yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #41866
[Bug 1520095] [NEW] Missing user credentials in token request
Public bug reported:
I am running Ubuntu 14.04.3 and try to install OpenStack Liberty.
Keystone is running, but I had no luck with Glance. I always get a 401
and I am sure that all credentials ar correct:
The Keystone log contains:
2015-11-25 17:43:54.913446 2015-11-25 17:43:54.913 2255 WARNING keystone.common.wsgi [req-0982767e-5a26-4acb-86f3-5ffbda5c2198 - - - - -] Expecting to find id or name in user - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.
Have look to the following trace:
openstack --debug image list
START with options: ['--debug', 'image', 'list']
options: Namespace(access_token_endpoint='', auth_type='password', auth_url='http://os-controller:35357/v3', cacert='', client_id='', client_secret='', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', insecure=None, interface='', log_file=None, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='2', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', password='XYZ', project_domain_id='default', project_domain_name='', project_id='', project_name='admin', protocol='', region_name='', scope='', timing=False, token='', trust_id='', url='', user_domain_id='default', user_domain_name='', user_id='', username='admin', verbose_level=3, verify=None)
defaults: {'auth_type': 'password', 'compute_api_version': '2', 'database_api_version': '1.0', 'api_timeout': None, 'baremetal_api_version': '1', 'cacert': None, 'image_api_use_tasks': False, 'floating_ip_source': 'neutron', 'key': None, 'interface': None, 'network_api_version': '2', 'image_format': 'qcow2', 'object_api_version': '1', 'image_api_version': '1', 'verify': True, 'identity_api_version': '2', 'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron', 'dns_api_version': '2', 'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'compute_api_version': '2', 'database_api_version': '1.0', 'interface': None, 'network_api_version': '2', 'image_format': 'qcow2', 'object_api_version': '1', 'image_api_version': '2', 'verify': True, 'timing': False, 'dns_api_version': '2', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, 'baremetal_api_version': '1', 'auth': {'username': 'admin', 'project_name': 'admin', 'user_domain_id': 'default', 'tenant_name': 'admin', 'auth_url': 'http://os-controller:35357/v3', 'password': 'XYZ', 'project_domain_id': 'default'}, 'default_domain': 'default', 'image_api_use_tasks': False, 'floating_ip_source': 'neutron', 'key': None, 'cacert': None, 'deferred_help': False, 'identity_api_version': '3', 'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron', 'debug': True, 'disable_vendor_agent': {}}
compute API version 2, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 1, cmd group openstack.volume.v1
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
command: image list -> openstackclient.image.v2.image.ListImage
Auth plugin password selected
auth_type: password
Using auth plugin: password
Using parameters {'username': 'admin', 'project_name': 'admin', 'auth_url': 'http://os-controller:35357/v3', 'user_domain_id': 'default', 'tenant_name': 'admin', 'password': 'XYZ', 'project_domain_id': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://os-controller:35357/v3 -H "Accept: application/json" -H "User-Agent: python-openstackclient"
Starting new HTTP connection (1): os-controller
"GET /v3 HTTP/1.1" 200 269
RESP: [200] Content-Length: 269 Vary: X-Auth-Token Keep-Alive: timeout=5, max=100 Server: Apache/2.4.7 (Ubuntu) Connection: Keep-Alive Date: Wed, 25 Nov 2015 16:43:54 GMT x-openstack-request-id: req-c2fe880b-6478-4522-bcd3-bc48c98548cc Content-Type: application/json X-Distribution: Ubuntu
RESP BODY: {"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://os-controller:35357/v3/";, "rel": "self"}]}}
Making authentication request to http://os-controller:35357/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 1721
take_action(Namespace(columns=[], formatter='table', long=False, max_width=0, page_size=None, private=False, property=None, public=False, quote_mode='nonnumeric', shared=False, sort=None))
Instantiating image client: <class 'glanceclient.v2.client.Client'>
Making authentication request to http://os-controller:35357/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 1721
Instantiating image api: <class 'openstackclient.api.image_v2.APIv2'>
