Bug #1541656 “OAuth Identity token gives Forbidden” : Bugs : python-openstackclient

Steve Martinelli (stevemar) on 2016-02-04

Changed in keystone:
milestone:	none → mitaka-3

Revision history for this message

Steve Martinelli (stevemar) wrote on 2016-02-16:

#1

@bogdan, are you able to repeat the problem, but add --help to the openstackclient command? I'm wondering if openstackclient is attempting to re-authenticate instead of just using the token.

Revision history for this message

Steve Martinelli (stevemar) wrote on 2016-02-16:

#2

also, any steps you did to create the request and access tokens would be helpful to have documented as well

Revision history for this message

Bogdan (bogdan-vatkov) wrote on 2016-02-16:

#3

Download full text (26.6 KiB)

Hi Steve,

I am not sure what --help would give you (at my side it just prints the help without attempting execution of any of the commands), did you mean --debug?

Here is what --debug provides:

DEBUG: cliff.commandmanager found command 'hypervisor_stats_show'
DEBUG: cliff.commandmanager found command 'security_group_create'
DEBUG: cliff.commandmanager found command 'security_group_rule_list'
DEBUG: cliff.commandmanager found command 'keypair_list'
DEBUG: cliff.commandmanager found command 'keypair_delete'
DEBUG: cliff.commandmanager found command 'host_list'
DEBUG: cliff.commandmanager found command 'keypair_create'
DEBUG: cliff.commandmanager found command 'server_pause'
DEBUG: cliff.commandmanager found command 'server_reboot'
DEBUG: cliff.commandmanager found command 'server_migrate'
DEBUG: cliff.commandmanager found command 'server_set'
DEBUG: cliff.commandmanager found command 'host_show'
DEBUG: cliff.commandmanager found command 'server_unrescue'
DEBUG: cliff.commandmanager found command 'usage_list'
DEBUG: cliff.commandmanager found command 'server_add_volume'
DEBUG: cliff.commandmanager found command 'server_unlock'
DEBUG: cliff.commandmanager found command 'security_group_set'
DEBUG: cliff.commandmanager found command 'compute_agent_create'
DEBUG: cliff.commandmanager found command 'server_rescue'
DEBUG: cliff.commandmanager found command 'server_add_security_group'
DEBUG: cliff.commandmanager found command 'console_log_show'
DEBUG: cliff.commandmanager found command 'compute_agent_delete'
DEBUG: cliff.commandmanager found command 'server_ssh'
DEBUG: cliff.commandmanager found command 'server_lock'
DEBUG: cliff.commandmanager found command 'server_unset'
DEBUG: cliff.commandmanager found command 'server_show'
DEBUG: cliff.commandmanager found command 'server_suspend'
DEBUG: cliff.commandmanager found command 'keypair_show'
DEBUG: cliff.commandmanager found command 'server_image_create'
DEBUG: cliff.commandmanager found command 'flavor_list'
DEBUG: cliff.commandmanager found command 'server_remove_volume'
DEBUG: cliff.commandmanager found command 'security_group_delete'
DEBUG: cliff.commandmanager found command 'aggregate_add_host'
DEBUG: cliff.commandmanager found command 'aggregate_remove_host'
DEBUG: cliff.commandmanager found command 'server_remove_security_group'
DEBUG: cliff.commandmanager found command 'ip_floating_remove'
DEBUG: cliff.commandmanager found command 'aggregate_create'
DEBUG: cliff.commandmanager found command 'hypervisor_show'
DEBUG: cliff.commandmanager found command 'ip_floating_list'
DEBUG: cliff.commandmanager found command 'aggregate_delete'
DEBUG: cliff.commandmanager found command 'usage_show'
DEBUG: cliff.commandmanager found command 'security_group_rule_create'
DEBUG: cliff.commandmanager found command 'compute_agent_set'
DEBUG: cliff.commandmanager found command 'server_rebuild'
DEBUG: cliff.commandmanager found command 'flavor_delete'
DEBUG: cliff.commandmanager found command 'server_delete'
DEBUG: cliff.commandmanager found command 'server_resume'
DEBUG: cliff.commandmanager found command 'availability_zone_list'
DEBUG: cliff.commandmanager found command 'hypervisor_list'
DEBUG: cliff.commandmanage...

Hi Steve,

I am not sure what --help would give you (at my side it just prints the help without attempting execution of any of the commands), did you mean --debug?

