NotAuthorized: You are not authorized to complete this action

Bug #958568 reported by Peng Yong on 2012-03-18
This bug affects 1 person
Affects: Glance
Importance: Undecided
Assigned to: Unassigned

Bug Description

I installed a multi-node OpenStack. It works on the controller with a compute; I can run instances on it.
When I copy nova.conf to a new compute and run an instance, it reports:

2012-03-18 21:53:50 ERROR nova.rpc.common [-] Exception during message handling
(nova.rpc.common): TRACE: Traceback (most recent call last):
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/rpc/amqp.py", line 250, in _process_data
(nova.rpc.common): TRACE: rval = node_func(context=ctxt, **node_args)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/exception.py", line 112, in wrapped
(nova.rpc.common): TRACE: return f(*args, **kw)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 180, in decorated_function
(nova.rpc.common): TRACE: sys.exc_info())
(nova.rpc.common): TRACE: File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
(nova.rpc.common): TRACE: self.gen.next()
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 174, in decorated_function
(nova.rpc.common): TRACE: return function(self, context, instance_uuid, *args, **kwargs)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 649, in run_instance
(nova.rpc.common): TRACE: self._run_instance(context, instance_uuid, **kwargs)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 452, in _run_instance
(nova.rpc.common): TRACE: self._set_instance_error_state(context, instance_uuid)
(nova.rpc.common): TRACE: File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
(nova.rpc.common): TRACE: self.gen.next()
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 421, in _run_instance
(nova.rpc.common): TRACE: image_meta = self._check_image_size(context, instance)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 499, in _check_image_size
(nova.rpc.common): TRACE: image_meta = _get_image_meta(context, instance['image_ref'])
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 187, in _get_image_meta
(nova.rpc.common): TRACE: return image_service.show(context, image_id)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/image/glance.py", line 236, in show
(nova.rpc.common): TRACE: image_id)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/nova/image/glance.py", line 145, in _call_retry
(nova.rpc.common): TRACE: return getattr(client, name)(*args, **kwargs)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/glance/client.py", line 101, in get_image_meta
(nova.rpc.common): TRACE: res = self.do_request("HEAD", "/images/%s" % image_id)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/glance/common/client.py", line 61, in wrapped
(nova.rpc.common): TRACE: return func(self, *args, **kwargs)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/glance/common/client.py", line 390, in do_request
(nova.rpc.common): TRACE: headers=headers)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/glance/common/client.py", line 75, in wrapped
(nova.rpc.common): TRACE: return func(self, method, url, body, headers)
(nova.rpc.common): TRACE: File "/usr/lib/python2.7/site-packages/glance/common/client.py", line 500, in _do_request
(nova.rpc.common): TRACE: raise exception.NotAuthorized(res.read())
(nova.rpc.common): TRACE: NotAuthorized: You are not authorized to complete this action.
(nova.rpc.common): TRACE: Details:
(nova.rpc.common): TRACE:

Here is my nova.conf:

[DEFAULT]
verbose=True
logdir = /var/log/nova
state_path = /var/lib/nova
lock_path = /var/lib/nova/tmp
dhcpbridge = /usr/bin/nova-dhcpbridge
dhcpbridge_flagfile = /etc/nova/nova.conf

root_helper = sudo nova-rootwrap

force_dhcp_release = True
injected_network_template = /usr/share/nova/interfaces.template
libvirt_xml_template = /usr/share/nova/libvirt.xml.template
vpn_client_template = /usr/share/nova/client.ovpn.template
credentials_template = /usr/share/nova/novarc.template

api_paste_config=/etc/nova/api-paste.ini
sql_connection = mysql://nova:nova@192.168.28.5/nova

iscsi_ip_prefix = 192.168.28.5
iscsi_helper = tgtadm

connection_type = libvirt
libvirt_type = kvm

rabbit_host=192.168.28.5
rabbit_password=nova

firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
network_manager=nova.network.manager.FlatDHCPManager
flat_network_bridge=br100
flat_injected=False
public_interface=em1
flat_interface=em2

auth_strategy=keystone
allow_resize_to_same_host=True
compute_scheduler_driver=nova.scheduler.simple.SimpleScheduler
#compute_scheduler_driver=nova.scheduler.distributed_scheduler.DistributedScheduler

image_service=nova.image.glance.GlanceImageService
#nova glance host
s3_host=192.168.28.5
glance_api_servers=192.168.28.5:9292

volume_group=nova-volumes
volume_name_template=volume-%08x
osapi_compute_extension=nova.api.openstack.compute.contrib.standard_extensions

Peng Yong (ppyy) wrote :

Fedora 17 testing:

rpm -qa|grep openstack
openstack-nova-2012.1-0.8.e4.fc17.noarch
openstack-dashboard-2012.1-0.1.rc1.fc17.noarch
openstack-keystone-2012.1-0.10.e4.fc17.noarch
openstack-glance-2012.1-0.5.e4.fc17.noarch

Eoghan Glynn (eglynn) wrote :

Hi Peng Yong,

Have you got glance configured to use the keystone auth strategy?

Can you copy the content of your /etc/glance/glance-api.conf and /etc/glance/glance-paste.ini files into this bug report?

Thanks,
Eoghan

Peng Yong (ppyy) wrote :

# egrep -v "^#|^$" glance-api.conf
[DEFAULT]
verbose = True
debug = False
default_store = file
bind_host = 0.0.0.0
bind_port = 9292
log_file = /var/log/glance/api.log
backlog = 4096
workers = 0
use_syslog = False
registry_host = 0.0.0.0
registry_port = 9191
registry_client_protocol = http
notifier_strategy = noop
rabbit_host = localhost
rabbit_port = 5672
rabbit_use_ssl = false
rabbit_userid = guest
rabbit_password = guest
rabbit_virtual_host = /
rabbit_notification_exchange = glance
rabbit_notification_topic = glance_notifications
qpid_notification_exchange = glance
qpid_notification_topic = glance_notifications
qpid_host = localhost
qpid_port = 5672
qpid_username =
qpid_password =
qpid_sasl_mechanisms =
qpid_reconnect_timeout = 0
qpid_reconnect_limit = 0
qpid_reconnect_interval_min = 0
qpid_reconnect_interval_max = 0
qpid_reconnect_interval = 0
qpid_heartbeat = 5
qpid_protocol = tcp
qpid_tcp_nodelay = True
filesystem_store_datadir = /var/lib/glance/images/
swift_store_auth_address = 127.0.0.1:8080/v1.0/
swift_store_user = jdoe:jdoe
swift_store_key = a86850deb2742ec3cb41518e26aa2d89
swift_store_container = glance
swift_store_create_container_on_put = False
swift_store_large_object_size = 5120
swift_store_large_object_chunk_size = 200
swift_enable_snet = False
s3_store_host = 127.0.0.1:8080/v1.0/
s3_store_access_key = <20-char AWS access key>
s3_store_secret_key = <40-char AWS secret key>
s3_store_bucket = <lowercased 20-char aws access key>glance
s3_store_create_bucket_on_put = False
rbd_store_ceph_conf = /etc/ceph/ceph.conf
rbd_store_user = glance
rbd_store_pool = images
rbd_store_chunk_size = 8
delayed_delete = False
scrub_time = 43200
scrubber_datadir = /var/lib/glance/scrubber
image_cache_dir = /var/lib/glance/image-cache/
[paste_deploy]
flavor = keystone

Peng Yong (ppyy) wrote :

# egrep -v "^#|^$" /etc/glance/glance-api-paste.ini
[pipeline:glance-api]
pipeline = versionnegotiation context apiv1app
[pipeline:glance-api-keystone]
pipeline = versionnegotiation authtoken auth-context apiv1app
[pipeline:glance-api-caching]
pipeline = versionnegotiation context cache apiv1app
[pipeline:glance-api-keystone+caching]
pipeline = versionnegotiation authtoken auth-context cache apiv1app
[pipeline:glance-api-cachemanagement]
pipeline = versionnegotiation context cache cachemanage apiv1app
[pipeline:glance-api-keystone+cachemanagement]
pipeline = versionnegotiation authtoken auth-context cache cachemanage apiv1app
[app:apiv1app]
paste.app_factory = glance.common.wsgi:app_factory
glance.app_factory = glance.api.v1.router:API
[filter:versionnegotiation]
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter
[filter:cache]
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = glance.api.middleware.cache:CacheFilter
[filter:cachemanage]
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter
[filter:context]
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = glance.common.context:ContextMiddleware
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = 3e6e6c5032d3b70857d4
[filter:auth-context]
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = keystone.middleware.glance_auth_token:KeystoneContextMiddleware

Peng Yong (ppyy) wrote :

BTW, I can use "glance index" to show images on the compute node:

# cat keystonerc
export ADMIN_TOKEN=3e6e6c5032d3b70857d4
export OS_USERNAME=admin
export OS_PASSWORD=nova
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://192.168.28.5:5000/v2.0/

Eoghan Glynn (eglynn) wrote :

Shouldn't the glance authtoken config reference 192.168.28.5 instead of the loopback?

i.e. change:

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/

to:

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 192.168.28.5
service_port = 5000
auth_host = 192.168.28.5
auth_port = 35357
auth_protocol = http
auth_uri = http://192.168.28.5:5000/
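
A check for the condition raised in the comment above, as an added example that is not part of the original bug report or of the Glance code base: it reads a glance-api-paste.ini, confirms that the pipeline selected by the paste_deploy flavor uses the authtoken filter, and reports any authtoken endpoint that points at loopback. The function names are hypothetical, the sample text is constructed from the values posted in the report, and a finding only matters when Keystone does not run on the same host as glance-api.

```python
import configparser
import ipaddress
from urllib.parse import urlparse

# Constructed sample: pipeline and [filter:authtoken] values as posted in the report.
SAMPLE_PASTE_INI = """
[pipeline:glance-api-keystone]
pipeline = versionnegotiation authtoken auth-context apiv1app
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_uri = http://127.0.0.1:5000/
"""

def is_loopback(host):
    """True for 'localhost' or a loopback IP literal (127.0.0.0/8, ::1)."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other DNS names are not resolved; the check runs offline

def loopback_auth_endpoints(paste_ini_text, flavor="keystone", app="glance-api"):
    """Return {key: value} for authtoken endpoints that point at loopback.

    Glance selects the pipeline named '<app>-<flavor>', so nothing is
    reported when that pipeline does not include the authtoken filter.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(paste_ini_text)
    name = "pipeline:%s-%s" % (app, flavor) if flavor else "pipeline:%s" % app
    filters = cfg.get(name, "pipeline", fallback="").split() if cfg.has_section(name) else []
    if "authtoken" not in filters or not cfg.has_section("filter:authtoken"):
        return {}
    section = cfg["filter:authtoken"]
    findings = {}
    for key in ("service_host", "auth_host"):
        if key in section and is_loopback(section[key].strip()):
            findings[key] = section[key]
    if "auth_uri" in section and is_loopback(urlparse(section["auth_uri"]).hostname):
        findings["auth_uri"] = section["auth_uri"]
    return findings
```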

Changed in glance:
assignee: nobody → Eoghan Glynn (eglynn)
status: New → In Progress
Brian Waldon (bcwaldon) on 2012-03-27
Changed in glance:
status: In Progress → Incomplete
Brian Waldon (bcwaldon) on 2012-06-07
Changed in glance:
status: Incomplete → Invalid
assignee: Eoghan Glynn (eglynn) → nobody