When logged in to openstack-dashboard got error "Unable to get service,usage info"

Asked by piyadol

I've installed openstack-dashboard from https://github.com/openstack/horizon everything is fine until I've logged in to openstack-dashboard it's say

Error: Unable to get service info: This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.

Error: Unable to get usage info: This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.

There are 2 errors that says Unable to get service&usage info I've tried in everyway but can't solved my problem.

Question information

Language:
English Edit question
Status:
Answered
For:
OpenStack Dashboard (Horizon) Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Gabriel Hurley (gabriel-hurley) said :
#1

This error is related to the rest of your openstack deployment. It is most often caused by mismatched service tokens between nova, keystone, etc. but similar errors can also be raised by failure to have the openstackx extensions properly installed with nova or bad service endpoint data in keystone causing connection errors.

My first suggestion, though, would be to check all your conf/proxy server files (nova, keystone, glance, etc.) and make sure they match the correct admin service token defined by keystone.

Revision history for this message
piyadol (piyadol-h) said :
#2

Thanks for your answered Gabriel but I've already checked all config files but still got the same error.Here is my config file keystone.conf,nova.conf,api-pase.ini

##Keystone.conf##

[DEFAULT]
# Show more verbose log output (sets INFO log level output)
verbose = False

# Show debugging output in logs (sets DEBUG log level output)
debug = False

# Which backend store should Keystone use by default.
# Default: 'sqlite'
# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
default_store = sqlite

# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
log_file = keystone.log
log_dir = .

# List of backends to be configured
backends = keystone.backends.sqlalchemy
#For LDAP support, add: ,keystone.backends.ldap

# Dictionary Maps every service to a header.Missing services would get header
# X_(SERVICE_NAME) Key => Service Name, Value => Header Name
service-header-mappings = {
    'nova' : 'X-Server-Management-Url',
    'swift' : 'X-Storage-Url',
    'cdn' : 'X-CDN-Management-Url'}

#List of extensions currently loaded.
#Refer docs for list of supported extensions.
extensions= osksadm,oskscatalog

# Address to bind the API server
# TODO Properties defined within app not available via pipeline.
service_host = 0.0.0.0

# Port the bind the API server to
service_port = 5000

# SSL for API server
service_ssl = False

# Address to bind the Admin API server
admin_host = 0.0.0.0

# Port the bind the Admin API server to
admin_port = 35357

# SSL for API Admin server
admin_ssl = False

# Keystone certificate file (modify as needed)
# Only required if *_ssl is set to True
certfile = /etc/keystone/ssl/certs/keystone.pem

# Keystone private key file (modify as needed)
# Only required if *_ssl is set to True
keyfile = /etc/keystone/ssl/private/keystonekey.pem

# Keystone trusted CA certificates (modify as needed)
# Only required if *_ssl is set to True
ca_certs = /etc/keystone/ssl/certs/ca.pem

# Client certificate required
# Only relevant if *_ssl is set to True
cert_required = True

#Role that allows to perform admin operations.
keystone-admin-role = Admin

#Role that allows to perform service admin operations.
keystone-service-admin-role = KeystoneServiceAdmin

#Tells whether password user need to be hashed in the backend
hash-password = True

[keystone.backends.sqlalchemy]
# SQLAlchemy connection string for the reference implementation registry
# server. Any valid SQLAlchemy connection string is fine.
# See: http://bit.ly/ideIpI
sql_connection = mysql://keystone:keystonedbadmin@172.0.0.1/keystone
backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
                    'User', 'Credentials', 'EndpointTemplates', 'Token',
                    'Service']

# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
sql_idle_timeout = 30

[pipeline:admin]
pipeline =
    urlrewritefilter
    admin_api

[pipeline:keystone-legacy-auth]
pipeline =
    urlrewritefilter
    legacy_auth
    service_api

[app:service_api]
paste.app_factory = keystone.server:service_app_factory

[app:admin_api]
paste.app_factory = keystone.server:admin_app_factory

[filter:urlrewritefilter]
paste.filter_factory = keystone.middleware.url:filter_factory

[filter:legacy_auth]
paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory

[filter:debug]
paste.filter_factory = keystone.common.wsgi:debug_filter_factory

## nova.conf ##

# configured using KVM, Flat, MySQL, and Glance, API is OpenStack (or EC2)
--daemonize=1
--dhcpbridge_flagfile=/etc/nova/nova.conf
--dhcpbridge=/usr/bin/nova-dhcpbridge
--flat_network_bridge=br100
--lock_path=/var/lock/nova
--logdir=/var/log/nova
--state_path=/var/lib/nova
--verbose
--use_deprecated_auth
--network_manager=nova.network.manager.FlatDHCPManager
--sql_connection=mysql://nova:novadbadmin@172.0.0.1/nova
--osapi_host=10.29.9.81
--rabbit_host=10.29.9.81
--ec2_host=10.29.9.81
--image_service=nova.image.glance.GlanceImageService
--glance_api_servers=10.29.9.81:9292
# first 3 octets of the network your volume service is on, substitute with real numbers
--iscsi_ip_prefix=192.168
--fixed_range=192.168.0.0/16
--routing_source_ip=10.29.9.81
--ec2_api=10.29.9.81
--ec2_url=http://10.29.9.81:8773/services/Cloud
--libvirt_type=kvm
--flat_network_dhcp_start=192.168.7.2
--flat_network_bridge=br100
--flat_interface=eth1
--flat_injected=False
--public_interface=eth0