Here is what --debug provides:

DEBUG: cliff.commandmanager found command 'hypervisor_stats_show'
DEBUG: cliff.commandmanager found command 'security_group_create'
DEBUG: cliff.commandmanager found command 'security_group_rule_list'
DEBUG: cliff.commandmanager found command 'keypair_list'
DEBUG: cliff.commandmanager found command 'keypair_delete'
DEBUG: cliff.commandmanager found command 'host_list'
DEBUG: cliff.commandmanager found command 'keypair_create'
DEBUG: cliff.commandmanager found command 'server_pause'
DEBUG: cliff.commandmanager found command 'server_reboot'
DEBUG: cliff.commandmanager found command 'server_migrate'
DEBUG: cliff.commandmanager found command 'server_set'
DEBUG: cliff.commandmanager found command 'host_show'
DEBUG: cliff.commandmanager found command 'server_unrescue'
DEBUG: cliff.commandmanager found command 'usage_list'
DEBUG: cliff.commandmanager found command 'server_add_volume'
DEBUG: cliff.commandmanager found command 'server_unlock'
DEBUG: cliff.commandmanager found command 'security_group_set'
DEBUG: cliff.commandmanager found command 'compute_agent_create'
DEBUG: cliff.commandmanager found command 'server_rescue'
DEBUG: cliff.commandmanager found command 'server_add_security_group'
DEBUG: cliff.commandmanager found command 'console_log_show'
DEBUG: cliff.commandmanager found command 'compute_agent_delete'
DEBUG: cliff.commandmanager found command 'server_ssh'
DEBUG: cliff.commandmanager found command 'server_lock'
DEBUG: cliff.commandmanager found command 'server_unset'
DEBUG: cliff.commandmanager found command 'server_show'
DEBUG: cliff.commandmanager found command 'server_suspend'
DEBUG: cliff.commandmanager found command 'keypair_show'
DEBUG: cliff.commandmanager found command 'server_image_create'
DEBUG: cliff.commandmanager found command 'flavor_list'
DEBUG: cliff.commandmanager found command 'server_remove_volume'
DEBUG: cliff.commandmanager found command 'security_group_delete'
DEBUG: cliff.commandmanager found command 'aggregate_add_host'
DEBUG: cliff.commandmanager found command 'aggregate_remove_host'
DEBUG: cliff.commandmanager found command 'server_remove_security_group'
DEBUG: cliff.commandmanager found command 'ip_floating_remove'
DEBUG: cliff.commandmanager found command 'aggregate_create'
DEBUG: cliff.commandmanager found command 'hypervisor_show'
DEBUG: cliff.commandmanager found command 'ip_floating_list'
DEBUG: cliff.commandmanager found command 'aggregate_delete'
DEBUG: cliff.commandmanager found command 'usage_show'
DEBUG: cliff.commandmanager found command 'security_group_rule_create'
DEBUG: cliff.commandmanager found command 'compute_agent_set'
DEBUG: cliff.commandmanager found command 'server_rebuild'
DEBUG: cliff.commandmanager found command 'flavor_delete'
DEBUG: cliff.commandmanager found command 'server_delete'
DEBUG: cliff.commandmanager found command 'server_resume'
DEBUG: cliff.commandmanager found command 'availability_zone_list'
DEBUG: cliff.commandmanager found command 'hypervisor_list'
DEBUG: cliff.commandmanager found command 'flavor_create'
DEBUG: cliff.commandmanager found command 'console_url_show'
DEBUG: cliff.commandmanager found command 'ip_fixed_add'
DEBUG: cliff.commandmanager found command 'server_create'
DEBUG: cliff.commandmanager found command 'aggregate_show'
DEBUG: cliff.commandmanager found command 'compute_agent_list'
DEBUG: cliff.commandmanager found command 'flavor_show'
DEBUG: cliff.commandmanager found command 'ip_fixed_remove'
DEBUG: cliff.commandmanager found command 'ip_floating_create'
DEBUG: cliff.commandmanager found command 'server_list'
DEBUG: cliff.commandmanager found command 'ip_floating_pool_list'
DEBUG: cliff.commandmanager found command 'ip_floating_add'
DEBUG: cliff.commandmanager found command 'security_group_show'
DEBUG: cliff.commandmanager found command 'server_resize'
DEBUG: cliff.commandmanager found command 'ip_floating_delete'
DEBUG: cliff.commandmanager found command 'compute_service_set'
DEBUG: cliff.commandmanager found command 'security_group_list'
DEBUG: cliff.commandmanager found command 'project_usage_list'
DEBUG: cliff.commandmanager found command 'aggregate_set'
DEBUG: cliff.commandmanager found command 'aggregate_list'
DEBUG: cliff.commandmanager found command 'server_unpause'
DEBUG: cliff.commandmanager found command 'compute_service_list'
DEBUG: cliff.commandmanager found command 'security_group_rule_delete'
DEBUG: openstackclient.shell compute API version 2, cmd group openstack.compute.v2
DEBUG: cliff.commandmanager found command 'network_set'
DEBUG: cliff.commandmanager found command 'network_show'
DEBUG: cliff.commandmanager found command 'network_list'
DEBUG: cliff.commandmanager found command 'network_delete'
DEBUG: cliff.commandmanager found command 'network_create'
DEBUG: openstackclient.shell network API version 2, cmd group openstack.network.v2
DEBUG: cliff.commandmanager found command 'image_set'
DEBUG: cliff.commandmanager found command 'image_delete'
