ceilometer command line api error

asked 2013-10-03 16:01:20 -0500

cloud gravatar image

I am trying to run ceilometer meter-list but it gives me following error Authentication required

WARNING (http:168) Request returned failure status.
Invalid OpenStack Identity credentials.

when I tried ceilometer --debug meter-list it gave following out put

root@osgrizzly:~# ceilometer --debug meter-list
INFO (connectionpool:191) Starting new HTTP connection (1):
DEBUG (connectionpool:283) "POST /v2.0/tokens HTTP/1.1" 200 8216
DEBUG (http:110) curl -i -X GET -H 'X-Auth-Token: MIIOSQYJKoZIhvcNAQcCoIIOOjCCDjYCAQExCTAHBgUrDgMCGjCCDSIGCSqGSIb3DQEHAaCCDRMEgg0PeyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0xMC0wM1QyMDozNTowOS4yOTEyMTciLCAiZXhwaXJlcyI6ICIyMDEzLTEwLTA0VDIwOjM1OjA5WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImRlc2NyaXB0aW9uIjogbnVsbCwgImVuYWJsZWQiOiB0cnVlLCAiaWQiOiAiZjEyNTAyZDI2NmVlNGQ1OWE5MjBkZTY0Y2IyZTUwYzgiLCAibmFtZSI6ICJhZG1pbiJ9fSwgInNlcnZpY2VDYXRhbG9nIjogW3siZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjQuMTAuMDo4Nzc0L3YyL2YxMjUwMmQyNjZlZTRkNTlhOTIwZGU2NGNiMmU1MGM4IiwgInJlZ2lvbiI6ICJSZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjQuMTAuMDo4Nzc0L3YyL2YxMjUwMmQyNjZlZTRkNTlhOTIwZGU2NGNiMmU1MGM4IiwgImlkIjogIjFmNjE1YWJiNzc4YTRhMTZiNTk2Y2Y4OWQyNDIwYTkyIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTAuNC4xMC4wOjg3NzQvdjIvZjEyNTAyZDI2NmVlNGQ1OWE5MjBkZTY0Y2IyZTUwYzgifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiY29tcHV0ZSIsICJuYW1lIjogIm5vdmEifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTAuNC4xMC4wOjk2OTYvIiwgInJlZ2lvbiI6ICJSZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjQuMTAuMDo5Njk2LyIsICJpZCI6ICI1MjUzNGVjNWQ4MmM0YjU4YjRiMGUyMTI1ZTA1ODI0OSIsICJwdWJsaWNVUkwiOiAiaHR0cDovLzEwLjQuMTAuMDo5Njk2LyJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJuZXR3b3JrIiwgIm5hbWUiOiAicXVhbnR1bSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC40LjEwLjA6OTI5Mi8iLCAicmVnaW9uIjogIlJlZ2lvbk9uZSIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vMTAuNC4xMC4wOjkyOTIvIiwgImlkIjogIjEyN2NhMzk1YTg4MjRlZjNhZmY0NDhkYjIxMjM0NGY0IiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTAuNC4xMC4wOjkyOTIvIn1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImltYWdlIiwgIm5hbWUiOiAiZ2xhbmNlIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjQuMTAuMDo4Nzc3LyIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC40LjEwLjA6ODc3Ny8iLCAiaWQiOiAiNmU2M2EyMTYzYzE5NGY1MGIxNzg3MDg0YzdiN2U3YTIiLCAicHVibGljVVJMIjogImh0dHA6Ly8xMC