[openstack-dev] Keystone Authorization Failed: Forbidden (HTTP 403)

Dhvanan Shah dhvanan at gmail.com
Wed Apr 27 11:53:18 UTC 2016


Hi,

Enabling the debug flag didn't give any additional information.

2 node Cluster means that I have one controller that also runs the compute
and an additional compute node, thus 2 node OpenStack Cluster.

The problem here is not with the password as I am able to log in through
the dashboard. Any action performed gives a Forbidden error and
authorization failed for keystone.

Any other things that I could look at?

On Wed, Apr 27, 2016 at 4:55 PM, Dolph Mathews <dolph.mathews at gmail.com>
wrote:

> Depending on which release of keystone you're running, try enabling either
> insecure_debug (more recent releases) or debug (older releases) to true in
> keystone.conf to get more detailed error messages from keystone.
>
>
> https://github.com/openstack/keystone/blob/3c4fe622ac5da00b04ccc8bc4e207a2e9ab0f863/etc/keystone.conf.sample#L87-L91
>
> That said, your configuration looks entirely correct to me, so I'm curious
> what the outcome is here. The only other red flag I see is that you
> mentioned a "2 node OpenStack cluster", and I'm not sure what that means in
> this context, exactly. How are the 2 nodes utilized?
>
> On Wed, Apr 27, 2016 at 5:43 AM, Dhvanan Shah <dhvanan at gmail.com> wrote:
>
>> keystone --debug user-list gives this:
>>
>> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
>> DeprecationWarning: The keystone CLI is deprecated in favor of
>> python-openstackclient. For a Python library, continue using
>> python-keystoneclient.
>>   'python-keystoneclient.', DeprecationWarning)
>> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
>> http://10.16.37.221:5000/v2.0/tokens
>> INFO:requests.packages.urllib3.connectionpool:Starting new HTTP
>> connection (1): proxy.serc.iisc.ernet.in
>> DEBUG:requests.packages.urllib3.connectionpool:"POST
>> http://10.16.37.221:5000/v2.0/tokens HTTP/1.1" 403 3370
>> DEBUG:keystoneclient.session:Request returned failure status: 403
>> Authorization Failed: Forbidden (HTTP 403)
>>
>> nova --debug user list gives this:
>>
>> DEBUG (session:195) REQ: curl -g -i -X GET http://10.16.37.221:5000/v2.0
>> -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
>> INFO (connectionpool:203) Starting new HTTP connection (1):
>> proxy.serc.iisc.ernet.in
>> DEBUG (connectionpool:383) "GET http://10.16.37.221:5000/v2.0 HTTP/1.1"
>> 403 3275
>> DEBUG (session:224) RESP:
>> DEBUG (session:396) Request returned failure status: 403
>> WARNING (base:133) Discovering versions from the identity service failed
>> when creating the password plugin. Attempting to determine version from URL.
>> DEBUG (v2:76) Making authentication request to
>> http://10.16.37.221:5000/v2.0/tokens
>> DEBUG (connectionpool:383) "POST http://10.16.37.221:5000/v2.0/tokens
>> HTTP/1.1" 403 3370
>> DEBUG (session:396) Request returned failure status: 403
>> DEBUG (shell:914) Forbidden (HTTP 403)
>> Forbidden: Forbidden (HTTP 403)
>> ERROR (Forbidden): Forbidden (HTTP 403)
>>
>>
>>
>> On Wed, Apr 27, 2016 at 3:12 PM, Dhvanan Shah <dhvanan at gmail.com> wrote:
>>
>>> On running openstack-status this is what I get (all the services are
>>> running, so not included that here)
>>>
>>> == Keystone users ==
>>> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
>>> DeprecationWarning: The keystone CLI is deprecated in favor of
>>> python-openstackclient. For a Python library, continue using
>>> python-keystoneclient.
>>>   'python-keystoneclient.', DeprecationWarning)
>>> Authorization Failed: Forbidden (HTTP 403)
>>> == Glance images ==
>>> Forbidden (HTTP 403)
>>> == Nova managed services ==
>>> No handlers could be found for logger
>>> "keystoneclient.auth.identity.generic.base"
>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>> == Nova networks ==
>>> No handlers could be found for logger
>>> "keystoneclient.auth.identity.generic.base"
>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>> == Nova instance flavors ==
>>> No handlers could be found for logger
>>> "keystoneclient.auth.identity.generic.base"
>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>> == Nova instances ==
>>> No handlers could be found for logger
>>> "keystoneclient.auth.identity.generic.base"
>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>
>>>
>>> On Wed, Apr 27, 2016 at 3:09 PM, Dhvanan Shah <dhvanan at gmail.com> wrote:
>>>
>>>> Hi Jens,
>>>>
>>>> The password is correct when I echo $OS_PASSWORD.
>>>> I downloaded the admin-openrc.sh file from the dashboard and sourced. I
>>>> ran a nova list after that:
>>>> No handlers could be found for logger
>>>> "keystoneclient.auth.identity.generic.base"
>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>>
>>>> It still gives the error of forbidden access.
>>>> I think the password is not the issue. Forbidden access might be
>>>> something else. Do you want me to share anything else?
>>>>
>>>> On Wed, Apr 27, 2016 at 2:56 PM, Jens Rosenboom <j.rosenboom at x-ion.de>
>>>> wrote:
>>>>
>>>>> 2016-04-27 10:30 GMT+02:00 Dhvanan Shah <dhvanan at gmail.com>:
>>>>> > UPDATE:
>>>>> > I am able to log into Horizon and perform all actions without any
>>>>> issue but
>>>>> > on my terminal, I am not able to do the same. The password that I
>>>>> thought
>>>>> > was wrong is not the issue as I logged in with the same password.
>>>>> > My keystone_adminrc file looks like this:
>>>>> >
>>>>> > unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
>>>>> > export OS_USERNAME=admin
>>>>> > export OS_PASSWORD=****************
>>>>> > export OS_AUTH_URL=http://10.16.37.221:35357/v2.0
>>>>> > export PS1='[\u@\h \W(keystone_admin)]\$ '
>>>>> >
>>>>> > export OS_TENANT_NAME=admin
>>>>> > export OS_REGION_NAME=RegionOne
>>>>> >
>>>>> >
>>>>> > Please suggest what I could do!
>>>>>
>>>>> Does your password contain special characters that might get mangled
>>>>> by the shell? You could compare the output of "echo $OS_PASSWORD" to
>>>>> verify.
>>>>>
>>>>> Otherwise, if the dashboard is working for you, you can go to
>>>>> Project/Compute/Access&Security/API Access and use the "Download
>>>>> OpenStack RC File" link there.
>>>>>
>>>>>
>>>>> __________________________________________________________________________
>>>>> OpenStack Development Mailing List (not for usage questions)
>>>>> Unsubscribe:
>>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Dhvanan Shah
>>>>
>>>
>>>
>>>
>>> --
>>> Dhvanan Shah
>>>
>>
>>
>>
>> --
>> Dhvanan Shah
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Dhvanan Shah
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160427/bf891910/attachment-0001.html>


More information about the OpenStack-dev mailing list