
mariojmdavid's profile - activity

2016-03-02 10:31:30 -0600 answered a question kilo heat authorization failed

OK, I discovered what was wrong. I had to set in

[keystone_authtoken]
...
admin_tenant_name
admin_user
admin_password
...

in _all_ confs (glance, nova, neutron, etc.), though in the kilo install docs they don't say as much. AFAIU, it seems those are needed to delegate from the user to the heat_stack_admin guy.
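A check for the condition this answer describes, as an added example that is not part of the original post: it reports which of the three options are absent from [keystone_authtoken] in each service conf. The file names, hosts and values in SAMPLE_CONFS are constructed, and the function names are hypothetical.

```python
import configparser

# Options the answer says had to be set in [keystone_authtoken] of every conf.
REQUIRED_KEYS = ("admin_tenant_name", "admin_user", "admin_password")

# Constructed sample configs (file names and values are illustrative only).
SAMPLE_CONFS = {
    "glance-api.conf": """
[keystone_authtoken]
admin_tenant_name = service
admin_user = glance
admin_password = CONSTRUCTED
""",
    "nova.conf": """
[DEFAULT]
admin_password = set-in-the-wrong-section
[keystone_authtoken]
auth_uri = https://controller.example:5000
admin_tenant_name = service
admin_user = nova   # inline comment
""",
    "neutron.conf": """
[DEFAULT]
verbose = True
""",
}

def missing_authtoken_keys(conf_text):
    """Return the REQUIRED_KEYS that are absent or empty in [keystone_authtoken]."""
    parser = configparser.ConfigParser(
        interpolation=None,               # passwords may contain '%'
        strict=False,                     # tolerate repeated options
        allow_no_value=True,
        inline_comment_prefixes=("#",),
        default_section="__unused__",     # stop [DEFAULT] leaking into other sections
    )
    parser.read_string(conf_text)
    if not parser.has_section("keystone_authtoken"):
        return list(REQUIRED_KEYS)
    section = parser["keystone_authtoken"]
    return [k for k in REQUIRED_KEYS if not (section.get(k) or "").strip()]

def audit(confs):
    """Map conf name -> missing keys, listing only the confs that have gaps."""
    report = {name: missing_authtoken_keys(text) for name, text in confs.items()}
    return {name: gaps for name, gaps in report.items() if gaps}

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_CONFS).items():
        print(f"{name}: [keystone_authtoken] is missing {', '.join(gaps)}")
```

Python's configparser normally copies [DEFAULT] values into every section, which would hide a missing option; the `default_section` override makes the check see only what is literally under [keystone_authtoken].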

2016-02-29 12:18:40 -0600 asked a question kilo heat authorization failed

Hi all, first off I checked https://ask.openstack.org/en/question... and it did not solve the problem I will describe below.

I have kilo (with all latest updates) and keystone v3 up and running. I have followed http://docs.openstack.org/kilo/instal... to set up heat. I created the new domain, a domain admin with admin role, and also both the roles heat_stack_owner and heat_stack_user. I have given heat_stack_owner to my username in one of my projects.

Snippet of /etc/heat/heat.conf (if needed I will post more):

[DEFAULT]
...
deferred_auth_method = trusts
trusts_delegated_roles = heat_stack_owner
heat_metadata_server_url = https://nimbus.ncg.ingrid.pt:8000
heat_waitcondition_server_url = https://nimbus.ncg.ingrid.pt:8000/v1/waitcondition
region_name_for_services = regionOne    # this is correct it's not RegionOne
heat_stack_user_role = heat_stack_user

stack_user_domain_id=<The Domain ID>
stack_domain_admin=heat_domain_admin
stack_domain_admin_password=XXXX

[keystone_authtoken]
admin_tenant_name = service
admin_user = heat
admin_password = d132u90834cjkiqe
auth_uri = https://nimbus.ncg.ingrid.pt:5000/v2.0
identity_uri = https://nimbus.ncg.ingrid.pt:35357
cafile = /etc/certs/lipcaroot.pem

With my username on the project where I have the heat_stack_owner role, heat stack-list is successful (outputs an empty list of stacks), but

heat --debug stack-create -f test.yaml -P "ImageID=Ubuntu-14.04;NetID=070fb807-4813-4fb9-9970-991c6e68880d" testStack

... heatclient.exc.HTTPInternalServerError: ERROR: Authorization failed.

I have tried with other templates, with the same result.

Snippet of keystone.log (check the last line)

2016-02-29 17:37:34.676 24413 INFO keystone.common.wsgi [-] GET https://nimbus.ncg.ingrid.pt:5000/v3/auth/tokens
2016-02-29 17:37:34.676 24413 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:validate_token() _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:61
2016-02-29 17:37:34.676 24413 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:66
2016-02-29 17:37:34.886 24413 DEBUG keystone.policy.backends.rules [-] enforce identity:validate_token: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'7bdcd180282e414f8771425509c29bed', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=T0GBC77iQtq-TwoKS35m8Q, audit_chain_id=T0GBC77iQtq-TwoKS35m8Q) at 0x7fccdef98640>, 'project_id': u'70301c384cb6497b9b8164aaa4f30c32', 'trust_id': None} enforce /usr/lib/python2.7/site-packages/keystone/policy/backends/rules.py:76
2016-02-29 17:37:34.887 24413 DEBUG oslo_policy.openstack.common.fileutils [-] Reloading cached file /etc/keystone/policy.json read_cached_file /usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileutils.py:64
2016-02-29 17:37:34.891 24413 DEBUG oslo_policy.policy [-] Reloaded policy file: /etc/keystone/policy.json _load_policy_file /usr/lib/python2.7/site-packages/oslo_policy/policy.py:403
2016-02-29 17:37:34.891 24413 DEBUG keystone.common.controller [-] RBAC: Authorization granted inner /usr/lib/python2.7/site-packages/keystone/common/controller.py:161
2016-02-29 17:37:34.947 24410 INFO keystone.common.wsgi [-] OPTIONS http://nimbus.ncg.ingrid.pt/
2016-02-29 17:37:34.981 24412 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:223
2016-02-29 17:37:34.984 24412 INFO keystone.common.wsgi [-] POST https://nimbus.ncg.ingrid.pt:5000/v3/auth/tokens
2016-02-29 17:37:34.997 ...
2015-03-26 10:03:06 -0600 asked a question glance with identity v3 but self._session calls keystoneclient.auth.identity.v2

I have haproxy nodes on top of the controller nodes, https OpenStack endpoints SSL-terminated at the haproxy, CentOS 7, OpenStack Juno latest updates; in particular, relevant for what follows:

openstack-keystone-2014.2.2-1.el7.noarch
python-keystone-2014.2.2-1.el7.noarch
python-keystoneclient-0.11.1-1.el7.centos.noarch
python-keystonemiddleware-1.2.0-1.el7.centos.noarch

openstack-glance-2014.2.2-1.el7.noarch
python-glance-2014.2.2-1.el7.noarch
python-glanceclient-0.15.0-1.el7.centos.noarch
python-glance-store-0.1.10-2.el7.centos.noarch

Virtual IP is:  nimbus.ncg.ingrid.pt

client env variables
OS_AUTH_URL=https://nimbus.ncg.ingrid.pt:5000/v3
OS_CACERT=lipca.pem
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=XXXX
OS_PROJECT_DOMAIN_NAME=default
OS_PROJECT_NAME=admin
OS_TENANT_NAME=admin
OS_URL=https://nimbus.ncg.ingrid.pt:35357/v3
OS_USER_DOMAIN_NAME=default
OS_USERNAME=admin

keystone.conf contains
...
admin_endpoint = https://nimbus.ncg.ingrid.pt:35357
public_endpoint = https://nimbus.ncg.ingrid.pt:5000
...

glance-api.conf contains
...
[keystone_authtoken]
auth_uri=https://nimbus.ncg.ingrid.pt:5000/v3
identity_uri=https://nimbus.ncg.ingrid.pt:35357
auth_version=v3
admin_tenant_name=service
admin_user=glance
admin_password=XXX
...

openstack user list (or service, project, endpoint ...) works as expected.

Relevant endpoints

| Service Name | Service Type | Enabled | Interface | URL |
| glance | image | True | admin | https://nimbus.ncg.ingrid.pt:9292 |
| glance | image | True | public | https://nimbus.ncg.ingrid.pt:9292 |
| keystone | identity | True | public | https://nimbus.ncg.ingrid.pt:5000/v3 |
| keystone | identity | True | admin | https://nimbus.ncg.ingrid.pt:35357/v3 |

openstack --debug image list gives

....
DEBUG: keystoneclient.auth.identity.v3 Making authentication request to https://nimbus.ncg.ingrid.pt:5000/v3/...
DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 4293
DEBUG: requests.packages.urllib3.connectionpool "GET /v1/AUTH_2317a44519e04f2d9d898282f8b4ee96?format=json HTTP/1.1" 401 131
DEBUG: keystoneclient.session RESP:
DEBUG: keystoneclient.session Request returned failure status: 401
ERROR: openstack Unauthorized (HTTP 401)
.....

So the first 2 lines give the correct result, but after that

relevant entries in /var/log/glance/api.log

...
2015-03-26 10:00:58.968 29541 DEBUG glance.api.middleware.version_negotiation [-] new path /v1/images/detail process_request /usr/lib/python2.7/site-packages/glance/api/middleware/version_negotiation.py:70
2015-03-26 10:00:58.969 29541 DEBUG keystonemiddleware.auth_token [-] Removing headers from request environment: X-Service-Catalog .... X-Tenant _remove_auth_headers /usr/lib/python2.7/site-packages/keystonemiddleware/auth_token.py:780
2015-03-26 10:00:58.969 29541 DEBUG keystonemiddleware.auth_token [-] Authenticating user token __call__ /usr/lib/python2.7/site-packages/keystonemiddleware/auth_token.py:708
2015-03-26 10:00:58.970 29541 INFO keystonemiddleware.auth_token [-] Auth Token proceeding with requested v3 apis
2015-03-26 10:00:58.971 29541 DEBUG keystoneclient.auth.identity.v2 [-] Making authentication request to https://nimbus.ncg.ingrid.pt:35357/v2.0/tokens get_auth_ref /usr/lib/python2.7/site-packages/keystoneclient/auth/identity/v2.py:77
2015-03-26 10:00:58.982 29541 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): nimbus.ncg.ingrid.pt
2015-03-26 10:00:59.011 29541 WARNING keystonemiddleware.auth_token [-] Retrying on HTTP connection exception: SSL exception connecting to https://nimbus.ncg.ingrid.pt:35357/v2.0/tokens
2015-03-26 10:00:59.511 29541 DEBUG keystoneclient.auth.identity.v2 [-] Making authentication request to https://nimbus.ncg.ingrid ...