[Openstack] [Heat] Authentication required error in kilo with keystone v2 APIs

NareshA kumar nka at criterionnetworks.com
Thu Feb 2 09:19:17 UTC 2017 

Dear Davide,
Below are the steps I have followed to configure heat in kilo. Please let
me know if I am missing something here.

mysql -u root -p

CREATE DATABASE heat;

GRANT ALL PRIVILEGES ON heat.* TO 'heat'@'localhost' \
  IDENTIFIED BY 'heat';
GRANT ALL PRIVILEGES ON heat.* TO 'heat'@'%' \
  IDENTIFIED BY 'heat';

export OS_TENANT_NAME='openstack'
export OS_USERNAME='admin'
export OS_PASSWORD='Chang3M3'
export OS_AUTH_URL='https://identity.cncloud.com:5000/v2.0'
export OS_AUTH_STRATEGY='keystone'
export OS_REGION_NAME='RegionOne'


keystone user-create --name heat --pass heat
keystone user-role-add --user heat --role admin --tenant services
keystone service-create --name heat --description "Orchestration" --type
orchestration
keystone service-create --name heat-cfn --description "Orchestration"
--type cloudformation
keystone endpoint-create --service heat --publicurl "
http://54.174.88.227:8004/v1/%(tenant_id)s" --adminurl "
http://54.174.88.227:8004/v1/%(tenant_id)s" --internalurl "
http://54.174.88.227:8004/v1/%(tenant_id)s"
keystone endpoint-create --service heat-cfn --publicurl "
http://54.174.88.227:8000/v1/%(tenant_id)s" --adminurl "
http://54.174.88.227:8000/v1/%(tenant_id)s" --internalurl "
http://54.174.88.227:8000/v1/%(tenant_id)s"
keystone role-create --name heat_stack_owner
keystone user-role-add --user admin --tenant openstack --role
heat_stack_owner
keystone role-create --name heat_stack_user

heat-keystone-setup-domain \
–stack-user-domain-name heat_user_domain \
–stack-domain-admin heat_domain_admin \
–stack-domain-admin-password $HeatPass | tee heat-keystone-setup-domain.out

heact.conf:
[DEFAULT]
debug = true
verbose = true
rpc_backend = zmq
heat_metadata_server_url = http://54.174.88.227:8000
heat_waitcondition_server_url = http://54.174.88.227:8000/v1/waitcondition
stack_domain_admin  = heat_domain_admin
stack_domain_admin_password  = Chang3M3
stack_user_domain_name = heat_user_domain
stack_user_domain_id=f798141e117a417996a736ba8f57f368
rpc_zmq_host = 54.174.88.227
[database]
connection = mysql://heat:heat@54.174.88.227/heat
[keystone_authtoken]
auth_uri = https://identity.cncloud.com:5000/v2.0
identity_url = https://identity.cncloud.com:35357
#memcached_servers = controller:11211
project_name = services
auth_type = password
admin_tenant_name = services
admin_user = heat
admin_password = heat
[ec2authtoken]
auth_uri =  https://identity.cncloud.com:5000/v2.0

heat-manage db_sync

service heat-api restart
service heat-api-cfn restart
service heat-engine restart

export OS_TENANT_NAME='services'
export OS_USERNAME='heat'
export OS_PASSWORD='heat'
export OS_AUTH_URL='https://identity.cncloud.com:5000/v2.0'
export OS_AUTH_STRATEGY='keystone'
export OS_REGION_NAME='RegionOne'

heat stack-list

ERROR : Authentication Required.



Regards,
NareshA.

On Wed, Feb 1, 2017 at 4:07 PM, NareshA kumar <nka at criterionnetworks.com>
wrote:

