Magnum commands return ERROR: Not Authorized

I keep getting ERROR: Not Authorized[1] when executing any magnum command. After studying the traceback, it seems to fail some endpoint check.

There is no output from the commands in magnum-api.log or magnum-conductor.log.

There is some logging info in keystone.log[2] which I do not understand.


I have followed the official installation guide from http://docs.openstack.org/mitaka/install-guide-ubuntu when installing the OpenStack "base".

I have two nodes, a controller and a compute node, containing the following (the compute node only contains nova-compute):

  • Identity service
  • Image service (can store images)
  • Compute service (can deploy cirros instance and login to it)
  • Networking service (with LBaaS, not tested completely)
  • Dashboard
  • Block Storage service
  • Orchestration service (Stack deployment tested and working)
  • Telemetry service

I've tried installing magnum several times, both from the git repository (stable/mitaka and master) following install-guide-from-source.rst. I've also tried to install it from trusty-updates/mitaka with apt-get install magnum-api magnum-conductor.

I've configured /etc/magnum/magnum.conf[3] and tried many different documentation versions and sources including the one mentioned above.

/etc/heat/policy.json contains

   ...
   "stacks:global_index": "rule:context_is_admin",
   ...

admin-openrc:

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Everything seems to work fine except for magnum, which doesn't want to authenticate or find the endpoint or whatever it is...


[1] magnum command using debug:

magnum --debug service-list

DEBUG (extension:157) found extension EntryPoint.parse('v2token = keystoneauth1.loading._plugins.identity.v2:Token')
DEBUG (extension:157) found extension EntryPoint.parse('admin_token = keystoneauth1.loading._plugins.admin_token:AdminToken')
DEBUG (extension:157) found extension EntryPoint.parse('v3oidcauthcode = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAuthorizationCode')
DEBUG (extension:157) found extension EntryPoint.parse('v2password = keystoneauth1.loading._plugins.identity.v2:Password')
DEBUG (extension:157) found extension EntryPoint.parse('v3password = keystoneauth1.loading._plugins.identity.v3:Password')
DEBUG (extension:157) found extension EntryPoint.parse('v3oidcpassword = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectPassword')
DEBUG (extension:157) found extension EntryPoint.parse('token = keystoneauth1.loading._plugins.identity.generic:Token')
DEBUG (extension:157) found extension EntryPoint.parse('v3token = keystoneauth1.loading._plugins.identity.v3:Token')
DEBUG (extension:157) found extension EntryPoint.parse('password = keystoneauth1.loading._plugins.identity.generic:Password')
DEBUG (extension:157) found extension EntryPoint.parse('password-ceilometer-legacy = ceilometer.keystone_client:LegacyCeilometerKeystoneLoader')
DEBUG (session:248) REQ: curl -g -i -X GET http://controller:35357/v3 -H "Accept: application/json" -H "User-Agent: keystoneauth1/2.4.0 python-requests/2.9.1 CPython/2.7.6"
INFO (connectionpool:208) Starting new HTTP connection (1): controller
DEBUG (connectionpool:388) "GET /v3 HTTP/1.1" 200 250
DEBUG (session:277) RESP: [200] Content-Length: 250 Vary: X-Auth-Token Keep-Alive: timeout=5, max=100 Server: Apache/2.4.7 (Ubuntu) Connection: Keep-Alive Date: Sun, 10 Jul 2016 19:20:29 GMT x-openstack-request-id: req-c8b901cf-6215-4e0b-a618-860234814b18 Content-Type: application/json X-Distribution: Ubuntu 
RESP BODY: {"version": {"status": "stable", "updated": "2016-04-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.6", "links": [{"href": "http://controller:35357/v3/", "rel": "self"}]}}

DEBUG (base:165) Making authentication request to http://controller:35357/v3/auth/tokens
DEBUG (connectionpool:388) "POST /v3/auth/tokens HTTP/1.1" 401 114
DEBUG (session:466) Request returned failure status: 401
DEBUG (shell:629) Not Authorized
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/magnumclient/shell.py", line 626, in main
    OpenStackMagnumShell().main(map(encodeutils.safe_decode, sys.argv[1:]))
  File "/usr/lib/python2.7/dist-packages/magnumclient/shell.py", line 566, in main
    insecure=insecure)
  File "/usr/lib/python2.7/dist-packages/magnumclient/v1/client.py", line 101, in __init__
    raise RuntimeError("Not Authorized")
RuntimeError: Not Authorized
ERROR: Not Authorized

[2] /var/log/apache2/keystone.log:

 DEBUG keystone.middleware.auth [req-b6e4ca5d-056f-4ebf-ad92-8c2072da3d79 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:71
INFO keystone.common.wsgi [req-b6e4ca5d-056f-4ebf-ad92-8c2072da3d79 - - - - -] GET http://controller:35357/v3/
DEBUG keystone.middleware.auth [req-025f30a0-78ac-43ce-9bae-8809a94e4e4c - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:71
INFO keystone.common.wsgi [req-025f30a0-78ac-43ce-9bae-8809a94e4e4c - - - - -] POST http://controller:35357/v3/auth/tokens
DEBUG keystone.token.providers.common [req-025f30a0-78ac-43ce-9bae-8809a94e4e4c - - - - -] User 8287aab640be448fa5377db6b17ceb51 has no access to project e47de250d41c4bad96e90f7837a46358 _populate_roles /usr/lib/python2.7/dist-packages/keystone/token/providers/common.py:454
WARNING keystone.common.wsgi [req-025f30a0-78ac-43ce-9bae-8809a94e4e4c - - - - -] Authorization failed. The request you have made requires authentication. from 10.10.0.11

[3] /etc/magnum/magnum.conf:

[DEFAULT]
host = controller
debug = True
rpc_backend = rabbit

[api]
host = 10.10.0.11

[barbican_client]

[bay]

[bay_heat]

[baymodel]

[certificates]
cert_manager_type = local
storage_path = /var/lib/magnum/certificates/

[cinder_client]
region_name = RegionOne

[conductor]

[cors]

[cors.subdomain]

[database]
connection = mysql+pymysql://magnum:magnum@controller/magnum

[docker]

[docker_registry]

[glance_client]
region_name = RegionOne

[heat_client]
region_name = RegionOne

[keystone_auth]
memcached_servers = controller:11211
auth_version = v3
auth_uri = http://controller:5000/v3
project_domain_id = default
project_name = service
user_domain_id = default
password = magnum
username = magnum
auth_url = http://controller:35357
auth_type = password

[keystone_authtoken]
memcached_servers = controller:11211
auth_version = v3
auth_uri = http://controller:5000/v3
project_domain_id = default
project_name = service
user_domain_id = default
password = magnum
username = magnum
auth_url = http://controller:35357
auth_type = password

[magnum_client]
region_name = RegionOne
endpoint_type = http://controller:9511/v1

[matchmaker_redis]

[neutron_client]

[nova_client]

[oslo_concurrency]
lock_path = /var/lib/magnum/tmp

[oslo_messaging_amqp]

[oslo_messaging_notifications]
driver = messagingv2

[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = rabbit

[oslo_policy]

[trust]
trustee_domain_admin_id = efbaf894a3ae4d09b58e802b3b05d6a8
trustee_domain_id = 30fa971615a5483994e82b7d2dc3fc77
trustee_domain_admin_password = magnum_domain_admin

[x509]
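
In the keystone.log excerpt [2], the request id in square brackets ties the "Authorization failed" warning to the DEBUG line logged for the same token request. As an added example (not part of the original post, and not Keystone or Magnum code), the following Python groups keystone.log lines by request id and reports, for each failed request, whether a "has no access to project" message was logged for it. The sample lines are constructed in the format quoted above, and the function names and result fields are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the keystone.log format quoted in the post;
# the request ids, user id and project id below are made up.
SAMPLE_LOG = """\
INFO keystone.common.wsgi [req-11111111-aaaa-4bbb-8ccc-000000000001 - - - - -] GET http://controller:35357/v3/
INFO keystone.common.wsgi [req-11111111-aaaa-4bbb-8ccc-000000000002 - - - - -] POST http://controller:35357/v3/auth/tokens
DEBUG keystone.token.providers.common [req-11111111-aaaa-4bbb-8ccc-000000000002 - - - - -] User 0123456789abcdef0123456789abcdef has no access to project fedcba9876543210fedcba9876543210 _populate_roles /usr/lib/python2.7/dist-packages/keystone/token/providers/common.py:454
WARNING keystone.common.wsgi [req-11111111-aaaa-4bbb-8ccc-000000000002 - - - - -] Authorization failed. The request you have made requires authentication. from 10.10.0.11
INFO keystone.common.wsgi [req-11111111-aaaa-4bbb-8ccc-000000000003 - - - - -] POST http://controller:35357/v3/auth/tokens
WARNING keystone.common.wsgi [req-11111111-aaaa-4bbb-8ccc-000000000003 - - - - -] Authorization failed. The request you have made requires authentication. from 10.10.0.12
"""

LINE_RE = re.compile(
    r"^\s*(?P<level>[A-Z]+) (?P<logger>\S+) \[(?P<req>req-[0-9a-f-]+)[^\]]*\] (?P<msg>.*)$")
NO_ACCESS_RE = re.compile(
    r"User (?P<user>[0-9a-f]{32}) has no access to project (?P<project>[0-9a-f]{32})")
FAILED_RE = re.compile(r"Authorization failed\..* from (?P<src>\S+)$")

def first_match(pattern, messages):
    """Return the first regex match found in a list of messages, or None."""
    for msg in messages:
        m = pattern.search(msg)
        if m:
            return m
    return None

def explain_auth_failures(log_text):
    """For every request id with an 'Authorization failed' warning, report
    the client address and any 'has no access to project' cause line."""
    by_req = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_req[m.group("req")].append(m.group("msg"))
    findings = []
    for req, msgs in by_req.items():
        failed = first_match(FAILED_RE, msgs)
        if failed is None:
            continue  # request did not end in an authorization failure
        cause = first_match(NO_ACCESS_RE, msgs)
        findings.append({
            "request_id": req,
            "source": failed.group("src"),
            "reason": "no_role_on_project" if cause else "unknown",
            "user_id": cause.group("user") if cause else None,
            "project_id": cause.group("project") if cause else None,
        })
    return findings
```

Keystone only writes the DEBUG cause line when debug logging is enabled, so a result with reason "unknown" means no such line was logged for that request, not that the role assignment exists.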
