[Openstack] [Heat] Authentication required error in kilo with keystone v2 APIs

Davide Panarese dpanarese at enter.eu
Thu Feb 2 15:59:23 UTC 2017 

Hi,
do you have other services or only heat configured?! 
Did you check if keystone store token properly? I had the same problem when my memcache token backend didn’t work.

If not, it seems all correct. Did you follow openstack install official guide?

Davide

> On 02 Feb 2017, at 10:19, NareshA kumar <nka at criterionnetworks.com> wrote:
> 
> Dear Davide,
> Below are the steps I have followed to configure heat in kilo. Please let me know if I am missing something here.
> 
> mysql -u root -p
> 
> CREATE DATABASE heat;
> 
> GRANT ALL PRIVILEGES ON heat.* TO 'heat'@'localhost' \
>   IDENTIFIED BY 'heat';
> GRANT ALL PRIVILEGES ON heat.* TO 'heat'@'%' \
>   IDENTIFIED BY 'heat';
> 
> export OS_TENANT_NAME='openstack'
> export OS_USERNAME='admin'
> export OS_PASSWORD='Chang3M3'
> export OS_AUTH_URL='https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>'
> export OS_AUTH_STRATEGY='keystone'
> export OS_REGION_NAME='RegionOne'
> 
> 
> keystone user-create --name heat --pass heat
> keystone user-role-add --user heat --role admin --tenant services
> keystone service-create --name heat --description "Orchestration" --type orchestration
> keystone service-create --name heat-cfn --description "Orchestration" --type cloudformation
> keystone endpoint-create --service heat --publicurl "MailScanner warning: numerical links are often malicious: http://54.174.88.227:8004/v1/%(tenant_id)s <http://54.174.88.227:8004/v1/%(tenant_id)s>" --adminurl "MailScanner warning: numerical links are often malicious: http://54.174.88.227:8004/v1/%(tenant_id)s <http://54.174.88.227:8004/v1/%(tenant_id)s>" --internalurl "MailScanner warning: numerical links are often malicious: http://54.174.88.227:8004/v1/%(tenant_id)s <http://54.174.88.227:8004/v1/%(tenant_id)s>"
> keystone endpoint-create --service heat-cfn --publicurl "MailScanner warning: numerical links are often malicious: http://54.174.88.227:8000/v1/%(tenant_id)s <http://54.174.88.227:8000/v1/%(tenant_id)s>" --adminurl "MailScanner warning: numerical links are often malicious: http://54.174.88.227:8000/v1/%(tenant_id)s <http://54.174.88.227:8000/v1/%(tenant_id)s>" --internalurl "MailScanner warning: numerical links are often malicious: http://54.174.88.227:8000/v1/%(tenant_id)s <http://54.174.88.227:8000/v1/%(tenant_id)s>"
> keystone role-create --name heat_stack_owner
> keystone user-role-add --user admin --tenant openstack --role heat_stack_owner
> keystone role-create --name heat_stack_user
> 
> heat-keystone-setup-domain \
> –stack-user-domain-name heat_user_domain \
> –stack-domain-admin heat_domain_admin \
> –stack-domain-admin-password $HeatPass | tee heat-keystone-setup-domain.out
> 
> heact.conf:
> [DEFAULT]
> debug = true
> verbose = true
> rpc_backend = zmq
> heat_metadata_server_url = MailScanner warning: numerical links are often malicious: http://54.174.88.227:8000 <http://54.174.88.227:8000/>
> heat_waitcondition_server_url = MailScanner warning: numerical links are often malicious: http://54.174.88.227:8000/v1/waitcondition <http://54.174.88.227:8000/v1/waitcondition>
> stack_domain_admin  = heat_domain_admin
> stack_domain_admin_password  = Chang3M3
> stack_user_domain_name = heat_user_domain
> stack_user_domain_id=f798141e117a417996a736ba8f57f368
> rpc_zmq_host = 54.174.88.227
> [database]
> connection = mysql://heat:heat@54.174.88.227/heat <http://heat:heat@54.174.88.227/heat>
> [keystone_authtoken]
> auth_uri = https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>
> identity_url = https://identity.cncloud.com:35357 <https://identity.cncloud.com:35357/>
> #memcached_servers = controller:11211
> project_name = services
> auth_type = password
> admin_tenant_name = services
> admin_user = heat
> admin_password = heat
> [ec2authtoken]
> auth_uri =  https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>
> 
> heat-manage db_sync
> 
> service heat-api restart
> service heat-api-cfn restart