DEBUG: cliff.commandmanager found command 'image_create'
DEBUG: cliff.commandmanager found command 'image_list'
DEBUG: cliff.commandmanager found command 'image_show'
DEBUG: cliff.commandmanager found command 'image_save'
DEBUG: openstackclient.shell image API version 1, cmd group openstack.image.v1
DEBUG: cliff.commandmanager found command 'snapshot_show'
DEBUG: cliff.commandmanager found command 'backup_create'
DEBUG: cliff.commandmanager found command 'volume_list'
DEBUG: cliff.commandmanager found command 'snapshot_delete'
DEBUG: cliff.commandmanager found command 'volume_show'
DEBUG: cliff.commandmanager found command 'snapshot_unset'
DEBUG: cliff.commandmanager found command 'volume_set'
DEBUG: cliff.commandmanager found command 'backup_delete'
DEBUG: cliff.commandmanager found command 'volume_create'
DEBUG: cliff.commandmanager found command 'volume_type_list'
DEBUG: cliff.commandmanager found command 'volume_type_create'
DEBUG: cliff.commandmanager found command 'backup_restore'
DEBUG: cliff.commandmanager found command 'snapshot_list'
DEBUG: cliff.commandmanager found command 'volume_unset'
DEBUG: cliff.commandmanager found command 'backup_show'
DEBUG: cliff.commandmanager found command 'volume_type_delete'
DEBUG: cliff.commandmanager found command 'volume_type_set'
DEBUG: cliff.commandmanager found command 'snapshot_set'
DEBUG: cliff.commandmanager found command 'backup_list'
DEBUG: cliff.commandmanager found command 'volume_delete'
DEBUG: cliff.commandmanager found command 'snapshot_create'
DEBUG: cliff.commandmanager found command 'volume_type_unset'
DEBUG: openstackclient.shell volume API version 1, cmd group openstack.volume.v1
DEBUG: cliff.commandmanager found command 'project_show'
DEBUG: cliff.commandmanager found command 'role_show'
DEBUG: cliff.commandmanager found command 'domain_delete'
DEBUG: cliff.commandmanager found command 'request_token_create'
DEBUG: cliff.commandmanager found command 'consumer_create'
DEBUG: cliff.commandmanager found command 'role_list'
DEBUG: cliff.commandmanager found command 'endpoint_set'
DEBUG: cliff.commandmanager found command 'group_create'
DEBUG: cliff.commandmanager found command 'role_set'
DEBUG: cliff.commandmanager found command 'user_password_set'
DEBUG: cliff.commandmanager found command 'service_delete'
DEBUG: cliff.commandmanager found command 'consumer_list'
DEBUG: cliff.commandmanager found command 'domain_show'
DEBUG: cliff.commandmanager found command 'user_delete'
DEBUG: cliff.commandmanager found command 'identity_provider_delete'
DEBUG: cliff.commandmanager found command 'role_remove'
DEBUG: cliff.commandmanager found command 'role_assignment_list'
DEBUG: cliff.commandmanager found command 'role_create'
DEBUG: cliff.commandmanager found command 'request_token_authorize'
DEBUG: cliff.commandmanager found command 'region_delete'
DEBUG: cliff.commandmanager found command 'project_list'
DEBUG: cliff.commandmanager found command 'role_add'
DEBUG: cliff.commandmanager found command 'identity_provider_show'
DEBUG: cliff.commandmanager found command 'consumer_show'
DEBUG: cliff.commandmanager found command 'group_list'
DEBUG: cliff.commandmanager found command 'catalog_show'
DEBUG: cliff.commandmanager found command 'identity_provider_set'
DEBUG: cliff.commandmanager found command 'mapping_show'
DEBUG: cliff.commandmanager found command 'policy_create'
DEBUG: cliff.commandmanager found command 'group_show'
DEBUG: cliff.commandmanager found command 'federation_project_list'
DEBUG: cliff.commandmanager found command 'endpoint_show'
DEBUG: cliff.commandmanager found command 'credential_set'
DEBUG: cliff.commandmanager found command 'token_issue'
DEBUG: cliff.commandmanager found command 'access_token_create'
DEBUG: cliff.commandmanager found command 'identity_provider_create'
DEBUG: cliff.commandmanager found command 'identity_provider_list'
DEBUG: cliff.commandmanager found command 'policy_delete'
DEBUG: cliff.commandmanager found command 'credential_show'
DEBUG: cliff.commandmanager found command 'mapping_set'
DEBUG: cliff.commandmanager found command 'mapping_create'
DEBUG: cliff.commandmanager found command 'mapping_list'
DEBUG: cliff.commandmanager found command 'user_show'
DEBUG: cliff.commandmanager found command 'group_set'
DEBUG: cliff.commandmanager found command 'trust_delete'
DEBUG: cliff.commandmanager found command 'federation_protocol_show'
DEBUG: cliff.commandmanager found command 'user_set'
DEBUG: cliff.commandmanager found command 'policy_list'
DEBUG: cliff.commandmanager found command 'federation_protocol_delete'
DEBUG: cliff.commandmanager found command 'credential_create'
DEBUG: cliff.commandmanager found command 'domain_set'
DEBUG: cliff.commandmanager found command 'service_create'
DEBUG: cliff.commandmanager found command 'consumer_set'
DEBUG: cliff.commandmanager found command 'trust_list'
DEBUG: cliff.commandmanager found command 'policy_show'
