Revision history [back]

click to hide/show revision 1
initial version

Can't connect to OpenStack Python SDK

Hi, I try to code a Python script that can create/delete VM in my OpenStack cloud. Following the doc, I made this:

#!/usr/bin/env python

from os import environ
from novaclient.client import Client

def get_nova_credentials_v2():
    d = {}
    d['version'] = '2'
    d['username'] = environ['OS_USERNAME']
    d['password'] = environ['OS_PASSWORD']
    d['auth_url'] = environ['OS_AUTH_URL']
    d['project_id'] = environ['OS_TENANT_NAME']
    return d

credentials = get_nova_credentials_v2()
nova_client = Client(**credentials)

print(nova_client.servers.list())

Before running the code, i source the following openrc file that was created by DevStack:

#!/usr/bin/env bash
#
# source openrc [username] [projectname]
#
# Configure a set of credentials for $PROJECT/$USERNAME:
#   Set OS_PROJECT_NAME to override the default project 'demo'
#   Set OS_USERNAME to override the default user name 'demo'
#   Set ADMIN_PASSWORD to set the password for 'admin' and 'demo'

# NOTE: support for the old NOVA_* novaclient environment variables has
# been removed.

if [[ -n "$1" ]]; then
    OS_USERNAME=$1
fi
if [[ -n "$2" ]]; then
    OS_PROJECT_NAME=$2
fi

# Find the other rc files
RC_DIR=$(cd $(dirname "${BASH_SOURCE:-$0}") && pwd)

# Import common functions
source $RC_DIR/functions

# Load local configuration
source $RC_DIR/stackrc

# Load the last env variables if available
if [[ -r $RC_DIR/.stackenv ]]; then
    source $RC_DIR/.stackenv
fi

# Get some necessary configuration
source $RC_DIR/lib/tls

# The OpenStack ecosystem has standardized the term **project** as the
# entity that owns resources.  In some places **tenant** remains
# referenced, but in all cases this just means **project**.  We will
# warn if we need to turn on legacy **tenant** support to have a
# working environment.
export OS_PROJECT_NAME=${OS_PROJECT_NAME:-demo}

echo "WARNING: setting legacy OS_TENANT_NAME to support cli tools."
export OS_TENANT_NAME=$OS_PROJECT_NAME

# In addition to the owning entity (project), nova stores the entity performing
# the action as the **user**.
export OS_USERNAME=${OS_USERNAME:-demo}

# With Keystone you pass the keystone password instead of an api key.
# Recent versions of novaclient use OS_PASSWORD instead of NOVA_API_KEYs
# or NOVA_PASSWORD.
export OS_PASSWORD=${ADMIN_PASSWORD:-secret}

# Region
export OS_REGION_NAME=${REGION_NAME:-RegionOne}

# Set the host API endpoint. This will default to HOST_IP if SERVICE_IP_VERSION
# is 4, else HOST_IPV6 if it's 6. SERVICE_HOST may also be used to specify the
# endpoint, which is convenient for some localrc configurations. Additionally,
# some exercises call Glance directly. On a single-node installation, Glance
# should be listening on a local IP address, depending on the setting of
# SERVICE_IP_VERSION. If its running elsewhere, it can be set here.
if [[ $SERVICE_IP_VERSION == 6 ]]; then
    HOST_IPV6=${HOST_IPV6:-::1}
    SERVICE_HOST=${SERVICE_HOST:-[$HOST_IPV6]}
    GLANCE_HOST=${GLANCE_HOST:-[$HOST_IPV6]}
else
    HOST_IP=${HOST_IP:-127.0.0.1}
    SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}
    GLANCE_HOST=${GLANCE_HOST:-$HOST_IP}
fi

# Identity API version
export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}

# Ask keystoneauth1 to use keystone
export OS_AUTH_TYPE=password

# Authenticating against an OpenStack cloud using Keystone returns a **Token**
# and **Service Catalog**.  The catalog contains the endpoints for all services
# the user/project has access to - including nova, glance, keystone, swift, ...
# We currently recommend using the version 3 *identity api*.
#

# If you don't have a working .stackenv, this is the backup position
KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST:5000
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_URI:-$KEYSTONE_BACKUP}

export OS_AUTH_URL=${OS_AUTH_URL:-$KEYSTONE_AUTH_URI}

# Currently, in order to use openstackclient with Identity API v3,
# we need to set the domain which the user and project belong to.
if [ "$OS_IDENTITY_API_VERSION" = "3" ]; then
    export OS_USER_DOMAIN_ID=${OS_USER_DOMAIN_ID:-"default"}
    export OS_PROJECT_DOMAIN_ID=${OS_PROJECT_DOMAIN_ID:-"default"}
fi

# Set OS_CACERT to a default CA certificate chain if it exists.
if [[ ! -v OS_CACERT ]] ; then
    DEFAULT_OS_CACERT=$INT_CA_DIR/ca-chain.pem
    # If the file does not exist, this may confuse preflight sanity checks
    if [ -e $DEFAULT_OS_CACERT ] ; then
        export OS_CACERT=$DEFAULT_OS_CACERT
    fi
fi

# Currently cinderclient needs you to specify the *volume api* version. This
# needs to match the config of your catalog returned by Keystone.
export CINDER_VERSION=${CINDER_VERSION:-3}
export OS_VOLUME_API_VERSION=${OS_VOLUME_API_VERSION:-$CINDER_VERSION}

However, then I run my code, I have the following error:

Traceback (most recent call last):
  File "test.py", line 18, in <module>
    print(nova_client.servers.list())
  File "/usr/local/lib/python2.7/dist-packages/novaclient/v2/servers.py", line 854, in list
    "servers")
  File "/usr/local/lib/python2.7/dist-packages/novaclient/base.py", line 257, in _list
    resp, body = self.api.client.get(url)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 304, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/novaclient/client.py", line 77, in request
    **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 463, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 189, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 673, in request
    auth_headers = self.get_auth_headers(auth)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 1035, in get_auth_headers
    return auth.get_headers(self, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/plugin.py", line 95, in get_headers
    token = self.get_token(session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 88, in get_token
    return self.get_access(session).auth_token
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 134, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/generic/base.py", line 208, in get_auth_ref
    return self._plugin.get_auth_ref(session, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/v3/base.py", line 178, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 983, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 857, in request
    raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-d8b457e5-c56f-4ebe-9b3c-23c2942aa570)

I do it on a branch new DevStack single node install, any ID what am I doing wrong ? Thank you in advance.