[Openstack] [Ceilometer][Ceilometer-API] Ceilometer-API Error 401 Unauthorized

Fei Long Wang flwang at cn.ibm.com
Tue May 28 08:16:46 UTC 2013


Hi Bruno,

Please follow this link:
http://docs.openstack.org/developer/ceilometer/configuration.html#keystone-middleware-authentication

Generally, you just need add some entries in ceilometer.conf like this:
[keystone_authtoken]
signing_dir = /var/cache/ceilometer
admin_tenant_name = service
admin_password = passw0rd
admin_user = ceilometer
auth_protocol = http

Thanks & Best regards,
Fei Long Wang (王飞龙)
--------------------------------------------------
Scrum Master, Cloud Solutions and OpenStack Development
Tel: 8610-82450513 | T/L: 905-0513
Email: flwang at cn.ibm.com
China Systems & Technology Laboratory in Beijing
--------------------------------------------------




From:	Bruno Oliveira <brunnop.oliveira at gmail.com>
To:	OpenStack <openstack at lists.launchpad.net>,
Date:	05/27/2013 10:14 PM
Subject:	[Openstack] [Ceilometer][Ceilometer-API] Ceilometer-API Error
            401	Unauthorized
Sent by:	"Openstack" <openstack-bounces
            +flwang=cn.ibm.com at lists.launchpad.net>



Hello stackers,

I'm having a really hard time setting up ceilometer-api so I thought
if I could ask you guys for some enlightment.

I can clearly see data being pulled in the screens that are running
/ceilometer-collector, ./ceilometer-agent-compute ,./ceilometer-agent-central


Even the screen running ceilometer-api-server starts with no problem.

But I cannot reach the api at all via curl. Neither by using its
actual port (8777)
nor using the port set in the virtual host of apache. All I'm getting
is auth error

$ curl http://127.0.0.1:8777  OR  $ curl http://127.0.0.1:9090
=============================================
<html>
 <head>
  <title>401 Unauthorized</title>
 </head>
 <body>
  <h1>401 Unauthorized</h1>
  This server could not verify that you are authorized to access the
document you requested. Either you supplied the wrong credentials
(e.g., bad password), or your browser does not understand how to
supply the credentials required.<br /><br />
Authentication required
=============================================


On top of that, the only thing I had to do in a non-standard basis, was to
setup ceilometer virtual host to answer request on port 9090 of apache
instead of the default 80 (since horizon is bind to it).


Here's a copy of my running ceilometer.conf
=====================================
/etc/ceilometer/ceilometer.conf
=====================================
[DEFAULT]
os_username=ceilometer
os_password=MYSECRET
os_tenant_name=admin
os_auth_url=http://localhost:5000/v2.0
signing_dirname = /tmp/keystone-signing-ceilometer
metering_api_port=8777
auth_strategy=keystone
nova_control_exchange=nova
hypervisor_inspector=libvirt
libvirt_type=kvm
glance_control_exchange=glance
quantum_control_exchange=quantum
debug=true
verbose=true
(...)
*logging writing parameters here*
(...)
log_dir=/var/log/ceilometer
rpc_backend=ceilometer.openstack.common.rpc.impl_kombu
rabbit_host=localhost
rabbit_port=5672
rabbit_userid=guest
rabbit_password=ficrowstran02
rabbit_retry_backoff=2
rabbit_max_retries=0
database_connection=mongodb://localhost:27017/ceilometer
sql_connection_debug=0
cinder_control_exchange=cinder
enable_v1_api=true

[rpc_notifier2]

[matchmaker_redis]

[publisher_meter]
metering_secret=METERING_SECRET

[keystone_authtoken]
auth_host = localhost
auth_port = 5000
admin_user = ceilometer
admin_password = MYSECRET
admin_tenant_name = admin
auth_uri = http://localhost:5000/v2.0/
=====================================


The "ceilometer" user pointed at "admin_user" under the
"[keystone_authtoken]" section, as well as in "os_username" under the
"[DEFAULT]" section,
was created in keystone and it'sbind to the admin tenant.


$ keystone tenant-get admin
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | 670f5dd4070d44b6a8308277a236d1af |
|     name    |              admin               |
+-------------+----------------------------------+

$ keystone user-get ceilometer
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |      ceilometer at example.com      |
| enabled  |               True               |
|    id    | a98ec068f5f349439acef431e826d7ff |
|   name   |            ceilometer            |
| tenantId | 670f5dd4070d44b6a8308277a236d1af |
+----------+----------------------------------+


Finally, here's the ceilometer site running on apache. the user
and group 'stackadmin' are valid users indeed in the machine

$ id stackadmin

uid=1000(stackadmin) gid=1000(stackadmin)
groups=1000(stackadmin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111
(libvirtd),113(lpadmin),114(sambashare


=====================================
/etc/apache2/sites-available/ceilometer
=====================================
<VirtualHost *:9090>
    WSGIDaemonProcess ceilometer user=stackadmin group=stackadmin threads=5
    WSGIScriptAlias / /opt/stack/ceilometer/ceilometer/api/app.wsgi
    SetEnv APACHE_RUN_USER stackadmin
    SetEnv APACHE_RUN_GROUP stackadmin
    WSGIProcessGroup ceilometer
    ErrorLog /var/log/apache2/ceilometer_error.log
    LogLevel warn
    CustomLog /var/log/apache2/ceilometer_access.log combined
</VirtualHost>
=====================================


Despite of everything, I keep getting that "401 Unauthorized"
auth error.

Do you guys have any suggestions of what I can try to fix it ?

Thank you all.

--

Bruno de Oliveira
Developer, System Analyst

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack at lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130528/bf3174c7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130528/bf3174c7/attachment.gif>


More information about the Openstack mailing list