ERROR: Invalid OpenStack Nova credentials

Encontré un problema tratando de instalar OpenStack en Fedora 19 con esta guía

# nova --debug flavor-list
REQ: curl -i http://127.0.0.1:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "verybadpass"}}}'

INFO (connectionpool:236) Starting new HTTP connection (1): 127.0.0.1
DEBUG (connectionpool:330) “POST /v2.0/tokens HTTP/1.1” 401 116
RESP: [401] CaseInsensitiveDict({‘date’: ‘Fri, 11 Oct 2013 23:24:41 GMT’, ‘vary’: ‘X-Auth-Token’, ‘content-length’: ‘116’, ‘content-type’: ‘application/json’})
RESP BODY: {“error”: {“message”: “The request you have made requires authentication.”, “code”: 401, “title”: “Not Authorized”}}


DEBUG (shell:768) Invalid OpenStack Nova credentials.
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 765, in main
OpenStackComputeShell().main(map(strutils.safe_decode, sys.argv[1:]))
File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 697, in main
raise exc.CommandError("Invalid OpenStack Nova credentials.")
CommandError: Invalid OpenStack Nova credentials.
ERROR: Invalid OpenStack Nova credentials.

Mirando el archivo .keystorerc, parecía estar bien.

[root@localhost ~]# cat .keystonerc
export ADMIN_TOKEN=49ac57278d318dc7bb61
export OS_SERVICE_TOKEN=49ac57278d318dc7bb61
export OS_USERNAME=admin
export OS_PASSWORD=verybadpass
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/
export SERVICE_TOKEN=$ADMIN_TOKEN

La solución fue hacer que el usuario, rol e inquilino estén asociados.
1. Obtener el ID para el usuario admin:

[root@localhost ~]# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+--------+---------+-------+
| id | name | enabled | email |
+----------------------------------+--------+---------+-------+
| 4738e8d8819a47a5b0cd7b72db3f3fa6 | admin | True | |
| 157da897546e4ac8a98eaf6240683457 | ec2 | True | |
| 3819652ea963416a99aa6bc6dd1cd83c | glance | True | |
| 12c7844b7dc24aa3a7e704b49e026f33 | nova | True | |
| 8313970d7d524ef59983a062711916e8 | swift | True | |
+----------------------------------+--------+---------+-------+

2. Obtener el ID inquilino para admin, si no existe, lo creamos:

[root@localhost ~]# keystone tenant-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+---------+---------+
| id | name | enabled |
+----------------------------------+---------+---------+
| afd9af7cd2604311be27646b4111f8d4 | demo | True |
| 9c85743eee994e28af10ea7b9d215af0 | service | True |
+----------------------------------+---------+---------+

[root@localhost ~]# keystone tenant-create –name admin
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+————-+———————————-+
| Property | Value |
+————-+———————————-+
| description | |
| enabled | True |
| id | 4aec780fe3374e46b4cea0de602c19c5 |
| name | admin |
+————-+———————————-+


3. Obetener el ID del rol:

[root@localhost ~]# keystone role-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+----------+
| id | name |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 9b4b3ec7153b4b48bf381db829108646 | admin |
+----------------------------------+----------+

Por ultimo, los asociamos:


[root@localhost ~]# keystone user-role-add --user 4738e8d8819a47a5b0cd7b72db3f3fa6 --role 9b4b3ec7153b4b48bf381db829108646[root@localhost ~]# keystone user-role-add --user 4738e8d8819a47a5b0cd7b72db3f3fa6 --role 9b4b3ec7153b4b48bf381db829108646 --tenant-id 4aec780fe3374e46b4cea0de602c19c5

Después de esto, el error de las credenciales desapareció. De todos modos, encontré otro error que decía que Nova no era capaz de firmar el token de autenticación.

Finalmente instale OpenStack utilizando RDO. Este método es mucho mas sencillo.

English

I faced a problem while trying to configure OpenStack on Fedora 19 following this guide

# nova --debug flavor-list
REQ: curl -i http://127.0.0.1:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "verybadpass"}}}'

INFO (connectionpool:236) Starting new HTTP connection (1): 127.0.0.1
DEBUG (connectionpool:330) “POST /v2.0/tokens HTTP/1.1” 401 116
RESP: [401] CaseInsensitiveDict({‘date’: ‘Fri, 11 Oct 2013 23:24:41 GMT’, ‘vary’: ‘X-Auth-Token’, ‘content-length’: ‘116’, ‘content-type’: ‘application/json’})
RESP BODY: {“error”: {“message”: “The request you have made requires authentication.”, “code”: 401, “title”: “Not Authorized”}}


DEBUG (shell:768) Invalid OpenStack Nova credentials.
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 765, in main
OpenStackComputeShell().main(map(strutils.safe_decode, sys.argv[1:]))
File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 697, in main
raise exc.CommandError("Invalid OpenStack Nova credentials.")
CommandError: Invalid OpenStack Nova credentials.
ERROR: Invalid OpenStack Nova credentials.

Checking my .keystorerc file it looked good.

[root@localhost ~]# cat .keystonerc
export ADMIN_TOKEN=49ac57278d318dc7bb61
export OS_SERVICE_TOKEN=49ac57278d318dc7bb61
export OS_USERNAME=admin
export OS_PASSWORD=verybadpass
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/
export SERVICE_TOKEN=$ADMIN_TOKEN

The solution was to make sure that the user, role and tenant are associated.
1. Get the ID from the admin user:

[root@localhost ~]# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+--------+---------+-------+
| id | name | enabled | email |
+----------------------------------+--------+---------+-------+
| 4738e8d8819a47a5b0cd7b72db3f3fa6 | admin | True | |
| 157da897546e4ac8a98eaf6240683457 | ec2 | True | |
| 3819652ea963416a99aa6bc6dd1cd83c | glance | True | |
| 12c7844b7dc24aa3a7e704b49e026f33 | nova | True | |
| 8313970d7d524ef59983a062711916e8 | swift | True | |
+----------------------------------+--------+---------+-------+

2. Get the tenant admin id, if not there, create it:

[root@localhost ~]# keystone tenant-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+---------+---------+
| id | name | enabled |
+----------------------------------+---------+---------+
| afd9af7cd2604311be27646b4111f8d4 | demo | True |
| 9c85743eee994e28af10ea7b9d215af0 | service | True |
+----------------------------------+---------+---------+

[root@localhost ~]# keystone tenant-create –name admin
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+————-+———————————-+
| Property | Value |
+————-+———————————-+
| description | |
| enabled | True |
| id | 4aec780fe3374e46b4cea0de602c19c5 |
| name | admin |
+————-+———————————-+


3. Get the role id:

[root@localhost ~]# keystone role-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+----------+
| id | name |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 9b4b3ec7153b4b48bf381db829108646 | admin |
+----------------------------------+----------+

Associate them all together.

[root@localhost ~]# keystone user-role-add --user 4738e8d8819a47a5b0cd7b72db3f3fa6 --role 9b4b3ec7153b4b48bf381db829108646[root@localhost ~]# keystone user-role-add --user 4738e8d8819a47a5b0cd7b72db3f3fa6 --role 9b4b3ec7153b4b48bf381db829108646 --tenant-id 4aec780fe3374e46b4cea0de602c19c5

After this, the credentials error disappeared. However, I faced a new error message saying that Nova wasn’t able to sign the token.

I’ve finally installed OpenStack trough RDO. This method is simpler.

CISL 2013

La semana pasada asistimos al CISL 2013. Tuve la oportunidad de dar una charla sobre virtualización y me impresionó lo interactiva y participativa que fue. Mucha gente tiene experiencia en este tema hoy en día y es muy bueno poder compartir experiencias.

English

Last week we attended the CISL 2013 event. I gave a talk about Virtualization and was very impressed by how interactive and participative it was. A lot of people have experience with this topic nowadays and it is nice to share experiences.