# Revision history [back]

### 'Unable to authorize user' after 'keystone token-get'

I am trying to learn Openstack so copied the pdf of OpenStack Installation Guide for Ubuntu 12.04 (LTS) and I am following it.

This is a clean install of Ubuntu 12.04 (LTS) with two nics (it is a KVM virtual machine).

I have encountered a problem in the Verify the Identity Service installation section - which can be found on page 16 of the pdf or the webpage http://docs.openstack.org/havana/install-guide/install/apt/content/keystone-verify.html

The command $keystone token-get gives me a token. But I get the following result when I try to execute any keystone command $ keystone user-list
Unable to authorize user


If I set the token and endpoint using the commands

$export OS_SERVICE_TOKEN=ADMIN_TOKEN$ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0


Then i will be able to execute keystone commands

$keystone user-role-list --tenant=admin --user=admin +----------------------------------+-------+----------------------------------+----------------------------------+ | id | name | user_id | tenant_id | +----------------------------------+-------+----------------------------------+----------------------------------+ | a509ffa22e63484196efc36787c77319 | admin | e5f6a1887b3249ae98e74bcee149d168 | 68b8d961a0684a1aa9551b1117ffa35f | +----------------------------------+-------+----------------------------------+----------------------------------+$ keystone service-list
+----------------------------------+----------+----------+---------------------------+
|                id                |   name   |   type   |        description        |
+----------------------------------+----------+----------+---------------------------+
| 356e34759e654ee69b0da0d5f89ea977 | keystone | identify | Keystone Identify Service |
+----------------------------------+----------+----------+---------------------------+

david@controller:~$keystone endpoint-list +----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+ | id | region | publicurl | internalurl | adminurl | service_id | +----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+ | 4f5e1eee19fb425a9737f754bb230b63 | regionOne | http://controller:5000/v2.0 | http://controller:5000/v2.0 | http://controller:35357/v2.0 | 356e34759e654ee69b0da0d5f89ea977 | +----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+  I am currently stuck and have no idea what to do since I followed the manual 'word for word'. If anybody has encountered this problem before or have an idea then I would appreciate the help. Thanks. ### 'Unable to authorize user' after 'keystone token-get' I am trying to learn Openstack so copied the pdf of OpenStack Installation Guide for Ubuntu 12.04 (LTS) and I am following it. This is a clean install of Ubuntu 12.04 (LTS) with two nics (it is a KVM virtual machine). I have encountered a problem in the Verify the Identity Service installation section - which can be found on page 16 of the pdf or the webpage http://docs.openstack.org/havana/install-guide/install/apt/content/keystone-verify.html The command $ keystone token-get gives me a token. But I get the following result when I try to execute any keystone command

$keystone user-list Unable to authorize user  If I set the token and endpoint using the commands $ export OS_SERVICE_TOKEN=ADMIN_TOKEN
$export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0  Then i will be able to execute keystone commands $ keystone user-role-list --tenant=admin --user=admin
+----------------------------------+-------+----------------------------------+----------------------------------+
|                id                |  name |             user_id              |            tenant_id             |
+----------------------------------+-------+----------------------------------+----------------------------------+
| a509ffa22e63484196efc36787c77319 | admin | e5f6a1887b3249ae98e74bcee149d168 | 68b8d961a0684a1aa9551b1117ffa35f |
+----------------------------------+-------+----------------------------------+----------------------------------+

$keystone service-list +----------------------------------+----------+----------+---------------------------+ | id | name | type | description | +----------------------------------+----------+----------+---------------------------+ | 356e34759e654ee69b0da0d5f89ea977 | keystone | identify | Keystone Identify Service | +----------------------------------+----------+----------+---------------------------+ david@controller:~$ keystone endpoint-list
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
|                id                |   region  |          publicurl          |         internalurl         |           adminurl           |            service_id            |
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+
| 4f5e1eee19fb425a9737f754bb230b63 | regionOne | http://controller:5000/v2.0 | http://controller:5000/v2.0 | http://controller:35357/v2.0 | 356e34759e654ee69b0da0d5f89ea977 |
+----------------------------------+-----------+-----------------------------+-----------------------------+------------------------------+----------------------------------+


I am currently stuck and have no idea what to do since I followed the manual 'word for word'. If anybody has encountered this problem before or have an idea then I would appreciate the help.

Thanks.

Updated

Thanks to a response by rahmu, I am adding more information to help narrow down and pinpoint the problem.

I am/was using a file to export the necessary environment variables for the token-get command. Here the output of the file

export OS_USERNAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0


After looking at the policy.json file (pointed out by rahmu), I realise the token-get command need to return ["is_admin:1"] as evident in the first line of the file "admin_required": [["role:admin"], ["is_admin:1"]],

But I am getting ["is_admin:0"] when trying to get a token as shown below (while using --debug). Note: I truncated the token id to make it easier to read.

\$ keystone --debug user-list
REQ: curl -i -X POST http://controller:35357/v2.0/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"