HTTP error 401 when configuring keystone

chriss picture chriss · Dec 10, 2015 · Viewed 17k times · Source

I am attempting to install keystone on my controller node. I am using the install guide located at http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-services.html. I am having some issues when I get to the following step.

The Identity service manages a catalog of services in your OpenStack environment. Services use this catalog to determine the other services available in your environment.

Create the service entity for the Identity service:

$ openstack service create \ --name keystone --description "OpenStack Identity" identity

The error that I get is: ERROR: openstack The request you have made requires authentication. (HTTP 401) (Request-ID: req-58dd8b55-78ce-4c4f-9319-6d35dde192eb)

Output of command with --debug is:

    [root@controller1 ~]# openstack service create   --name keystone --description "OpenStack Identity" identity --debug
DEBUG: cliff.commandmanager found command 'hypervisor_stats_show'
DEBUG: cliff.commandmanager found command 'security_group_create'
DEBUG: cliff.commandmanager found command 'security_group_rule_list'
DEBUG: cliff.commandmanager found command 'ip_floating_add'
DEBUG: cliff.commandmanager found command 'keypair_list'
DEBUG: cliff.commandmanager found command 'flavor_unset'
DEBUG: cliff.commandmanager found command 'host_show'
DEBUG: cliff.commandmanager found command 'host_list'
DEBUG: cliff.commandmanager found command 'hypervisor_show'
DEBUG: cliff.commandmanager found command 'server_pause'
DEBUG: cliff.commandmanager found command 'server_reboot'
DEBUG: cliff.commandmanager found command 'server_migrate'
DEBUG: cliff.commandmanager found command 'server_set'
DEBUG: cliff.commandmanager found command 'server_add_security_group'
DEBUG: cliff.commandmanager found command 'server_unrescue'
DEBUG: cliff.commandmanager found command 'usage_list'
DEBUG: cliff.commandmanager found command 'keypair_show'
DEBUG: cliff.commandmanager found command 'security_group_set'
DEBUG: cliff.commandmanager found command 'compute_agent_create'
DEBUG: cliff.commandmanager found command 'server_rescue'
DEBUG: cliff.commandmanager found command 'console_log_show'
DEBUG: cliff.commandmanager found command 'compute_agent_delete'
DEBUG: cliff.commandmanager found command 'server_ssh'
DEBUG: cliff.commandmanager found command 'server_lock'
DEBUG: cliff.commandmanager found command 'server_unset'
DEBUG: cliff.commandmanager found command 'server_show'
DEBUG: cliff.commandmanager found command 'server_suspend'
DEBUG: cliff.commandmanager found command 'server_add_volume'
DEBUG: cliff.commandmanager found command 'server_image_create'
DEBUG: cliff.commandmanager found command 'flavor_list'
DEBUG: cliff.commandmanager found command 'server_remove_volume'
DEBUG: cliff.commandmanager found command 'compute_agent_set'
DEBUG: cliff.commandmanager found command 'aggregate_add_host'
DEBUG: cliff.commandmanager found command 'aggregate_remove_host'
DEBUG: cliff.commandmanager found command 'compute_service_set'
DEBUG: cliff.commandmanager found command 'aggregate_create'
DEBUG: cliff.commandmanager found command 'keypair_create'
DEBUG: cliff.commandmanager found command 'ip_floating_list'
DEBUG: cliff.commandmanager found command 'aggregate_delete'
DEBUG: cliff.commandmanager found command 'flavor_set'
DEBUG: cliff.commandmanager found command 'security_group_rule_create'
DEBUG: cliff.commandmanager found command 'security_group_delete'
DEBUG: cliff.commandmanager found command 'server_rebuild'
DEBUG: cliff.commandmanager found command 'flavor_delete'
DEBUG: cliff.commandmanager found command 'server_delete'
DEBUG: cliff.commandmanager found command 'project_usage_list'
DEBUG: cliff.commandmanager found command 'availability_zone_list'
DEBUG: cliff.commandmanager found command 'hypervisor_list'
DEBUG: cliff.commandmanager found command 'flavor_create'
DEBUG: cliff.commandmanager found command 'console_url_show'
DEBUG: cliff.commandmanager found command 'ip_fixed_add'
DEBUG: cliff.commandmanager found command 'server_remove_security_group'
DEBUG: cliff.commandmanager found command 'usage_show'
DEBUG: cliff.commandmanager found command 'compute_agent_list'
DEBUG: cliff.commandmanager found command 'flavor_show'
DEBUG: cliff.commandmanager found command 'ip_fixed_remove'
DEBUG: cliff.commandmanager found command 'ip_floating_create'
DEBUG: cliff.commandmanager found command 'server_list'
DEBUG: cliff.commandmanager found command 'server_create'
DEBUG: cliff.commandmanager found command 'ip_floating_pool_list'
DEBUG: cliff.commandmanager found command 'aggregate_show'
DEBUG: cliff.commandmanager found command 'security_group_show'
DEBUG: cliff.commandmanager found command 'keypair_delete'
DEBUG: cliff.commandmanager found command 'server_resize'
DEBUG: cliff.commandmanager found command 'security_group_rule_delete'
DEBUG: cliff.commandmanager found command 'ip_floating_delete'
DEBUG: cliff.commandmanager found command 'ip_floating_remove'
