
Cinder and Keystone Authorization Error (HTTP 401)

asked 2014-09-25 15:04:51 -0500

sambol

updated 2014-09-25 16:22:47 -0500

I'm having difficulty getting Cinder and Keystone to talk properly (I've tried several other solutions related to this question to no avail). I have an RDO deployment of OpenStack on bare metal (the controller) and Cinder installed on a separate node (the node). I have confirmed connectivity between the controller and the node. On the controller, I have deleted the endpoints for cinder and cinderv2 and created new ones that point to the node. I have also deleted the cinder database on the controller and created and synced a new one. Cinder-API and Cinder-Scheduler are running on the node, but when I try to run 'cinder list', I get the following error in cinder-api.log on the node:

WARNING [keystoneclient.middleware.auth_token] Unexpected response from keystone service: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Unauthorized'}}

On the controller, the following message shows in keystone.log:

WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from <node_IP>

Here's my cinder.conf on the node:

logdir = /var/log/cinder
state_path = /var/lib/cinder
lock_path = /var/lib/cinder/tmp
volumes_dir = /etc/cinder/volumes
iscsi_helper = tgtadm

api_paste_config = /etc/cinder/api-paste.ini
sql_connection = mysql://cinder:5d96c8fa075b400d@<controller_iP>/cinder
rpc_backend = cinder.openstack.common.rpc.impl_kombu
rootwrap_config = /etc/cinder/rootwrap.conf
auth_strategy = keystone
rabbit_host = <controller_IP>
rabbit_port = 5672
rabbit_hosts = <controller_IP>:5672


admin_tenant_name = services
admin_user = cinder
admin_password = passw0rd
auth_uri = http://<controller_IP>:5000/v2.0/
auth_host = <controller_IP>
auth_port = 35357
auth_protocol = http
signing_dirname = /tmp/keystone-signing-cinder

connection = mysql://cinder:5d96c8fa075b400d@<controller_IP>/cinder

And api-paste.ini on the node:

# OpenStack #

use = call:cinder.api:root_app_factory
/: apiversions
/v1: openstack_volume_api_v1
/v2: openstack_volume_api_v2

use = call:cinder.api.middleware.auth:pipeline_factory
noauth = faultwrap sizelimit noauth apiv1
keystone = faultwrap sizelimit authtoken keystonecontext apiv1
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext apiv1

use = call:cinder.api.middleware.auth:pipeline_factory
noauth = faultwrap sizelimit noauth apiv2
keystone = faultwrap sizelimit authtoken keystonecontext apiv2
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext apiv2

paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory

paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory

paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory

paste.app_factory = cinder.api.v1.router:APIRouter.factory

paste.app_factory = cinder.api.v2.router:APIRouter.factory

pipeline = faultwrap osvolumeversionapp

paste.app_factory = cinder.api.versions:Versions.factory

# Shared #

paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
#paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory

paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_password= passw0rd

Output from 'cinder --debug list':

REQ: curl -i http://<controller_IP>:35357/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-cinderclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password ...


Do cinder --debug list and paste the output

Haneef Ali ( 2014-09-25 15:29:30 -0500 )

Edited above.

sambol ( 2014-09-25 15:39:28 -0500 )

Didn't you see REQ logging? You don't need to copy the token. Do you get the token from keystone?

Haneef Ali ( 2014-09-25 16:16:29 -0500 )

Once again do cinder --debug list. If you still see 401, check the keystone log, which will have better information about the error.

Haneef Ali ( 2014-09-25 20:39:27 -0500 )

1 answer


answered 2014-09-25 20:38:41 -0500

There can be many reasons for auth failure. Change the token provider in keystone to the uuid provider and restart token. This will give you a better idea. The token will be very small. This setting is under the [token] section in keystone.conf

provider = keystone.token.providers.uuid.Provider

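An added example (not part of the original post or of OpenStack's code): a sketch that works out which service credentials the authtoken filter ends up with when both cinder.conf and api-paste.ini set them, and builds the matching v2.0 token request so it can be replayed against Keystone like the REQ line in the question. The sample values, the `[keystone_authtoken]` and `[filter:authtoken]` section names (not visible in the configs as pasted here), and the rule that api-paste.ini values take precedence are assumptions.

```python
import configparser
import json

# Constructed sample files: host and passwords are placeholders.
CINDER_CONF = """
[keystone_authtoken]
admin_tenant_name = services
admin_user = cinder
admin_password = example-secret
auth_host = 192.0.2.10
auth_port = 35357
auth_protocol = http
"""
API_PASTE = """
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_password = other-secret
"""
KEYS = ("admin_tenant_name", "admin_user", "admin_password",
        "auth_host", "auth_port", "auth_protocol")

def effective_authtoken(cinder_conf, api_paste):
    """Merge both files; a value in api-paste.ini wins (assumed precedence)."""
    merged, origin = {}, {}
    for name, text, section in (
            ("cinder.conf", cinder_conf, "keystone_authtoken"),
            ("api-paste.ini", api_paste, "filter:authtoken")):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(text)
        for key in KEYS:
            if key in parser[section]:
                merged[key], origin[key] = parser[section][key], name
    return merged, origin

def token_request(settings):
    """Build the Keystone v2.0 password-auth request for the service user."""
    url = "{auth_protocol}://{auth_host}:{auth_port}/v2.0/tokens".format(
        **settings)
    creds = {"username": settings["admin_user"],
             "password": settings["admin_password"]}
    body = {"auth": {"tenantName": settings["admin_tenant_name"],
                     "passwordCredentials": creds}}
    return url, json.dumps(body, sort_keys=True)

if __name__ == "__main__":
    settings, origin = effective_authtoken(CINDER_CONF, API_PASTE)
    print("POST", token_request(settings)[0])
    for key in KEYS:
        print("  %-18s from %s" % (key, origin.get(key, "unset")))
```

The script prints only the URL and where each setting came from, so the password never lands in a terminal log; a 401 on the replayed request points at the service user's credentials or tenant rather than at the end user's token.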


Asked: 2014-09-25 15:04:51 -0500

Seen: 4,295 times

Last updated: Sep 25 '14