Ask Your Question
0

Magnum commands return ERROR: Not Authorized

asked 2016-07-10 16:15:41 -0500

appeno gravatar image

updated 2016-07-11 04:26:05 -0500

Magnum commands return "ERROR: Not Authorized"

I keep getting ERROR: Not Authorized[1] when executing any magnum command. It seems to fail some endpoint check after studying the trace-back.


There are no outputs from commands in mangum-api.log nor magnum-conductor.log.

There are some logging info in keystone.log[2] which I do not understand.


I have followed the official installation guide from http://docs.openstack.org/mitaka/install-guide-ubuntu/ (http://docs.openstack.org/mitaka/install-guide-ubuntu) when installing the openstack "base"

I have two nodes, controller and compute node containing (compute node only contains nova-compute):

  • Identity service
  • Image service (can store images)
  • Compute service (can deploy cirros instance and login to it)
  • Networking service (with LBaaS, not tested completely)
  • Dashboard
  • Block Storage service
  • Orchestration service (Stack deployment tested and working)
  • Telemetry service

I've tried installing magnum several times, both from git repository stable/mitaka and master following https://github.com/openstack/magnum/blob/master/doc/source/install-guide-from-source.rst (install-guide-from-source.rst). I've also tried to install it from trusty-updates/mitaka with apt-get install magnum-api magnum-conductor

I've configured /etc/magnum/magnum.conf[3] and tried many different documentation versions and sources including the one mentioned above.

/etc/heat/policy.json contains

   ...
   "stacks:global_index": "rule:context_is_admin",
   ...

admin-openrc:

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Everything seems to work fine except for magnum which dont want to authenticate or find endpoint or whatever it is...


[1] magnum command using debug:

magnum --debug service-list

DEBUG (extension:157) found extension EntryPoint.parse('v2token = keystoneauth1.loading._plugins.identity.v2:Token')
DEBUG (extension:157) found extension EntryPoint.parse('admin_token = keystoneauth1.loading._plugins.admin_token:AdminToken')
DEBUG (extension:157) found extension EntryPoint.parse('v3oidcauthcode = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAuthorizationCode')
DEBUG (extension:157) found extension EntryPoint.parse('v2password = keystoneauth1.loading._plugins.identity.v2:Password')
DEBUG (extension:157) found extension EntryPoint.parse('v3password = keystoneauth1.loading._plugins.identity.v3:Password')
DEBUG (extension:157) found extension EntryPoint.parse('v3oidcpassword = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectPassword')
DEBUG (extension:157) found extension EntryPoint.parse('token = keystoneauth1.loading._plugins.identity.generic:Token')
DEBUG (extension:157) found extension EntryPoint.parse('v3token = keystoneauth1.loading._plugins.identity.v3:Token')
DEBUG (extension:157) found extension EntryPoint.parse('password = keystoneauth1.loading._plugins.identity.generic:Password')
DEBUG (extension:157) found extension EntryPoint.parse('password-ceilometer-legacy = ceilometer.keystone_client:LegacyCeilometerKeystoneLoader')
DEBUG (session:248) REQ: curl -g -i -X GET http://controller:35357/v3 -H "Accept: application/json" -H "User-Agent: keystoneauth1/2.4.0 python-requests/2.9.1 CPython/2.7.6"
INFO (connectionpool:208) Starting new HTTP connection (1): controller
DEBUG (connectionpool:388) "GET /v3 HTTP/1.1" 200 250
DEBUG (session:277) RESP: [200] Content-Length: 250 Vary: X-Auth-Token Keep-Alive: timeout=5, max=100 Server: Apache/2.4.7 (Ubuntu) Connection: Keep-Alive Date: Sun, 10 Jul 2016 19:20:29 GMT x-openstack-request-id: req-c8b901cf-6215-4e0b-a618-860234814b18 Content-Type: application/json X-Distribution: Ubuntu 
RESP BODY: {"version": {"status": "stable", "updated": "2016-04-04T00:00:00Z", "media-types": [{"base": "application ...
(more)
edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
2

answered 2016-07-11 08:34:25 -0500

appeno gravatar image

updated 2016-07-11 09:04:14 -0500

After almost two days of debugging I finally solved the issue and it was not due to the amazingly confusing log outputs.. It's incredibly that you have to read source files to understand basic configuration errors...

I'm gonna put my solution here in case someone is having the same issue.

First error

First of all, look for these variables in /usr/lib/python2.7/dist-packages/magnumclient/v1/client.py (trace-back output from magnum command)

...
DEFAULT_API_VERSION = '1'
DEFAULT_ENDPOINT_TYPE = 'publicURL'
DEFAULT_SERVICE_TYPE = 'container'
...

Make sure you name your service type accordingly to DEFAULT_SERVICE_TYPE when you are creating the magnum service and endpoints. I had named my service type to container-infra according to the documentation I followed (apparently I followed wrong magnum version guide)


Second error

After that I ran into a keystone error that looked like this:

magnum-api.log

CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Identity server rejected authorization necessary to fetch token data
WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

keystone.log:

ERROR keystone.auth.controllers     raise exception.DomainNotFound(domain_id=domain_id)
ERROR keystone.auth.controllers DomainNotFound: Could not find domain: default
ERROR keystone.auth.controllers 
WARNING keystone.common.wsgi [req-162a1fb2-798d-4c75-85cb-f1921b5f786d - - - - -] Authorization failed. The request you have made requires authentication. from 10.10.0.11

This was solved by changing project_domain_id and user_domain_id to project_domain_name and user_domain_name under [keystone_authtoken] in /etc/magnum/magnum.conf:

[keystone_authtoken]
identity_uri = http://controller:35357
memcached_servers = controller:11211
auth_version = v3
auth_uri = http://controller:5000/v3
project_domain_name = default
project_name = service
user_domain_name = default
password = password
username = magnum
auth_url = http://controller:35357
auth_type = password

Edit 1: This question is solved but I lack points to mark it that way.

Edit 2: Forgot to mention that magnum was installed from apt-repository http://ubuntu-cloud.archive.canonical.com/ubuntu (http://ubuntu-cloud.archive.canonical...) with distribution trusty-updates/mitaka on Ubuntu Trusty 14.04.

edit flag offensive delete link more

Comments

Thanks a lot!!! I got the same error as you. The document has too many errors...

JackLin gravatar imageJackLin ( 2016-09-18 23:04:25 -0500 )edit

Thanks a lot... U saved me from debugging it.... Worked like a charm

Prateek K gravatar imagePrateek K ( 2016-12-21 02:57:41 -0500 )edit

About the second error it's applicable for openstack-magnum-api-3.1.1-1.el7 running on Centos 7 CentOS Linux release 7.3.1611.

rodrigocleme gravatar imagerodrigocleme ( 2017-02-10 15:21:26 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

Stats

Asked: 2016-07-10 16:15:41 -0500

Seen: 1,899 times

Last updated: Jul 11 '16