the nova endpoint URL is throwing error

I have used single machine to install all the component of open-stack.

Just to check:
- you entered your service tenant, nova user and password at the end in the api-paste.ini?
- you granted the nova user the admin role in keystone?

Please let me know how to grant the nova user the admin role in keystone.I I haven't added the service tenant in the end of the api-paste.ini file.Here I have copied the end portion of api-paste.ini file.

[filter:keystonecontext]
paste.filter_factory = keystone.middleware.nova_keystone_context:NovaKeystoneContext.factory

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = XX.XX.XX.XX
service_port = 35357
auth_host = XX.XX.XX.XX
auth_port = 5000
auth_protocol = http
auth_uri = http://XX.XX.XX.XX:5000/v2.0/
admin_token = 77da154a-53ee-4479-b805-6bd08f227eb2

-----------
But the nova user,password and tenant detail present in the environment variable.Here is the environment variable set for this.
NOVA_USERNAME=adminUser
NOVA_PROJECT_ID=openstackDemo
NOVA_PASSWORD=secretword
NOVA_API_KEY=secretword
NOVA_URL=http://XX.XX.XX.XX:5000/v2.0/
NOVA_VERSION=1.1
NOVA_REGION_NAME=RegionOne
OS_AUTH_USER=adminUser
OS_AUTH_KEY=secretword
OS_AUTH_TENANT=openstackDemo
OS_AUTH_URL=http://XX.XX.XX.XX:5000/v2.0/
OS_AUTH_STRATEGY=keystone

Instead of admin_token in the api-paste.ini try those lines:

admin_tenant_name = service
admin_user = nova
admin_password = nova

Make sure that you enter your service tentant and the credentials for your nova user.

If you haven't done so already, create at least the admin role according to this link:
http://docs.openstack.org/essex/openstack-compute/starter/content/Creating_Keystone_Roles-d1e460.html

And after that add the admin role to the nova user, as explained in this link:
http://docs.openstack.org/essex/openstack-compute/starter/content/Adding_Roles_to_Users-d1e465.html

I have made the necessary changes you have mentioned. But it didn't work..
I have executed the following command:
$ curl -H "X-Auth-Token:11121314151617181920" http://localhost:35357/v2.0/tokens/7f3618d9-668e-40f4-afe3-178d5f0f1ac0 |python -mjson.tool

output:
--------

{
    "access": {
        "token": {
            "expires": "2012-05-26T01:20:27",
            "id": "7f3618d9-668e-40f4-afe3-178d5f0f1ac0",
            "tenant": {
                "id": "1",
                "name": "openstackDemo"
            }
        },
        "user": {
            "id": "3",
            "roles": [
                {
                    "id": "1",
                    "name": "Admin",
                    "tenantId": "1"
                },
                {
                    "id": "1",
                    "name": "Admin"
                }
            ],
            "username": "adminUser"
        }
    }
}

But if I use the same auth_token for nova service purpose I got error.

example:

$ curl -H "X-Auth-Token:11121314151617181920" http:/ost:8774/v1.0/

output:
---------

<head>
  <title>401 Unauthorized</title>
 </head>
 <body>
  <h1>401 Unauthorized</h1>
  This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.<br /><br />

Still now I am not able to resolve the issue. Please help me to resole it.

Ok, there are a couple of issues here.

First you've got some errors in your service catalog entries, namely the internal urls of your services. They all direct to the nova api, please check that you create your endpoints according to this link: http://docs.openstack.org/essex/openstack-compute/starter/content/Creating_Endpoints-d1e469.html

The next thing is your curl itself to get the token. You use:
curl -d '{"auth": {"tenantName": "openstackDemo", "passwordCredentials":{"username": "adminUser", "password": "secretword"}}}' -H "Content-type: application/json" http://XX.XX.XX.XX:35357/v2.0/tokens | python -mjson.tool

It should work, but you're actually using the admin url here. Usually one would use either the internal or the public url for authentication: "http://XX.XX.XX.XX:5000/v2.0"

When you try to validate the glance and nova endpoints, why don't you use the "glance index" and "nova list" commands? Use them with the "--debug" option and they'll show you the http requests they make. Also remember that glance and nova will use their respective users from the service tenant to make those requests. So if you want to check that glance and nova are working correctly using curl than use the credentials of their users.

I am using keystone 2011.3 version and I felt this doesn't support normal keystone command to create the service end-point. So, I have created the end-point using the following command.

$ keystone-manage endpointTemplates add RegionOne nova http://XX.XX.XX.XX:8774/v1.1/%tenant_id% http://XX.XX.XX.XX:8774/v1.1/%tenant_id% http://XX.XX.XX.XX:8774/v1.1/%tenant_id% 1 1

I have followed the following link to create user,tenants, roles and service end-point.
http://docs.openstack.org/diablo/openstack-compute/install/openstack-install-guide-diablo.pdf

I have used both the admin port 35357 as well as service port 5000 and got the same result of curl command.

I have used nova list command and received the following error message.

$ nova --debug list

output
----------
connect: (XX.XX.XX.XX, 5000)
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: XX.XX.XX.XX:5000\r\nContent-Length: 117\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\nuser-agent: python-novaclient\r\n\r\n{"auth": {"tenantName": "openstackDemo", "passwordCredentials": {"username": "adminUser", "password": "secretword"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json; charset=UTF-8
header: Content-Length: 955
header: Date: Fri, 25 May 2012 13:58:35 GMT
resp : {'date': 'Fri, 25 May 2012 13:58:35 GMT', 'status': '200', 'content-length': '955', 'content-type': 'application/json; charset=UTF-8'}
token: 7f3618d9-668e-40f4-afe3-178d5f0f1ac0
connect: (XX.XX.XX.XX, 8774)
send: u'GET /v1.1/1/servers/detail?fresh=1337954315.09 HTTP/1.1\r\nHost: XX.XX.XX.XX:8774\r\nx-auth-project-id: openstackDemo\r\nx-auth-token: 7f3618d9-668e-40f4-afe3-178d5f0f1ac0\r\naccept-encoding: gzip, deflate\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Length: 253
header: Content-Type: text/plain; charset=UTF-8
header: Date: Fri, 25 May 2012 13:58:35 GMT
resp : {'date': 'Fri, 25 May 2012 13:58:35 GMT', 'status': '401', 'content-length': '253', 'content-type': 'text/plain; charset=UTF-8'}
n/a (HTTP 401)

Sorry, I didn't realize you were using an older version. I have no experience with that, so I can't help you there.

At least from the debug message it looks to me like keystone is working correctly, you get you're authentication token. The GET message that results in you 401 is to the nova api. So it looks like the the nova api does not accept your token.

So the first step would be to find out if the nova api is correctly configured, so that it uses keystone for authorization or not. One way to do this could be to manipulate the database. I suspect that the nova authentication token will be checked against the table "nova.auth_tokens" where as the keystone tokens are checked against "keystone.token". So for example you create your keystone token and use this to create a nova.auth_token. If the requests then work you know at least what's going wrong.