[openstack-dev] Keystone Authorization Failed: Forbidden (HTTP 403)

Chinmaya Bharadwaj acbharadwaj at gmail.com
Wed Apr 27 11:56:32 UTC 2016


Hi,

Looks like its connecting to proxy first,

Starting new HTTP connection (1): proxy.serc.iisc.ernet.in



​Try
export no_proxy= <Your ip>​

#Chinmaya

On 27 April 2016 at 17:23, Dhvanan Shah <dhvanan at gmail.com> wrote:

> Hi,
>
> Enabling the debug flag didn't give any additional information.
>
> 2 node Cluster means that I have one controller that also runs the compute
> and an additional compute node, thus 2 node OpenStack Cluster.
>
> The problem here is not with the password as I am able to log in through
> the dashboard. Any action performed gives a Forbidden error and
> authorization failed for keystone.
>
> Any other things that I could look at?
>
> On Wed, Apr 27, 2016 at 4:55 PM, Dolph Mathews <dolph.mathews at gmail.com>
> wrote:
>
>> Depending on which release of keystone you're running, try enabling
>> either insecure_debug (more recent releases) or debug (older releases) to
>> true in keystone.conf to get more detailed error messages from keystone.
>>
>>
>> https://github.com/openstack/keystone/blob/3c4fe622ac5da00b04ccc8bc4e207a2e9ab0f863/etc/keystone.conf.sample#L87-L91
>>
>> That said, your configuration looks entirely correct to me, so I'm
>> curious what the outcome is here. The only other red flag I see is that you
>> mentioned a "2 node OpenStack cluster", and I'm not sure what that means in
>> this context, exactly. How are the 2 nodes utilized?
>>
>> On Wed, Apr 27, 2016 at 5:43 AM, Dhvanan Shah <dhvanan at gmail.com> wrote:
>>
>>> keystone --debug user-list gives this:
>>>
>>> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
>>> DeprecationWarning: The keystone CLI is deprecated in favor of
>>> python-openstackclient. For a Python library, continue using
>>> python-keystoneclient.
>>>   'python-keystoneclient.', DeprecationWarning)
>>> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
>>> http://10.16.37.221:5000/v2.0/tokens
>>> INFO:requests.packages.urllib3.connectionpool:Starting new HTTP
>>> connection (1): proxy.serc.iisc.ernet.in
>>> DEBUG:requests.packages.urllib3.connectionpool:"POST
>>> http://10.16.37.221:5000/v2.0/tokens HTTP/1.1" 403 3370
>>> DEBUG:keystoneclient.session:Request returned failure status: 403
>>> Authorization Failed: Forbidden (HTTP 403)
>>>
>>> nova --debug user list gives this:
>>>
>>> DEBUG (session:195) REQ: curl -g -i -X GET http://10.16.37.221:5000/v2.0
>>> -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
>>> INFO (connectionpool:203) Starting new HTTP connection (1):
>>> proxy.serc.iisc.ernet.in
>>> DEBUG (connectionpool:383) "GET http://10.16.37.221:5000/v2.0 HTTP/1.1"
>>> 403 3275
>>> DEBUG (session:224) RESP:
>>> DEBUG (session:396) Request returned failure status: 403
>>> WARNING (base:133) Discovering versions from the identity service failed
>>> when creating the password plugin. Attempting to determine version from URL.
>>> DEBUG (v2:76) Making authentication request to
>>> http://10.16.37.221:5000/v2.0/tokens
>>> DEBUG (connectionpool:383) "POST http://10.16.37.221:5000/v2.0/tokens
>>> HTTP/1.1" 403 3370
>>> DEBUG (session:396) Request returned failure status: 403
>>> DEBUG (shell:914) Forbidden (HTTP 403)
>>> Forbidden: Forbidden (HTTP 403)
>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>
>>>
>>>
>>> On Wed, Apr 27, 2016 at 3:12 PM, Dhvanan Shah <dhvanan at gmail.com> wrote:
>>>
>>>> On running openstack-status this is what I get (all the services are
>>>> running, so not included that here)
