[openstack-dev] Keystone Authorization Failed: Forbidden (HTTP 403)
Dolph Mathews
dolph.mathews at gmail.com
Wed Apr 27 11:25:37 UTC 2016
Depending on which release of keystone you're running, try enabling either
insecure_debug (more recent releases) or debug (older releases) to true in
keystone.conf to get more detailed error messages from keystone.
https://github.com/openstack/keystone/blob/3c4fe622ac5da00b04ccc8bc4e207a2e9ab0f863/etc/keystone.conf.sample#L87-L91
That said, your configuration looks entirely correct to me, so I'm curious
what the outcome is here. The only other red flag I see is that you
mentioned a "2 node OpenStack cluster", and I'm not sure what that means in
this context, exactly. How are the 2 nodes utilized?
On Wed, Apr 27, 2016 at 5:43 AM, Dhvanan Shah <dhvanan at gmail.com> wrote:
> keystone --debug user-list gives this:
>
> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
> DeprecationWarning: The keystone CLI is deprecated in favor of
> python-openstackclient. For a Python library, continue using
> python-keystoneclient.
> 'python-keystoneclient.', DeprecationWarning)
> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
> http://10.16.37.221:5000/v2.0/tokens
> INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection
> (1): proxy.serc.iisc.ernet.in
> DEBUG:requests.packages.urllib3.connectionpool:"POST
> http://10.16.37.221:5000/v2.0/tokens HTTP/1.1" 403 3370
> DEBUG:keystoneclient.session:Request returned failure status: 403
> Authorization Failed: Forbidden (HTTP 403)
>
> nova --debug user list gives this:
>
> DEBUG (session:195) REQ: curl -g -i -X GET http://10.16.37.221:5000/v2.0
> -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
> INFO (connectionpool:203) Starting new HTTP connection (1):
> proxy.serc.iisc.ernet.in
> DEBUG (connectionpool:383) "GET http://10.16.37.221:5000/v2.0 HTTP/1.1"
> 403 3275
> DEBUG (session:224) RESP:
> DEBUG (session:396) Request returned failure status: 403
> WARNING (base:133) Discovering versions from the identity service failed
> when creating the password plugin. Attempting to determine version from URL.
> DEBUG (v2:76) Making authentication request to
> http://10.16.37.221:5000/v2.0/tokens
> DEBUG (connectionpool:383) "POST http://10.16.37.221:5000/v2.0/tokens
> HTTP/1.1" 403 3370
> DEBUG (session:396) Request returned failure status: 403
> DEBUG (shell:914) Forbidden (HTTP 403)
> Forbidden: Forbidden (HTTP 403)
> ERROR (Forbidden): Forbidden (HTTP 403)
>
>
>
> On Wed, Apr 27, 2016 at 3:12 PM, Dhvanan Shah <dhvanan at gmail.com> wrote:
>
>> On running openstack-status this is what I get (all the services are
>> running, so not included that here)
>>
>> == Keystone users ==
>> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
>> DeprecationWarning: The keystone CLI is deprecated in favor of
>> python-openstackclient. For a Python library, continue using
>> python-keystoneclient.
>> 'python-keystoneclient.', DeprecationWarning)
>> Authorization Failed: Forbidden (HTTP 403)
>> == Glance images ==
>> Forbidden (HTTP 403)
>> == Nova managed services ==
>> No handlers could be found for logger
>> "keystoneclient.auth.identity.generic.base"
>> ERROR (Forbidden): Forbidden (HTTP 403)
>> == Nova networks ==
>> No handlers could be found for logger
>> "keystoneclient.auth.identity.generic.base"
>> ERROR (Forbidden): Forbidden (HTTP 403)
>> == Nova instance flavors ==
>> No handlers could be found for logger
>> "keystoneclient.auth.identity.generic.base"
>> ERROR (Forbidden): Forbidden (HTTP 403)
>> == Nova instances ==
>> No handlers could be found for logger
>> "keystoneclient.auth.identity.generic.base"
>> ERROR (Forbidden): Forbidden (HTTP 403)
>>
>>
>> On Wed, Apr 27, 2016 at 3:09 PM, Dhvanan Shah <dhvanan at gmail.com> wrote:
>>
>>> Hi Jens,
>>>
>>> The password is correct when I echo $OS_PASSWORD.
>>> I downloaded the admin-openrc.sh file from the dashboard and sourced. I
>>> ran a nova list after that:
>>> No handlers could be found for logger
>>> "keystoneclient.auth.identity.generic.base"
>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>
>>> It still gives the error of forbidden access.
>>> I think the password is not the issue. Forbidden access might be
>>> something else. Do you want me to share anything else?
>>>
>>> On Wed, Apr 27, 2016 at 2:56 PM, Jens Rosenboom <j.rosenboom at x-ion.de>
>>> wrote:
>>>
>>>> 2016-04-27 10:30 GMT+02:00 Dhvanan Shah <dhvanan at gmail.com>:
>>>> > UPDATE:
>>>> > I am able to log into Horizon and perform all actions without any
>>>> issue but
>>>> > on my terminal, I am not able to do the same. The password that I
>>>> thought
>>>> > was wrong is not the issue as I logged in with the same password.
>>>> > My keystone_adminrc file looks like this:
>>>> >
>>>> > unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
>>>> > export OS_USERNAME=admin
>>>> > export OS_PASSWORD=****************
>>>> > export OS_AUTH_URL=http://10.16.37.221:35357/v2.0
>>>> > export PS1='[\u@\h \W(keystone_admin)]\$ '
>>>> >
>>>> > export OS_TENANT_NAME=admin
>>>> > export OS_REGION_NAME=RegionOne
>>>> >
>>>> >
>>>> > Please suggest what I could do!
>>>>
>>>> Does your password contain special characters that might get mangled
>>>> by the shell? You could compare the output of "echo $OS_PASSWORD" to
>>>> verify.
>>>>
>>>> Otherwise, if the dashboard is working for you, you can go to
>>>> Project/Compute/Access&Security/API Access and use the "Download
>>>> OpenStack RC File" link there.
>>>>
>>>>
>>>> __________________________________________________________________________
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe:
>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>
>>>
>>>
>>> --
>>> Dhvanan Shah
>>>
>>
>>
>>
>> --
>> Dhvanan Shah
>>
>
>
>
> --
> Dhvanan Shah
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160427/8d5527da/attachment.html>
More information about the OpenStack-dev
mailing list