REQ: curl -g -i -X GET http://os-controller:9292/v2/images -H "User-Agent: python-openstackclient" -H "X-Auth-Token: {SHA1}55b922fec869336969e8e6e1cf78aa2765d17fcb"
Starting new HTTP connection (1): os-controller
"GET /v2/images HTTP/1.1" 401 358
RESP: [401] Date: Wed, 25 Nov 2015 16:43:54 GMT Connection: keep-alive Content-Type: text/html; charset=UTF-8 Content-Length: 358 Www-Authenticate: Keystone uri='http://os-controller:5000'
RESP BODY: <html>
<head>
<title>401 Unauthorized</title>
</head>
<body>
<h1>401 Unauthorized</h1>
This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.<br /><br />
</body>
</html>
Making authentication request to http://os-controller:35357/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 1721
"GET /v2/images HTTP/1.1" 401 358
RESP: [401] Date: Wed, 25 Nov 2015 16:43:54 GMT Connection: keep-alive Content-Type: text/html; charset=UTF-8 Content-Length: 358 Www-Authenticate: Keystone uri='http://os-controller:5000'
RESP BODY: <html>
<head>
<title>401 Unauthorized</title>
</head>
<body>
<h1>401 Unauthorized</h1>
This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.<br /><br />
</body>
</html>
Request returned failure status: 401
Unauthorized (HTTP 401)
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
result = cmd.run(parsed_args)
File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
column_names, data = self.take_action(parsed_args)
File "/usr/lib/python2.7/dist-packages/openstackclient/image/v2/image.py", line 425, in take_action
page = image_client.api.image_list(marker=marker, **kwargs)
File "/usr/lib/python2.7/dist-packages/openstackclient/api/image_v2.py", line 71, in image_list
return self.list(url, **filter)['images']
File "/usr/lib/python2.7/dist-packages/openstackclient/api/api.py", line 196, in list
params=params,
File "/usr/lib/python2.7/dist-packages/openstackclient/api/api.py", line 82, in _request
return session.request(url, method, **kwargs)
File "/usr/lib/python2.7/dist-packages/openstackclient/common/session.py", line 40, in request
resp = super(TimingSession, self).request(url, method, **kwargs)
File "/usr/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
return func(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 401, in request
raise exceptions.from_response(resp, method, url)
Unauthorized: Unauthorized (HTTP 401)
clean_up ListImage: Unauthorized (HTTP 401)
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/openstackclient/shell.py", line 108, in run
ret_val = super(OpenStackShell, self).run(argv)
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 255, in run
result = self.run_subcommand(remainder)
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
result = cmd.run(parsed_args)
File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
column_names, data = self.take_action(parsed_args)
File "/usr/lib/python2.7/dist-packages/openstackclient/image/v2/image.py", line 425, in take_action
page = image_client.api.image_list(marker=marker, **kwargs)
File "/usr/lib/python2.7/dist-packages/openstackclient/api/image_v2.py", line 71, in image_list
return self.list(url, **filter)['images']
File "/usr/lib/python2.7/dist-packages/openstackclient/api/api.py", line 196, in list
params=params,
File "/usr/lib/python2.7/dist-packages/openstackclient/api/api.py", line 82, in _request
return session.request(url, method, **kwargs)
File "/usr/lib/python2.7/dist-packages/openstackclient/common/session.py", line 40, in request
resp = super(TimingSession, self).request(url, method, **kwargs)
File "/usr/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
return func(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 401, in request
raise exceptions.from_response(resp, method, url)
Unauthorized: Unauthorized (HTTP 401)
END return value: 1
I am using:
[keystone_authtoken]
auth_uri = http://os-controller:5000
auth_url = http://os-controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
user-name = glance
password = XYZ
I made some testing and attached a screenshot from tcp dump run... On
the left you find the token request submitted by glance, on the right
you see a token request submitted manually using: openstack token
issue. You may recognize that the user credentials submitted by glance
are incomplete. It misses e.g. the username. That's the reason, why
Keystone complains about a malformed token request.
Can you fix it? Is there a quick workaround possible?