DEBUG: cliff.commandmanager found command 'domain_create'
DEBUG: cliff.commandmanager found command 'federation_protocol_list'
DEBUG: cliff.commandmanager found command 'region_show'
DEBUG: cliff.commandmanager found command 'federation_protocol_set'
DEBUG: cliff.commandmanager found command 'catalog_list'
DEBUG: cliff.commandmanager found command 'group_delete'
DEBUG: cliff.commandmanager found command 'trust_show'
DEBUG: cliff.commandmanager found command 'endpoint_list'
DEBUG: cliff.commandmanager found command 'federation_domain_list'
DEBUG: cliff.commandmanager found command 'credential_list'
DEBUG: cliff.commandmanager found command 'group_contains_user'
DEBUG: cliff.commandmanager found command 'project_create'
DEBUG: cliff.commandmanager found command 'region_list'
DEBUG: cliff.commandmanager found command 'service_list'
DEBUG: cliff.commandmanager found command 'group_add_user'
DEBUG: cliff.commandmanager found command 'domain_list'
DEBUG: cliff.commandmanager found command 'endpoint_delete'
DEBUG: cliff.commandmanager found command 'project_set'
DEBUG: cliff.commandmanager found command 'policy_set'
DEBUG: cliff.commandmanager found command 'service_show'
DEBUG: cliff.commandmanager found command 'group_remove_user'
DEBUG: cliff.commandmanager found command 'federation_protocol_create'
DEBUG: cliff.commandmanager found command 'project_delete'
DEBUG: cliff.commandmanager found command 'trust_create'
DEBUG: cliff.commandmanager found command 'credential_delete'
DEBUG: cliff.commandmanager found command 'user_create'
DEBUG: cliff.commandmanager found command 'mapping_delete'
DEBUG: cliff.commandmanager found command 'consumer_delete'
DEBUG: cliff.commandmanager found command 'region_create'
DEBUG: cliff.commandmanager found command 'role_delete'
DEBUG: cliff.commandmanager found command 'service_set'
DEBUG: cliff.commandmanager found command 'endpoint_create'
DEBUG: cliff.commandmanager found command 'region_set'
DEBUG: cliff.commandmanager found command 'user_list'
DEBUG: openstackclient.shell identity API version 3, cmd group openstack.identity.v3
DEBUG: cliff.commandmanager found command 'object_create'
DEBUG: cliff.commandmanager found command 'object_list'
DEBUG: cliff.commandmanager found command 'object_delete'
DEBUG: cliff.commandmanager found command 'container_list'
DEBUG: cliff.commandmanager found command 'object_show'
DEBUG: cliff.commandmanager found command 'container_delete'
DEBUG: cliff.commandmanager found command 'container_create'
DEBUG: cliff.commandmanager found command 'container_show'
DEBUG: cliff.commandmanager found command 'container_save'
DEBUG: cliff.commandmanager found command 'object_save'
DEBUG: openstackclient.shell object_store API version 1, cmd group openstack.object_store.v1
DEBUG: cliff.commandmanager found command 'extension_list'
DEBUG: cliff.commandmanager found command 'quota_set'
DEBUG: cliff.commandmanager found command 'quota_show'
DEBUG: cliff.commandmanager found command 'limits_show'
INFO: openstackclient.shell command: <none> -> openstackclient.compute.v2.server.ListServer
DEBUG: openstackclient.api.auth Auth plugin v3token selected
DEBUG: openstackclient.api.auth auth_type: v3token
DEBUG: openstackclient.api.auth fetching option os_auth_url
DEBUG: openstackclient.api.auth fetching option os_domain_id
DEBUG: openstackclient.api.auth fetching option os_domain_name
DEBUG: openstackclient.api.auth fetching option os_project_id
DEBUG: openstackclient.api.auth fetching option os_project_name
DEBUG: openstackclient.api.auth fetching option os_project_domain_id
DEBUG: openstackclient.api.auth fetching option os_project_domain_name
DEBUG: openstackclient.api.auth fetching option os_trust_id
DEBUG: openstackclient.api.auth fetching option os_token
INFO: openstackclient.common.clientmanager Using auth plugin: v3token
DEBUG: openstackclient.common.clientmanager Get auth_ref
Traceback (most recent call last):
  File "/usr/lib64/python2.7/logging/__init__.py", line 859, in emit
    msg = self.format(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 732, in format
    return fmt.format(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 471, in format
    record.message = record.getMessage()
  File "/usr/lib64/python2.7/logging/__init__.py", line 335, in getMessage
    msg = msg % self.args
TypeError: not all arguments converted during string formatting
Logged from file base.py, line 172
INFO: requests.packages.urllib3.connectionpool Starting new HTTPS connection (1): host
DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 403 164
DEBUG: keystoneclient.session Request returned failure status: 403 for url https://host:5000/v3/auth/tokens
DEBUG: openstackclient.compute.v2.server.ListServer take_action(Namespace(all_projects=False, columns=[], flavor=None, formatter='table', host=None, image=None, instance_name=None, ip=None, ip6=None, long=False, max_width=0, name=None, quote_mode='nonnumeric', reservation_id=None, status=None))
