Hi, Problem resolved.
curl 10.16.37.221:5000 returned access denied. So I added a no proxy for the host ip in the browser after which it began returning the JSON data. After this I exported the same in my keystone_adminrc file as Chinmaya pointed out. That solved the problem and it no longer gives the forbidden error. But the funny thing here is that I have had this setup running for quite some time now and I have not added a no_proxy for the host ip and I also haven't faced this issue before. So I am not sure what triggered this error here now. Thanks a lot for your inputs. On Wed, Apr 27, 2016 at 5:30 PM, Dolph Mathews <dolph.math...@gmail.com> wrote: > > On Wed, Apr 27, 2016 at 6:53 AM, Dhvanan Shah <dhva...@gmail.com> wrote: > >> Hi, >> >> Enabling the debug flag didn't give any additional information. >> >> 2 node Cluster means that I have one controller that also runs the >> compute and an additional compute node, thus 2 node OpenStack Cluster. >> >> The problem here is not with the password as I am able to log in through >> the dashboard. Any action performed gives a Forbidden error and >> authorization failed for keystone. >> >> Any other things that I could look at? >> > > Another long shot, but you might have an unintended surprise in your > environment. > > $ env | grep ^OS_ > > More likely though, I'm guessing you don't actually have the "admin" role > on the "admin" tenant that you're expecting. The 403 is indicating that you > are authenticated successfully (your password is correct), but you don't > have authorization to make the request (listing users, for example). You'd > be able to login to horizon and spin up a VM, or do the same from the CLI, > but not make the requests you're using to exercise the cloud admin role. > > >> On Wed, Apr 27, 2016 at 4:55 PM, Dolph Mathews <dolph.math...@gmail.com> >> wrote: >> >>> Depending on which release of keystone you're running, try enabling >>> either insecure_debug (more recent releases) or debug (older releases) to >>> true in keystone.conf to get more detailed error messages from keystone. >>> >>> >>> https://github.com/openstack/keystone/blob/3c4fe622ac5da00b04ccc8bc4e207a2e9ab0f863/etc/keystone.conf.sample#L87-L91 >>> >>> That said, your configuration looks entirely correct to me, so I'm >>> curious what the outcome is here. The only other red flag I see is that you >>> mentioned a "2 node OpenStack cluster", and I'm not sure what that means in >>> this context, exactly. How are the 2 nodes utilized? >>> >>> On Wed, Apr 27, 2016 at 5:43 AM, Dhvanan Shah <dhva...@gmail.com> wrote: >>> >>>> keystone --debug user-list gives this: >>>> >>>> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: >>>> DeprecationWarning: The keystone CLI is deprecated in favor of >>>> python-openstackclient. For a Python library, continue using >>>> python-keystoneclient. >>>> 'python-keystoneclient.', DeprecationWarning) >>>> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to >>>> http://10.16.37.221:5000/v2.0/tokens >>>> INFO:requests.packages.urllib3.connectionpool:Starting new HTTP >>>> connection (1): proxy.serc.iisc.ernet.in >>>> DEBUG:requests.packages.urllib3.connectionpool:"POST >>>> http://10.16.37.221:5000/v2.0/tokens HTTP/1.1" 403 3370 >>>> DEBUG:keystoneclient.session:Request returned failure status: 403 >>>> Authorization Failed: Forbidden (HTTP 403) >>>> >>>> nova --debug user list gives this: >>>> >>>> DEBUG (session:195) REQ: curl -g -i -X GET >>>> http://10.16.37.221:5000/v2.0 -H "Accept: application/json" -H >>>> "User-Agent: python-keystoneclient" >>>> INFO (connectionpool:203) Starting new HTTP connection (1): >>>> proxy.serc.iisc.ernet.in >>>> DEBUG (connectionpool:383) "GET http://10.16.37.221:5000/v2.0 >>>> HTTP/1.1" 403 3275 >>>> DEBUG (session:224) RESP: >>>> DEBUG (session:396) Request returned failure status: 403 >>>> WARNING (base:133) Discovering versions from the identity service >>>> failed when creating the password plugin. Attempting to determine version >>>> from URL. >>>> DEBUG (v2:76) Making authentication request to >>>> http://10.16.37.221:5000/v2.0/tokens >>>> DEBUG (connectionpool:383) "POST http://10.16.37.221:5000/v2.0/tokens >>>> HTTP/1.1" 403 3370 >>>> DEBUG (session:396) Request returned failure status: 403 >>>> DEBUG (shell:914) Forbidden (HTTP 403) >>>> Forbidden: Forbidden (HTTP 403) >>>> ERROR (Forbidden): Forbidden (HTTP 403) >>>> >>>> >>>> >>>> On Wed, Apr 27, 2016 at 3:12 PM, Dhvanan Shah <dhva...