Depending on which release of keystone you're running, try enabling either insecure_debug (more recent releases) or debug (older releases) to true in keystone.conf to get more detailed error messages from keystone.
https://github.com/openstack/keystone/blob/3c4fe622ac5da00b04ccc8bc4e207a2e9ab0f863/etc/keystone.conf.sample#L87-L91 That said, your configuration looks entirely correct to me, so I'm curious what the outcome is here. The only other red flag I see is that you mentioned a "2 node OpenStack cluster", and I'm not sure what that means in this context, exactly. How are the 2 nodes utilized? On Wed, Apr 27, 2016 at 5:43 AM, Dhvanan Shah <dhva...@gmail.com> wrote: > keystone --debug user-list gives this: > > /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: > DeprecationWarning: The keystone CLI is deprecated in favor of > python-openstackclient. For a Python library, continue using > python-keystoneclient. > 'python-keystoneclient.', DeprecationWarning) > DEBUG:keystoneclient.auth.identity.v2:Making authentication request to > http://10.16.37.221:5000/v2.0/tokens > INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection > (1): proxy.serc.iisc.ernet.in > DEBUG:requests.packages.urllib3.connectionpool:"POST > http://10.16.37.221:5000/v2.0/tokens HTTP/1.1" 403 3370 > DEBUG:keystoneclient.session:Request returned failure status: 403 > Authorization Failed: Forbidden (HTTP 403) > > nova --debug user list gives this: > > DEBUG (session:195) REQ: curl -g -i -X GET http://10.16.37.221:5000/v2.0 > -H "Accept: application/json" -H "User-Agent: python-keystoneclient" > INFO (connectionpool:203) Starting new HTTP connection (1): > proxy.serc.iisc.ernet.in > DEBUG (connectionpool:383) "GET http://10.16.37.221:5000/v2.0 HTTP/1.1" > 403 3275 > DEBUG (session:224) RESP: > DEBUG (session:396) Request returned failure status: 403 > WARNING (base:133) Discovering versions from the identity service failed > when creating the password plugin. Attempting to determine version from URL. > DEBUG (v2:76) Making authentication request to > http://10.16.37.221:5000/v2.0/tokens > DEBUG (connectionpool:383) "POST http://10.16.37.221:5000/v2.0/tokens > HTTP/1.1" 403 3370 > DEBUG (session:396) Request returned failure status: 403 > DEBUG (shell:914) Forbidden (HTTP 403) > Forbidden: Forbidden (HTTP 403) > ERROR (Forbidden): Forbidden (HTTP 403) > > > > On Wed, Apr 27, 2016 at 3:12 PM, Dhvanan Shah <dhva...@gmail.com> wrote: > >> On running openstack-status this is what I get (all the services are >> running, so not included that here) >> >> == Keystone users == >> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: >> DeprecationWarning: The keystone CLI is deprecated in favor of >> python-openstackclient. For a Python library, continue using >> python-keystoneclient. >> 'python-keystoneclient.', DeprecationWarning) >> Authorization Failed: Forbidden (HTTP 403) >> == Glance images == >> Forbidden (HTTP 403) >> == Nova managed services == >> No handlers could be found for logger >> "keystoneclient.auth.identity.generic.base" >> ERROR (Forbidden): Forbidden (HTTP 403) >> == Nova networks == >> No handlers could be found for logger >> "keystoneclient.auth.identity.generic.base" >> ERROR (Forbidden): Forbidden (HTTP 403) >> == Nova instance flavors == >> No handlers could be found for logger >> "keystoneclient.auth.identity.generic.base" >> ERROR (Forbidden): Forbidden (HTTP 403) >> == Nova instances == >> No handlers could be found for logger >> "keystoneclient.auth.identity.generic.base" >> ERROR (Forbidden): Forbidden (HTTP 403) >> >> >> On Wed, Apr 27, 2016 at 3:09 PM, Dhvanan Shah <dhva...@gmail.com> wrote: >> >>> Hi Jens, >>> >>> The password is correct when I echo $OS_PASSWORD. >>> I downloaded the admin-openrc.sh file from the dashboard and sourced. I >>> ran a nova list after that: >>> No handlers could be found for logger >>> "keystoneclient.auth.identity.generic.base" >>> ERROR (Forbidden): Forbidden (HTTP 403) >>> >>> It still gives the error of forbidden access. >>> I think the password is not the issue. Forbidden access might be >>> something else. Do you want me to share anything else? >>> >>> On Wed, Apr 27, 2016 at 2:56 PM, Jens Rosenboom <j.rosenb...@x-ion.de> >>> wrote: >>> >>>> 2016-04-27 10:30 GMT+02:00 Dhvanan Shah <dhva...@gmail.com>: >>>> > UPDATE: >>>> > I am able to log into Horizon and perform all actions without any >>>> issue but >>>> > on my terminal, I am not able to do the same. The password that I >>>> thought >>>> > was wrong is not the issue as I logged in with the same password. >>>> > My keystone_adminrc file looks like this: >>>> > >>>> > unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT >>>> > export OS_USERNAME=admin >>>> > export OS_PASSWORD=**************** >>>> > export OS_AUTH_URL=http://10.16.37.221:35357/v2.0 >>>> > export PS1='[\u@\h \W(keystone_admin)]\$ ' >>>> > >>>> > export OS_TENANT_NAME=admin >>>> > export OS_REGION_NAME=RegionOne >>>> > >>>> > >>>> > Please suggest what I could do! >>>> >>>> Does your password contain special characters that might get mangled >>>> by the shell? You could compare the output of "echo $OS_PASSWORD" to >>>> verify. >>>> >>>> Otherwise, if the dashboard is working for you, you can go to >>>> Project/Compute/Access&Security/API Access and use the "Download >>>> OpenStack RC File" link there. >>>> >>>> >>>> __________________________________________________________________________ >>>> OpenStack Development Mailing List (not for usage questions) >>>> Unsubscribe: >>>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>> >>> >>> >>> -- >>> Dhvanan Shah >>> >> >> >> >> -- >> Dhvanan Shah >> > > > > -- > Dhvanan Shah > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev