
Kilo Heat Authorization Failed

asked 2015-07-03 14:36:48 -0500

Nastooh

Hi,
On a multi-node Ubuntu 14.04 setup, I cannot instantiate VMs due to an authorization problem. I followed http://docs.openstack.org/kilo/instal..., and below is the step-by-step verification (Keystone IP: 10.4.0.61, Heat IP: 10.4.0.64):
1- Added user and owner roles

$ openstack --os-token $OS_TOKEN --os-url=http://10.4.0.61:5000/v3 --os-identity-api-version=3 role list
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 20eff6ffc86f4bdfbff871966d9a545b | heat_stack_user  |
| 79dd9b3735b641ff98ef48b29b73c075 | heat_stack_owner |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_         |
| de239226d14a41d29eb2775b8214ea24 | ResellerAdmin    |
| f30ab88687b7462298b04095c70fedbd | Member           |
| f5c52968f8af4111bbfccd39ef500edd | Admin            |
+----------------------------------+------------------+

2- Verified that domain name and domain user names are not used

$ openstack --os-token $OS_TOKEN --os-url=http://10.4.0.61:5000/v3 --os-identity-api-version=3 domain list
+---------+---------+---------+----------------------------------------------------------------------+
| ID      | Name    | Enabled | Description                                                          |
+---------+---------+---------+----------------------------------------------------------------------+
| default | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+---------+---------+---------+----------------------------------------------------------------------+
$ openstack --os-token $OS_TOKEN --os-url=http://10.4.0.61:5000/v3 --os-identity-api-version=3 user list
+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| 197d7d26a8794533aaac346e0f40da82 | quantum         |
| 3b81e6cf88cb4cdb9d86a994c686f7c4 | heat-cfn_heat   |
| 6b5ebe9845464932a27e2df1571e1b0b | glance          |
| 842742ffed2d4c02a86b4c199b7b45a5 | sahara          |
| 85bba42bcc164b738d32ca985dbab5d6 | nova            |
| a6ba20be2dcc48abbb0c3ea85dd47ddc | cinder_cinderv2 |
| ddf3f04f637b4621a1e10af49aa17919 | ceilometer      |
| fcbce29fa1eb4b42921a20055afdc024 | admin           |
+----------------------------------+-----------------+

3- Attempted to create domain and user, with password

$ ./bin/heat-keystone-setup-domain \
>   --stack-user-domain-name heat_user_domain \
>   --stack-domain-admin heat_domain_admin \
>   --stack-domain-admin-password 0stack
Traceback (most recent call last):
  File "./bin/heat-keystone-setup-domain", line 157, in <module>
    main()
  File "./bin/heat-keystone-setup-domain", line 147, in main
    if r.name == 'admin'][0]
IndexError: list index out of range

5- The above command seems to have failed; however, both domain and user were created:

$ openstack --os-token $OS_TOKEN --os-url=http://10.4.0.61:5000/v3 --os-identity-api-version=3 domain list
+----------------------------------+------------------+---------+----------------------------------------------------------------------+
| ID                               | Name             | Enabled | Description                                                          |
+----------------------------------+------------------+---------+----------------------------------------------------------------------+
| 8246a72faa504d1fadc50fd0940382e5 | heat_user_domain | True    | Contains users and projects created by heat                          |
| default                          | Default          | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+----------------------------------+------------------+---------+----------------------------------------------------------------------+
$ openstack --os-token $OS_TOKEN --os-url=http://10.4.0.61:5000/v3 --os-identity-api-version=3 user list
+----------------------------------+-------------------+
| ID                               | Name              |
+----------------------------------+-------------------+
| 197d7d26a8794533aaac346e0f40da82 | quantum           |
| 3b81e6cf88cb4cdb9d86a994c686f7c4 | heat-cfn_heat     |
| 6b5ebe9845464932a27e2df1571e1b0b | glance            |
| 842742ffed2d4c02a86b4c199b7b45a5 | sahara            |
| 85bba42bcc164b738d32ca985dbab5d6 | nova              |
| a6ba20be2dcc48abbb0c3ea85dd47ddc | cinder_cinderv2   |
| bea33129df03453f988986e6e22e22e4 | heat_domain_admin |
| ddf3f04f637b4621a1e10af49aa17919 | ceilometer        |
| fcbce29fa1eb4b42921a20055afdc024 | admin             |
+----------------------------------+-------------------+

6- Via openstack client added a password for heat_domain_admin:

openstack --os-token $OS_TOKEN --os-url=http://10.4.0.61:5000/v3 --os-identity-api-version=3 user set --password 0stack heat_domain_admin

7- Updated heat.conf

    [DEFAULT]
    use_syslog = False
    debug = False
    verbose = False
    log_dir = /var/log/heat
    instance_user=ec2-user
    instance_driver=heat.engine.nova
    plugin_dirs=/usr/lib64/heat,/usr/lib/heat,/home/ubuntu/heat/contrib/heat_docker
    environment_dir=/etc/heat/environment.d
    deferred_auth_method=password
    host=heat
    auth_encryption_key=WCqnhgw972Gbxx4G
    heat_metadata_server_url = http://10.4.0.64:8000
    heat_waitcondition_server_url = http://10.4.0.64:8000/v1/waitcondition
    stack_domain_admin = heat_domain_admin 
    stack_domain_admin_password = 0stack 
    stack_user_domain_name = heat_user_domain
    # < Icehouse db config
    sql_connection = mysql://heat:jxJBzcLKKwBZcnK2Nd9f7yhxT3ZVd7cS@10.4.0.53/heat
    rabbit_userid = heat
    rabbit_virtual_host = openstack
    rabbit_password = 89phCHJYGshhdydfJKm5hr2pdxhkcGt2nCVTGwXtFMwRdZ8wx25ZRRcbVKHkWFTZ
    rabbit_host = 10.4.0.60
    [keystone_authtoken]
    identity_uri = http://10.4.0.61:35357
    auth_uri = http://10.4.0.61:5000/v2.0
    auth_host = 10.4.0.61
    auth_port = 35357
    auth_protocol = http
    admin_tenant_name = services
    admin_user = heat-cfn_heat
    admin_password = Fht8bfdkMkS6TTFHL9Vs52Bz4dsm5L77m3sTbG2fWyLChZn4KytZrdWGGmLBRxtw
    signing_dir = /var/cache/heat
    [ec2_authtoken]
    auth_uri = http://10.4.0.61:5000/v2.0
    keystone_ec2_uri = http://10.4.0.61:5000/v2.0/ec2tokens
    [database]
    connection = mysql://heat:jxJBzcLKKwBZcnK2Nd9f7yhxT3ZVd7cS@10.4.0.53/heat
    [paste_deploy]
    api_paste_config=/etc/heat/api-paste.ini
    [heat_api]
    bind_port=7994
    [heat_api_cfn]
    bind_port=7990

8- Restarted heat services

service heat-api restart && service heat-api-cfn ...

1 answer


answered 2015-07-05 17:20:22 -0500

Steve Baker

The failure in step 3 looks like you would end up with a domain user who isn't a domain admin. Could you please raise a bug?

Feel free to try adding debugging to heat-keystone-setup-domain line 147 to see why keystone is not returning the data the script is expecting.


Comments

Here is the bug id: https://bugs.launchpad.net/heat/+bug/.... As noted there, the workaround is to use the openstack client.

Nastooh (2015-07-06 10:52:36 -0500)
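
The traceback in step 3 ends in an exact-match lookup, `r.name == 'admin'` indexed with `[0]`, while the role list in step 1 shows the role spelled `Admin`, and step 5 shows the domain and user already existed when the lookup failed. The sketch below is an added example, not code from heat or from this thread; it assumes the list being filtered is the Keystone role list, and `Role`, `find_role_strict`, `find_role`, `setup_as_observed` and `setup_preflight` are hypothetical names. It reproduces the partial state and shows a lookup that runs first and fails with a usable message.

```python
from collections import namedtuple

# Constructed sample: role names as listed in step 1 (IDs are placeholders).
Role = namedtuple("Role", "id name")
ROLES = [Role("id-%d" % i, n) for i, n in enumerate(
    ["heat_stack_user", "heat_stack_owner", "_member_",
     "ResellerAdmin", "Member", "Admin"])]


class RoleLookupError(LookupError):
    pass


def find_role_strict(roles, name="admin"):
    # Same shape as the expression in the traceback: exact match, then [0].
    return [r for r in roles if r.name == name][0]


def find_role(roles, name="admin"):
    # Exact match only; a case-only near miss is reported, never guessed.
    exact = [r for r in roles if r.name == name]
    if len(exact) == 1:
        return exact[0]
    near = sorted({r.name for r in roles if r.name.lower() == name.lower()})
    hint = " (roles differing only in case: %s)" % ", ".join(near) if near else ""
    raise RoleLookupError("expected one role named %r, found %d%s"
                          % (name, len(exact), hint))


def setup_as_observed(roles, actions):
    # Order seen in steps 3 and 5: objects exist before the lookup fails.
    actions += ["create domain", "create user"]
    role = find_role_strict(roles)
    actions.append("grant %s on domain" % role.name)


def setup_preflight(roles, actions, role_name="admin"):
    # Resolve the role first, so a failed lookup changes nothing.
    role = find_role(roles, role_name)
    actions += ["create domain", "create user",
                "grant %s on domain" % role.name]


if __name__ == "__main__":
    for fn, kw in ((setup_as_observed, {}), (setup_preflight, {}),
                   (setup_preflight, {"role_name": "Admin"})):
        done = []
        try:
            fn(ROLES, done, **kw)
        except LookupError as exc:  # IndexError is a LookupError too
            print("%s failed: %s" % (fn.__name__, exc))
        print(fn.__name__, kw, "->", done)
```

The preflight variant deliberately does not fall back to a case-insensitive match: granting a domain-admin role to a guessed name is a privilege decision the operator should make explicitly.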

Stats

Asked: 2015-07-03 14:36:48 -0500

Seen: 1,780 times

Last updated: Jul 05 '15