[Openstack] [Heat] Authentication required error in kilo with keystone v2 APIs

Davide Panarese dpanarese at enter.eu
Fri Feb 3 08:10:30 UTC 2017


If you’re using v2 authentication Domains are not enabled. Did you try to use v3 authentication?! I’m using keystone v3 (i follow mitaka install too)

Let me know.

Davide
> On 02 Feb 2017, at 20:15, NareshA kumar <nka at criterionnetworks.com> wrote:
> 
> Davide,
> I have other services like cinder and tacker configured (tacker is not working as it needs heat). Memcached server is working still authentication error is there.
> I followed http://docs.openstack.org/mitaka/install-guide-ubuntu/heat-install.html <http://docs.openstack.org/mitaka/install-guide-ubuntu/heat-install.html> In keystone v2 we cant create domains as mentioned in this document. Is there any suitable document for keystone v2 that I can follow? Please let me know how can I check if keystone store the token properly?
> 
> Regards,
> NareshA.
> 
> On Thu, Feb 2, 2017 at 9:29 PM, Davide Panarese <dpanarese at enter.eu <mailto:dpanarese at enter.eu>> wrote:
> Hi,
> do you have other services or only heat configured?! 
> Did you check if keystone store token properly? I had the same problem when my memcache token backend didn’t work.
> 
> If not, it seems all correct. Did you follow openstack install official guide?
> 
> Davide
> 
>> On 02 Feb 2017, at 10:19, NareshA kumar <nka at criterionnetworks.com <mailto:nka at criterionnetworks.com>> wrote:
>> 
>> Dear Davide,
>> Below are the steps I have followed to configure heat in kilo. Please let me know if I am missing something here.
>> 
>> mysql -u root -p
>> 
>> CREATE DATABASE heat;
>> 
>> GRANT ALL PRIVILEGES ON heat.* TO 'heat'@'localhost' \
>>   IDENTIFIED BY 'heat';
>> GRANT ALL PRIVILEGES ON heat.* TO 'heat'@'%' \
>>   IDENTIFIED BY 'heat';
>> 
>> export OS_TENANT_NAME='openstack'
>> export OS_USERNAME='admin'
>> export OS_PASSWORD='Chang3M3'
>> export OS_AUTH_URL='https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>'
>> export OS_AUTH_STRATEGY='keystone'
>> export OS_REGION_NAME='RegionOne'
>> 
>> 
>> keystone user-create --name heat --pass heat
>> keystone user-role-add --user heat --role admin --tenant services
>> keystone service-create --name heat --description "Orchestration" --type orchestration
>> keystone service-create --name heat-cfn --description "Orchestration" --type cloudformation
>> keystone endpoint-create --service heat --publicurl "MailScanner ha rilevato un possibile tentativo di frode proveniente da "54.174.88.227:8004" MailScanner warning: numerical links are often malicious: http://54.174.88.227:8004/v1/%(tenant_id)s <http://54.174.88.227:8004/v1/%(tenant_id)s>" --adminurl "MailScanner ha rilevato un possibile tentativo di frode proveniente da "54.174.88.227:8004" MailScanner warning: numerical links are often malicious:http://54.174.88.227:8004/v1/%(tenant_id)s <http://54.174.88.227:8004/v1/%(tenant_id)s>" --internalurl "MailScanner ha rilevato un possibile tentativo di frode proveniente da "54.174.88.227:8004" MailScanner warning: numerical links are often malicious: http://54.174.88.227:8004/v1/%(tenant_id)s <http://54.174.88.227:8004/v1/%(tenant_id)s>"
>> keystone endpoint-create --service heat-cfn --publicurl "MailScanner ha rilevato un possibile tentativo di frode proveniente da "54.174.88.227:8000" MailScanner warning: numerical links are often malicious: http://54.174.88.227:8000/v1/%(tenant_id)s <http://54.174.88.227:8000/v1/%(tenant_id)s>" --adminurl "MailScanner ha rilevato un possibile tentativo di frode proveniente da "54.174.88.227:8000" MailScanner warning: numerical links are often malicious: http://54.174.88.227:8000/v1/%(tenant_id)s <http://54.174.88.227:8000/v1/%(tenant_id)s>" --internalurl "MailScanner ha rilevato un possibile tentativo di frode proveniente da "54.174.88.227:8000" MailScanner warning: numerical links are often malicious: http://54.174.88.227:8000/v1/%(tenant_id)s <http://54.174.88.227:8000/v1/%(tenant_id)s>"
>> keystone role-create --name heat_stack_owner
>> keystone user-role-add --user admin --tenant openstack --role heat_stack_owner
>> keystone role-create --name heat_stack_user
>> 
>> heat-keystone-setup-domain \
>> –stack-user-domain-name heat_user_domain \
>> –stack-domain-admin heat_domain_admin \
>> –stack-domain-admin-password $HeatPass | tee heat-keystone-setup-domain.out
>> 
>> heact.conf:
>> [DEFAULT]
>> debug = true
>> verbose = true
>> rpc_backend = zmq
>> heat_metadata_server_url = MailScanner ha rilevato un possibile tentativo di frode proveniente da "54.174.88.227:8000" MailScanner warning: numerical links are often malicious: http://54.174.88.227:8000 <http://54.174.88.227:8000/>
>> heat_waitcondition_server_url = MailScanner ha rilevato un possibile tentativo di frode proveniente da "54.174.88.227:8000" MailScanner warning: numerical links are often malicious: http://54.174.88.227:8000/v1/waitcondition <http://54.174.88.227:8000/v1/waitcondition>