DEBUG: openstackclient.compute.client Instantiating compute client: <class 'novaclient.v2.client.Client'>
DEBUG: openstackclient.compute.v2.server.ListServer search options: {'instance_name': None, 'status': None, 'host': None, 'ip6': None, 'name': None, 'ip': None, 'flavor': None, 'reservation_id': None, 'image': None, 'all_tenants': False}
Traceback (most recent call last):
  File "/usr/lib64/python2.7/logging/__init__.py", line 859, in emit
    msg = self.format(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 732, in format
    return fmt.format(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 471, in format
    record.message = record.getMessage()
  File "/usr/lib64/python2.7/logging/__init__.py", line 335, in getMessage
    msg = msg % self.args
TypeError: not all arguments converted during string formatting
Logged from file base.py, line 172
DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 403 164
DEBUG: keystoneclient.session Request returned failure status: 403 for url https://host:5000/v3/auth/tokens
ERROR: openstack You are not authorized to perform the requested action. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-0fafaa6e-802e-460e-bdee-2edcf942d8f7)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 303, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 91, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/compute/v2/server.py", line 691, in take_action
    data = compute_client.servers.list(search_opts=search_opts)
  File "/usr/lib/python2.7/site-packages/novaclient/v2/servers.py", line 583, in list
    return self._list("/servers%s%s" % (detail, query_string), "servers")
  File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 64, in _list
    _resp, body = self.api.client.get(url)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 90, in request
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 315, in request
    auth_headers = self.get_auth_headers(auth)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 615, in get_auth_headers
    return auth.get_headers(self, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/auth/base.py", line 114, in get_headers
    token = self.get_token(session)
  File "/usr/lib/python2.7/site-packages/keystoneclient/auth/identity/base.py", line 104, in get_token
    return self.get_access(session).auth_token
  File "/usr/lib/python2.7/site-packages/keystoneclient/auth/identity/base.py", line 144, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneclient/auth/identity/v3/base.py", line 174, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 514, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 407, in request
    raise exceptions.from_response(resp, method, url)
Forbidden: You are not authorized to perform the requested action. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-0fafaa6e-802e-460e-bdee-2edcf942d8f7)
DEBUG: openstackclient.shell clean_up ListServer
DEBUG: openstackclient.shell got an error: You are not authorized to perform the requested action. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-0fafaa6e-802e-460e-bdee-2edcf942d8f7)
ERROR: openstackclient.shell Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 176, in run
    return super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 238, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 303, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 91, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/compute/v2/server.py", line 691, in take_action
    data = compute_client.servers.list(search_opts=search_opts)
  File "/usr/lib/python2.7/site-packages/novaclient/v2/servers.py", line 583, in list
    return self._list("/servers%s%s" % (detail, query_string), "servers")
  File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 64, in _list
    _resp, body = self.api.client.get(url)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 90, in request
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 315, in request
    auth_headers = self.get_auth_headers(auth)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 615, in get_auth_headers
    return auth.get_headers(self, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/auth/base.py", line 114, in get_headers
    token = self.get_token(session)
  File "/usr/lib/python2.7/site-packages/keystoneclient/auth/identity/base.py", line 104, in get_token
    return self.get_access(session).auth_token
  File "/usr/lib/python2.7/site-packages/keystoneclient/auth/identity/base.py", line 144, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneclient/auth/identity/v3/base.py", line 174, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 514, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 407, in request
    raise exceptions.from_response(resp, method, url)
Forbidden: You are not authorized to perform the requested action. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-0fafaa6e-802e-460e-bdee-2edcf942d8f7)

