Ask Your Question
0

neutron auth failure

asked 2015-10-21 19:05:39 -0500

hansyin gravatar image

Hi, I'm setting up neutron in my lab, but I always get "authentication reuqired" error. from my controller or networker, I got: user1@compute2:~$ neutron ext-list Authentication required

from controller /var/log/keystone/admin.log, I can see: 2015-10-21 16:34:08.297 24046 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/dist-packages/keystone/middleware/core.py:229

Then I did sniffer for the traffic, I can see first connection heading to 35357, request and get token. the second connection heading to 9696 port with CORRECT X-Auth-Token, but controller responded with "401 unauthorized". This confuses me very much: if there is X-Auth-Token, how comes keystone/admin.log complains "Auth token not in the request header"? 

 GET /v2.0/extensions.json HTTP/1.1

Host: controller:9696

Connection: keep-alive

User-Agent: python-neutronclient

Accept-Encoding: gzip, deflate

Accept: application/json

X-Auth-Token: c95490f94eea4d2da5211aab0895e2cb



HTTP/1.1 401 Unauthorized

Www-Authenticate: Keystone uri='http://controller:35357'

Content-Type: text/plain

X-Openstack-Request-Id: req-03787e91-e308-46ae-b2af-8be6fafb69db

Content-Length: 23

Date: Wed, 21 Oct 2015 23:34:08 GMT

Connection: keep-alive



Authentication required

I can do "keystone user-list", nova service-list" without problem. where should I check for next step? Thanks!!!

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2015-10-22 12:53:16 -0500

hansyin gravatar image

Further test:

Change neutron.conf to use :auth_strategy = noauth. Then problem disappear. Change it back, problem comes back. So I think problem should be in neutron, then check /var/log/neutron/neutron-server.log, I found neutron is complaing "Authorization failed for token". 

2015-10-22 10:24:12.496 7692 INFO neutron.wsgi [-] (7692) accepted ('172.18.7.173', 43217)
2015-10-22 10:24:12.499 7692 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
2015-10-22 10:24:12.500 7692 INFO neutron.wsgi [-] 172.18.7.173 - - [22/Oct/2015 10:24:12] "GET /v2.0/extensions.json HTTP/1.1" 401 283 0.002160
2015-10-22 10:24:12.649 7692 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
2015-10-22 10:24:12.650 7692 INFO neutron.wsgi [-] 172.18.7.173 - - [22/Oct/2015 10:24:12] "GET /v2.0/extensions.json HTTP/1.1" 401 283 0.002272

I guess this caused keystone/admin.log give that confusing error: "Auth token not in the request header"

Then I confirm the problem should be in neutron-server side, I already turn on debug by adding "debug=True, verbose=True". but it did not give any more info. I hope I can see what sent to neutron-server and neutron-server complain what's wrong. Anywhere I can improve debug log level?

Finally I go back to go through the neutron.conf. In [default], I specified "auth=keystone", then go to [keystone_authtoken] , I found I have a bad typo:

auth_uri = http://controller:5000/v2.0
auth_uri = http://controller:35357

The second line should be auth_url. After changing to correct one, problem go away immediately. Here is correct neutron-server.log:

2015-10-22 10:33:29.145 7854 INFO neutron.wsgi [-] (7854) accepted ('172.18.7.174', 41474)
2015-10-22 10:33:29.148 7854 DEBUG keystoneclient.session [-] REQ: curl -g -i -X GET http://controller:35357 -H "Accept: application/json" -H "User-Agent: python-keystoneclient" _http_log_request /usr/lib/python2.7/dist-packages/keystoneclient/session.py:195
2015-10-22 10:33:29.192 7854 DEBUG keystoneclient.session [-] RESP: [300] content-length: 591 vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Thu, 22 Oct 2015 17:33:29 GMT content-type: application/json x-distribution: Ubuntu 
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://controller:35357/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://controller:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}

I'm wondering how can this be improved to make debug easier.

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2015-10-21 19:05:39 -0500

Seen: 2,220 times

Last updated: Oct 22 '15

Related questions

How to control service provide to user

Openstack global vs. project roles: What do they mean?

Router External Gateway DOWN

Cause for strange network config?

Keystone configuration error: Client configured to run without a service

Keystone problem

Unable to create a tenant for an administrative user. Please help me [closed]

glance-api resource not found

Openstack dashboard login error

cannot ping 203.0.113.101 icehouse