$config_file keystone_authtoken admin_password $TROVE_PASS
        openstack-config --set /etc/trove/$config_file keystone_authtoken admin_user trove
        openstack-config --set /etc/trove/$config_file keystone_authtoken admin_tenant_name services

Your auth_uri and identity_uri can look different, for example using https, or hostname and not IP.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-08-25 07:42:21 -0600

Seen: 1,906 times

Last updated: Aug 25 '14