> service heat-engine restart
> 
> export OS_TENANT_NAME='services'
> export OS_USERNAME='heat'
> export OS_PASSWORD='heat'
> export OS_AUTH_URL='https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>'
> export OS_AUTH_STRATEGY='keystone'
> export OS_REGION_NAME='RegionOne'
> 
> heat stack-list
> 
> ERROR : Authentication Required.
> 
>  
> 
> Regards,
> NareshA.
> 
> On Wed, Feb 1, 2017 at 4:07 PM, NareshA kumar <nka at criterionnetworks.com <mailto:nka at criterionnetworks.com>> wrote:
> Davide,
> Yes I am using the heat credentials as you have mentioned. But still I am getting Authentication required error.
> 
> Regards,
> NareshA.
> 
> On Wed, Feb 1, 2017 at 4:01 PM, NareshA kumar <nka at criterionnetworks.com <mailto:nka at criterionnetworks.com>> wrote:
> Davide,
> Yes I am using the heat credentials as you have mentioned. But still I am getting Authentication required error.
> 
> I am attaching heat-api.log here for your reference. I am guessing that I would have missed something while creating heat domains.
> 
> Regards,
> NareshA.
> 
> On Wed, Feb 1, 2017 at 3:14 PM, Davide Panarese <dpanarese at enter.eu <mailto:dpanarese at enter.eu>> wrote:
> If you use heat creadential for token request it works?
> 
> export OS_AUTH_URL=https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>
> export OS_REGION_NAME=RegionOne
> export OS_USERNAME=heat
> export OS_TENANT_NAME=services
> export OS_PASSWORD=heat
> 
> keystone token-get 
> 
> Davide
>> On 01 Feb 2017, at 10:10, NareshA kumar <nka at criterionnetworks.com <mailto:nka at criterionnetworks.com>> wrote:
>> 
>> I have associated heat user to services tenant and gave it a admin role.
>> 
>> keystone user-role-list --user heat --tenant services
>> +----------------------------------+-------+----------------------------------+----------------------------------+
>> |                id                |  name |             user_id              |            tenant_id             |
>> +----------------------------------+-------+----------------------------------+----------------------------------+
>> | 2b995253c23e4c1db8cd374346a4ecd4 | admin | 645eb7e9f04f4a2b8df65272a23c1394 | 024890084b7642e9b8535b52a86584ea |
>> +----------------------------------+-------+----------------------------------+----------------------------------+
>> 
>> heat --debug stack-list
>> 
>> DEBUG (session) REQ: curl -g -i -X GET https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0> -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
>> DEBUG (session) RESP: [200] x-openstack-request-id: req-2515497e-671b-475e-b48c-0cb6f2ccfe2f content-length: 347 via: 1.1 identity.cncloud.com:5000 <http://identity.cncloud.com:5000/> access-control-expose-headers: Accept, Content-Type, X-Auth-Token, X-Subject-Token vary: X-Auth-Token server: Apache/2.4.7 (Ubuntu) connection: close access-control-allow-methods: GET POST OPTIONS PUT DELETE PATCH date: Wed, 01 Feb 2017 09:07:01 GMT access-control-allow-origin: * access-control-allow-headers: Accept, Content-Type, X-Auth-Token, X-Subject-Token content-type: application/json x-distribution: Ubuntu 
>> RESP BODY: {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "https://identity.cncloud.com:5000/v2.0/ <https://identity.cncloud.com:5000/v2.0/>", "rel": "self"}, {"href": "http://docs.openstack.org/ <http://docs.openstack.org/>", "type": "text/html", "rel": "describedby"}]}}
>> 
>> DEBUG (v2) Making authentication request to https://identity.cncloud.com:5000/v2.0/tokens <https://identity.cncloud.com:5000/v2.0/tokens>
>> DEBUG (session) REQ: curl -g -i -X GET MailScanner ha rilevato un possibile tentativo di frode proveniente da "54.174.88.227:8004" MailScanner warning: numerical links are often malicious: http://54.174.88.227:8004/v1/0c28d40bdcf0472d8dfb214a5c0286c4/stacks <http://54.174.88.227:8004/v1/0c28d40bdcf0472d8dfb214a5c0286c4/stacks>? -H "Accept: application/json" -H "User-Agent: python-heatclient" -H "X-Region-Name: RegionOne" -H "X-Auth-Token: {SHA1}9cc75daaff59cdb14a75bfb74ca6d77ebb8d8ac6" -H "Content-Type: application/json" -H "X-Auth-Url: https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>"
