When I execute `heat list`, if I have auth_uri = http://keystone_server:5000/v2.0 in heat.conf, it will not pass authentication in keystone; heat-engine.log shows the following messages:
2014-09-17 08:50:38.809 334 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
2014-09-17 08:50:38.810 334 INFO keystonemiddleware.auth_token [-] Invalid user token - rejecting request
After I revised it to auth_uri = http://keystone_server:5000 and added auth_version = 2.0, `heat list` works fine.
However, when I execute `heat stack-create`, it raised the following exception:
2014-09-17 08:42:56.365 32545 TRACE root RemoteError: Remote error: AuthorizationFailure Authorization failed: The resource could not be found. (HTTP 404)
2014-09-17 08:42:56.365 32545 TRACE root [u'Traceback (most recent call last):\n', u' File "/usr/local/lib/python2.7/dist-packages/oslo/messaging/rpc/dispatcher.py", line 134, in _dispatch_and_reply\n incoming.message))\n', u' File "/usr/local/lib/python2.7/dist-packages/oslo/messaging/rpc/dispatcher.py", line 177, in _dispatch\n return self._do_dispatch(endpoint, method, ctxt, args)\n', u' File "/usr/local/lib/python2.7/dist-packages/oslo/messaging/rpc/dispatcher.py", line 123, in _do_dispatch\n result = getattr(endpoint, method)(ctxt, **new_args)\n', u' File "/usr/local/lib/python2.7/dist-packages/heat/engine/service.py", line 67, in wrapped\n return func(self, ctx, *args, **kwargs)\n', u' File "/usr/local/lib/python2.7/dist-packages/heat/engine/service.py", line 614, in create_stack\n stack.store()\n', u' File "/usr/local/lib/python2.7/dist-packages/heat/engine/stack.py", line 315, in store\n trust_ctx = keystone.create_trust_context()\n', u' File "/usr/local/lib/python2.7/dist-packages/heat/common/heat_keystoneclient.py", line 278, in create_trust_context\n trustee_user_id = self.admin_client.auth_ref.user_id\n', u' File "/usr/local/lib/python2.7/dist-packages/heat/common/heat_keystoneclient.py", line 132, in admin_client\n if c.authenticate():\n', u' File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line 318, in inner\n return func(*args, **kwargs)\n', u' File "/usr/local/lib/python2.7/dist-packages/keystoneclient/httpclient.py", line 407, in authenticate\n resp = self.get_raw_token_from_identity_service(**kwargs)\n', u' File "/usr/local/lib/python2.7/dist-packages/keystoneclient/v3/client.py", line 266, in get_raw_token_from_identity_service\n \'%s\' % e)\n', u'AuthorizationFailure: Authorization failed: The resource could not be found. (HTTP 404)\n'].
According to the source code, I figured out that it was triggered by the lack of 'v2.0' in the auth_uri setting, so I revised the code in heat/common/heat_keystoneclient.py, in the KeystoneClientV3.__init__ method, at line 78 and line 82:
line 78 before:
self.v3_endpoint = self.context.auth_url.replace('v2.0', 'v3')
line 78 after:
self.v3_endpoint = '/'.join((self.context.auth_url, 'v3'))
line 82 before:
self.v3_endpoint = cfg.CONF.keystone_authtoken.auth_uri.replace(
'v2.0', 'v3')
line 82 after:
self.v3_endpoint = '/'.join((cfg.CONF.keystone_authtoken.auth_uri, 'v3'))
After doing this, `heat stack-create` works fine.
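The two variants of line 78/82 quoted in the report, side by side with a version-agnostic derivation, as an added example that is not part of the original report and is not Heat's code. The names `replace_variant`, `join_variant`, `v3_endpoint` and `compare` are hypothetical, and the sample URIs are constructed from the two auth_uri settings quoted above.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# A trailing version segment such as /v2.0, /v3 or /v2.0/ at the end of the path.
_VERSION_SUFFIX = re.compile(r"/v\d+(?:\.\d+)?/?$")


def replace_variant(auth_uri):
    """Line 78/82 'before': yields a v3 URL only if the URI contains 'v2.0'."""
    return auth_uri.replace("v2.0", "v3")


def join_variant(auth_uri):
    """Line 78/82 'after': yields a clean v3 URL only if the URI is unversioned."""
    return "/".join((auth_uri, "v3"))


def v3_endpoint(auth_uri):
    """Hypothetical helper: v3 endpoint for a versioned or unversioned URI."""
    parts = urlsplit(auth_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("auth_uri must be an absolute http(s) URL: %r" % auth_uri)
    # Drop any trailing version segment, then append /v3 exactly once.
    path = _VERSION_SUFFIX.sub("", parts.path).rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path + "/v3", "", ""))


# Constructed sample values, based on the two settings quoted in the report.
SAMPLES = [
    "http://keystone_server:5000/v2.0",
    "http://keystone_server:5000",
    "http://keystone_server:5000/v2.0/",
]


def compare(samples=SAMPLES):
    """Return {auth_uri: (replace result, join result, normalized result)}."""
    return {u: (replace_variant(u), join_variant(u), v3_endpoint(u)) for u in samples}


if __name__ == "__main__":
    for uri, results in compare().items():
        print(uri, "->", results)
```

With the unversioned URI the `replace` form returns the input unchanged, and with the versioned URI the `join` form returns a `/v2.0/v3` path, so each variant depends on one particular spelling of auth_uri.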
I don't understand. You need to have v2.0 in your auth_uri parameter. So the title of your bug is incorrect, or at least it's the expected behavior.
But in your description, you say that it doesn't work when v2.0 is in the URI. Which is which?