Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

C

certification

10 Posts

2295

July 27th, 2016 11:00

Openstack Data Protection Extension for Avamar

Hi Folks,

I'm trying to run Openstack DPE on my lab, with no success for the moment.

When I start the DPE proxy service which is expected to authenticate to Keystone, I get the following error from keystone.log:

2016-07-26 12:48:16.892835 2016-07-26 12:48:16.892 2464 WARNING keystone.common.wsgi [req-4cd1d447-45fd-4f35-a924-af068fabf62a - - - - -] You are not authorized to perform the requested action: identity:list_domains

From the DPE proxy service, the error is similar which states the action is forbidden.

  1. requests.exceptions.HTTPError: 403 Client Error: Forbidden

Yet, I have configured a new user backup_admin with admin rights on its project named avamar, and I followed the installation guide step by step. Am I missing something?

I also tried with different release of Openstack such as Kilo, Liberty and Mitaka and I’m still facing the same issue.

Any tip/advice/help would be  highly appreciated.

Vijay__Avamar_

16 Posts

July 27th, 2016 17:00

Hello - There are several possibe ways you could have got that message.

1. Incorrect Openstack credentials for the DPE proxy service

    Please verify the credentials using "curl" or horizon login.

2. Openstack "Domains" enabled:

    We do not support Domains yet.

3. An openstack configuration issue

   Please see  https://ask.openstack.org/en/question/69418/not-authorized-to-list-projects-with-keystone-v3/

4. Openstack bug or bad parameter sequence

     Please see  https://review.openstack.org/#/c/311206/

You may also find login issues in the syslog of the controller node.

certification

10 Posts

July 28th, 2016 00:00

Hi Vijay,

1. Nothing wrong with my credentials. It's setup correctly.

Excerpt of my conf file:

[Keystone]

href=http://controller:5000/

username=backup_admin

password=password

#ssl_verify=/path/to/sslcert.pem

[Tenant]

name=avamar

If i try to run curl command instead, i'm getting the list of domains.

First, i request a token based on the file:

    {
        "auth": {
            "identity": {
            "methods": [
                    "password"
                ],
                "password": {
                    "user": {
                        "domain": {
                            "name": "Default"
                        },
                        "name": "backup_admin",
                        "password": "password"
                    }
                }
            },
            "scope": {
                "project": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "avamar"
                }
            }
        }
    }

export TOKEN=`curl -si -d @token-request.json -H "Content-type: application/json" http://localhost:35357/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}'`

Then use this token with my curl command.

root@Controller-POC:~/API-scripts# curl -si -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:5000/v3/domains

HTTP/1.1 200 OK

Date: Thu, 28 Jul 2016 07:46:35 GMT

Server: Apache/2.4.7 (Ubuntu)

Vary: X-Auth-Token

X-Distribution: Ubuntu

x-openstack-request-id: req-04c78c60-7146-4ba5-af9c-af4ae081d7e7

Content-Length: 305

Content-Type: application/json

{"domains": [{"links": {"self": "http://localhost:5000/v3/domains/default"}, "enabled": true, "description": "Owns users and tenants (i.e. projects) available on Identity API v2.", "name": "Default", "id": "default"}], "links": {"self": "http://localhost:5000/v3/domains", "previous": null, "next": null}}

2. I did not activate domains. I'm using Liberty which is supposed to work. Yet, i can notice there is a reference to domains, how can i verify this feature is not activated by mistake?

Do you know if there is some restrictions about the openstack deployment methode?

At this moment, i'm using a 3 nodes architecture, based on Ubuntu 14.04 and Liberty released deployed manually.

Anyway, thanks for your help.

JP

Anonymous

5 Practitioner

 • 

274.2K Posts

July 28th, 2016 10:00

Please ensure the backup_admin user is a member of:

  • admin project
  • avamar project
  • backup tenant project(s)

Find Keystone group membership from the CLI using:

keystone user-list --tenant_id=admin

As for curl calls to Keystone, please refer to:

API Examples using Curl — keystone 10.0.0.0b3.dev149 documentation

*initially you may use the default scope vs domain-scope or project-scope for the backup_admin user

certification

10 Posts

July 28th, 2016 12:00

I've just finished to deploy once again the dpe-proxy-service within a fresh new installation of Openstack Liberty on Ubuntu 14.04. Everything was working well unti i start the service:

2016-07-28 21:18:05.944860 2016-07-28 21:18:05.941 2885 ERROR keystone.auth.plugins.core raise exception.DomainNotFound(domain_id=domain_id)

2016-07-28 21:18:05.944863 2016-07-28 21:18:05.941 2885 ERROR keystone.auth.plugins.core DomainNotFound: Could not find domain: Default

2016-07-28 21:18:05.944866 2016-07-28 21:18:05.941 2885 ERROR keystone.auth.plugins.core

2016-07-28 21:18:05.947243 2016-07-28 21:18:05.945 2885 WARNING keystone.common.wsgi [req-bb5045e5-fce4-44dd-9b54-21836cba2749 - - - - -] Authorization failed. The request you have made requires authentication. from ::1

i'm struggling with this plugin, and i need to deliver a POC next week. Don't really know where to start. I've followed the installation guide with no success so far.

sddc_guy

159 Posts

September 19th, 2016 02:00

check your neutron and metadat conf !

metadata_agent.ini

project_domain_id = default

user_domain_id = default

neutron.conf:

project_domain_id = default

user_domain_id = default

this is the manual / default domain form OS Setup

alos, looks as if you are defaulting to an IPv6 controller ?

Do you use ip or dns names for the controller names in the scripts ?

is you DNS workin correctly ?

View More

View All

No Events found!

Top