I am getting an authentication exception while creating an user in Openstack Kilo version

asked 2015-05-09 09:16:42 -0600

mkrish004c gravatar image

updated 2015-05-14 01:13:37 -0600

            I am creating this as the first service with the token and url environment variables assigned.

    Followed steps from this page --> http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-services.html

    And my keystone conf changes,

    admin_token = ab973e842bed7e89fc78
    log_dir = /var/log/keystone
    verbose = True


    servers = localhost:11211

    driver = keystone.token.persistence.backends.memcache.Token

    driver = keystone.contrib.revoke.backends.sql.Revoke

                  root@XXX-XX-156:/home/mkrish004c/openstack/kilo# export OS_TOKEN=ab973e842bed7e89fc78(given in keystone.conf)
                    root@XXX-XX-156:/home/mkrish004c/openstack/kilo# export OS_URL=http://10.xx.xx.xx:35357/v2.0
                    root@XXX-XX-156:/home/mkrish004c/openstack/kilo# openstack service create --type identity --description "OpenStack Identity" keystone
                    /usr/lib/python2.7/dist-packages/novaclient/v1_1/__init__.py:30: UserWarning: Module novaclient.v1_1 is deprecated (taken as a basis for novaclient.v2). The preferable way to get client class or object you can find in novaclient.client module.
                      warnings.warn("Module novaclient.v1_1 is deprecated (taken as a basis for "
                    ERROR: openstack

            using openstack --debug, getting the following exception

             (openstack) user create --password-prompt admin
                INFO: openstackclient.shell command: openstackclient.identity.v2_0.user.CreateUser
                DEBUG: openstackclient.identity.v2_0.user.CreateUser take_action(Namespace(columns=[], disable=False, email=None, enable=False, formatter='table', max_width=0, name='admin', or_show=False, password=None, password_prompt=True, prefix='', project=None, variables=[]))
                User Password:
                Repeat User Password:
                ERROR: openstack
                Traceback (most recent call last):
                  File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 303, in run_subcommand
                    result = cmd.run(parsed_args)
                  File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 91, in run
                    column_names, data = self.take_action(parsed_args)
                  File "/usr/lib/python2.7/dist-packages/openstackclient/identity/v2_0/user.py", line 105, in take_action
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/v2_0/users.py", line 102, in create
                    return self._create('/users', params, "user", log=not bool(password))
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/base.py", line 151, in _create
                    return self._post(url, body, response_key, return_raw, **kwargs)
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/base.py", line 165, in _post
                    resp, body = self.client.post(url, body=body, **kwargs)
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 170, in post
                    return self.request(url, 'POST', **kwargs)
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 200, in request
                    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 89, in request
                    return self.session.request(url, method, **kwargs)
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/utils.py", line 318, in inner
                    return func(*args, **kwargs)
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 307, in request
                    auth_headers = self.get_auth_headers(auth)
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 589, in get_auth_headers
                    return auth.get_headers(self, **kwargs)
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/auth/base.py", line 114, in get_headers
                    token = self.get_token(session)
                  File "/usr/lib/python2.7/dist-packages/keystoneclient/auth/identity/base.py ...
edit retag flag offensive close merge delete



Can you provide the contents of your /etc/keystone/keystone.conf file as well any log output from /var/log/keystone/keystone.log and /var/log/keystone/keystone-all.log from the time when you are running the openstack-service-create? Thanks.

ghebda gravatar imageghebda ( 2015-05-12 15:07:38 -0600 )edit

Added the logs in question, Thanks for your analysis.

mkrish004c gravatar imagemkrish004c ( 2015-05-13 12:48:39 -0600 )edit

See my updated, answer. I think I'm going to need more characters.

ghebda gravatar imageghebda ( 2015-05-13 15:22:21 -0600 )edit

Also, I don't know if token_flush not working is intended, a bug, or a configuration problem that I also have. According to this link, it looks like they intended to have it in Kilo: http://docs.openstack.org/developer/keystone/configuration.html (http://docs.openstack.org/developer/k...) I haven't found anything on that problem yet...

ghebda gravatar imageghebda ( 2015-05-13 15:38:47 -0600 )edit

I just folowd the steps from the installatn guide from http://docs.openstack.org/kilo/install-guide/ (http://docs.openstack.org/kilo/instal...) and note says for conf file changes "Default configuration files vary by distribution. You might need to add these sections and options rather than modifying existing sections and options."