> Davide,
> Yes I am using the heat credentials as you have mentioned. But still I am
> getting Authentication required error.
>
> Regards,
> NareshA.
>
> On Wed, Feb 1, 2017 at 4:01 PM, NareshA kumar <nka at criterionnetworks.com>
> wrote:
>
>> Davide,
>> Yes I am using the heat credentials as you have mentioned. But still I am
>> getting Authentication required error.
>>
>> I am attaching heat-api.log here for your reference. I am guessing that I
>> would have missed something while creating heat domains.
>>
>> Regards,
>> NareshA.
>>
>> On Wed, Feb 1, 2017 at 3:14 PM, Davide Panarese <dpanarese at enter.eu>
>> wrote:
>>
>>> If you use heat creadential for token request it works?
>>>
>>> export OS_AUTH_URL=https://identity.cncloud.com:5000/v2.0
>>> export OS_REGION_NAME=RegionOne
>>> export OS_USERNAME=heat
>>> export OS_TENANT_NAME=services
>>> export OS_PASSWORD=heat
>>>
>>> keystone token-get
>>>
>>> Davide
>>>
>>> On 01 Feb 2017, at 10:10, NareshA kumar <nka at criterionnetworks.com>
>>> wrote:
>>>
>>> I have associated heat user to services tenant and gave it a admin role.
>>>
>>> keystone user-role-list --user heat --tenant services
>>> +----------------------------------+-------+----------------
>>> ------------------+----------------------------------+
>>> |                id                |  name |             user_id
>>>      |            tenant_id             |
>>> +----------------------------------+-------+----------------
>>> ------------------+----------------------------------+
>>> | 2b995253c23e4c1db8cd374346a4ecd4 | admin |
>>> 645eb7e9f04f4a2b8df65272a23c1394 | 024890084b7642e9b8535b52a86584ea |
>>> +----------------------------------+-------+----------------
>>> ------------------+----------------------------------+
>>>
>>> heat --debug stack-list
>>>
>>> DEBUG (session) REQ: curl -g -i -X GET https://identity.cncloud.com:5
>>> 000/v2.0 -H "Accept: application/json" -H "User-Agent:
>>> python-keystoneclient"
>>> DEBUG (session) RESP: [200] x-openstack-request-id:
>>> req-2515497e-671b-475e-b48c-0cb6f2ccfe2f content-length: 347 via: 1.1
>>> identity.cncloud.com:5000 access-control-expose-headers: Accept,
>>> Content-Type, X-Auth-Token, X-Subject-Token vary: X-Auth-Token server:
>>> Apache/2.4.7 (Ubuntu) connection: close access-control-allow-methods: GET
>>> POST OPTIONS PUT DELETE PATCH date: Wed, 01 Feb 2017 09:07:01 GMT
>>> access-control-allow-origin: * access-control-allow-headers: Accept,
>>> Content-Type, X-Auth-Token, X-Subject-Token content-type: application/json
>>> x-distribution: Ubuntu
>>> RESP BODY: {"version": {"status": "stable", "updated":
>>> "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json",
>>> "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0",
>>> "links": [{"href": "https://identity.cncloud.com:5000/v2.0/", "rel":
>>> "self"}, {"href": "http://docs.openstack.org/", "type": "text/html",
>>> "rel": "describedby"}]}}
>>>
>>> DEBUG (v2) Making authentication request to
>>> https://identity.cncloud.com:5000/v2.0/tokens
>>> DEBUG (session) REQ: curl -g -i -X GET *MailScanner warning: numerical
>>> links are often malicious:* http://54.174.88.227:8004/v1/0
>>> c28d40bdcf0472d8dfb214a5c0286c4/stacks
>>> <http://54.174.88.227:8004/v1/0c28d40bdcf0472d8dfb214a5c0286c4/stacks>?
>>> -H "Accept: application/json" -H "User-Agent: python-heatclient" -H
>>> "X-Region-Name: RegionOne" -H "X-Auth-Token: {SHA1}9cc75daaff59cdb14a75bfb74ca6d77ebb8d8ac6"
>>> -H "Content-Type: application/json" -H "X-Auth-Url:
>>> https://identity.cncloud.com:5000/v2.0"
>>> DEBUG (session) RESP:
>>> DEBUG (v2) Making authentication request to
>>> https://identity.cncloud.com:5000/v2.0/tokens
>>> DEBUG (session) RESP:
>>> Traceback (most recent call last):
>>>   File "/usr/bin/heat", line 10, in <module>
>>>     sys.exit(main())
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/shell.py", line
>>> 706, in main
>>>     HeatShell().main(args)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/shell.py", line
>>> 656, in main
>>>     args.func(client, args)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/v1/shell.py", line
>>> 581, in do_stack_list
>>>     utils.print_list(stacks, fields, sortby_index=3)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/openstack/common/cliutils.py",
>>> line 169, in print_list
>>>     for o in objs:
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/v1/stacks.py", line
>>> 100, in paginate
>>>     stacks = self._list(url, 'stacks')
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/openstack/common/apiclient/base.py",
>>> line 117, in _list
>>>     body = self.client.get(url).json()
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py",
>>> line 292, in get
>>>     return self.client_request("GET", url, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py",
>>> line 285, in client_request
>>>     resp, body = self.json_request(method, url, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py",
>>> line 266, in json_request
>>>     resp = self._http_request(url, method, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py",
>>> line 361, in _http_request
>>>     raise exc.from_response(resp)
>>> heatclient.exc.HTTPUnauthorized: ERROR: Authentication required
>>>
>>>
>>> Regards,
>>> NareshA.
>>>
>>> On Wed, Feb 1, 2017 at 2:16 PM, Davide Panarese <dpanarese at enter.eu>
>>> wrote:
>>>
>>>> Could you debug heat api call with heat —debug stack-list?
>>>> Did you associate heat user to service tenant and give it admin role?
>>>>
>>>> Davide
>>>>
>>>> On 31 Jan 2017, at 19:54, NareshA kumar <nka at criterionnetworks.com>
>>>> wrote:
>>>>
>>>> Hi,
>>>> I am installing heat in kilo with keystone v2 APIs. As per document I
>>>> have configured the endpoints and heat.conf. "heat stack-list" gives me
>>>> Authentication required error. In heat-api.log I am seeing "Authorization
>>>> failed for token" message.
>>>> Can anyone help me solve this issue?
>>>>
>>>> Regards,
>>>> NareshA.
>>>>
>>>> --
>>>> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non
>>>> infetto.
>>>> Clicca qui per segnalarlo come spam.
>>>> <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=32A47402B1.A84A6>
>>>> Clicca qui per metterlo in blacklist
>>>> <http://mx01.enter.it/cgi-bin/learn-msg.cgi?blacklist=1&id=32A47402B1.A84A6>
>>>> _______________________________________________
>>>> Mailing list: http://lists.openstack.org/cgi
>>>> -bin/mailman/listinfo/openstack
>>>> Post to     : openstack at lists.openstack.org
>>>> Unsubscribe : http://lists.openstack.org/cgi
>>>> -bin/mailman/listinfo/openstack
>>>>
>>>>
>>>>
>>>
>>> --
>>> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non
>>> infetto.
>>> Clicca qui per segnalarlo come spam.
>>> <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=557444011D.A905A>
>>> Clicca qui per metterlo in blacklist
>>> <http://mx01.enter.it/cgi-bin/learn-msg.cgi?blacklist=1&id=557444011D.A905A>
>>> _______________________________________________
>>> Mailing list: http://lists.openstack.org/cgi
>>> -bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe : http://lists.openstack.org/cgi
>>> -bin/mailman/listinfo/openstack
>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20170202/6e385ebe/attachment.html>

More information about the Openstack mailing list