Resource CREATE failed: AuthorizationFailure: resources.VDU1: Authorization failed.

Asked by Damir Besic on 2017-01-17

I've got an AllInOne OpenStack setup where I've got main OS components + Heat installed, and working well.

Installation procedure of Tacker was held up to the letter according to http://docs.openstack.org/developer/tacker/install/manual_installation.html

When I try to create a VNF from a "hello world" template in Tacker sample folder, I get an error "Resource CREATE failed: AuthorizationFailure: resources.VDU1: Authorization failed."

I see no errors in tacker log, only error is in keystone log:

2017-01-17 11:10:09.890 61338 INFO keystone.common.wsgi [req-af610ccf-49d9-4b49-bcbc-f5b0180d324b - - - - -] GET http://172.16.93.131:35357/v3/
2017-01-17 11:10:09.898 61334 INFO keystone.common.wsgi [req-a15c3d55-ca04-4117-ac5a-f8c4f2d2f71b - - - - -] POST http://172.16.93.131:35357/v3/auth/tokens
2017-01-17 11:10:10.035 61334 WARNING keystone.common.wsgi [req-a15c3d55-ca04-4117-ac5a-f8c4f2d2f71b - - - - -] Authorization failed. The request you have made requires authentication. from 172.16.93.131

Do you have any suggestions on what else to check? What could be wrong?

Question information

Language: English
Status: Solved
For: tacker
Assignee: No assignee
Solved by: Gianpietro Lavado
Solved: 2017-02-21
Last query: 2017-02-21
Last reply: 2017-01-24

Sridhar Ramaswamy (srics-r) said : #1

Can you double check the credentials used in the vim-config yaml file used in vim-register cmd [1]?

[1] http://docs.openstack.org/developer/tacker/install/manual_installation.html#registering-default-vim

Damir Besic (dbesic) said : #2

Hi Sridhar,

Yes, the credentials are correct. I triple checked, and even recreated the user.

As I mentioned, I followed the installation to the letter.

Hi Damir Besic,

Can you paste the tacker.conf file and vim-config.yaml file which you have used to register the vim here?

Damir Besic (dbesic) said : #4

Of course:

/usr/local/etc/tacker/tacker.conf
-----------------------------------------------------------------------------------------------
[DEFAULT]
auth_strategy = keystone
policy_file = /usr/local/etc/tacker/policy.json
debug = True
use_syslog = False
bind_host = 172.16.93.131
bind_port = 9890
service_plugins = nfvo,vnfm

state_path = /var/lib/tacker

[nfvo]
vim_drivers = openstack

[keystone_authtoken]
memcached_servers = 172.16.93.131:11211
region_name = RegionOne
auth_type = password
project_domain_name = default
user_domain_name = default
username = tacker
project_name = service
password = kapsch
auth_url = http://172.16.93.131:35357
auth_uri = http://172.16.93.131:5000
identity_uri = http://172.16.93.131:5000

[agent]
root_helper = sudo /usr/local/bin/tacker-rootwrap /usr/local/etc/tacker/rootwrap.conf

[database]
connection = mysql://tacker:kapsch@172.16.93.131:3306/tacker?charset=utf8

[tacker]
monitor_driver = ping,http_ping

-----------------------------------------------------------------------------------------------
config.yaml
-----------------------------------------------------------------------------------------------

auth_url: http://172.16.93.131:5000
username: tacker
password: kapsch
project_name: service
project_domain_name: default
user_domain_name: default

Hi, I have the same issue, similar configs, where config.yaml matches [keystone_authtoken] section credentials. Maybe it has to do with Heat authentication?

Damir Besic (dbesic) said : #6

Well,
When I deploy a HEAT template, it works as expected.
But when I try over Tacker, I get the above-mentioned errors.

Same thing here, not sure if related but when I start the tacker server, I can see there's no admin user being passed:

2017-01-20 11:13:58.242 6348 DEBUG tacker.service [req-a815a58b-33fb-470c-8a18-820107c0b5bd - - - - -] keystone_authtoken.admin_tenant_name = admin log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2626
2017-01-20 11:13:58.242 6348 DEBUG tacker.service [req-a815a58b-33fb-470c-8a18-820107c0b5bd - - - - -] keystone_authtoken.admin_token = **** log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2626
2017-01-20 11:13:58.243 6348 DEBUG tacker.service [req-a815a58b-33fb-470c-8a18-820107c0b5bd - - - - -] keystone_authtoken.admin_user = None log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2626

There seems to be a token anyway, but it's not clear to me from which part in the conf it's picking the admin tenant and not the service tenant where the Tacker service is configured.

This is related to the stage of the process where HEAT comes into play and needs to authenticate to deploy the stack, specifically in relation to these configuration lines in heat.conf

[clients_keystone]
auth_uri = http://controller:5000
[trustee]
auth_type = password
auth_url = http://controller:35357
username = heat
password = heat
user_domain_name = default

However, can't find why it's failing yet...

2017-01-20 22:26:00.756 4210 INFO heat.engine.resource [req-62df8f48-dd08-4945-875c-86ceddeb9966 a39cf575afa948e7a17ef460a54569e2 9f007514e3c44538814bc48bd3536bdf - - -] creating Server "VDU1" Stack "tacker.vnfm.infra_drivers.openstack.openstack_OpenStack-b87688b2-9f6a-4149-b8d7-c5b4557115fc" [4ab7b93f-279b-46df-ac5f-ddb64a428347]
2017-01-20 22:26:01.498 4210 ERROR heat.engine.clients.keystoneclient [req-62df8f48-dd08-4945-875c-86ceddeb9966 a39cf575afa948e7a17ef460a54569e2 9f007514e3c44538814bc48bd3536bdf - - -] Domain admin client authentication failed
2017-01-20 22:26:01.499 4210 INFO heat.engine.resource [req-62df8f48-dd08-4945-875c-86ceddeb9966 a39cf575afa948e7a17ef460a54569e2 9f007514e3c44538814bc48bd3536bdf - - -] CREATE: Server "VDU1" Stack "tacker.vnfm.infra_drivers.openstack.openstack_OpenStack-b87688b2-9f6a-4149-b8d7-c5b4557115fc" [4ab7b93f-279b-46df-ac5f-ddb64a428347]
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource Traceback (most recent call last):
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resource.py", line 753, in _action_recorder
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource yield
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resource.py", line 855, in _do_action
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource yield self.action_handler_task(action, args=handler_args)
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/scheduler.py", line 336, in wrapper
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource step = next(subtask)
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resource.py", line 800, in action_handler_task
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource handler_data = handler(*args)
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resources/openstack/nova/server.py", line 842, in handle_create
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource self._create_transport_credentials(self.properties)
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resources/openstack/nova/server.py", line 768, in _create_transport_credentials
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource self._create_user()
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/resources/stack_user.py", line 44, in _create_user
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource self.stack.id)
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 391, in create_stack_domain_project
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource domain_project = self.domain_admin_client.projects.create(
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 150, in domain_admin_client
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource auth=self.domain_admin_auth)
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource File "/usr/lib/python2.7/dist-packages/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 139, in domain_admin_auth
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource raise exception.AuthorizationFailure()
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource AuthorizationFailure: Authorization failed.
2017-01-20 22:26:01.499 4210 ERROR heat.engine.resource
2017-01-20 22:26:01.596 4210 INFO heat.engine.stack [req-62df8f48-dd08-4945-875c-86ceddeb9966 a39cf575afa948e7a17ef460a54569e2 9f007514e3c44538814bc48bd3536bdf - - -] Stack CREATE FAILED (tacker.vnfm.infra_drivers.openstack.openstack_OpenStack-b87688b2-9f6a-4149-b8d7-c5b4557115fc): Resource CREATE failed: AuthorizationFailure: resources.VDU1: Authorization failed.

Solved!

I had two errors at heat.conf:
1. A password had a space at the end under [trustee]
2. The heat_domain_admin user 's was misconfigured and did not match "stack_domain_admin_password" setting.

Damir, look for authentication settings at heat.conf, the root cause is there for sure.
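
Added example, not part of the thread and not Heat's own code: a raw-line lint for heat.conf that flags the first error described above (whitespace around a secret value) and checks that the stack-domain options the second error depends on are set. The sample config is constructed from the fragment posted earlier; the `heat` domain name and the `lint_heat_conf` helper are assumptions.

```python
import re

# Options whose values are secrets; a stray space changes what is sent to Keystone.
SECRET_OPT = re.compile(r"(password|secret|token)$")
# heat.conf [DEFAULT] options the stack-domain admin login depends on.
STACK_DOMAIN_OPTS = ("stack_user_domain_name", "stack_domain_admin",
                     "stack_domain_admin_password")

# Constructed sample, modelled on the heat.conf fragment in the thread.
SAMPLE = (
    "[DEFAULT]\n"
    "stack_domain_admin = heat_domain_admin\n"
    "stack_user_domain_name = heat\n"      # assumed domain name
    "[clients_keystone]\n"
    "auth_uri = http://controller:5000\n"
    "[trustee]\n"
    "auth_type = password\n"
    "auth_url = http://controller:35357\n"
    "username = heat\n"
    "password = heat \n"                   # trailing space, as in error 1
    "user_domain_name = default\n"
)

def lint_heat_conf(text):
    """Return a list of (section, option, problem) findings."""
    findings, seen, section = [], set(), None
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip()[1:-1]
            continue
        opt, sep, value = raw.partition("=")
        if not sep:
            continue
        opt = opt.strip()
        seen.add((section, opt))
        if SECRET_OPT.search(opt):
            # Ignore the single conventional space after "=".
            body = value[1:] if value.startswith(" ") else value
            if body != body.strip():
                findings.append((section, opt, "whitespace around value"))
            elif not body:
                findings.append((section, opt, "empty value"))
    for opt in STACK_DOMAIN_OPTS:
        if ("DEFAULT", opt) not in seen:
            findings.append(("DEFAULT", opt, "not set"))
    return findings
```

The lint only confirms that `stack_domain_admin_password` is present; whether it matches the password stored for the heat_domain_admin user can only be confirmed by authenticating as that user against Keystone.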

Damir Besic (dbesic) said : #10

I've played with permissions, and now I'm ending up with this issue: https://answers.launchpad.net/tacker/+question/404191

You solved the authorization issue, I hit exactly the same issue afterwards, take a look at my answer here: https://answers.launchpad.net/tacker/+question/404191

Damir Besic (dbesic) said : #12

Thanks Gianpietro Lavado, that solved my question.