Ask Your Question
0

Mistral: Authorization failed: The resource could not be found. (HTTP 404)

asked 2014-11-17 19:41:42 -0600

dt.turner gravatar image

updated 2014-11-18 14:58:14 -0600

Environment:

 - Icehouse 2014.1.2 
 - Dedicated control, network and DB nodes
 - 6 compute nodes
 - Keystone API v2

I've installed the latest github drop (as of 11-10-14) of mistral within a virtual python environment per the instructions on https://github.com/stackforge/mistral . All services are running under a single process. I've verified connection to my existing cloud's messaging queue (rabbitmq). I can run list commands (workbook-list, action-list), however when I attempt to create a workbook from mistral-extra/exampes/v1/create_vm/create_vm_example.yaml, I receive the following error:

mistralclient.api.base.APIException: Authorization failed: The resource could not be found. (HTTP 404)

I notice that mistral assumes keystone API v3, but from reading through some of the python code, it would appear that it "should" still be able to handshake with v2 keystone API. Is this true? Does mistral support authenticating against keystone API v2?

I'm running mistral services within it's own VM for testing. I've verified that the keystone service endpoints are configured for the correct IP and port. This debug example shows that I tried a version 1 example against a v2 mistral endpoint, however I've tried against the v1 mistral endpoint as well as tried version 2 examples against the v2 endpoint. All result in the same error.

Below I've included debug output from the mistral client, keystone and mistral server logs for a single workbook-create request. You can also reference the log entries here: http://paste.openstack.org/show/134427/

Mistral client:

mistral --debug workbook-create create_vm_example.yaml 

Authorization failed: The resource could not be found. (HTTP 404)

Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/cliff/app.py", line 280, in run_subcommand
    result = cmd.run(parsed_args)

  File "/usr/lib/python2.6/site-packages/cliff/display.py", line 91, in run
    column_names, data = self.take_action(parsed_args)

  File "/usr/lib/python2.6/site-packages/mistralclient/commands/v2/workbooks.py", line 101, in take_action
    .create(parsed_args.definition.read())

  File "/usr/lib/python2.6/site-packages/mistralclient/api/v2/workbooks.py", line 28, in create
    return self._create('/workbooks', {'definition': definition})

  File "/usr/lib/python2.6/site-packages/mistralclient/api/base.py", line 92, in _create
    self._raise_api_exception(resp)

 File "/usr/lib/python2.6/site-packages/mistralclient/api/base.py", line 138, in _raise_api_exception
    raise APIException(error_data)

APIException: Authorization failed: The resource could not be found. (HTTP 404)
Traceback (most recent call last):

  File "/usr/bin/mistral", line 11, in <module>
    sys.exit(main())

  File "/usr/lib/python2.6/site-packages/mistralclient/shell.py", line 280, in main
    return MistralShell().run(argv)

  File "/usr/lib/python2.6/site-packages/cliff/app.py", line 215, in run
    result = self.run_subcommand(remainder)

  File "/usr/lib/python2.6/site-packages/cliff/app.py", line 280, in run_subcommand
    result = cmd.run(parsed_args)

  File "/usr/lib/python2.6/site-packages/cliff/display.py", line 91, in run
    column_names, data = self.take_action(parsed_args)

  File "/usr/lib/python2.6/site-packages/mistralclient/commands/v2/workbooks.py", line 101, in take_action
    .create(parsed_args.definition.read())

  File "/usr/lib ...
(more)
edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted
0

answered 2014-11-19 01:41:23 -0600

Renat gravatar image

Hi,

There are two options now in Mistral: 1) Using Keystone API v3 since Mistral relies on trusts in a number of places (long-lived workflows, triggers that lead to deferred executions) 2) Disable authentication at all. However, in this case we won't be able to use lots of things like OpenStack actions, cron triggers etc.

Regarding Keyston API v2, we can actually support it but there's a number of tricky places where we'll have to workaround and this support will be limited. For example, in order to make deferred calls (e.g. triggers) we have to impersonate access based on initial user credentials (or token) provided when a workbook/workflow was uploaded. Because we can't store credentials in Mistral, of course. So in case of Keystone API v2 we can only use different credentials, for example those that we have in Mistral server config itself, but it's obviously a security problem.

Anyway, it'd be nice if you could provide more info about your use case so that we can see what we can do.

Thanks, Renat

edit flag offensive delete link more
0

answered 2014-11-20 16:53:34 -0600

dt.turner gravatar image

Thanks for your response Renat.

I ended up adding a Keystone endpoint for v3 which allowed Mistral to succesfully setup trusts. I was then able to create a workbook from the mistral-extra v2 examples.

I'm hitting an error when creating the execution, but I think this issue falls outside of this question. :-)

To summarize:

  1. Left the Keystone v2.0 endpoints in place for existing services
  2. Added another identity endpoint using the same URLs as the existing endpoint, but ending in /v3 instead of the existing /v2.0
  3. Updated auth_uri in mistral.conf to point to the /v3 endpoint.
  4. Restarted Mistral services
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-11-17 19:41:42 -0600

Seen: 2,697 times

Last updated: Nov 20 '14