>> stack_domain_admin  = heat_domain_admin
>> stack_domain_admin_password  = Chang3M3
>> stack_user_domain_name = heat_user_domain
>> stack_user_domain_id=f798141e117a417996a736ba8f57f368
>> rpc_zmq_host = 54.174.88.227
>> [database]
>> connection = mysql://heat:heat@54.174.88.227/heat <http://heat:heat@54.174.88.227/heat>
>> [keystone_authtoken]
>> auth_uri = https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>
>> identity_url = https://identity.cncloud.com:35357 <https://identity.cncloud.com:35357/>
>> #memcached_servers = controller:11211
>> project_name = services
>> auth_type = password
>> admin_tenant_name = services
>> admin_user = heat
>> admin_password = heat
>> [ec2authtoken]
>> auth_uri =  https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>
>> 
>> heat-manage db_sync
>> 
>> service heat-api restart
>> service heat-api-cfn restart
>> service heat-engine restart
>> 
>> export OS_TENANT_NAME='services'
>> export OS_USERNAME='heat'
>> export OS_PASSWORD='heat'
>> export OS_AUTH_URL='https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>'
>> export OS_AUTH_STRATEGY='keystone'
>> export OS_REGION_NAME='RegionOne'
>> 
>> heat stack-list
>> 
>> ERROR : Authentication Required.
>> 
>>  
>> 
>> Regards,
>> NareshA.
>> 
>> On Wed, Feb 1, 2017 at 4:07 PM, NareshA kumar <nka at criterionnetworks.com <mailto:nka at criterionnetworks.com>> wrote:
>> Davide,
>> Yes I am using the heat credentials as you have mentioned. But still I am getting Authentication required error.
>> 
>> Regards,
>> NareshA.
>> 
>> On Wed, Feb 1, 2017 at 4:01 PM, NareshA kumar <nka at criterionnetworks.com <mailto:nka at criterionnetworks.com>> wrote:
>> Davide,
>> Yes I am using the heat credentials as you have mentioned. But still I am getting Authentication required error.
>> 
>> I am attaching heat-api.log here for your reference. I am guessing that I would have missed something while creating heat domains.
>> 
>> Regards,
>> NareshA.
>> 
>> On Wed, Feb 1, 2017 at 3:14 PM, Davide Panarese <dpanarese at enter.eu <mailto:dpanarese at enter.eu>> wrote:
>> If you use heat creadential for token request it works?
>> 
>> export OS_AUTH_URL=https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>
>> export OS_REGION_NAME=RegionOne
>> export OS_USERNAME=heat
>> export OS_TENANT_NAME=services
>> export OS_PASSWORD=heat
>> 
>> keystone token-get 
>> 
>> Davide
>>> On 01 Feb 2017, at 10:10, NareshA kumar <nka at criterionnetworks.com <mailto:nka at criterionnetworks.com>> wrote:
>>> 
>>> I have associated heat user to services tenant and gave it a admin role.
>>> 
>>> keystone user-role-list --user heat --tenant services
>>> +----------------------------------+-------+----------------------------------+----------------------------------+
>>> |                id                |  name |             user_id              |            tenant_id             |
>>> +----------------------------------+-------+----------------------------------+----------------------------------+
>>> | 2b995253c23e4c1db8cd374346a4ecd4 | admin | 645eb7e9f04f4a2b8df65272a23c1394 | 024890084b7642e9b8535b52a86584ea |
>>> +----------------------------------+-------+----------------------------------+----------------------------------+
>>> 
>>> heat --debug stack-list
>>> 
>>> DEBUG (session) REQ: curl -g -i -X GET https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0> -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
>>> DEBUG (session) RESP: [200] x-openstack-request-id: req-2515497e-671b-475e-b48c-0cb6f2ccfe2f content-length: 347 via: 1.1 identity.cncloud.com:5000 <http://identity.cncloud.com:5000/> access-control-expose-headers: Accept, Content-Type, X-Auth-Token, X-Subject-Token vary: X-Auth-Token server: Apache/2.4.7 (Ubuntu) connection: close access-control-allow-methods: GET POST OPTIONS PUT DELETE PATCH date: Wed, 01 Feb 2017 09:07:01 GMT access-control-allow-origin: * access-control-allow-headers: Accept, Content-Type, X-Auth-Token, X-Subject-Token content-type: application/json x-distribution: Ubuntu 
>>> RESP BODY: {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "https://identity.cncloud.com:5000/v2.0/ <https://identity.cncloud.com:5000/v2.0/>", "rel": "self"}, {"href": "http://docs.openstack.org/ <http://docs.openstack.org/>", "type": "text/html", "rel": "describedby"}]}}
>>> 
>>> DEBUG (v2) Making authentication request to https://identity.cncloud.com:5000/v2.0/tokens <https://identity.cncloud.com:5000/v2.0/tokens>