>> DEBUG (session) RESP:
>> DEBUG (v2) Making authentication request to https://identity.cncloud.com:5000/v2.0/tokens <https://identity.cncloud.com:5000/v2.0/tokens>
>> DEBUG (session) RESP:
>> Traceback (most recent call last):
>>   File "/usr/bin/heat", line 10, in <module>
>>     sys.exit(main())
>>   File "/usr/lib/python2.7/dist-packages/heatclient/shell.py", line 706, in main
>>     HeatShell().main(args)
>>   File "/usr/lib/python2.7/dist-packages/heatclient/shell.py", line 656, in main
>>     args.func(client, args)
>>   File "/usr/lib/python2.7/dist-packages/heatclient/v1/shell.py", line 581, in do_stack_list
>>     utils.print_list(stacks, fields, sortby_index=3)
>>   File "/usr/lib/python2.7/dist-packages/heatclient/openstack/common/cliutils.py", line 169, in print_list
>>     for o in objs:
>>   File "/usr/lib/python2.7/dist-packages/heatclient/v1/stacks.py", line 100, in paginate
>>     stacks = self._list(url, 'stacks')
>>   File "/usr/lib/python2.7/dist-packages/heatclient/openstack/common/apiclient/base.py", line 117, in _list
>>     body = self.client.get(url).json()
>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py", line 292, in get
>>     return self.client_request("GET", url, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py", line 285, in client_request
>>     resp, body = self.json_request(method, url, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py", line 266, in json_request
>>     resp = self._http_request(url, method, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py", line 361, in _http_request
>>     raise exc.from_response(resp)
>> heatclient.exc.HTTPUnauthorized: ERROR: Authentication required
>> 
>> 
>> Regards,
>> NareshA.
>> 
>> On Wed, Feb 1, 2017 at 2:16 PM, Davide Panarese <dpanarese at enter.eu <mailto:dpanarese at enter.eu>> wrote:
>> Could you debug heat api call with heat —debug stack-list?
>> Did you associate heat user to service tenant and give it admin role?
>> 
>> Davide
>>> On 31 Jan 2017, at 19:54, NareshA kumar <nka at criterionnetworks.com <mailto:nka at criterionnetworks.com>> wrote:
>>> 
>>> Hi,
>>> I am installing heat in kilo with keystone v2 APIs. As per document I have configured the endpoints and heat.conf. "heat stack-list" gives me Authentication required error. In heat-api.log I am seeing "Authorization failed for token" message. 
>>> Can anyone help me solve this issue?
>>> 
>>> Regards,
>>> NareshA.
>>> 
>>> -- 
>>> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto. 
>>> Clicca qui per segnalarlo come spam. <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=32A47402B1.A84A6> 
>>> Clicca qui per metterlo in blacklist <http://mx01.enter.it/cgi-bin/learn-msg.cgi?blacklist=1&id=32A47402B1.A84A6> _______________________________________________
>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>>> Post to     : openstack at lists.openstack.org <mailto:openstack at lists.openstack.org>
>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>> 
>> 
>> 
>> -- 
>> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto. 
>> Clicca qui per segnalarlo come spam. <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=557444011D.A905A> 
>> Clicca qui per metterlo in blacklist <http://mx01.enter.it/cgi-bin/learn-msg.cgi?blacklist=1&id=557444011D.A905A> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>> Post to     : openstack at lists.openstack.org <mailto:openstack at lists.openstack.org>
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
> 
> 
> 
> 
> 
> -- 
> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto. 
> Clicca qui per segnalarlo come spam. <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=B4EDD402E7.ADD0F> 
> Clicca qui per metterlo in blacklist <http://mx01.enter.it/cgi-bin/learn-msg.cgi?blacklist=1&id=B4EDD402E7.ADD0F> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20170202/0694680c/attachment.html>

More information about the Openstack mailing list