Issues when using fernet tokens in Keystone
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack-Ansible |
Invalid
|
Undecided
|
Unassigned |
Bug Description
When using fernet tokens in a 2 keystone container configuration behind haproxy I get a bunch of these in my keystone logs:
2015-10-26 14:08:31.771 7600 WARNING keystone.
2015-10-26 14:08:31.771 7600 WARNING keystone.
This commonly causes heat deployment to fail:
TASK: [os_heat | Ensure heat_stack_user role] *******
ok: [oscontroller5_
TASK: [os_heat | Ensure heat domain] *******
ok: [oscontroller5_
TASK: [os_heat | Ensure heat project] *******
ok: [oscontroller5_
TASK: [os_heat | Ensure heat user] *******
failed: [oscontroller5_
stderr: ERROR: openstack The request you have made requires authentication. (HTTP 401) (Request-ID: req-5a30cf63-
FATAL: all hosts have already failed -- aborting
And keystone logs during this..
2015-10-26 14:18:58.406 7605 INFO keystone.
2015-10-26 14:18:58.407 7605 WARNING keystone.
2015-10-26 14:18:58.422 7605 WARNING keystone.
2015-10-26 14:18:58.771 7611 INFO keystone.
2015-10-26 14:18:58.771 7611 WARNING keystone.
2015-10-26 14:18:59.378 7609 INFO keystone.
2015-10-26 14:18:59.545 7609 INFO keystone.
2015-10-26 14:18:59.545 7609 INFO keystone.
2015-10-26 14:18:59.719 7615 INFO keystone.
2015-10-26 14:18:59.825 7616 INFO keystone.
2015-10-26 14:18:59.826 7616 INFO keystone.
2015-10-26 14:18:59.827 7616 WARNING keystone.
2015-10-26 14:18:59.827 7616 WARNING keystone.
2015-10-26 14:19:00.012 7606 INFO keystone.
2015-10-26 14:19:00.014 7606 INFO keystone.
2015-10-26 14:19:00.015 7606 WARNING keystone.
2015-10-26 14:19:00.015 7606 WARNING keystone.
Also when this happens, deployment fails or horizon denies logins:
Log below while trying to log into horizon:
2015-10-26 14:08:31.673 7601 INFO keystone.
2015-10-26 14:08:31.674 7601 INFO keystone.
2015-10-26 14:08:31.675 7601 WARNING keystone.
2015-10-26 14:08:31.675 7601 WARNING keystone.
2015-10-26 14:08:31.769 7600 INFO keystone.
2015-10-26 14:08:31.770 7600 INFO keystone.
2015-10-26 14:08:31.771 7600 WARNING keystone.
2015-10-26 14:08:31.771 7600 WARNING keystone.
2015-10-26 14:08:32.585 7616 INFO keystone.
2015-10-26 14:08:33.842 7615 INFO keystone.
2015-10-26 14:08:33.842 7615 INFO keystone.
2015-10-26 14:08:33.924 7615 INFO keystone.
2015-10-26 14:08:33.925 7615 INFO keystone.
2015-10-26 14:08:33.926 7615 INFO keystone.
2015-10-26 14:08:33.926 7615 WARNING keystone.
Horizon login failure log:
[Mon Oct 26 19:11:47.492630 2015] [:error] [pid 2768:tid 140563208566528] Internal Server Error: /auth/login/
[Mon Oct 26 19:11:47.492669 2015] [:error] [pid 2768:tid 140563208566528] Traceback (most recent call last):
[Mon Oct 26 19:11:47.492681 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492691 2015] [:error] [pid 2768:tid 140563208566528] response = wrapped_
[Mon Oct 26 19:11:47.492701 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492710 2015] [:error] [pid 2768:tid 140563208566528] return view(request, *args, **kwargs)
[Mon Oct 26 19:11:47.492720 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492732 2015] [:error] [pid 2768:tid 140563208566528] response = view_func(request, *args, **kwargs)
[Mon Oct 26 19:11:47.492742 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492752 2015] [:error] [pid 2768:tid 140563208566528] response = view_func(request, *args, **kwargs)
[Mon Oct 26 19:11:47.492763 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492774 2015] [:error] [pid 2768:tid 140563208566528] **kwargs)
[Mon Oct 26 19:11:47.492784 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492794 2015] [:error] [pid 2768:tid 140563208566528] return view(request, *args, **kwargs)
[Mon Oct 26 19:11:47.492804 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492815 2015] [:error] [pid 2768:tid 140563208566528] response = view_func(request, *args, **kwargs)
[Mon Oct 26 19:11:47.492825 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492836 2015] [:error] [pid 2768:tid 140563208566528] response = view_func(request, *args, **kwargs)
[Mon Oct 26 19:11:47.492846 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492856 2015] [:error] [pid 2768:tid 140563208566528] if form.is_valid():
[Mon Oct 26 19:11:47.492894 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492905 2015] [:error] [pid 2768:tid 140563208566528] return self.is_bound and not bool(self.errors)
[Mon Oct 26 19:11:47.492915 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492926 2015] [:error] [pid 2768:tid 140563208566528] self.full_clean()
[Mon Oct 26 19:11:47.492936 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492946 2015] [:error] [pid 2768:tid 140563208566528] self._clean_form()
[Mon Oct 26 19:11:47.492955 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492966 2015] [:error] [pid 2768:tid 140563208566528] cleaned_data = self.clean()
[Mon Oct 26 19:11:47.492977 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.492987 2015] [:error] [pid 2768:tid 140563208566528] return func(*func_args, **func_kwargs)
[Mon Oct 26 19:11:47.492998 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.493009 2015] [:error] [pid 2768:tid 140563208566528] auth_url=region)
[Mon Oct 26 19:11:47.493019 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.493029 2015] [:error] [pid 2768:tid 140563208566528] user = backend.
[Mon Oct 26 19:11:47.493039 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.493050 2015] [:error] [pid 2768:tid 140563208566528] unscoped_auth_ref)
[Mon Oct 26 19:11:47.493060 2015] [:error] [pid 2768:tid 140563208566528] File "/usr/local/
[Mon Oct 26 19:11:47.493071 2015] [:error] [pid 2768:tid 140563208566528] msg = _('Unable to retrieve authorized projects.')
[Mon Oct 26 19:11:47.493081 2015] [:error] [pid 2768:tid 140563208566528] NameError: global name '_' is not defined
Same failure after quickly patching for https:/
[Mon Oct 26 14:14:54.376648 2015] [:info] [pid 3784:tid 140718753974016] [remote x.x.x.x:20906] mod_wsgi (pid=3784, process='horizon', application=
[Mon Oct 26 19:14:55.307609 2015] [:error] [pid 3784:tid 140718753974016] Login failed for user "admin".
If I deploy with keystone_
A few notes:
-oscontroller4 and oscontroller5 both host keystone nodes. the failures only occur on oscontroller5.
-both keystone containers have identical configurations
-the contents of /etc/keystone/
-deploying with ONLY 1 keystone container using fernet keys works fine, the bugs only happen when I deploy redundant containers
-I have tried failing the haproxy VIP between oscontroller4 and oscontroller5, no change in behavior. oscontroller4 logs remain clean and oscontroller5 logs show token issues
Changed in openstack-ansible: | |
status: | New → Fix Released |
Changed in openstack-ansible: | |
status: | Fix Released → New |
Hi Logan,
Have you tried restarting both keystone services (since you've already confirmed that the contents of the fernet-keys directory is identical)? Are there any TRACE logs in either keystone.log or the apache log file?