Ask Your Question
2

Cinder and Keystone Authorization Error (HTTP 401)

asked 2014-09-25 15:04:51 -0500

sambol gravatar image

updated 2014-09-25 16:22:47 -0500

I'm having difficulty getting Cinder and Keystone to talk properly (I've tried several other solutions related to this question to no avail). I have an RDO deployment of OpenStack on a bare metal (the controller) and Cinder installed on a separate node (the node). I have confirmed connectivity between the controller and the node. On the controller, I have deleted the endpoints for cinder and cinderv2 and created new ones that point to the node. I have also deleted the cinder database on the controller and created and synced a rew one. Cinder-API and Cinder-Scheduler are running on the node, but when I try to run 'cinder list', I get the following error in cinder-api.log on the node:

WARNING [keystoneclient.middleware.auth_token] Unexpected response from keystone service: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Unauthorized'}}

On the controller, the following message shows in keystone.log:

WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from <node_IP>

Here's my cinder.conf on the node:

[DEFAULT]
logdir = /var/log/cinder
state_path = /var/lib/cinder
lock_path = /var/lib/cinder/tmp
volumes_dir = /etc/cinder/volumes
iscsi_helper = tgtadm

api_paste_config = /etc/cinder/api-paste.ini
sql_connection = mysql://cinder:5d96c8fa075b400d@<controller_iP>/cinder
rpc_backend = cinder.openstack.common.rpc.impl_kombu
rootwrap_config = /etc/cinder/rootwrap.conf
auth_strategy = keystone
rabbit_host = <controller_IP>
rabbit_port = 5672
rabbit_hosts = <controller_IP>:5672
rabbit_use_ssl=False
rabbit_userid=guest
rabbit_password=guest
#rabbit_login_method=AMQPLAIN
rabbit_virtual_host=/
rabbit_ha_queues=False
notification_driver=cinder.openstack.common.notifier.rpc_notifier

amqp_durable_queues=False

[keystone_authtoken]
admin_tenant_name = services
admin_user = cinder
admin_password = passw0rd
auth_uri = http://<controller_IP>:5000/v2.0/
auth_host = <controller_IP>
auth_port = 35357
auth_protocol = http
signing_dirname = /tmp/keystone-signing-cinder

[database]
connection = mysql://cinder:5d96c8fa075b400d@<controller_IP>/cinder
idle_timeout=3600

And api-paste.ini on the node:

#############
# OpenStack #
#############

[composite:osapi_volume]
use = call:cinder.api:root_app_factory
/: apiversions
/v1: openstack_volume_api_v1
/v2: openstack_volume_api_v2

[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = faultwrap sizelimit noauth apiv1
keystone = faultwrap sizelimit authtoken keystonecontext apiv1
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext apiv1

[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = faultwrap sizelimit noauth apiv2
keystone = faultwrap sizelimit authtoken keystonecontext apiv2
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext apiv2

[filter:faultwrap]
paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory

[filter:noauth]
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory

[filter:sizelimit]
paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory

[app:apiv1]
paste.app_factory = cinder.api.v1.router:APIRouter.factory

[app:apiv2]
paste.app_factory = cinder.api.v2.router:APIRouter.factory

[pipeline:apiversions]
pipeline = faultwrap osvolumeversionapp

[app:osvolumeversionapp]
paste.app_factory = cinder.api.versions:Versions.factory

##########
# Shared #
##########

[filter:keystonecontext]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
#paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_tenant_name=services
auth_host=<controller_IP>
service_port=5000
auth_uri=http://<controller_IP>:5000/
auth_port=35357
service_host=<controller_IP>
service_protocol=http
admin_user=cinder
auth_protocol=http
admin_password= passw0rd

Output from 'cinder --debug list':

REQ: curl -i http://<controller_IP>:35357/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-cinderclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password ...
(more)
edit retag flag offensive close merge delete

Comments

Do cinder --debug list and paste the output

Haneef Ali gravatar imageHaneef Ali ( 2014-09-25 15:29:30 -0500 )edit

Edited above.

sambol gravatar imagesambol ( 2014-09-25 15:39:28 -0500 )edit

Didn't you see REQ logging? You don't need to copy the token. Do you get the token from keystone?

Haneef Ali gravatar imageHaneef Ali ( 2014-09-25 16:16:29 -0500 )edit

Once again do cinder --debug list. If you still see 401 check the keystone log , which will have better information about the error

Haneef Ali gravatar imageHaneef Ali ( 2014-09-25 20:39:27 -0500 )edit

1 answer

Sort by ยป oldest newest most voted
1

answered 2014-09-25 20:38:41 -0500

There can be many reason for auth failure. Change the token provider in keystone to uuid provider and restart token. This will give you a better idea. The token will be very small. This setting is under [token] section in keystone.conf

provider = keystone.token.providers.uuid.Provider

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-09-25 15:04:51 -0500

Seen: 4,040 times

Last updated: Sep 25 '14