Ask Your Question

Unable to authentiate through keystone [closed]

asked 2015-12-22 08:06:24 -0600

Pradip gravatar image


I am trying to setup a cinder volume service to be authenticated using keystone running on another vm. I am facing the issue of non-authentication as follows:

stack@openstack4:~/devstack$ cinder --os-username cinder --os-password password --os-tenant-name service list
ERROR: Unauthorized (HTTP 401)

This is the steps followed:

A. In the vm where Keystone is running:

1. keystone user-create --name=cinder --pass=password  --tenant service
2. keystone user-role-add --user=cinder --tenant=service --role=admin
3. keystone service-create --name=cinder --type=volume --description="OpenStack Block Storage"
4. keystone endpoint-create --service cinder --publicurl\(tenant_id\)s  --internalurl\(tenant_id\)s --adminurl\(tenant_id\)s
5. keystone service-create --name=cinderv2 --type=volumev2 --description="OpenStack Block Storage v2"
6. keystone endpoint-create --service cinderv2 --publicurl\(tenant_id\)s  --internalurl\(tenant_id\)s --adminurl\(tenant_id\)s

B. In the vm where Cinder is running:

  1. Changes in the cinder.conf
signing_dir = /var/cache/cinder
cafile = /opt/stack/data/ca-bundle.pem
auth_uri =
project_domain_id = default
project_name = service
user_domain_id = default
password = password
username = cinder
auth_url =
auth_plugin = password
  1. Restart all the cinder services.

Can anyone please point me what thing I am missing here?

Thanks, Pradip

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by Pradip
close date 2015-12-23 01:07:59.982669

2 answers

Sort by ยป oldest newest most voted

answered 2015-12-22 09:19:24 -0600

Lili Zhang gravatar image

I guess you missed the parameter --os-auth-url when calling cinder API. As shown in this documentation, auth_url needs to be passed along with username, password, and tenant name, when calling cinder API, which is the same for calling other APIs in OpenStack. To see how to set --os-auth-url, check its command line reference.

Hope this is helpful.

edit flag offensive delete link more


I tried this, however seeing an error:

cinder --os-username cinder --os-password password --os-tenant-name service --os-auth-url list
ERROR: publicURL endpoint for volumev2 service in RegionOne region not found
Pradip gravatar imagePradip ( 2015-12-22 10:28:42 -0600 )edit
  1. Check wether service_id of the endpoint really matches the id of the service it serves, and also the region.
  2. Delete current cinder services and endpoints, and recreate following step 7 and 8 here.
Lili Zhang gravatar imageLili Zhang ( 2015-12-22 20:50:39 -0600 )edit

Thanks a lot! It worked!. I think the "regionOne" was the problem. I deleted all the endpoints and created with "--region RegionOne" - it works well.

Pradip gravatar imagePradip ( 2015-12-23 00:59:18 -0600 )edit

answered 2015-12-23 01:04:34 -0600

Pradip gravatar image

What Lili Zhang replied is perfect. Here's the steps I followed and it worked (documenting for future reference):

1. Check if a tenant of name 'service' is there by keystone tenant-list
2. keystone user-create --name=cinder --pass=password --tenant service
3. keystone user-role-add --user=cinder --tenant=service --role=admin
4. keystone service-create --name=cinder --type=volume --description="OpenStack Block Storage"
5. keystone endpoint-create --service cinder --publicurl\(tenant_id\)s  --internalurl\(tenant_id\)s --adminurl\(tenant_id\)s --region RegionOne
6. keystone service-create --name=cinderv2 --type=volumev2 --description="OpenStack Block Storage v2"
7. keystone endpoint-create --service cinderv2 --publicurl\(tenant_id\)s  --internalurl\(tenant_id\)s --adminurl\(tenant_id\)s --region RegionOne
8. Now change in the /etc/cinder/cinder.conf in the VM where cinder is running:
     a. Change the keystone_authtoken section the following two: auth_uri and auth_url to point to keystone
     b. Change the oslo_messaging_rabbit section with the rabbit_userid, rabbit_password and rabbit_hosts. 
        [The rabbit_userid, rabbit_password can be retrieved from Keystone VM's local.conf and inspecting vi /var/log/rabbitmq/startup_log]
9. Stop the keystone services in the VM where cinder is installed
10. Restart all the cinder services (c-api, c-sch, c-vol)
11. cinder --os-username cinder --os-password password --os-tenant-name service --os-auth-url list
(0r) 10. export OS_USERNAME=cinder ; export OS_PASSWORD=password ; export OS_AUTH_URL= ; export OS_TENANT_NAME=service ; <cinder cli="">
[refer to: ;
 refer to :]
edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-12-22 08:06:24 -0600

Seen: 680 times

Last updated: Dec 23 '15