@gmail.com> >>>> wrote: >>>> >>>>> On running openstack-status this is what I get (all the services are >>>>> running, so not included that here) >>>>> >>>>> == Keystone users == >>>>> /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: >>>>> DeprecationWarning: The keystone CLI is deprecated in favor of >>>>> python-openstackclient. For a Python library, continue using >>>>> python-keystoneclient. >>>>> 'python-keystoneclient.', DeprecationWarning) >>>>> Authorization Failed: Forbidden (HTTP 403) >>>>> == Glance images == >>>>> Forbidden (HTTP 403) >>>>> == Nova managed services == >>>>> No handlers could be found for logger >>>>> "keystoneclient.auth.identity.generic.base" >>>>> ERROR (Forbidden): Forbidden (HTTP 403) >>>>> == Nova networks == >>>>> No handlers could be found for logger >>>>> "keystoneclient.auth.identity.generic.base" >>>>> ERROR (Forbidden): Forbidden (HTTP 403) >>>>> == Nova instance flavors == >>>>> No handlers could be found for logger >>>>> "keystoneclient.auth.identity.generic.base" >>>>> ERROR (Forbidden): Forbidden (HTTP 403) >>>>> == Nova instances == >>>>> No handlers could be found for logger >>>>> "keystoneclient.auth.identity.generic.base" >>>>> ERROR (Forbidden): Forbidden (HTTP 403) >>>>> >>>>> >>>>> On Wed, Apr 27, 2016 at 3:09 PM, Dhvanan Shah <dhva...@gmail.com> >>>>> wrote: >>>>> >>>>>> Hi Jens, >>>>>> >>>>>> The password is correct when I echo $OS_PASSWORD. >>>>>> I downloaded the admin-openrc.sh file from the dashboard and sourced. >>>>>> I ran a nova list after that: >>>>>> No handlers could be found for logger >>>>>> "keystoneclient.auth.identity.generic.base" >>>>>> ERROR (Forbidden): Forbidden (HTTP 403) >>>>>> >>>>>> It still gives the error of forbidden access. >>>>>> I think the password is not the issue. Forbidden access might be >>>>>> something else. Do you want me to share anything else? >>>>>> >>>>>> On Wed, Apr 27, 2016 at 2:56 PM, Jens Rosenboom <j.rosenb...@x-ion.de >>>>>> > wrote: >>>>>> >>>>>>> 2016-04-27 10:30 GMT+02:00 Dhvanan Shah <dhva...@gmail.com>: >>>>>>> > UPDATE: >>>>>>> > I am able to log into Horizon and perform all actions without any >>>>>>> issue but >>>>>>> > on my terminal, I am not able to do the same. The password that I >>>>>>> thought >>>>>>> > was wrong is not the issue as I logged in with the same password. >>>>>>> > My keystone_adminrc file looks like this: >>>>>>> > >>>>>>> > unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT >>>>>>> > export OS_USERNAME=admin >>>>>>> > export OS_PASSWORD=**************** >>>>>>> > export OS_AUTH_URL=http://10.16.37.221:35357/v2.0 >>>>>>> > export PS1='[\u@\h \W(keystone_admin)]\$ ' >>>>>>> > >>>>>>> > export OS_TENANT_NAME=admin >>>>>>> > export OS_REGION_NAME=RegionOne >>>>>>> > >>>>>>> > >>>>>>> > Please suggest what I could do! >>>>>>> >>>>>>> Does your password contain special characters that might get mangled >>>>>>> by the shell? You could compare the output of "echo $OS_PASSWORD" to >>>>>>> verify. >>>>>>> >>>>>>> Otherwise, if the dashboard is working for you, you can go to >>>>>>> Project/Compute/Access&Security/API Access and use the "Download >>>>>>> OpenStack RC File" link there. >>>>>>> >>>>>>> >>>>>>> __________________________________________________________________________ >>>>>>> OpenStack Development Mailing List (not for usage questions) >>>>>>> Unsubscribe: >>>>>>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Dhvanan Shah >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Dhvanan Shah >>>>> >>>> >>>> >>>> >>>> -- >>>> Dhvanan Shah >>>> >>>> >>>> __________________________________________________________________________ >>>> OpenStack Development Mailing List (not for usage questions) >>>> Unsubscribe: >>>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>>> >>> >>> >>> __________________________________________________________________________ >>> OpenStack Development Mailing List (not for usage questions) >>> Unsubscribe: >>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >>> >> >> >> -- >> Dhvanan Shah >> > > -- Dhvanan Shah
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev