Ask Your Question

why my openstackclient doesn't work with keystone v3 API? [closed]

asked 2015-01-03 06:28:51 -0500

darren-wang gravatar image

updated 2015-01-05 21:13:07 -0500

smaffulli gravatar image

I installed keystone and It now works good with keystoneclient CLI. But I want to try v3 API and found my openstackclient doesn't work with keystone.

here is my command:

openstack --os-auth-url http://localhost:5000/v3 \

--os-identity-api-version 3 \

--os-auth-type v3password \

--os-project-name demo \

--os-project-domain-id default \

--os-username darren \

--os-user-domain-id default \

--os-password keystonepass

here is the traceback:

2015-01-03 20:09:46.725 8411 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/dist-packages/keystone/middleware/

2015-01-03 20:09:46.728 8411 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/dist-packages/keystone/common/

2015-01-03 20:09:46.859 8411 INFO eventlet.wsgi.server [-] - - [03/Jan/2015 20:09:46] "POST /v3/auth/tokens HTTP/1.1" 201 4318 0.134202

2015-01-03 20:09:46.863 8409 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/dist-packages/keystone/common/

2015-01-03 20:09:46.864 8409 INFO eventlet.wsgi.server [-] - - [03/Jan/2015 20:09:46] "GET / HTTP/1.1" 300 934 0.001486

2015-01-03 20:09:46.867 8409 INFO eventlet.wsgi.server [-] - - [03/Jan/2015 20:09:46] "GET /v3/users HTTP/1.1" 404 252 0.000999

ERROR: openstack The resource could not be found. (HTTP 404)

"user list" is just an example and I can't do anything with v3 API. The trick is I can do everything with keystoneclient using v2 API, if you need more configuration details, just let me know.

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by darren-wang
close date 2015-01-09 11:39:47.212311


what did the openstack --debug ... say when you run the user list command against keystone v3? and could you paste your /etc/keystone.conf to

9lives gravatar image9lives ( 2015-01-03 10:10:00 -0500 )edit

Can you try the following?

1) Get the token. V2 is also fine.

2) Do curl -i -H "X-Auth-Token: http://localhost:5000/v3/users

Haneef Ali gravatar imageHaneef Ali ( 2015-01-05 11:13:25 -0500 )edit

hi, @Haneef Ali, I think I get the problem, It's the policy.json file! I'm using the v3 version policy file, It seems work when I changed some rules. Thanks anyway. By the way, do you know how to differentiate between v2password, v2token, token, password, v3token, v3password, and so on...

darren-wang gravatar imagedarren-wang ( 2015-01-09 11:21:24 -0500 )edit

thx, @9lives. The traceback said that I was not authorized to do that job. Now it's working after changing some rules. By the way, do you know what does "admin_domain_id" mean in rule "cloud_admin": "... and domain_id:admin_domain_id" in v3 policy.json? Or how can I set up an admin domain?

darren-wang gravatar imagedarren-wang ( 2015-01-09 11:29:21 -0500 )edit

The error message is misleading. It should have been 401 and not 404. Default v3 policy file will work only if you use domain scoped tokens. If you are testing openstack client, just use policy.json and not v3 policy file as you need to change many more things to make it work with v3 policy

Haneef Ali gravatar imageHaneef Ali ( 2015-01-09 11:46:17 -0500 )edit

2 answers

Sort by ยป oldest newest most voted

answered 2015-01-09 11:39:14 -0500

darren-wang gravatar image

updated 2015-01-09 11:40:23 -0500

Finally I fixed this problem. First make sure that database connection is correct, second if you need to use v3password as auth_type, this could be an example.

openstack \

--os-auth-type v3password --os-identity-api-version 3 \

--os-username admin --os-user-domain-id default \

--os-password PASSWORD \ #(optional)

--os-project-name admin --os-project-domain-id default \

--os-auth-url http://controller:35357/v3 COMMAND

Finally, if you are not authorized to fulfill some operation, please check the policy.json file.

edit flag offensive delete link more

answered 2015-01-05 14:45:59 -0500

mpetason gravatar image

I don't remember the stock Keystone Client having v3 support. You'll either need to use the API reference and use Curl, or try:

edit flag offensive delete link more


Nope, keystoneclient doesn't have v3 CLI, so I'm using openstackclient as a CLI tool. But the fact is there are too many auth-types (v2token, v2password, ...) and I'm really confused how to use it.

darren-wang gravatar imagedarren-wang ( 2015-01-09 11:02:15 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-01-03 06:28:51 -0500

Seen: 6,270 times

Last updated: Jan 09 '15