DEBUG: cliff.commandmanager found command 'security_group_list'
DEBUG: cliff.commandmanager found command 'server_resume'
DEBUG: cliff.commandmanager found command 'aggregate_set'
DEBUG: cliff.commandmanager found command 'aggregate_list'
DEBUG: cliff.commandmanager found command 'server_unpause'
DEBUG: cliff.commandmanager found command 'compute_service_list'
DEBUG: cliff.commandmanager found command 'server_unlock'
DEBUG: openstackclient.shell compute API version 2, cmd group openstack.compute.v2
DEBUG: cliff.commandmanager found command 'network_set'
DEBUG: cliff.commandmanager found command 'network_delete'
DEBUG: cliff.commandmanager found command 'network_list'
DEBUG: cliff.commandmanager found command 'network_show'
DEBUG: cliff.commandmanager found command 'network_create'
DEBUG: openstackclient.shell network API version 2, cmd group openstack.network.v2
DEBUG: cliff.commandmanager found command 'image_set'
DEBUG: cliff.commandmanager found command 'image_delete'
DEBUG: cliff.commandmanager found command 'image_create'
DEBUG: cliff.commandmanager found command 'image_list'
DEBUG: cliff.commandmanager found command 'image_show'
DEBUG: cliff.commandmanager found command 'image_save'
DEBUG: openstackclient.shell image API version 1, cmd group openstack.image.v1
DEBUG: cliff.commandmanager found command 'snapshot_show'
DEBUG: cliff.commandmanager found command 'backup_create'
DEBUG: cliff.commandmanager found command 'volume_list'
DEBUG: cliff.commandmanager found command 'volume_show'
DEBUG: cliff.commandmanager found command 'snapshot_unset'
DEBUG: cliff.commandmanager found command 'volume_set'
DEBUG: cliff.commandmanager found command 'backup_delete'
DEBUG: cliff.commandmanager found command 'volume_create'
DEBUG: cliff.commandmanager found command 'volume_type_list'
DEBUG: cliff.commandmanager found command 'volume_type_create'
DEBUG: cliff.commandmanager found command 'backup_restore'
DEBUG: cliff.commandmanager found command 'backup_list'
DEBUG: cliff.commandmanager found command 'volume_unset'
DEBUG: cliff.commandmanager found command 'backup_show'
DEBUG: cliff.commandmanager found command 'volume_type_delete'
DEBUG: cliff.commandmanager found command 'volume_type_set'
DEBUG: cliff.commandmanager found command 'snapshot_set'
DEBUG: cliff.commandmanager found command 'snapshot_list'
DEBUG: cliff.commandmanager found command 'snapshot_delete'
DEBUG: cliff.commandmanager found command 'volume_delete'
DEBUG: cliff.commandmanager found command 'snapshot_create'
DEBUG: cliff.commandmanager found command 'volume_type_unset'
DEBUG: openstackclient.shell volume API version 1, cmd group openstack.volume.v1
DEBUG: cliff.commandmanager found command 'project_create'
DEBUG: cliff.commandmanager found command 'project_list'
DEBUG: cliff.commandmanager found command 'ec2_credentials_list'
DEBUG: cliff.commandmanager found command 'service_list'
DEBUG: cliff.commandmanager found command 'role_add'
DEBUG: cliff.commandmanager found command 'project_show'
DEBUG: cliff.commandmanager found command 'role_show'
DEBUG: cliff.commandmanager found command 'endpoint_delete'
DEBUG: cliff.commandmanager found command 'project_set'
DEBUG: cliff.commandmanager found command 'service_create'
DEBUG: cliff.commandmanager found command 'service_show'
DEBUG: cliff.commandmanager found command 'endpoint_show'
DEBUG: cliff.commandmanager found command 'ec2_credentials_create'
DEBUG: cliff.commandmanager found command 'catalog_list'
DEBUG: cliff.commandmanager found command 'ec2_credentials_delete'
DEBUG: cliff.commandmanager found command 'service_delete'
DEBUG: cliff.commandmanager found command 'token_issue'
DEBUG: cliff.commandmanager found command 'project_delete'
DEBUG: cliff.commandmanager found command 'endpoint_list'
DEBUG: cliff.commandmanager found command 'role_list'
DEBUG: cliff.commandmanager found command 'user_create'
DEBUG: cliff.commandmanager found command 'user_delete'
DEBUG: cliff.commandmanager found command 'user_show'
DEBUG: cliff.commandmanager found command 'role_create'
DEBUG: cliff.commandmanager found command 'role_remove'
DEBUG: cliff.commandmanager found command 'role_delete'
DEBUG: cliff.commandmanager found command 'catalog_show'
DEBUG: cliff.commandmanager found command 'token_revoke'
DEBUG: cliff.commandmanager found command 'endpoint_create'
DEBUG: cliff.commandmanager found command 'user_role_list'
DEBUG: cliff.commandmanager found command 'user_set'
DEBUG: cliff.commandmanager found command 'user_list'
DEBUG: cliff.commandmanager found command 'ec2_credentials_show'
DEBUG: openstackclient.shell identity API version 2, cmd group openstack.identity.v2
DEBUG: cliff.commandmanager found command 'object_create'
DEBUG: cliff.commandmanager found command 'object_list'
DEBUG: cliff.commandmanager found command 'object_delete'
DEBUG: cliff.commandmanager found command 'container_list'
DEBUG: cliff.commandmanager found command 'object_show'
DEBUG: cliff.commandmanager found command 'container_delete'
DEBUG: cliff.commandmanager found command 'container_create'