40LjEwLjA6ODc3Ny8ifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAibWV0ZXJpbmciLCAibmFtZSI6ICJjZWlsb21ldGVyIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovL2xvY2FsaG9zdDo4MDAwL3YxIiwgInJlZ2lvbiI6ICJSZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovL2xvY2FsaG9zdDo4MDAwL3YxIiwgImlkIjogIjc3MGVkNmNjMGUzOTRiYjNhNGRmMjYyMDAwNDNjOTkxIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vbG9jYWxob3N0OjgwMDAvdjEifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiY2xvdWRmb3JtYXRpb24iLCAibmFtZSI6ICJoZWF0LWNmbiJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC40LjEwLjA6ODc3Ni92MS9mMTI1MDJkMjY2ZWU0ZDU5YTkyMGRlNjRjYjJlNTBjOCIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC40LjEwLjA6ODc3Ni92MS9mMTI1MDJkMjY2ZWU0ZDU5YTkyMGRlNjRjYjJlNTBjOCIsICJpZCI6ICIzNDIxNjAzN2NhNTk0MDMwYjM0MTk0ZjM2ZmVhZGE0ZSIsICJwdWJsaWNVUkwiOiAiaHR0cDovLzEwLjQuMTAuMDo4Nzc2L3YxL2YxMjUwMmQyNjZlZTRkNTlhOTIwZGU2NGNiMmU1MGM4In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogInZvbHVtZSIsICJuYW1lIjogImNpbmRlciJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC40LjEwLjA6ODc3My9zZXJ2aWNlcy9BZG1pbiIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC40LjEwLjA6ODc3My9zZXJ2aWNlcy9DbG91ZCIsICJpZCI6ICIzYzBiYWMyMzg2MjQ0ZTI4Yjk4NWQ2MjE1NWM5MzY3MyIsICJwdWJsaWNVUkwiOiAiaHR0cDovLzEwLjQuMTAuMDo4NzczL3NlcnZpY2VzL0Nsb3VkIn1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImVjMiIsICJuYW1lIjogImVjMiJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly9sb2NhbGhvc3Q6ODAwNC92MS9mMTI1MDJkMjY2ZWU0ZDU5YTkyMGRlNjRjYjJlNTBjOCIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHA6Ly9sb2NhbGhvc3Q6ODAwNC92MS9mMTI1MDJkMjY2ZWU0ZDU5YTkyMGRlNjRjYjJlNTBjOCIsICJpZCI6ICIwMjhlZTNmNjA0OWE0NGE1OGRjOTMxN2Q0NDFkNDg4ZCIsICJwdWJsaWNVUkwiOiAiaHR0cDovL2xvY2FsaG9zdDo4MDA0L3YxL2YxMjUwMmQyNjZlZTRkNTlhOTIwZGU2NGNiMmU1MGM4In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogIm9yY2hlc3RyYXRpb24iLCAibmFtZSI6ICJoZWF0In0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDoiugsdaCAQEwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEgYAFzE6vEs86YcDHONo0cKH0Fl3ymTDgHdwsboOoRV0BDinFB+gehVN2RkqYBVcxGu4nVmJRRZMlPZ-gdl3mmJVrgmS4oPLSfKZFz8yR9h1mqxczinIo+dI4Z8AMzcfdSOKv-TYhcJR8rYBOAuYvckRqsdOuIGA7txvJPzDkDNVJtA==' -H 'Content-Type: application/json' -H 'Accept: application/json' -H 'User-Agent: python-ceilometerclient'
DEBUG (http:120)
HTTP/1.0 401 Unauthorized
date: Thu, 03 Oct 2013 20:35:12 GMT
content-length: 23
content-type: text/plain
www-authenticate: Keystone uri=''
server: WSGIServer/0.1 Python/2.7.3