For obtaining the token I am using a small script that I wrote which does the conversation and relies on the curlicue script:

#!/bin/bash

echo Obtaining a scoped token from Keyston via OAuth1 authentication

if [ -z "$OAUTH_REQUEST_DOMAIN_NAME" ]; then
  echo -n Enter OAUTH_REQUEST_DOMAIN_NAME:
  read OAUTH_REQUEST_DOMAIN_NAME
else
  echo Using OAUTH_REQUEST_DOMAIN_NAME=$OAUTH_REQUEST_DOMAIN_NAME
fi

if [ -z "$OAUTH_REQUEST_PROJECT_NAME" ]; then
  echo -n Enter OAUTH_REQUEST_PROJECT_NAME:
  read OAUTH_REQUEST_PROJECT_NAME
else
  echo Using OAUTH_REQUEST_PROJECT_NAME=$OAUTH_REQUEST_PROJECT_NAME
fi

if [ -z "$OAUTH_REQUEST_ROLE" ]; then
  echo -n Enter OAUTH_REQUEST_ROLE:
  read OAUTH_REQUEST_ROLE
else
  echo Using OAUTH_REQUEST_ROLE=$OAUTH_REQUEST_ROLE
fi

if [ -z "$OAUTH_CONSUMER_KEY" ]; then
  echo -n Enter OAUTH_CONSUMER_KEY:
  read OAUTH_CONSUMER_KEY
else
  echo Using OAUTH_CONSUMER_KEY=$OAUTH_CONSUMER_KEY
fi

if [ -z "$OAUTH_CONSUMER_SECRET" ]; then
  echo -n Enter OAUTH_CONSUMER_SECRET:
  read OAUTH_CONSUMER_SECRET
else
  echo Using OAUTH_CONSUMER_SECRET=$OAUTH_CONSUMER_SECRET
fi

echo
echo "Obtaining Request Token"

OUTPUT="$(openstack request token create --consumer-key $OAUTH_CONSUMER_KEY --consumer-secret $OAUTH_CONSUMER_SECRET --project $OAUTH_REQUEST_PROJECT_NAME --domain $OAUTH_REQUEST_DOMAIN_NAME)"

if (grep -q "+---------+----------------------------------+" <<< "$OUTPUT" ) then
  echo -e "Result:\e[92m[OK]\e[0m"
else
  echo -e "\e[91m[ERROR] No result was found in output:\n\e[0m\e[33m$OUTPUT \e[0m"
fi

#echo "$OUTPUT"

echo
echo "Authorizing Request Token"
OUTPUT="$(openstack request token authorize --request-key $OAUTH_REQUEST_TOKEN_KEY --role $OAUTH_REQUEST_ROLE)"

if (grep -q "+----------------+----------+" <<< "$OUTPUT" ) then
  echo -e "Result:\e[92m[OK]\e[0m"
else
  echo -e "\e[91m[ERROR] No result was found in output:\n\e[0m\e[33m$OUTPUT \e[0m"
fi

#echo "$OUTPUT"

echo
echo "Obtaining Access Token"
OUTPUT="$(openstack access token create --consumer-key $OAUTH_CONSUMER_KEY --consumer-secret $OAUTH_CONSUMER_SECRET --request-key $OAUTH_REQUEST_TOKEN_KEY --request-secret $OAUTH_REQUEST_TOKEN_SECRET --verifier $OAUTH_VERIFIER)"

if (grep -q "+---------+----------------------------------+" <<< "$OUTPUT" ) then
  echo -e "Result:\e[92m[OK]\e[0m"
else
  echo -e "\e[91m[ERROR] No result was found in output:\n\e[0m\e[33m$OUTPUT \e[0m"
fi

echo "$OUTPUT"

cat << EOF > /tmp/consumer
oauth_consumer_key=$OAUTH_CONSUMER_KEY&oauth_consumer_secret=$OAUTH_CONSUMER_SECRET
EOF

cat << EOF > /tmp/access_token
oauth_token=$OAUTH_ACCESS_TOKEN_KEY&oauth_token_secret=$OAUTH_ACCESS_TOKEN_SECRET&oauth_expires_at=$OAUTH_ACCESS_TOKEN_EXPIRES
EOF