>>>>
>>>> == Keystone users ==
>>>> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
>>>> DeprecationWarning: The keystone CLI is deprecated in favor of
>>>> python-openstackclient. For a Python library, continue using
>>>> python-keystoneclient.
>>>>   'python-keystoneclient.', DeprecationWarning)
>>>> Authorization Failed: Forbidden (HTTP 403)
>>>> == Glance images ==
>>>> Forbidden (HTTP 403)
>>>> == Nova managed services ==
>>>> No handlers could be found for logger
>>>> "keystoneclient.auth.identity.generic.base"
>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>> == Nova networks ==
>>>> No handlers could be found for logger
>>>> "keystoneclient.auth.identity.generic.base"
>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>> == Nova instance flavors ==
>>>> No handlers could be found for logger
>>>> "keystoneclient.auth.identity.generic.base"
>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>> == Nova instances ==
>>>> No handlers could be found for logger
>>>> "keystoneclient.auth.identity.generic.base"
>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>>
>>>>
>>>> On Wed, Apr 27, 2016 at 3:09 PM, Dhvanan Shah <dhvanan at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Jens,
>>>>>
>>>>> The password is correct when I echo $OS_PASSWORD.
>>>>> I downloaded the admin-openrc.sh file from the dashboard and sourced.
>>>>> I ran a nova list after that:
>>>>> No handlers could be found for logger
>>>>> "keystoneclient.auth.identity.generic.base"
>>>>> ERROR (Forbidden): Forbidden (HTTP 403)
>>>>>
>>>>> It still gives the error of forbidden access.
>>>>> I think the password is not the issue. Forbidden access might be
>>>>> something else. Do you want me to share anything else?
>>>>>
>>>>> On Wed, Apr 27, 2016 at 2:56 PM, Jens Rosenboom <j.rosenboom at x-ion.de>
>>>>> wrote:
>>>>>
>>>>>> 2016-04-27 10:30 GMT+02:00 Dhvanan Shah <dhvanan at gmail.com>:
>>>>>> > UPDATE:
>>>>>> > I am able to log into Horizon and perform all actions without any
>>>>>> issue but
>>>>>> > on my terminal, I am not able to do the same. The password that I
>>>>>> thought
>>>>>> > was wrong is not the issue as I logged in with the same password.
>>>>>> > My keystone_adminrc file looks like this:
>>>>>> >
>>>>>> > unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
>>>>>> > export OS_USERNAME=admin
>>>>>> > export OS_PASSWORD=****************
>>>>>> > export OS_AUTH_URL=http://10.16.37.221:35357/v2.0
>>>>>> > export PS1='[\u@\h \W(keystone_admin)]\$ '
>>>>>> >
>>>>>> > export OS_TENANT_NAME=admin
>>>>>> > export OS_REGION_NAME=RegionOne
>>>>>> >
>>>>>> >
>>>>>> > Please suggest what I could do!
>>>>>>
>>>>>> Does your password contain special characters that might get mangled
>>>>>> by the shell? You could compare the output of "echo $OS_PASSWORD" to
>>>>>> verify.
>>>>>>
>>>>>> Otherwise, if the dashboard is working for you, you can go to
>>>>>> Project/Compute/Access&Security/API Access and use the "Download
>>>>>> OpenStack RC File" link there.
>>>>>>
>>>>>>
>>>>>> __________________________________________________________________________
>>>>>> OpenStack Development Mailing List (not for usage questions)
>>>>>> Unsubscribe:
>>>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Dhvanan Shah
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Dhvanan Shah
>>>>
>>>
>>>
>>>
>>> --
>>> Dhvanan Shah
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Dhvanan Shah
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160427/540150e6/attachment.html>


More information about the OpenStack-dev mailing list