** Affects: glance
Importance: Undecided
Status: New
** Attachment added: "Glance_missing_username.png"
https://bugs.launchpad.net/bugs/1520095/+attachment/4525630/+files/Glance_missing_username.png
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1520095
Title:
Missing user credentials in token request
Status in Glance:
New
Bug description:
I am running Ubuntu 14.04.3 and try to install OpenStack Liberty.
Keystone is running, but I had no luck with Glance. I always get a 401
and I am sure that all credentials ar correct:
The Keystone log contains:
2015-11-25 17:43:54.913446 2015-11-25 17:43:54.913 2255 WARNING keystone.common.wsgi [req-0982767e-5a26-4acb-86f3-5ffbda5c2198 - - - - -] Expecting to find id or name in user - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.
Have look to the following trace:
openstack --debug image list
START with options: ['--debug', 'image', 'list']
options: Namespace(access_token_endpoint='', auth_type='password', auth_url='http://os-controller:35357/v3', cacert='', client_id='', client_secret='', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', insecure=None, interface='', log_file=None, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='2', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', password='XYZ', project_domain_id='default', project_domain_name='', project_id='', project_name='admin', protocol='', region_name='', scope='', timing=False, token='', trust_id='', url='', user_domain_id='default', user_domain_name='', user_id='', username='admin', verbose_level=3, verify=None)
defaults: {'auth_type': 'password', 'compute_api_version': '2', 'database_api_version': '1.0', 'api_timeout': None, 'baremetal_api_version': '1', 'cacert': None, 'image_api_use_tasks': False, 'floating_ip_source': 'neutron', 'key': None, 'interface': None, 'network_api_version': '2', 'image_format': 'qcow2', 'object_api_version': '1', 'image_api_version': '1', 'verify': True, 'identity_api_version': '2', 'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron', 'dns_api_version': '2', 'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'compute_api_version': '2', 'database_api_version': '1.0', 'interface': None, 'network_api_version': '2', 'image_format': 'qcow2', 'object_api_version': '1', 'image_api_version': '2', 'verify': True, 'timing': False, 'dns_api_version': '2', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, 'baremetal_api_version': '1', 'auth': {'username': 'admin', 'project_name': 'admin', 'user_domain_id': 'default', 'tenant_name': 'admin', 'auth_url': 'http://os-controller:35357/v3', 'password': 'XYZ', 'project_domain_id': 'default'}, 'default_domain': 'default', 'image_api_use_tasks': False, 'floating_ip_source': 'neutron', 'key': None, 'cacert': None, 'deferred_help': False, 'identity_api_version': '3', 'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron', 'debug': True, 'disable_vendor_agent': {}}
compute API version 2, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 1, cmd group openstack.volume.v1
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
command: image list -> openstackclient.image.v2.image.ListImage
Auth plugin password selected
auth_type: password
Using auth plugin: password
Using parameters {'username': 'admin', 'project_name': 'admin', 'auth_url': 'http://os-controller:35357/v3', 'user_domain_id': 'default', 'tenant_name': 'admin', 'password': 'XYZ', 'project_domain_id': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://os-controller:35357/v3 -H "Accept: application/json" -H "User-Agent: python-openstackclient"
Starting new HTTP connection (1): os-controller
"GET /v3 HTTP/1.1" 200 269
RESP: [200] Content-Length: 269 Vary: X-Auth-Token Keep-Alive: timeout=5, max=100 Server: Apache/2.4.7 (Ubuntu) Connection: Keep-Alive Date: Wed, 25 Nov 2015 16:43:54 GMT x-openstack-request-id: req-c2fe880b-6478-4522-bcd3-bc48c98548cc Content-Type: application/json X-Distribution: Ubuntu
RESP BODY: {"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://os-controller:35357/v3/";, "rel": "self"}]}}
Making authentication request to http://os-controller:35357/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 1721
take_action(Namespace(columns=[], formatter='table', long=False, max_width=0, page_size=None, private=False, property=None, public=False, quote_mode='nonnumeric', shared=False, sort=None))
Instantiating image client: <class 'glanceclient.v2.client.Client'>
Making authentication request to http://os-controller:35357/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 1721