OUTPUT="$(curlicue -f /tmp/consumer -f /tmp/access_token -- \
-H "Content-Type: application/json" \
-d "{\"auth\":{\"identity\":{\"methods\":[\"oauth1\"],\"oauth1\":{}}}}" \
https://host:35357/v3/auth/tokens \
--compressed --insecure -si)"

rm /tmp/consumer
rm /tmp/access_token

echo "$OUTPUT"
SUBJECT_TOKEN=`echo "$OUTPUT" | grep X-Subject-Token | sed 's/X-Subject-Token: $.*$.*$/\1/g' | tr -d '\r\n'`

echo
echo -e "Obtained scoped token: \e[92m$SUBJECT_TOKEN\e[0m"

There are also some small fixes I had to apply to the curlicue script (a wrapper of curl which compiles the oauth header):
Original code: oauth_nonce="$(openssl rand -base64 12)"
Fixed code   : oauth_nonce="$(openssl rand -hex 12)"

Original code: params="$(mk_params "$url_params" | join_params '&')"
Fixed code   : params="$(mk_params | join_params '&')"

Best regards,
Bogdan

Revision history for this message

Bogdan (bogdan-vatkov) wrote on 2016-02-16:

#4

One more update. Since I wanted to debug the process I changed the line 172 in

/usr/lib/python2.7/site-packages/keystoneclient/auth/identity/v3/base.py

which was
        _logger.debug('Making authentication request to %s', token_url)
so I wanted to adjust it to:
        _logger.debug('Making authentication request to %s with body= %s', token_url, str(body))
but mistyped and wrote:
        _logger.debug('Making authentication request to %s with body= $s', token_url, str(body))
that is why I had this in the error log:

Traceback (most recent call last):
  File "/usr/lib64/python2.7/logging/__init__.py", line 859, in emit
    msg = self.format(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 732, in format
    return fmt.format(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 471, in format
    record.message = record.getMessage()
  File "/usr/lib64/python2.7/logging/__init__.py", line 335, in getMessage
    msg = msg % self.args
TypeError: not all arguments converted during string formatting
Logged from file base.py, line 172

but after correcting it I have some more info in the log now - instead of the trace above I now have the body logged:

DEBUG: keystoneclient.auth.identity.v3.base Making authentication request to https://host:5000/v3/auth/tokens with body= {'auth': {'scope': {'project': {'domain': {'id': 'default'}, 'name': 'Project1'}}, 'identity': {'token': {'id': '935259242f3c46c6853863394b9882f6'}, 'methods': ['token']}}}

where 935259242f3c46c6853863394b9882f6 is the scoped token.

Sorry for the inconvenience.

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2016-02-19:

#5

So, this might be by design. The OAuth1 token would need to be pre-scoped to the project you're working on and you wouldn't use --os-project-name in the CLI. This is because that is effectively rescoping the token (which is not allowed).

If the OAuth token is already scoped to the intended project and --os-project-name is left off the CLI argument does this work as intended (I'm sorry it's been a while since i've looked at this so I need to ask some questions to be sure I am interpreting the bug correctly).

Revision history for this message

Bogdan (bogdan-vatkov) wrote on 2016-02-19:

#6

Hi Morgan,

I do have the project scoping in my token {"token": {"methods": ["oauth1"], "roles": [{"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}], "expires_at": "2016-02-19T11:50:48.085682Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "f38f21172dcf4dc59660490da8b091f1", "name": .....

And now I tried the CLI without the --os-project-name but it gives me the very same error (Forbidden) and it is caused by the very same lines of code:

        # Do not allow tokens used for delegation to
        # create another token, or perform any changes of
        # state in Keystone. To do so is to invite elevation of
        # privilege attacks

if token_ref.oauth_scoped or token_ref.trust_scoped:
raise exception.Forbidden()

What else could be the reason for this behavior?

Thanks in advance!

Best regards,
Bogdan

Steve Martinelli (stevemar) on 2016-02-26

Changed in keystone:
milestone:	mitaka-3 → none

Revision history for this message

Steve Martinelli (stevemar) wrote on 2016-02-26:

#7

Hey Bogdan, yes, I meant --debug earlier!