Authentication required

WARNING (http:168) Request returned failure status.
Invalid OpenStack Identity credentials.

I know that the error is related to keystone authentication. However the www-authenticate: Keystone uri='' I have my uri as I am not sure from where it taking the local host ip address..

Also I have doubts about the user role and tennant name for ceilometer.. Can I have all three as admin?? (I am not using swift so i dont need a ResellerAdmin role)

edit retag flag offensive close merge delete

3 answers

Sort by ยป oldest newest most voted

answered 2013-11-07 07:40:14 -0500

igordcard gravatar image

updated 2013-11-07 07:59:08 -0500

You have already fixed your problem. However, I will deliver this answer anyway because even though I had the exact same output when running the command you've ran, your solution/workaround did not apply to my scenario.

To contextualize: I had the correct credentials sourced in my environment, so that wasn't the problem.

This is what was being output to /var/log/keystone/keystone.log:

2013-11-07 12:44:13.066 14747 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:revocation_list.

By the way, each time an operation was requested, the generated token was different.

That revocation_list made me suspicious, so I start searching for things related to tokens and revocations, in my configurations.

Eventually, I changed the following entry in /etc/ceilometer/ceilometer.conf:




Thus disabling token caching completely. After that, the API started responding to my commands, perfectly.

So, it seems that either ceilometer was sending already revoked tokens or Keystone was revoking them automatically because they were from the previous request, or something else. I'd be happy if someone familiar with this could give a correct justification...

Either way, this workaround fixes your original question, for a scenario like mine.

Running final Havana on Ubuntu 12.04.3 LTS.

edit flag offensive delete link more

answered 2014-11-18 03:39:02 -0500

ysnam gravatar image

updated 2014-11-18 06:56:06 -0500

Authorization may not be possible due to many reasons.

I got the same debug messages, but i can't find what's the real problem. I just guess some package dependencies are broken or messed up.
but i suggest a workaround.

In my case, running Ubuntu 14.04.1 and icehouse, i changed the authentication strategy configuration (auth_strategy) to 'noauth', although it is one of workarounds, but if you just wanna deploy and develop ceilometer's functionality on research propose, you can use 'no authentication' option.

edit flag offensive delete link more

answered 2013-10-04 11:35:42 -0500

cloud gravatar image

updated 2013-10-14 16:04:04 -0500

This was solved by adding AUTH_TOKEN in the source file




# Allows to pass in the name of a fake http_handler callback
# function used instead of httplib.HTTPConnection or
# httplib.HTTPSConnection. Useful for unit testing where
# network is not available. (string value)

# Single shared secret with the Keystone configuration used
# for bootstrapping a Keystone installation, or otherwise
# bypassing the normal authentication process. (string value)

# Keystone account username (string value)

# Keystone account password (string value)

# Keystone service account tenant name to validate user tokens
# (string value)
auth_uri =
# Env key for the swift cache (string value)

# Required if Keystone server requires client certificate
# (string value)

# Required if Keystone server requires client certificate
# (string value)

# Directory used to cache files related to PKI tokens (string
# value)

# If defined, the memcache server(s) to use for caching (list
# value)

# In order to prevent excessive requests and validations, the
# middleware uses an in-memory cache for the tokens the
# Keystone API returns. This is only valid if memcache_servers
# is defined. Set to -1 to disable caching completely.
# (integer value)

# Value only used for unit testing (integer value)

# (optional) if defined, indicate whether token data should be
# authenticated or authenticated and encrypted. Acceptable
# values are MAC or ENCRYPT.  If MAC, token data is
# authenticated (with HMAC) in the cache. If ENCRYPT, token
# data is encrypted and authenticated in the cache. If the
# value is not one of these options or empty, auth_token will
# raise an exception on initialization. (string value)

# (optional, mandatory if memcache_security_strategy is
# defined) this string is used for key derivation. (string
# value)


# Options defined in ceilometer.service

# Username to use for openstack service access (string value)


# Password to use for openstack service access (string value)

# Tenant ID to use for openstack service access (string value)

# Tenant name to use for openstack service access (string
# value)

# Certificate chain for SSL validation (string value)

# Auth URL to use for openstack service access (string value)

# Type of endpoint in Identity service catalog to use for
# communication with OpenStack services. (string value)


# Options defined in ceilometer.middleware

# Exchanges name to listen for notifications (multi valued)

# Options defined in ceilometer.pipeline

# Configuration file for pipeline definition (string value)

# Options defined in ceilometer.sample

# Source for samples emited on this instance (string value)

# Options defined in ceilometer.api.app

# The strategy to use for auth: noauth or keystone. (string
# value)

# Deploy the deprecated v1 API. (boolean value)

# Options defined in ceilometer.compute.notifications

# Exchange name for Nova notifications (string value)

# Options defined ...
edit flag offensive delete link more


Hi, May you share your configuration because i have problem with qpid i check log always probelm there.. THanks Regards Fand Kurnia

fandikurnia gravatar imagefandikurnia ( 2013-10-13 15:50:47 -0500 )edit

I have made the ceilometer source file in which I source AUTH_TOKEN...just before starting ceilometer api

cloud gravatar imagecloud ( 2013-10-14 16:06:07 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2013-10-03 16:01:20 -0500

Seen: 3,610 times

Last updated: Nov 18 '14