mkrish004c gravatar imagemkrish004c ( 2015-05-14 03:17:40 -0600 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2015-05-11 09:03:23 -0600

ghebda gravatar image

updated 2015-05-15 08:13:47 -0600


Can you run a yum list installed | grep openstack and check which packages actually downloaded? It turns out if you jumped on the Kilo release on day 1, like I did, they had both kilo and juno repos in the /etc/yum.repos.d/rdo-release.repo. Then, they moved the location of the kilo repos, so about half the packages I ended up downloading came from the juno repo. I wonder if they did something similar with the the sources in the Ubuntu release. It was causing all sorts of weird little buggy things, including the keystone-manage token_flush problem I was having. They have since release an updated version with no juno repo and the correct url for the kilo repo.


If you do an nslookup controller, does it resolve to an IP address? The reason I ask is that the hostname of your controller node looks like it is XXX-XX-156, and the @controller part of the database connection line is looking for whatever hostname you assign to your controller. It has to be resolvable by your dns and/or (preferrably and) your /etc/hosts file. Right now, I'm sort of looking for any part of the config that might be off, and since I don't know your environment, that one sticks out to me as a potential problem.

[UPDATE] From the logs, it looks like something is trying to call the same function that running keystone-manage token_flush does. I have what appears to be a functioning keystone setup and I get that same traceback when I run keystone-manage token_flush by hand:

[root@kilocontroller ~]# keystone-manage token_flush
2015-05-13 15:11:20.412 32368 INFO keystone.common.kvs.core [-] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2015-05-13 15:11:20.413 32368 CRITICAL keystone [-] NotImplemented: The action you have requested has not been implemented.
2015-05-13 15:11:20.413 32368 TRACE keystone Traceback (most recent call last):
2015-05-13 15:11:20.413 32368 TRACE keystone   File "/usr/bin/keystone-manage", line 44, in <module>
2015-05-13 15:11:20.413 32368 TRACE keystone     cli.main(argv=sys.argv, config_files=config_files)
2015-05-13 15:11:20.413 32368 TRACE keystone   File "/usr/lib/python2.7/site-packages/keystone/cli.py", line 306, in main
2015-05-13 15:11:20.413 32368 TRACE keystone     CONF.command.cmd_class.main()
2015-05-13 15:11:20.413 32368 TRACE keystone   File "/usr/lib/python2.7/site-packages/keystone/cli.py", line 175, in main
2015-05-13 15:11:20.413 32368 TRACE keystone     token_manager.driver.flush_expired_tokens()
2015-05-13 15:11:20.413 32368 TRACE keystone   File "/usr/lib/python2.7/site-packages/keystone/token/persistence/backends/kvs.py", line 356, in flush_expired_tokens
2015-05-13 15:11:20.413 32368 TRACE keystone     raise exception.NotImplemented()
2015-05-13 15:11:20.413 32368 TRACE keystone NotImplemented: The action you have requested has not been implemented.
2015-05-13 15:11:20.413 32368 TRACE keystone

If I were you I would double check any options in keystone.conf that deal with tokens. Did you follow ... (more)

edit flag offensive delete link more


Yeah to avoid that host name problem i have used IP address in each and every config file. isnt it a good practice ?

mkrish004c gravatar imagemkrish004c ( 2015-05-14 12:33:31 -0600 )edit

Yeah, that should work. Did you replace controller with the IP of your controller node in the keystone.conf database connection line and try again? If so, how did it go?

ghebda gravatar imageghebda ( 2015-05-14 13:09:42 -0600 )edit

I am putting another update in my answer, since I have some new info on the keystone-manage token_flush issue.

ghebda gravatar imageghebda ( 2015-05-15 08:07:53 -0600 )edit

I am hitting the same issue here:

I changed my connection string as well

I am now getting a lot of these:

WARNING oslo_db.sqlalchemy.session [-] SQL connection failed. 10 attempts left.

lhinds gravatar imagelhinds ( 2015-05-17 17:39:56 -0600 )edit

Yeah @ghebda, that upgrading issue might cause a problem in my case, by the way i updated source.list.d with the this command... echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu%22 (http://ubuntu-cloud.archive.canonical...) "trusty-updates/kilo main" > /etc/apt/sources.list.d/cloudarchive-kilo.list

mkrish004c gravatar imagemkrish004c ( 2015-05-18 00:45:39 -0600 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-05-09 09:16:42 -0600

Seen: 2,000 times

Last updated: May 15 '15