Canonical Juju

login failures on Openstack should include better logging

Bug #1688337 reported by John A Meinel
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Canonical Juju
Expired
Medium
Unassigned

Bug Description

We currently see errors trying to connect to "http://IP.ADDR/v2.0/tokens" and it complains that you must have authorization.

1) We are passing authorization, it is just invalid. It may be a limitation of Openstack, but we should be logging this as "authentication incorrect" not "unauthorized request"

2) When we are failing to login to a provider, we should be including enough information to assist in debugging what account is failing. Something like Tenant + Username and probably Model-UUID are all things that would help understanding what is failing and how to fix it.

Anastasia (anastasia-macmood)
Changed in juju:
milestone: 2.2-beta4 → 2.2-rc1
Tim Penhey (thumper)
Changed in juju:
milestone: 2.2-rc1 → none
importance: High → Medium
Revision history for this message
Heather Lanigan (hmlanigan) wrote :

See also: https://bugs.launchpad.net/juju/+bug/1690004

Revision history for this message
Heather Lanigan (hmlanigan) wrote :

In general, the OpenStack provider checks the credentials at bootstrap, if they fail it says:
ERROR authentication failed.

Please ensure the credentials are correct. A common mistake is
to specify the wrong tenant. Use the OpenStack "project" name
for tenant-name in your model configuration.

Though apparently there are other places a notice like this is needed. juju autoload-credentials also works well with the OpenStack clouds.

So far, I've been unable to reproduce this error with different incorrect credentials at bootstrap. Can you please supply more information about when this error was encountered? And what, if anything, was incorrect about the credentials.

This type of error could be an expired token problem.

Revision history for this message
John A Meinel (jameinel) wrote : Re: [Bug 1688337] Re: login failures on Openstack should include better logging

AIUI this was a case of AddModel using different credentials which may have
then been revoked after. The original issue was the underlying workers kept
restarting without an indication of who or what was wrong.

John
=:->

On Jun 21, 2017 03:41, "Heather Lanigan" <email address hidden> wrote:

> In general, the OpenStack provider checks the credentials at bootstrap, if
> they fail it says:
> ERROR authentication failed.
>
> Please ensure the credentials are correct. A common mistake is
> to specify the wrong tenant. Use the OpenStack "project" name
> for tenant-name in your model configuration.
>
> Though apparently there are other places a notice like this is needed.
> juju autoload-credentials also works well with the OpenStack clouds.
>
> So far, I've been unable to reproduce this error with different
> incorrect credentials at bootstrap. Can you please supply more
> information about when this error was encountered? And what, if
> anything, was incorrect about the credentials.
>
> This type of error could be an expired token problem.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1688337
>
> Title:
> login failures on Openstack should include better logging
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/juju/+bug/1688337/+subscriptions
>

Revision history for this message
Heather Lanigan (hmlanigan) wrote :

I was able to reproduce by adding a second user to openstack, adding those credentials to juju for add-model and deploy a few charms. You can then do a `openstack user set <username> --disable`

Side note: OpenStack docs, mention that with a 401 error, to retry the username/password in case the token is expired.

Revision history for this message
Canonical Juju QA Bot (juju-qa-bot) wrote :

This bug has not been updated in 5 years, so we're marking it Expired. If you believe this is incorrect, please update the status.

Changed in juju:
status: Triaged → Expired
tags: added: expirebugs-bot
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.