## api-paste.ini ##

#######
# EC2 #
#######

[composite:ec2]
use = egg:Paste#urlmap
/: ec2versions
/services/Cloud: ec2cloud
/services/Admin: ec2admin
/latest: ec2metadata
/2007-01-19: ec2metadata
/2007-03-01: ec2metadata
/2007-08-29: ec2metadata
/2007-10-10: ec2metadata
/2007-12-15: ec2metadata
/2008-02-01: ec2metadata
/2008-09-01: ec2metadata
/2009-04-04: ec2metadata
/1.0: ec2metadata

[pipeline:ec2cloud]
# pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = logrequest authenticate cloudrequest authorizer ec2executor

[pipeline:ec2admin]
# pipeline = logrequest ec2noauth adminrequest authorizer ec2executor
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = logrequest authenticate adminrequest authorizer ec2executor

[pipeline:ec2metadata]
pipeline = logrequest ec2md

[pipeline:ec2versions]
pipeline = logrequest ec2ver

[filter:logrequest]
paste.filter_factory = nova.api.ec2:RequestLogging.factory

[filter:ec2lockout]
paste.filter_factory = nova.api.ec2:Lockout.factory

[filter:ec2noauth]
paste.filter_factory = nova.api.ec2:NoAuth.factory

[filter:authenticate]
paste.filter_factory = nova.api.ec2:Authenticate.factory

[filter:cloudrequest]
controller = nova.api.ec2.cloud.CloudController
paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:adminrequest]
controller = nova.api.ec2.admin.AdminController
paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:authorizer]
paste.filter_factory = nova.api.ec2:Authorizer.factory

[app:ec2executor]
paste.app_factory = nova.api.ec2:Executor.factory

[app:ec2ver]
paste.app_factory = nova.api.ec2:Versions.factory

[app:ec2md]
paste.app_factory = nova.api.ec2.metadatarequesthandler:MetadataRequestHandler.factory

#############
# Openstack #
#############

[composite:osapi]
use = egg:Paste#urlmap
/: osversions
/v1.0: openstackapi10
/v1.1: openstackapi11

[pipeline:openstackapi10]
# pipeline = faultwrap noauth ratelimit osapiapp10
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = faultwrap auth ratelimit osapiapp10

[pipeline:openstackapi11]
# pipeline = faultwrap noauth ratelimit extensions osapiapp11
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = faultwrap auth ratelimit extensions osapiapp11

[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory

[filter:auth]
paste.filter_factory = nova.api.openstack.auth:AuthMiddleware.factory

[filter:noauth]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory

[filter:ratelimit]
paste.filter_factory = nova.api.openstack.limits:RateLimitingMiddleware.factory

[filter:extensions]
paste.filter_factory = nova.api.openstack.extensions:ExtensionMiddleware.factory

[app:osapiapp10]
paste.app_factory = nova.api.openstack:APIRouterV10.factory

[app:osapiapp11]
paste.app_factory = nova.api.openstack:APIRouterV11.factory

[pipeline:osversions]
pipeline = faultwrap osversionapp

[app:osversionapp]
paste.app_factory = nova.api.openstack.versions:Versions.factory
##########
# Shared #
##########

[filter:keystonecontext]
paste.filter_factory = keystone.middleware.nova_keystone_context:NovaKeystoneContext.factory

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = LPACloud

Revision history for this message
Thomas Spycher (me-ngeefk4xayt3t) said :
#3

Same Error here in Switzerland...

Revision history for this message
Gabriel Hurley (gabriel-hurley) said :
#4

A second thought is that this could also be related to the openstackx nova extensions being configured. Despite openstackx being deprecated it is not completely excised from the horizon codebase yet (the nova API doesn't support everything openstackx did yet).

Off the top of my head, with devstack's directory structure as a reference, on diablo nova you needed to make sure --osapi_extensions_path=/opt/stack/openstackx/extensions in nova.conf.

I believe the flag name changed in essex nova, though. You should consult the current nova/devstack docs for what the right thing to set is.

Hopefully that helps this time!

