
HTTP 401 error on role add with Keystone V3 API

asked 2015-05-26 04:37:19 -0600

zsolt-krenak


I've configured a keystone installation with Keystone V3 API and multiple domain backends (but there is only the Default domain yet). I copied v3cloudsamplpolicy.json to /etc/keystone/policy.json and edited it to the correct domain_id for cloud_admin.

When I try to assign a role to a user with the admin token, for example (of course I set the environment variables OS_URL, OS_TOKEN, OS_IDENTITY_API_VERSION to correct values):

openstack role add --domain default --user admin admin

I get the following error:

The request you have made requires authentication.(HTTP401)

In the admin.log file I see the following error:

2015-05-26 11:24:27.810 1218 INFO keystone.common.wsgi [-] GET /users?name=admin
2015-05-26 11:24:27.810 1218 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
2015-05-26 11:24:27.814 1218 DEBUG keystone.common.kvs.core [-] KVS region configuration for token-driver: {'keystone.kvs.backend': 'openstack.kvs.Memcached', 'keystone.kvs.arguments.distributed_lock': True, 'keystone.kvs.arguments.no_expiry_keys': ['revocation-list'], 'keystone.kvs.arguments.url': ['localhost:11211'], 'keystone.kvs.arguments.memcached_expire_time': 3600, 'keystone.kvs.arguments.memcached_backend': 'memcached', 'keystone.kvs.arguments.lock_timeout': 6} _configure_region /usr/lib/python2.7/dist-packages/keystone/common/kvs/
2015-05-26 11:24:27.819 1218 INFO keystone.common.kvs.core [-] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2015-05-26 11:24:27.822 1218 WARNING keystone.common.controller [-] Invalid token found while getting domain ID for list request
2015-05-26 11:24:27.824 1218 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication.

Same issue when I try to list roles of a user:

openstack role list --domain default --user admin

On the other hand, I can create projects, roles, domains... I could really use some help on this. Thank you in advance!


Could you please give me the keystone package version, with dpkg --list | grep keystone

RajasiK ( 2015-05-26 06:23:55 -0600 )

Hi! The version is 1:2015.1.0-0ubuntu0~cloud0

zsolt-krenak ( 2015-06-01 04:20:46 -0600 )

2 answers


answered 2015-05-27 16:24:36 -0600

updated 2015-05-29 18:05:45 -0600

There are a couple of problems, all of them due to the admin token. Certain API calls try to get the user's domain_id from the token, and since you are using the admin token, they are going to fail.

The openstack client command is trying to be smart. It doesn't know whether the user has given an "id" or a "name". It assumes the input is an "id", and if that fails, assumes it is a "name". If both fail, it errors out.

Your openstack command does the following:

1) Get domain by domain_id using the domain_id default. This will work.
2) Get user by user_id using user_id as "admin". This won't work. So it will once again try to list all the users and filter by name where name is "admin". Most probably you are getting the 401 here.

So your options are to use Id for username


Sadly it's not the solution, and wouldn't explain why the listing doesn't work as well.

zsolt-krenak ( 2015-05-28 01:54:51 -0600 )

Updated my answer

Haneef Ali ( 2015-05-29 10:14:07 -0600 )

Thanks a lot, it's working now! Although for me this seems a little messy, it complicates automatic deployment a little; it would be more user-friendly with names, I think.

zsolt-krenak ( 2015-06-01 04:20:49 -0600 )
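
An added example, not part of the original thread or of Keystone's own code: a Python script that scans a Keystone log for the sequence shown in the question's admin.log (admin-token RBAC bypass, then the failed domain-ID lookup, then the 401), which is the list-by-name step the answer above describes. The pid 1219 lines are constructed, and correlating by worker PID assumes one request in flight per process.

```python
import re

# The first four lines are from the question's admin.log (KVS lines omitted);
# the last two (pid 1219) are constructed to show a request that does not fail.
SAMPLE_LOG = """\
2015-05-26 11:24:27.810 1218 INFO keystone.common.wsgi [-] GET /users?name=admin
2015-05-26 11:24:27.810 1218 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
2015-05-26 11:24:27.822 1218 WARNING keystone.common.controller [-] Invalid token found while getting domain ID for list request
2015-05-26 11:24:27.824 1218 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication.
2015-05-26 11:24:28.100 1219 INFO keystone.common.wsgi [-] GET /domains/default
2015-05-26 11:24:28.101 1219 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) "
                     r"[A-Z]+ (?P<logger>\S+) \[[^\]]*\] (?P<msg>.*)$")
REQUEST_RE = re.compile(r"^(?P<method>GET|POST|PUT|PATCH|DELETE|HEAD) (?P<path>\S+)")


def find_admin_token_list_failures(log_text):
    """Return requests where the admin-token bypass was followed by a failed
    domain-ID lookup and a 401. Assumes one in-flight request per worker PID."""
    findings, in_flight = [], {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]
        request = REQUEST_RE.match(msg)
        if line["logger"] == "keystone.common.wsgi" and request:
            in_flight[pid] = {"ts": line["ts"], "pid": pid, "method": request["method"],
                              "path": request["path"], "bypass": False, "no_domain": False}
            continue
        state = in_flight.get(pid)
        if state is None:
            continue
        if msg.startswith("RBAC: Bypassing authorization"):
            state["bypass"] = True
        elif msg.startswith("Invalid token found while getting domain ID"):
            state["no_domain"] = True
        elif msg.startswith("Authorization failed"):
            if state["bypass"] and state["no_domain"]:
                findings.append(state)
            del in_flight[pid]
    return findings

if __name__ == "__main__":
    for f in find_admin_token_list_failures(SAMPLE_LOG):
        print(f"{f['ts']} pid={f['pid']} {f['method']} {f['path']}: list request with admin token got 401")
```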

answered 2015-10-12 07:47:09 -0600

Viswanath


I'm having the same issue while using kilo devstack, but the above reply did not work for me. For the sake of the community, can you please elaborate on any other workaround?

$ openstack project list
ERROR: openstack project ID not found: default


Asked: 2015-05-26 04:37:19 -0600

Seen: 3,685 times

Last updated: Oct 12 '15