>>> DEBUG (session) REQ: curl -g -i -X GET MailScanner ha rilevato un possibile tentativo di frode proveniente da "54.174.88.227:8004" MailScanner warning: numerical links are often malicious: http://54.174.88.227:8004/v1/0c28d40bdcf0472d8dfb214a5c0286c4/stacks <http://54.174.88.227:8004/v1/0c28d40bdcf0472d8dfb214a5c0286c4/stacks>? -H "Accept: application/json" -H "User-Agent: python-heatclient" -H "X-Region-Name: RegionOne" -H "X-Auth-Token: {SHA1}9cc75daaff59cdb14a75bfb74ca6d77ebb8d8ac6" -H "Content-Type: application/json" -H "X-Auth-Url: https://identity.cncloud.com:5000/v2.0 <https://identity.cncloud.com:5000/v2.0>"
>>> DEBUG (session) RESP:
>>> DEBUG (v2) Making authentication request to https://identity.cncloud.com:5000/v2.0/tokens <https://identity.cncloud.com:5000/v2.0/tokens>
>>> DEBUG (session) RESP:
>>> Traceback (most recent call last):
>>>   File "/usr/bin/heat", line 10, in <module>
>>>     sys.exit(main())
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/shell.py", line 706, in main
>>>     HeatShell().main(args)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/shell.py", line 656, in main
>>>     args.func(client, args)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/v1/shell.py", line 581, in do_stack_list
>>>     utils.print_list(stacks, fields, sortby_index=3)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/openstack/common/cliutils.py", line 169, in print_list
>>>     for o in objs:
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/v1/stacks.py", line 100, in paginate
>>>     stacks = self._list(url, 'stacks')
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/openstack/common/apiclient/base.py", line 117, in _list
>>>     body = self.client.get(url).json()
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py", line 292, in get
>>>     return self.client_request("GET", url, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py", line 285, in client_request
>>>     resp, body = self.json_request(method, url, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py", line 266, in json_request
>>>     resp = self._http_request(url, method, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/heatclient/common/http.py", line 361, in _http_request
>>>     raise exc.from_response(resp)
>>> heatclient.exc.HTTPUnauthorized: ERROR: Authentication required
>>> 
>>> 
>>> Regards,
>>> NareshA.
>>> 
>>> On Wed, Feb 1, 2017 at 2:16 PM, Davide Panarese <dpanarese at enter.eu <mailto:dpanarese at enter.eu>> wrote:
>>> Could you debug heat api call with heat —debug stack-list?
>>> Did you associate heat user to service tenant and give it admin role?
>>> 
>>> Davide
>>>> On 31 Jan 2017, at 19:54, NareshA kumar <nka at criterionnetworks.com <mailto:nka at criterionnetworks.com>> wrote:
>>>> 
>>>> Hi,
>>>> I am installing heat in kilo with keystone v2 APIs. As per document I have configured the endpoints and heat.conf. "heat stack-list" gives me Authentication required error. In heat-api.log I am seeing "Authorization failed for token" message. 
>>>> Can anyone help me solve this issue?
>>>> 
>>>> Regards,
>>>> NareshA.
>>>> 
>>>> -- 
>>>> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto. 
>>>> Clicca qui per segnalarlo come spam. <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=32A47402B1.A84A6> 
>>>> Clicca qui per metterlo in blacklist <http://mx01.enter.it/cgi-bin/learn-msg.cgi?blacklist=1&id=32A47402B1.A84A6> _______________________________________________
>>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>>>> Post to     : openstack at lists.openstack.org <mailto:openstack at lists.openstack.org>
>>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>>> 
>>> 
>>> 
>>> -- 
>>> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto. 
>>> Clicca qui per segnalarlo come spam. <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=557444011D.A905A> 
>>> Clicca qui per metterlo in blacklist <http://mx01.enter.it/cgi-bin/learn-msg.cgi?blacklist=1&id=557444011D.A905A> _______________________________________________
>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>>> Post to     : openstack at lists.openstack.org <mailto:openstack at lists.openstack.org>
>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto. 
>> Clicca qui per segnalarlo come spam. <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=B4EDD402E7.ADD0F> 
>> Clicca qui per metterlo in blacklist <http://mx01.enter.it/cgi-bin/learn-msg.cgi?blacklist=1&id=B4EDD402E7.ADD0F> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>> Post to     : openstack at lists.openstack.org <mailto:openstack at lists.openstack.org>
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
> 
> 
> 
> -- 
> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto. 
> Clicca qui per segnalarlo come spam. <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=9F70240221.A5908> 
> Clicca qui per metterlo in blacklist <http://mx01.enter.it/cgi-bin/learn-msg.cgi?blacklist=1&id=9F70240221.A5908>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20170203/9225bfaf/attachment.html>


More information about the Openstack mailing list