Revision history for this message
Thomas Spycher (me-ngeefk4xayt3t) said :
#5

Thanks for your fast reply
I've just tested your advice.
The Message in Dashboard changed now: Unable to get service info: [Errno 111] ECONNREFUSED

Checking to logs tells me the following:

DEBUG:django_openstack.api:extras_api connection created using token "7df0ae9b-6f0a-478e-950b-e9f2b3dc446a" and url "http://192.168.77.135:8774/v1.1/2"
ERROR:django_openstack.api:ApiException fetching usage list in instance usage on date range "2011-12-01 00:00:00 to 2011-12-14 09:56:34.233693"
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard-dev/django-openstack/django_openstack/api.py", line 1021, in usage
    datetime_end)
  File "/usr/share/openstack-dashboard-dev/django-openstack/django_openstack/api.py", line 324, in inner
    return f(*args, **kwargs)
  File "/usr/share/openstack-dashboard-dev/django-openstack/django_openstack/api.py", line 719, in usage_list
    return [Usage(u) for u in extras_api(request).usage.list(start, end)]
  File "/usr/share/openstack-dashboard-dev/openstack-dashboard/.dashboard-venv/src/openstackx/openstackx/extras/usage.py", line 12, in list
    return self._list("/extras/usage?start=%s&end=%s" % (start.isoformat(), end.isoformat()), "usage")
  File "/usr/share/openstack-dashboard-dev/openstack-dashboard/.dashboard-venv/src/openstackx/openstackx/api/base.py", line 27, in _list
    resp, body = self.api.connection.get(url)
  File "/usr/share/openstack-dashboard-dev/openstack-dashboard/.dashboard-venv/src/openstackx/openstackx/api/connection.py", line 78, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/share/openstack-dashboard-dev/openstack-dashboard/.dashboard-venv/src/openstackx/openstackx/api/connection.py", line 63, in _cs_request
    **kwargs)
  File "/usr/share/openstack-dashboard-dev/openstack-dashboard/.dashboard-venv/src/openstackx/openstackx/api/connection.py", line 48, in request
    raise exceptions.from_response(resp, body)
BadRequest: [Errno 111] ECONNREFUSED (HTTP 400)

Revision history for this message
Thomas Spycher (me-ngeefk4xayt3t) said :
#6

Oukay Port 8774 is the osapi port. Looks like my setting for osapi osapi_extensions_path is wrong...

Revision history for this message
Thomas Spycher (me-ngeefk4xayt3t) said :
#7

Hey folks...

I've worked many hours in this issue with no progress...
The whole infrastructure is working perfectly...

I'm working on a simple installerscript located here:
https://github.com/tspycher/CloudInstaller/issues/2

Revision history for this message
Thomas Spycher (me-ngeefk4xayt3t) said :
#8

Got it!!!

Just need to change in /etc/nova/api-paste.ini the following

from:
[pipeline:openstackapi10]
# pipeline = faultwrap noauth ratelimit osapiapp10
# NOTE(vish): use the following pipeline for deprecated auth
#pipeline = faultwrap auth ratelimit osapiapp10

[pipeline:openstackapi11]
# pipeline = faultwrap noauth ratelimit extensions osapiapp11
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = faultwrap auth ratelimit extensions osapiapp11

to:
[pipeline:openstackapi10]
pipeline = faultwrap noauth ratelimit osapiapp10
# NOTE(vish): use the following pipeline for deprecated auth
#pipeline = faultwrap auth ratelimit osapiapp10

[pipeline:openstackapi11]
pipeline = faultwrap noauth ratelimit extensions osapiapp11
# NOTE(vish): use the following pipeline for deprecated auth
#pipeline = faultwrap auth ratelimit extensions osapiapp11

and

from:
[pipeline:ec2cloud]
# pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = logrequest authenticate cloudrequest authorizer ec2executor

[pipeline:ec2admin]
# pipeline = logrequest ec2noauth adminrequest authorizer ec2executor
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = logrequest authenticate adminrequest authorizer ec2executor

to:

[pipeline:ec2cloud]
pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor
# NOTE(vish): use the following pipeline for deprecated auth
#pipeline = logrequest authenticate cloudrequest authorizer ec2executor

[pipeline:ec2admin]
pipeline = logrequest ec2noauth adminrequest authorizer ec2executor
# NOTE(vish): use the following pipeline for deprecated auth
#pipeline = logrequest authenticate adminrequest authorizer ec2executor

Revision history for this message
Reza (reza-b2008) said :
#9

Hi,
modifying /etc/nova/api-paste.ini did help to remove the first error you mentioned.
thanks for that.

how did you fix the error "Unable to get usage info: [Errno 111] ECONNREFUSED" ?

Revision history for this message
Prashant (pczanwar) said :
#10

I am getting this issue, and i am not able to see lines above in my config .. I am using redhat 7.1 ..

Revision history for this message
Matthias Runge (mrunge) said :
#11

Prashant,

please note, Horizon changed a lot since 2011/early 2012.

This section here is deprecated and discouraged to use.

You could either use ask.openstack.org

or (preferred) file a bug in your distributions issue tracker.
If you're a customer of Red Hat Entrprise OpenStack platform, feel free to either file a bug at bugzilla.redhat.com, horizon is a component named python-django-horizon; or you could directly contact customer support.

If you're using RDO packages from rdoproject.org, please file a bug in bugzilla, component is same as named above.

Can you help with this problem?

Provide an answer of your own, or ask piyadol for more information if necessary.

To post a message you must log in.