Can you try using the generated token in a curl call to list servers?

curl -H "X-Auth-Token: $oauth_scoped_token" -X GET http://nova_endpoint/v2.1/{tenant_id}/servers | python -m json.tool

I am wondering why the request is going back to that portion of keystone which is reserved for re-scoping...

Revision history for this message

Bogdan (bogdan-vatkov) wrote on 2016-02-26:

#8

Just wondering if there are any success stories with OAuth authentication documented.
Looking at the code I can't figure out how could it work at all. Could it be that I am missing something?

I am about to re-test the setup with Liberty soon. Will come back with the findings.

Revision history for this message

Bogdan (bogdan-vatkov) wrote on 2016-02-26:

#9

I posted my comment before I see yours Steve, let me test it now...

Revision history for this message

Bogdan (bogdan-vatkov) wrote on 2016-02-26:

#10

Yes, curl request to nova with the oauth scoped token works just fine! What does that mean now? How is the flow that goes to the keystone piece you mentioned happening? Could it be some api-paste.ini misconfiguration?

curl -H "X-Auth-Token: 81fe2525836549039d3ecd25fa5167cc" -X GET http://localhost:8774/v2.1/f38f21172dcf4dc59660490da8b091f1/servers | python -m json.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 690 100 690 0 0 648 0 0:00:01 0:00:01 --:--:-- 649
{
    "servers": [
        {
            "id": "eaec87f9-6e7c-46c8-8936-39f882843b52",
            "links": [
                {
                    "href": "http://localhost:8774/v2.1/f38f21172dcf4dc59660490da8b091f1/servers/eaec87f9-6e7c-46c8-8936-39f882843b52",
                    "rel": "self"
                },
                {
                    "href": "http://localhost:8774/f38f21172dcf4dc59660490da8b091f1/servers/eaec87f9-6e7c-46c8-8936-39f882843b52",
                    "rel": "bookmark"
                }
            ],
            "name": "pp"
        },
        {
            "id": "571516cb-378c-4eaf-955c-94286c3ae4bc",
            "links": [
                {
                    "href": "http://localhost:8774/v2.1/f38f21172dcf4dc59660490da8b091f1/servers/571516cb-378c-4eaf-955c-94286c3ae4bc",
                    "rel": "self"
                },
                {
                    "href": "http://localhost:8774/f38f21172dcf4dc59660490da8b091f1/servers/571516cb-378c-4eaf-955c-94286c3ae4bc",
                    "rel": "bookmark"
                }
            ],
            "name": "vm1"
        }
    ]
}

Revision history for this message

Bogdan (bogdan-vatkov) wrote on 2016-02-29:

#11

Browsing through the code I do not see much conditions where the call could execute in a different way - the Openstack client always does "POST" to the /v3/auth/tokens API

resp = session.post(token_url, json=body, headers=headers,
authenticated=False, log=False, **rkwargs)

(in /usr/lib/python2.7/site-packages/keystoneclient/auth/identity/v3/base.py)

..., so I do not see how could we expect for the execution not go through the re-scoping code.

Revision history for this message

Dolph Mathews (dolph) wrote on 2016-03-09:

#12

This seems like a missing use case in openstackclient? If you give it an existing token, why is it trying to rescope it? What is it trying to rescope the token to?

Changed in keystone:
status:	New → Incomplete

Revision history for this message

Bogdan (bogdan-vatkov) wrote on 2016-03-09:

#13

Hi Dolph,

Looking at the code it seems like a missing use case, but this is not what an average OpenStack user would expect - the expectation is that once an auth token is obtained (no matter if using OAuth auth flow or other) it should be possible to use it against the OpenStack APIs as well as the openstack CLI.

If this is intended behavior that one cannot use OAuth tokens with the CLI then it should at least be documented.

Just wondering what the Incomplete status in this case means. I read the description - "Cannot be verified, the reporter needs to give more info."

I followed the official doc on how to obtain an auth token via the OAuth mechanism - did that successfully.
If I try to use the token against the openstackclient I get the failure, if I use it against the REST API directly then it works.

Isn't this explanation enough to get the bug verified? What other information do you need?
I would be glad to help, just tell me how.

Best regards,
Bogdan

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2018-10-24:

#14

Marking as incomplete for OSC, please re-visit if it is still an issue (many things have changed across the board) and invalid for keystone.

Changed in keystone:
status:	Incomplete → Won't Fix

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2018-10-24:

#15

Ah, i can't mark as anything in OSC, someone else may need to circle up on this.

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Won't Fix	Undecided	Unassigned
	python-openstackclient	New	Undecided	Unassigned

python-openstackclient

OAuth Identity token gives Forbidden

Bug Description

Other bug subscribers

Remote bug watches