Instantiating image api: <class 'openstackclient.api.image_v2.APIv2'>
REQ: curl -g -i -X GET http://os-controller:9292/v2/images -H "User-Agent: python-openstackclient" -H "X-Auth-Token: {SHA1}55b922fec869336969e8e6e1cf78aa2765d17fcb"
Starting new HTTP connection (1): os-controller
"GET /v2/images HTTP/1.1" 401 358
RESP: [401] Date: Wed, 25 Nov 2015 16:43:54 GMT Connection: keep-alive Content-Type: text/html; charset=UTF-8 Content-Length: 358 Www-Authenticate: Keystone uri='http://os-controller:5000'
RESP BODY: <html>
<head>
<title>401 Unauthorized</title>
</head>
<body>
<h1>401 Unauthorized</h1>
This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.<br /><br />
</body>
</html>
Making authentication request to http://os-controller:35357/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 1721
"GET /v2/images HTTP/1.1" 401 358
RESP: [401] Date: Wed, 25 Nov 2015 16:43:54 GMT Connection: keep-alive Content-Type: text/html; charset=UTF-8 Content-Length: 358 Www-Authenticate: Keystone uri='http://os-controller:5000'
RESP BODY: <html>
<head>
<title>401 Unauthorized</title>
</head>
<body>
<h1>401 Unauthorized</h1>
This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.<br /><br />
</body>
</html>
Request returned failure status: 401
Unauthorized (HTTP 401)
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
result = cmd.run(parsed_args)
File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
column_names, data = self.take_action(parsed_args)
File "/usr/lib/python2.7/dist-packages/openstackclient/image/v2/image.py", line 425, in take_action
page = image_client.api.image_list(marker=marker, **kwargs)
File "/usr/lib/python2.7/dist-packages/openstackclient/api/image_v2.py", line 71, in image_list
return self.list(url, **filter)['images']
File "/usr/lib/python2.7/dist-packages/openstackclient/api/api.py", line 196, in list
params=params,
File "/usr/lib/python2.7/dist-packages/openstackclient/api/api.py", line 82, in _request
return session.request(url, method, **kwargs)
File "/usr/lib/python2.7/dist-packages/openstackclient/common/session.py", line 40, in request
resp = super(TimingSession, self).request(url, method, **kwargs)
File "/usr/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
return func(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 401, in request
raise exceptions.from_response(resp, method, url)
Unauthorized: Unauthorized (HTTP 401)
clean_up ListImage: Unauthorized (HTTP 401)
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/openstackclient/shell.py", line 108, in run
ret_val = super(OpenStackShell, self).run(argv)
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 255, in run
result = self.run_subcommand(remainder)
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
result = cmd.run(parsed_args)
File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
column_names, data = self.take_action(parsed_args)
File "/usr/lib/python2.7/dist-packages/openstackclient/image/v2/image.py", line 425, in take_action
page = image_client.api.image_list(marker=marker, **kwargs)
File "/usr/lib/python2.7/dist-packages/openstackclient/api/image_v2.py", line 71, in image_list
return self.list(url, **filter)['images']
File "/usr/lib/python2.7/dist-packages/openstackclient/api/api.py", line 196, in list
params=params,
File "/usr/lib/python2.7/dist-packages/openstackclient/api/api.py", line 82, in _request
return session.request(url, method, **kwargs)
File "/usr/lib/python2.7/dist-packages/openstackclient/common/session.py", line 40, in request
resp = super(TimingSession, self).request(url, method, **kwargs)
File "/usr/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
return func(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 401, in request
raise exceptions.from_response(resp, method, url)
Unauthorized: Unauthorized (HTTP 401)
END return value: 1
I am using:
[keystone_authtoken]
auth_uri = http://os-controller:5000
auth_url = http://os-controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
user-name = glance
password = XYZ
I made some testing and attached a screenshot from tcp dump run... On
the left you find the token request submitted by glance, on the right
you see a token request submitted manually using: openstack token
issue. You may recognize that the user credentials submitted by glance
are incomplete. It misses e.g. the username. That's the reason, why
Keystone complains about a malformed token request.
Can you fix it? Is there a quick workaround possible?
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1520095/+subscriptions
Follow ups
