[Openstack-operators] keystone is throwing Authorization Failed: 'module' object is not callable errors

Jeff Silverman jeff at sweetlabs.com
Fri Aug 1 21:35:01 UTC 2014


I did something to keystone, I'm not sure what.

root@controller1-prod.controller1-prod:~# keystone role-list
Authorization Failed: 'module' object is not callable
root@controller1-prod.controller1-prod:~#
root@controller1-prod.controller1-prod:~# keystone role-get admin
Authorization Failed: 'module' object is not callable
root@controller1-prod.controller1-prod:~#


I have envars OS_USERNAME, OS_PASSWORD, OS_TENANT defined.  OS_AUTH_URL has
a URL:
root@controller1-prod.controller1-prod:~# curl -i http://controller1-prod.sea.opencandy.com:35357/v2.0
HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Date: Fri, 01 Aug 2014 21:10:47 GMT
Transfer-Encoding: chunked

{"version": {"status": "stable", "updated": "2012-10-13T17:42:56Z",
"media-types": [{"base": "application/json",
"type": "application/vnd.openstack.identity-v2.0+json"},
{"base": "application/xml",
"type": "application/vnd.openstack.identity-v2.0+xml"}],
"id": "v2.0", "links": [
{"href": "http://controller1-prod.sea.opencandy.com:35357/v2.0/", "rel": "self"},
{"href": "http://docs.openstack.org/api/openstack-identity-service/2.0/content/",
"type": "text/html", "rel": "describedby"},
{"href": "http://docs.openstack.org/api/openstack-identity-service/2.0/identity-dev-guide-2.0.pdf",
"type": "application/pdf", "rel": "describedby"}]}}
root@controller1-prod.controller1-prod:~#


I have been poking at keystone with pdb to try to find the point where the
exception is raised, with little success.  Maybe I am incompetent as a
python programmer.

I have discovered that keystoneclient does a call to the identity server to
get a token - I think.  I tried to simulate the call using curl.

root@controller1-prod.controller1-prod:~# curl -i http://controller1-prod.sea.opencandy.com:35357/v2.0/tokens
HTTP/1.1 404 Not Found
Vary: X-Auth-Token
Content-Type: application/json
Date: Fri, 01 Aug 2014 20:26:00 GMT
Transfer-Encoding: chunked

{"error": {"message": "The resource could not be found.", "code": 404,
"title": "Not Found"}}


One of the things I find frustrating is the code assumes that any error is
an authorization problem, which means that any bug is handled and doesn't
percolate up the stack.  There seems to be no way to get the debugger to
halt on a handled exception.  In client.py, there is
        except Exception as e:
            raise exceptions.AuthorizationFailure("Authorization Failed: "
which makes debugging a challenge.

I think that the exception is in the call to a.get_auth_ref(self.session).
 I think that the problem is that a, a Password object, is not callable.

(Pdb) print callable(a)
False
(Pdb)
(Pdb) list
168                                        token=token,
169                                        trust_id=trust_id,
170                                        tenant_id=project_id or tenant_id,
171                                        tenant_name=project_name or tenant_name)
172
173  ->            return a.get_auth_ref(self.session)
174          except (exceptions.AuthorizationFailure, exceptions.Unauthorized):
175              _logger.debug("Authorization Failed.")
176              raise
177          except exceptions.EndpointNotFound:
178              msg = 'There was no suitable authentication url for this request'


(Pdb) pp vars(a)
{'auth_ref': None,
 'auth_url': 'http://controller1-prod.sea.opencandy.com:35357/v2.0',
 'password': "XXXXXXXXXXX",
 'tenant_id': None,
 'tenant_name': 'admin',
 'token': None,
 'trust_id': None,
 'username': 'admin'}
(Pdb)

I instrumented the code to see if I could get a better handle on the
exception getting thrown:

(Pdb) list 165,184
165              a = v2_auth.Auth._factory(auth_url,
166                                        username=username,
167                                        password=password,
168                                        token=token,
169                                        trust_id=trust_id,
170                                        tenant_id=project_id or tenant_id,
171                                        tenant_name=project_name or tenant_name)
172
173              try:
174                  return a.get_auth_ref(self.session)
175              except Exception as e:
176                  print "Hit an exception %s" % e
177                  pdb.set_trace()
178  ->                raise
179          except (exceptions.AuthorizationFailure, exceptions.Unauthorized):
180              _logger.debug("Authorization Failed.")
181              raise
182          except exceptions.EndpointNotFound:
183              msg = 'There was no suitable authentication url for this request'
184              raise exceptions.AuthorizationFailure(msg)

(Pdb) c
Hit an exception 'module' object is not callable
> /usr/lib/python2.6/site-packages/keystoneclient/v2_0/client.py(178)get_raw_token_from_identity_service()
-> raise


Not sure what to do next.


Jeff



-- 
*Jeff Silverman*
Systems Engineer
(253) 459-2318 (c)
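
Added example (not part of the original message and not keystoneclient code): a Python 3 sketch of the masking pattern the message describes, where a broad `except Exception` turns any bug into "Authorization Failed", and of how to recover the frame that actually raised. The class and function names are hypothetical stand-ins, and the bug is constructed; Python 2.6, as used in the message, has no exception chaining, so `__context__` is not available there.

```python
import json  # stand-in for any module that gets called as if it were a function
import traceback


class AuthorizationFailure(Exception):
    """Hypothetical stand-in for the client's AuthorizationFailure."""


def get_auth_ref():
    # Constructed bug: calling a module object raises
    # TypeError: 'module' object is not callable
    return json('{"token": "constructed"}')


def get_token_masked():
    # Pattern from the message: every error is reported as an auth failure.
    try:
        return get_auth_ref()
    except Exception as e:
        raise AuthorizationFailure("Authorization Failed: %s" % e)


def root_cause(exc):
    """Follow __cause__/__context__ back to the first exception raised."""
    while exc.__cause__ or exc.__context__:
        exc = exc.__cause__ or exc.__context__
    return exc


def origin_frame(exc):
    """Return (function name, source line) of the frame that raised the root cause."""
    frame = traceback.extract_tb(root_cause(exc).__traceback__)[-1]
    return frame.name, frame.line


def diagnose():
    try:
        get_token_masked()
    except AuthorizationFailure as wrapped:
        return type(root_cause(wrapped)).__name__, origin_frame(wrapped)


if __name__ == "__main__":
    print(diagnose())
```

Passing `root_cause(exc).__traceback__` to `pdb.post_mortem` opens the debugger in the frame that raised, rather than at the re-raise in the handler.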