Ask Your Question
0

neutron auth failure

asked 2015-10-21 19:05:39 -0600

hansyin gravatar image

Hi, I'm setting up neutron in my lab, but I always get "authentication reuqired" error. from my controller or networker, I got: user1@compute2:~$ neutron ext-list Authentication required

from controller /var/log/keystone/admin.log, I can see: 2015-10-21 16:34:08.297 24046 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/dist-packages/keystone/middleware/core.py:229

Then I did sniffer for the traffic, I can see first connection heading to 35357, request and get token. the second connection heading to 9696 port with CORRECT X-Auth-Token, but controller responded with "401 unauthorized". This confuses me very much: if there is X-Auth-Token, how comes keystone/admin.log complains "Auth token not in the request header"? 

 GET /v2.0/extensions.json HTTP/1.1

Host: controller:9696

Connection: keep-alive

User-Agent: python-neutronclient

Accept-Encoding: gzip, deflate

Accept: application/json

X-Auth-Token: c95490f94eea4d2da5211aab0895e2cb



HTTP/1.1 401 Unauthorized

Www-Authenticate: Keystone uri='http://controller:35357'

Content-Type: text/plain

X-Openstack-Request-Id: req-03787e91-e308-46ae-b2af-8be6fafb69db

Content-Length: 23

Date: Wed, 21 Oct 2015 23:34:08 GMT

Connection: keep-alive



Authentication required

I can do "keystone user-list", nova service-list" without problem. where should I check for next step? Thanks!!!

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2015-10-22 12:53:16 -0600

hansyin gravatar image

Further test:

Change neutron.conf to use :auth_strategy = noauth. Then problem disappear. Change it back, problem comes back. So I think problem should be in neutron, then check /var/log/neutron/neutron-server.log, I found neutron is complaing "Authorization failed for token". 

2015-10-22 10:24:12.496 7692 INFO neutron.wsgi [-] (7692) accepted ('172.18.7.173', 43217)
2015-10-22 10:24:12.499 7692 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
2015-10-22 10:24:12.500 7692 INFO neutron.wsgi [-] 172.18.7.173 - - [22/Oct/2015 10:24:12] "GET /v2.0/extensions.json HTTP/1.1" 401 283 0.002160
2015-10-22 10:24:12.649 7692 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
2015-10-22 10:24:12.650 7692 INFO neutron.wsgi [-] 172.18.7.173 - - [22/Oct/2015 10:24:12] "GET /v2.0/extensions.json HTTP/1.1" 401 283 0.002272

I guess this caused keystone/admin.log give that confusing error: "Auth token not in the request header"

Then I confirm the problem should be in neutron-server side, I already turn on debug by adding "debug=True, verbose=True". but it did not give any more info. I hope I can see what sent to neutron-server and neutron-server complain what's wrong. Anywhere I can improve debug log level?

Finally I go back to go through the neutron.conf. In [default], I specified "auth=keystone", then go to [keystone_authtoken] , I found I have a bad typo:

auth_uri = http://controller:5000/v2.0
auth_uri = http://controller:35357

The second line should be auth_url. After changing to correct one, problem go away immediately. Here is correct neutron-server.log:

2015-10-22 10:33:29.145 7854 INFO neutron.wsgi [-] (7854) accepted ('172.18.7.174', 41474)
2015-10-22 10:33:29.148 7854 DEBUG keystoneclient.session [-] REQ: curl -g -i -X GET http://controller:35357 -H "Accept: application/json" -H "User-Agent: python-keystoneclient" _http_log_request /usr/lib/python2.7/dist-packages/keystoneclient/session.py:195
2015-10-22 10:33:29.192 7854 DEBUG keystoneclient.session [-] RESP: [300] content-length: 591 vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Thu, 22 Oct 2015 17:33:29 GMT content-type: application/json x-distribution: Ubuntu 
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://controller:35357/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://controller:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}

I'm wondering how can this be improved to make debug easier.

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2015-10-21 19:05:39 -0600

Seen: 2,276 times

Last updated: Oct 22 '15

Related questions

why does nova have so many tokens?

What are endpoints?

Neutron - Expecting to find id or name in user

Authorization failed for token between keystone and neutron

'ExtensionManager' object does not support item assignment

conflict occurred attempting to store project

quantum admin plugin for horizon

Register Designate with Keystone

lbaas-agent high availablity

How do I solve error NotAuthenticated when trying to upload image to Glance