DEBUG: cliff.commandmanager found command 'container_show'
DEBUG: cliff.commandmanager found command 'container_save'
DEBUG: cliff.commandmanager found command 'object_save'
DEBUG: openstackclient.shell object_store API version 1, cmd group openstack.object_store.v1
DEBUG: cliff.commandmanager found command 'extension_list'
DEBUG: cliff.commandmanager found command 'quota_set'
DEBUG: cliff.commandmanager found command 'quota_show'
DEBUG: cliff.commandmanager found command 'limits_show'
INFO: openstackclient.shell command: <none> -> openstackclient.identity.v2_0.service.CreateService
DEBUG: openstackclient.api.auth Auth plugin token_endpoint selected
DEBUG: openstackclient.api.auth auth_type: token_endpoint
DEBUG: openstackclient.api.auth fetching option os_url
DEBUG: openstackclient.api.auth fetching option os_token
INFO: openstackclient.common.clientmanager Using auth plugin: token_endpoint
DEBUG: openstackclient.common.clientmanager Get auth_ref
DEBUG: openstackclient.identity.v2_0.service.CreateService take_action(Namespace(columns=[], description='OpenStack Identity', formatter='table', max_width=0, name='keystone', prefix='', type=None, type_or_name='identity', variables=[]))
DEBUG: openstackclient.identity.client Instantiating identity client: <class 'openstackclient.identity.client.IdentityClientv2'>
DEBUG: keystoneclient.session REQ: curl -g -i -X POST http://controller1:35357/v2.0/OS-KSADM/services -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}cf34ffb4133f4ad7e2a491568ac411c6ffe6ddeb" -d '{"OS-KSADM:service": {"type": "identity", "name": "keystone", "description": "OpenStack Identity"}}'
INFO: requests.packages.urllib3.connectionpool Starting new HTTP connection (1): controller1
DEBUG: requests.packages.urllib3.connectionpool "POST /v2.0/OS-KSADM/services HTTP/1.1" 401 114
DEBUG: keystoneclient.session RESP:
DEBUG: keystoneclient.session Request returned failure status: 401
ERROR: openstack The request you have made requires authentication. (HTTP 401) (Request-ID: req-040ddfee-fa4b-455e-be65-0fe8397365e7)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 295, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 91, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/identity/v2_0/service.py", line 88, in take_action
    parsed_args.description)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/services.py", line 43, in create
    return self._create("/OS-KSADM/services", body, "OS-KSADM:service")
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 151, in _create
    return self._post(url, body, response_key, return_raw, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 165, in _post
    resp, body = self.client.post(url, body=body, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 176, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 397, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-040ddfee-fa4b-455e-be65-0fe8397365e7)
DEBUG: openstackclient.shell clean_up CreateService
DEBUG: openstackclient.shell got an error: The request you have made requires authentication. (HTTP 401) (Request-ID: req-040ddfee-fa4b-455e-be65-0fe8397365e7)
ERROR: openstackclient.shell Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 176, in run
    return super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 230, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 295, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 91, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/identity/v2_0/service.py", line 88, in take_action
    parsed_args.description)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/services.py", line 43, in create
    return self._create("/OS-KSADM/services", body, "OS-KSADM:service")
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 151, in _create
    return self._post(url, body, response_key, return_raw, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 165, in _post
    resp, body = self.client.post(url, body=body, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 176, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 397, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-040ddfee-fa4b-455e-be65-0fe8397365e7)

Output of keystone.log

  2015-12-09 12:03:34.635 3061 WARNING keystone.middleware.core [-] RBAC: Invalid token
2015-12-09 12:03:34.635 3061 WARNING keystone.common.wsgi [-] The request you have made requires authentication.

keystone.conf

admin_token =831751e080fe2a5cfd03
#connection = mysql://keystone:KEYSTONE_DBPASS@controller1/keystone

env variables:

OS_TOKEN=831751e080fe2a5cfd03
SHLVL=1
HOME=/root
LOGNAME=root
LESSOPEN=||/usr/bin/lesspipe.sh %s
OS_URL=http://controller1:35357/v2.0
XDG_RUNTIME_DIR=/run/user/0
_=/usr/bin/env

Thanks for your time and let me know if you have any questions.

Answer

user1411260 picture user1411260 · Dec 11, 2015

I believe the 401 error can happen when you have an unscoped token, that is, one without a tenant identified with it. See

https://ask.openstack.org/en/question/56243/keystone-authentication-to-publicadmin-port-and-scopedunscoped-token/