'Unable to authorize user' after 'keystone token-get'

I am trying to learn OpenStack, so I copied the PDF of the OpenStack Installation Guide for Ubuntu 12.04 (LTS) and I am following it.

This is a clean install of Ubuntu 12.04 (LTS) with two NICs (it is a KVM virtual machine).

I have encountered a problem in the Verify the Identity Service installation section - which can be found on page 16 of the pdf or the webpage http://docs.openstack.org/havana/install-guide/install/apt/content/keystone-verify.html

The command `keystone token-get` gives me a token. But I get the following result when I try to execute any keystone command:

    $ keystone user-list
    Unable to authorize user

If I set the token and endpoint using the commands

    $ export OS_SERVICE_TOKEN=ADMIN_TOKEN
    $ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

then I will be able to execute keystone commands:

    $ keystone user-role-list --tenant=admin --user=admin
    +----------------------------------+-------+----------------------------------+----------------------------------+
    |                id                |  name |             user_id              |            tenant_id             |
    +----------------------------------+-------+----------------------------------+----------------------------------+
    | a509ffa22e63484196efc36787c77319 | admin | e5f6a1887b3249ae98e74bcee149d168 | 68b8d961a0684a1aa9551b1117ffa35f |
    +----------------------------------+-------+----------------------------------+----------------------------------+

    $ keystone service-list
    +----------------------------------+----------+----------+---------------------------+
    |                id                |   name   |   type   |        description        |
    +----------------------------------+----------+----------+---------------------------+
    | 356e34759e654ee69b0da0d5f89ea977 | keystone | identify | Keystone Identify Service |
    +----------------------------------+----------+----------+---------------------------+

    david@controller:~$ keystone endpoint-list
    +----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
    |                id                |   region  |          publicurl          |         internalurl         |           adminurl           |            service_id            |
    +----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
    | 4f5e1eee19fb425a9737f754bb230b63 | regionOne | http://controller:5000/v2.0 | http://controller:5000/v2.0 | http://controller:35357/v2.0 | 356e34759e654ee69b0da0d5f89ea977 |
    +----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+

I am currently stuck and have no idea what to do, since I followed the manual 'word for word'. If anybody has encountered this problem before or has an idea, then I would appreciate the help.

Thanks.

Updated

Thanks to a response by rahmu, I am adding more information to help narrow down and pinpoint the problem.

I am/was using a file to export the necessary environment variables for the token-get command. Here is the output of the file:

    export OS_USERNAME=admin
    export OS_PASSWORD=admin_pass
    export OS_TENANT_NAME=admin
    export OS_AUTH_URL=http://controller:35357/v2.0

After looking at the policy.json file (pointed out by rahmu), I realise the token-get command needs to return ["is_admin:1"], as evident in the first line of the file: "admin_required": [["role:admin"], ["is_admin:1"]],

But I am getting ["is_admin:0"] when trying to get a token as shown below (while using --debug). Note: I truncated the token id to make it easier to read.

    $ keystone --debug user-list
    REQ: curl -i -X POST http://controller:35357/v2.0/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"
    REQ BODY: {"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin_pass"}}}

    RESP: [200] CaseInsensitiveDict({'date': 'Mon, 24 Feb 2014 02:20:28 GMT', 'vary': 'X-Auth-Token', 'content-length': '2354', 'content-type': 'application/json'})
    RESP BODY: {"access": {"token": {"issued_at": "2014-02-24T02:20:28.281249", "expires": "2014-02-25T02:20:28Z", "id": "MIIE ... eek", "tenant": {"description": "Admin Tenant", "enabled": true, "id": "68b8d961a0684a1aa9551b1117ffa35f", "name": "admin"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://controller:35357/v2.0", "region": "regionOne", "internalURL": "http://controller:5000/v2.0", "id": "0a5f3aa8623c402ea0df95d59192e51b", "publicURL": "http://controller:5000/v2.0"}], "endpoints_links": [], "type": "identify", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "e5f6a1887b3249ae98e74bcee149d168", "roles": [{"name": "admin"}], "name": "admin"}, "metadata": {"is_admin": 0, "roles": ["a509ffa22e63484196efc36787c77319"]}}}

    Unable to authorize user

One can see from the user-role-list command earlier in the post that the "roles": ["a509ffa22e63484196efc36787c77319"] that was returned from debugging is linked to tenant=admin and user=admin.

I get the same type of error if I create another tenant/user/password combination called demo. So this leads me to believe I am not linking my user/tenant to the admin role properly.

Hope the additional info helps. Any suggestions will help.
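
Added example, not part of the original post: it evaluates the `admin_required` rule against the credentials in the debug response above, reading the rule in policy.json's list-of-lists form (inner lists AND-ed, outer list OR-ed), and looks up the catalog entry a client would use for the Identity admin endpoint. The function names, the trimmed sample response, and the assumption that the endpoint is selected by catalog type `identity` (the type the install guide registers) are assumptions of this example.

```python
import json

# Constructed sample: the --debug response from the post, trimmed to the
# fields used here (token id elided as in the post).
TOKEN_RESPONSE = json.loads("""
{"access": {
  "token": {"id": "MIIE ... eek", "tenant": {"name": "admin"}},
  "serviceCatalog": [{"type": "identify", "name": "keystone", "endpoints": [
      {"adminURL": "http://controller:35357/v2.0", "region": "regionOne"}]}],
  "user": {"username": "admin", "roles": [{"name": "admin"}]},
  "metadata": {"is_admin": 0, "roles": ["a509ffa22e63484196efc36787c77319"]}}}
""")

# Rule quoted in the post, in policy.json's legacy list-of-lists form.
ADMIN_REQUIRED = [["role:admin"], ["is_admin:1"]]


def credentials_from(response):
    """Collect the values the rule's terms are matched against."""
    access = response["access"]
    return {"roles": [r["name"] for r in access["user"]["roles"]],
            "is_admin": access["metadata"].get("is_admin", 0)}


def term_matches(term, creds):
    """'role:x' tests role membership; 'key:value' compares a credential."""
    kind, _, match = term.partition(":")
    if kind == "role":
        return match.lower() in [r.lower() for r in creds["roles"]]
    return str(creds.get(kind)) == match


def rule_passes(rule, creds):
    """Inner lists are AND-ed together, the outer list is OR-ed."""
    return any(all(term_matches(t, creds) for t in group) for group in rule)


def admin_url(response, service_type="identity"):
    """adminURL of the first catalog entry with this type, else None."""
    for service in response["access"]["serviceCatalog"]:
        if service["type"] == service_type:
            return service["endpoints"][0]["adminURL"]
    return None


if __name__ == "__main__":
    creds = credentials_from(TOKEN_RESPONSE)
    print("admin_required passes:", rule_passes(ADMIN_REQUIRED, creds))
    print("catalog adminURL for type 'identity':", admin_url(TOKEN_RESPONSE))
```

On the sample, the rule passes through `role:admin` even though `is_admin` is 0, and no catalog entry has the type `identity`.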