Ask Your Question

Why does keystone not authenticate my neutron server? [closed]

asked 2013-11-28 06:57:21 -0600

dario-valocchi gravatar image

updated 2013-11-29 11:02:20 -0600

Hello everybody. This is my first question here so I'm sorry if something is not formatted correctly. I installed and configured all Havana OpenStack entities on a single Ubuntu server machine just for testing purpose. The server machine runs nova-compute, nova-controller, keystone, glance and neutron. I correctly installed and used Keystone, Glance, Nova and Swift for a copule of month and now I'm trying to introduce Neutron for networking. I followed this guide using the ovs plugin with GRE encapsulation.

When I try the command neutron net-list i obtain:

    enterAuthentication required
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/neutronclient/", line 517, in run_subcommand
    return run_command(cmd, cmd_parser, sub_argv)
  File "/usr/lib/python2.7/dist-packages/neutronclient/", line 78, in run_command
  File "/usr/lib/python2.7/dist-packages/neutronclient/common/", line 35, in run
    return super(OpenStackCommand, self).run(parsed_args)
  File "/usr/lib/python2.7/dist-packages/cliff/", line 84, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/dist-packages/neutronclient/common/", line 41, in take_action
    return self.get_data(parsed_args)
  File "/usr/lib/python2.7/dist-packages/neutronclient/neutron/v2_0/", line 586, in get_data
    data = self.retrieve_list(parsed_args)
  File "/usr/lib/python2.7/dist-packages/neutronclient/neutron/v2_0/", line 555, in retrieve_list
    data = self.call_server(neutron_client, search_opts, parsed_args)
  File "/usr/lib/python2.7/dist-packages/neutronclient/neutron/v2_0/", line 527, in call_server
    data = obj_lister(**search_opts)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/", line 108, in with_params
    ret = self.function(instance, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/", line 325, in list_networks
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/", line 1197, in list
    for r in self._pagination(collection, path, **params):
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/", line 1210, in _pagination
    res = self.get(path, params=params)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/", line 1183, in get
    headers=headers, params=params)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/", line 1168, in retry_request
    headers=headers, params=params)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/", line 1103, in do_request
    resp, replybody = self.httpclient.do_request(action, method, body=body)
  File "/usr/lib/python2.7/dist-packages/neutronclient/", line 192, in do_request
    self.endpoint_url + url, method, **kwargs)
  File "/usr/lib/python2.7/dist-packages/neutronclient/", line 156, in _cs_request
    raise exceptions.Unauthorized(message=body)
Unauthorized: Authentication required

I can use glance and nova client without any authentication issue, exporting admin username and password and tenantid in enrivonment variables, but the neutron client keeps on creating this problem. I tried with the auth_strategy=noauth in the file neutron.conf and it works but i would like to have a secure access to the neutron api.

Surfing through the log I found in /var/log/neutron ... (more)

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by dheeru
close date 2013-12-02 04:51:18.773773


Hi, I am having the same issue; did you get it resolved? I can work around this by setting auth_strategy to 'noauth'. I still wonder why keystone would not authenticate neutron-server. Thanks.

laocius gravatar imagelaocius ( 2013-12-03 01:54:02 -0600 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2013-11-28 09:54:43 -0600

dheeru gravatar image

updated 2013-12-02 03:08:56 -0600

As suspected it was issue of mis-match of user credentials.
There are two configuration files for neutron

Following keystone authentication configurations were in both the configuration files. Preference is always for api-paste.conf.

paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory

In this case password specified in api-paste.conf was wrong. Authentication information was correct in neutron.conf. This resulted neutron to fail with authentication with keystone.

The auth_token middleware for keystone now enables you to configure auth_token in the neutron.conf file. You no longer have to edit the api-paste.ini file. This change does not break backward compatibility. The auth_token middleware first tries the configurations in /etc/neutron/api-paste.ini and then tries the neutron.conf configuration. If you currently use api-paste.ini, you do not need to change it


It is clear case of mismatch of credentials what you are specifying in /etc/neutron/neutron.conf. Can you check those user name, passoword and tenant you specify in this file. I'm assuming that auth_strategy is mentioned neutron.conf file

Please check and revert me with following.

1. keystone user-list
2. keystone tenant-list
3. keystone role-list
4. keystone endpoint-list
5. keystone service-list

Check what you specified in neutron.conf indeed exist here.  Do let me know if this helps. Other wise ping me. we can quickly close this.
edit flag offensive delete link more


Thank you very much for you answer. I will edit the question with the result of the command you asked me to execute.

dario-valocchi gravatar imagedario-valocchi ( 2013-11-29 02:16:17 -0600 )edit

1. Please run the command with --debug option. 2. neutron.conf specify user=neutron pass=nano and tenant=service. Can you verify these credentials with the help of following link 3. Ensure that your keystone service is running.

dheeru gravatar imagedheeru ( 2013-11-29 10:16:17 -0600 )edit

Thank you again. I updated the question. Anyway I'm able to use neutron service with auth_strategy=noauth, but it is annoying to specify the tenant_id for each command and i would like to delegate the security mechanism to keystone as for the other OpenStack services.

dario-valocchi gravatar imagedario-valocchi ( 2013-11-29 10:53:30 -0600 )edit

Yes I agree with you. It is check whether those credentials work or not. You can try specify admin/admin and admin password in neutron.conf. --debug option is see what is really passed. Hope it is clear.

dheeru gravatar imagedheeru ( 2013-11-29 11:03:56 -0600 )edit

I'm really sorry, I don't get your last tip. I specified the admin username/tenant and password in the neutron.conf and restarted the neutron-server. I used the environement variable for the admin user and run neutron --debug net-list neutron --verbose net-list and I had back the same outputs reported in my edit.

dario-valocchi gravatar imagedario-valocchi ( 2013-11-29 11:15:39 -0600 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2013-11-28 06:57:21 -0600

Seen: 11,115 times

Last updated: Dec 02 '13