[openstack-dev] Keystone Authorization Failed: Forbidden (HTTP 403)

Dhvanan Shah dhvanan at gmail.com
Wed Apr 27 12:17:31 UTC 2016


Hi,

Problem resolved.

curl 10.16.37.221:5000 returned access denied. So I added a no proxy for
the host IP in the browser, after which it began returning the JSON data.
After this I exported the same in my keystone_adminrc file as Chinmaya
pointed out. That solved the problem and it no longer gives the forbidden
error.

But the funny thing here is that I have had this setup running for quite
some time now and I have not added a no_proxy for the host IP and I also
haven't faced this issue before. So I am not sure what triggered this error
here now.

Thanks a lot for your inputs.

On Wed, Apr 27, 2016 at 5:30 PM, Dolph Mathews <dolph.mathews at gmail.com>
wrote:

>
> On Wed, Apr 27, 2016 at 6:53 AM, Dhvanan Shah <dhvanan at gmail.com> wrote:
>
>> Hi,
>>
>> Enabling the debug flag didn't give any additional information.
>>
>> 2 node Cluster means that I have one controller that also runs the
>> compute and an additional compute node, thus 2 node OpenStack Cluster.
>>
>> The problem here is not with the password as I am able to log in through
>> the dashboard. Any action performed gives a Forbidden error and
>> authorization failed for keystone.
>>
>> Any other things that I could look at?
>>
>
> Another long shot, but you might have an unintended surprise in your
> environment.
>
>   $ env | grep ^OS_
>
> More likely though, I'm guessing you don't actually have the "admin" role
> on the "admin" tenant that you're expecting. The 403 is indicating that you
> are authenticated successfully (your password is correct), but you don't
> have authorization to make the request (listing users, for example). You'd
> be able to log in to Horizon and spin up a VM, or do the same from the CLI,
> but not make the requests you're using to exercise the cloud admin role.
>
>
>> On Wed, Apr 27, 2016 at 4:55 PM, Dolph Mathews <dolph.mathews at gmail.com>
>> wrote:
>>
>>> Depending on which release of keystone you're running, try enabling
>>> either insecure_debug (more recent releases) or debug (older releases) to
>>> true in keystone.conf to get more detailed error messages from keystone.
>>>
>>>
>>> https://github.com/openstack/keystone/blob/3c4fe622ac5da00b04ccc8bc4e207a2e9ab0f863/etc/keystone.conf.sample#L87-L91
>>>
>>> That said, your configuration looks entirely correct to me, so I'm
>>> curious what the outcome is here. The only other red flag I see is that you
>>> mentioned a "2 node OpenStack cluster", and I'm not sure what that means in
>>> this context, exactly. How are the 2 nodes utilized?
>>>
>>> On Wed, Apr 27, 2016 at 5:43 AM, Dhvanan Shah <dhvanan at gmail.com> wrote:
>>>
>>>> keystone --debug user-list gives this:
>>>>
>>>> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
>>>> DeprecationWarning: The keystone CLI is deprecated in favor of
>>>> python-openstackclient. For a Python library, continue using
>>>> python-keystoneclient.
>>>>   'python-keystoneclient.', DeprecationWarning)
>>>> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
>>>> http://10.16.37.221:5000/v2.0/tokens
>>>> INFO:requests.packages.urllib3.connectionpool:Starting new HTTP
>>>> connection (1): proxy.serc.iisc.ernet.in
>>>> DEBUG:requests.packages.urllib3.connectionpool:"POST
>>>> http://10.16.37.221:5000/v2.0/tokens HTTP/1.1" 403 3370
>>>> DEBUG:keystoneclient.session:Request returned failure status: 403
>>>> Authorization Failed: Forbidden (HTTP 403)
>>>>
>>>> nova --debug user list gives this:
>>>>
>>>> DEBUG (session:195) REQ: curl -g -i -X GET
>>>> http://10.16.37.221:5000/v2.0 -H "Accept: application/json" -H
>>>> "User-Agent: python-keystoneclient"
>>>> INFO (connectionpool:203) Starting new HTTP connection (1):
>>>> proxy.serc.iisc.ernet.in
>>>> DEBUG (connectionpool:383) "GET http://10.16.37.221:5000/v2.0
>>>> HTTP/1.1" 403 3275
>>>> DEBUG (session:224) RESP:
>>>> DEBUG (session:396) Request returned failure status: 403
>>>> WARNING (base:133) Discovering versions from the identity service
>>>> failed when creating the password plugin. Attempting to determine version
>>>> from URL.
>>>> DEBUG (v2:76) Making authentication request to
>>>> http://10.16.37.221:5000/v2.0/tokens
>>>> DEBUG (connectionpool:383) "POST http://10.16.37.221:5000/v2.0/tokens
>>>> HTTP/1.1" 403 3370
>>>> DEBUG (session:396) Request returned failure status: 403
>>>> DEBUG (shell:914) Forbidden (HTTP 403)
>>>> Forbidden: Forbidden (HTTP 403)
>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>>
>>>>
>>>>
>>>> On Wed, Apr 27, 2016 at 3:12 PM, Dhvanan Shah <dhvanan at gmail.com>
>>>> wrote:
>>>>
>>>>> On running openstack-status this is what I get (all the services are
>>>>> running, so not included that here)
>>>>>
>>>>> == Keystone users ==
>>>>> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
>>>>> DeprecationWarning: The keystone CLI is deprecated in favor of
>>>>> python-openstackclient. For a Python library, continue using
>>>>> python-keystoneclient.
>>>>>   'python-keystoneclient.', DeprecationWarning)
>>>>> Authorization Failed: Forbidden (HTTP 403)
>>>>> == Glance images ==
>>>>> Forbidden (HTTP 403)
>>>>> == Nova managed services ==
>>>>> No handlers could be found for logger
>>>>> "keystoneclient.auth.identity.generic.base"
>>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>>> == Nova networks ==
>>>>> No handlers could be found for logger
>>>>> "keystoneclient.auth.identity.generic.base"
>>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>>> == Nova instance flavors ==
>>>>> No handlers could be found for logger
>>>>> "keystoneclient.auth.identity.generic.base"
>>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>>> == Nova instances ==
>>>>> No handlers could be found for logger
>>>>> "keystoneclient.auth.identity.generic.base"
>>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>>>
>>>>>
>>>>> On Wed, Apr 27, 2016 at 3:09 PM, Dhvanan Shah <dhvanan at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Jens,
>>>>>>
>>>>>> The password is correct when I echo $OS_PASSWORD.
>>>>>> I downloaded the admin-openrc.sh file from the dashboard and sourced.
>>>>>> I ran a nova list after that:
>>>>>> No handlers could be found for logger
>>>>>> "keystoneclient.auth.identity.generic.base"
>>>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>>>>
>>>>>> It still gives the error of forbidden access.
>>>>>> I think the password is not the issue. Forbidden access might be
>>>>>> something else. Do you want me to share anything else?
>>>>>>
>>>>>> On Wed, Apr 27, 2016 at 2:56 PM, Jens Rosenboom <j.rosenboom at x-ion.de
>>>>>> > wrote:
>>>>>>
>>>>>>> 2016-04-27 10:30 GMT+02:00 Dhvanan Shah <dhvanan at gmail.com>:
>>>>>>> > UPDATE:
>>>>>>> > I am able to log into Horizon and perform all actions without any
>>>>>>> issue but
>>>>>>> > on my terminal, I am not able to do the same. The password that I
>>>>>>> thought
>>>>>>> > was wrong is not the issue as I logged in with the same password.
>>>>>>> > My keystone_adminrc file looks like this:
>>>>>>> >
>>>>>>> > unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
>>>>>>> > export OS_USERNAME=admin
>>>>>>> > export OS_PASSWORD=****************
>>>>>>> > export OS_AUTH_URL=http://10.16.37.221:35357/v2.0
>>>>>>> > export PS1='[\u@\h \W(keystone_admin)]\$ '
>>>>>>> >
>>>>>>> > export OS_TENANT_NAME=admin
>>>>>>> > export OS_REGION_NAME=RegionOne
>>>>>>> >
>>>>>>> >
>>>>>>> > Please suggest what I could do!
>>>>>>>
>>>>>>> Does your password contain special characters that might get mangled
>>>>>>> by the shell? You could compare the output of "echo $OS_PASSWORD" to
>>>>>>> verify.
>>>>>>>
>>>>>>> Otherwise, if the dashboard is working for you, you can go to
>>>>>>> Project/Compute/Access&Security/API Access and use the "Download
>>>>>>> OpenStack RC File" link there.
>>>>>>>
>>>>>>>
>>>>>>> __________________________________________________________________________
>>>>>>> OpenStack Development Mailing List (not for usage questions)
>>>>>>> Unsubscribe:
>>>>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Dhvanan Shah
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Dhvanan Shah
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Dhvanan Shah
>>>>
>>>>
>>
>>
>> --
>> Dhvanan Shah
>>
>
>


-- 
Dhvanan Shah
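
Added example, not part of the original thread: the quoted debug output shows the client opening its connection to proxy.serc.iisc.ernet.in while requesting http://10.16.37.221:5000/..., so the 403 came back over the proxy connection. The Python below flags that mismatch in client debug logs and checks whether a given set of proxy variables would route a Keystone URL through a proxy. The function names and the proxy URL `http://proxy.example:3128` used when calling it are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment

CONNECT_RE = re.compile(r"Starting new HTTPS? connection \(\d+\): (\S+)")
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)')

# Log lines taken from the thread, unwrapped and with the quote markers removed.
SAMPLE_LOG = """\
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to http://10.16.37.221:5000/v2.0/tokens
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): proxy.serc.iisc.ernet.in
DEBUG:requests.packages.urllib3.connectionpool:"POST http://10.16.37.221:5000/v2.0/tokens HTTP/1.1" 403 3370
DEBUG:keystoneclient.session:Request returned failure status: 403
"""

def proxied_responses(log_text):
    """Return (status, target_host, connected_host) for each response that
    arrived over a connection to a host other than the request's target."""
    findings, connected = [], None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connected = m.group(1).split(":")[0].lower()
            continue
        m = REQUEST_RE.search(line)
        if m and connected:
            # A direct request logs only a path, so hostname is None there.
            target = urlsplit(m.group(2)).hostname
            if target and target.lower() != connected:
                findings.append((int(m.group(3)), target, connected))
    return findings

def goes_through_proxy(url, env):
    """True if the *_proxy variables in env would send url through a proxy."""
    parts = urlsplit(url)
    proxies = {}
    for key, value in env.items():
        name = key.lower()
        if name.endswith("_proxy") and value:
            proxies[name[:-6]] = value  # "http_proxy" -> "http", "no_proxy" -> "no"
    if parts.scheme not in proxies:
        return False
    return not proxy_bypass_environment(parts.netloc, proxies)
```

Running `proxied_responses` over the output of any OpenStack client invoked with `--debug` separates a 403 relayed by an intermediary from one issued by Keystone's own policy check, which is the distinction the role-based explanation earlier in the thread depends on.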