Cinder and Keystone Authorization Error (HTTP 401)
I'm having difficulty getting Cinder and Keystone to talk properly (I've tried several other solutions related to this question to no avail). I have an RDO deployment of OpenStack on bare metal (the controller) and Cinder installed on a separate node (the node). I have confirmed connectivity between the controller and the node. On the controller, I have deleted the endpoints for cinder and cinderv2 and created new ones that point to the node. I have also deleted the cinder database on the controller and created and synced a new one. Cinder-API and Cinder-Scheduler are running on the node, but when I try to run 'cinder list', I get the following error in cinder-api.log on the node:
WARNING [keystoneclient.middleware.auth_token] Unexpected response from keystone service: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Unauthorized'}}
On the controller, the following message shows in keystone.log:
WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from <node_IP>
Here's my cinder.conf on the node:
[DEFAULT]
logdir = /var/log/cinder
state_path = /var/lib/cinder
lock_path = /var/lib/cinder/tmp
volumes_dir = /etc/cinder/volumes
iscsi_helper = tgtadm
api_paste_config = /etc/cinder/api-paste.ini
sql_connection = mysql://cinder:5d96c8fa075b400d@<controller_iP>/cinder
rpc_backend = cinder.openstack.common.rpc.impl_kombu
rootwrap_config = /etc/cinder/rootwrap.conf
auth_strategy = keystone
rabbit_host = <controller_IP>
rabbit_port = 5672
rabbit_hosts = <controller_IP>:5672
rabbit_use_ssl=False
rabbit_userid=guest
rabbit_password=guest
#rabbit_login_method=AMQPLAIN
rabbit_virtual_host=/
rabbit_ha_queues=False
notification_driver=cinder.openstack.common.notifier.rpc_notifier
amqp_durable_queues=False
[keystone_authtoken]
admin_tenant_name = services
admin_user = cinder
admin_password = passw0rd
auth_uri = http://<controller_IP>:5000/v2.0/
auth_host = <controller_IP>
auth_port = 35357
auth_protocol = http
signing_dirname = /tmp/keystone-signing-cinder
[database]
connection = mysql://cinder:5d96c8fa075b400d@<controller_IP>/cinder
idle_timeout=3600
And api-paste.ini on the node:
#############
# OpenStack #
#############
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
/: apiversions
/v1: openstack_volume_api_v1
/v2: openstack_volume_api_v2
[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = faultwrap sizelimit noauth apiv1
keystone = faultwrap sizelimit authtoken keystonecontext apiv1
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext apiv1
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = faultwrap sizelimit noauth apiv2
keystone = faultwrap sizelimit authtoken keystonecontext apiv2
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext apiv2
[filter:faultwrap]
paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
[filter:noauth]
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
[filter:sizelimit]
paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory
[app:apiv1]
paste.app_factory = cinder.api.v1.router:APIRouter.factory
[app:apiv2]
paste.app_factory = cinder.api.v2.router:APIRouter.factory
[pipeline:apiversions]
pipeline = faultwrap osvolumeversionapp
[app:osvolumeversionapp]
paste.app_factory = cinder.api.versions:Versions.factory
##########
# Shared #
##########
[filter:keystonecontext]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
#paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_tenant_name=services
auth_host=<controller_IP>
service_port=5000
auth_uri=http://<controller_IP>:5000/
auth_port=35357
service_host=<controller_IP>
service_protocol=http
admin_user=cinder
auth_protocol=http
admin_password= passw0rd
Output from 'cinder --debug list':
REQ: curl -i http://<controller_IP>:35357/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-cinderclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password ...
Do cinder --debug list and paste the output
Edited above.
Didn't you see REQ logging? You don't need to copy the token. Do you get the token from keystone?
Once again do cinder --debug list. If you still see 401, check the keystone log, which will have better information about the error.
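The setup posted above sets auth_token options in two places: [keystone_authtoken] in cinder.conf and [filter:authtoken] in api-paste.ini. As an added example (not part of the original thread or of the Cinder project), the script below resolves which value each auth_token filter ends up with and where the two files disagree. It assumes the middleware's lookup order of paste-deploy options first and [keystone_authtoken] second; the embedded excerpts are constructed from the files in the question.

```python
import configparser

# Constructed excerpts of the two files posted above; placeholders kept as posted.
CINDER_CONF = """\
[keystone_authtoken]
admin_tenant_name = services
admin_user = cinder
admin_password = passw0rd
auth_uri = http://<controller_IP>:5000/v2.0/
auth_host = <controller_IP>
auth_port = 35357
"""
API_PASTE = """\
[filter:keystonecontext]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_tenant_name=services
auth_uri=http://<controller_IP>:5000/
admin_user=cinder
admin_password= passw0rd
"""
AUTH_TOKEN = "keystoneclient.middleware.auth_token:filter_factory"

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' in secrets literal
    cp.read_string(text)
    return cp

def _shared(cinder_text):
    cp = _load(cinder_text)
    return dict(cp["keystone_authtoken"]) if cp.has_section("keystone_authtoken") else {}

def effective(cinder_text, paste_text):
    """Per auth_token filter section: {option: (value, source_file)}."""
    shared, paste, result = _shared(cinder_text), _load(paste_text), {}
    for name in paste.sections():
        local = dict(paste[name])
        if local.pop("paste.filter_factory", None) != AUTH_TOKEN:
            continue  # not an auth_token filter
        merged = {k: (v, "cinder.conf") for k, v in shared.items()}
        merged.update({k: (v, "api-paste.ini") for k, v in local.items()})  # local wins
        result[name] = merged
    return result

def conflicts(cinder_text, paste_text):
    """(filter, option) pairs where api-paste.ini overrides a different cinder.conf value."""
    shared = _shared(cinder_text)
    return [(f, k) for f, opts in effective(cinder_text, paste_text).items()
            for k, (v, src) in opts.items()
            if src == "api-paste.ini" and k in shared and shared[k] != v]
```

Running conflicts() against the real /etc/cinder/cinder.conf and /etc/cinder/api-paste.ini contents shows which duplicated options need to be reconciled; avoid printing the admin_password values from effective() into shared logs.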