ERROR keystonemiddleware.auth_token [-] Bad response code while validating token: 400

Heat认证配置错误
解决Heat服务中因认证配置不当导致的错误响应问题,通过调整配置文件中的认证参数并重启相关服务来恢复正常。
2018-02-01 15:29:13.453 60498 WARNING keystonemiddleware.auth_token [-] Use of the auth_admin_prefix, auth_host, auth_port, auth_protocol, identity_uri, adm
in_token, admin_user, admin_password, and admin_tenant_name configuration options is deprecated in favor of auth_plugin and related options and may be removed in a future release.2018-02-01 15:29:13.454 60498 WARNING keystonemiddleware.auth_token [-] Configuring admin URI using auth fragments. This is deprecated, use 'identity_uri' i
nstead.2018-02-01 15:29:13.456 60498 INFO heat.api [-] Starting Heat REST API on 0.0.0.0:8004
2018-02-01 15:29:13.459 60498 INFO heat.common.wsgi [-] Starting 2 workers
2018-02-01 15:29:13.475 60498 INFO heat.common.wsgi [-] Started child 60560
2018-02-01 15:29:13.480 60498 INFO heat.common.wsgi [-] Started child 60564
2018-02-01 15:30:14.498 60564 ERROR keystonemiddleware.auth_token [-] Bad response code while validating token: 400
2018-02-01 15:30:14.512 60564 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Expecting to find username or userId in pa
sswordCredentials - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}2018-02-01 15:30:14.512 60564 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Failed to fetch token data from identity server
2018-02-01 15:30:27.613 60564 ERROR keystonemiddleware.auth_token [-] Bad response code while validating token: 400
2018-02-01 15:30:27.615 60564 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Expecting to find username or userId in pa
sswordCredentials - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}2018-02-01 15:30:27.616 60564 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Failed to fetch token data from identity server
2018-02-01 15:31:00.923 60564 ERROR keystonemiddleware.auth_token [-] Bad response code while validating token: 400
2018-02-01 15:31:00.924 60564 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Expecting to find username or userId in pa
sswordCredentials - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}2018-02-01 15:31:00.925 60564 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Failed to fetch token data from identity server


安装heat之后,dashboard上报错 Error: Unable to retrieve stack list. 

log 显示:

ERROR keystonemiddleware.auth_token [-] Bad response code while validating token: 400

WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Expecting to find username or userId in passwordCredentials - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}2018-02-01 15:31:00.925 60564 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Failed to fetch token data from identity server


解决方法:

之前的heat 认证配置是:

[keystone_authtoken]
auth_host = 192.168.179.140
auth_port = 35357
auth_protocol = http
auth_uri = http://192.168.179.140:5000/v2.0
signing_dir = /tmp/keystone-signing-heat

改成如下配置:

[keystone_authtoken]
admin_tenant_name = services
admin_user = heat
admin_password= redhat
auth_host = 192.168.179.140
auth_port = 35357
auth_protocol = http
auth_uri = http://192.168.179.140:5000/v2.0
signing_dir = /tmp/keystone-signing-heat


重启服务:

# systemctl restart openstack-heat-api.service openstack-heat-api-cfn.service openstack-heat-engine.service


<think>好的,用户遇到了Keystone Middleware的auth_token模块返回401 Unauthorized错误的问题,需要找到解决方法。首先,我得回忆一下OpenStack中认证服务Keystone的相关知识,以及auth_token中间件的作用。根据用户提供的引用内容,有几个可能的原因:比如认证未完成、X-Auth-Token无效、或者用户、项目、域被禁用等。 用户提供的引用[1]提到403 Forbidden的情况,可能涉及密码不一致的问题,引用[2]中的例子就是因为配置文件中的密码与实际输入的密码不一致导致认证失败,需要修改glance的密码。这可能提示我需要检查相关服务的配置文件中关于Keystone的认证信息是否正确,比如密码、用户名、项目名称等是否正确匹配。 引用[3]中的cURL命令是用来获取token的,如果token获取失败,可能也会导致后续请求的401错误。因此,验证token是否正确生成是必要的步骤。此外,检查服务之间的通信是否正常,比如SSL证书是否有效,时间是否同步,这些都可能影响认证过程。 接下来,我需要将这些可能的原因整理成步骤,逐步排除问题。首先检查配置文件中的认证信息是否正确,包括密码、用户名、项目等,然后验证是否能成功获取token,接着检查服务端点是否正确配置,以及中间件配置是否正确。最后,日志分析是关键,通过查看Keystone和相关服务的日志,定位具体的错误信息。 同时,用户可能需要了解如何修改配置文件,如何生成新的token,以及如何重启服务。另外,权限问题也可能导致401错误,比如服务账号是否有足够的权限访问所需的资源。时间同步的问题也需要考虑,因为如果各个节点的时间不同步,可能导致token过期或被拒绝。 最后,生成相关问题时要覆盖常见的排查步骤、配置检查、日志分析、权限和时间同步等,帮助用户全面理解可能的解决方法。</think>### Keystone Middleware auth_token模块401 Unauthorized错误解决方法 #### 1. **检查认证信息一致性** - **配置文件中密码验证**:确保服务(如Glance、Nova)的配置文件中与Keystone相关的密码、用户名、项目名称等信息完全一致。例如,`/etc/glance/glance-api.conf`中的`admin_password`需与Keystone中注册的密码匹配[^2]。 - **示例配置项**: ```ini [keystone_authtoken] auth_url = http://<keystone_ip>:5000/v3 username = glance password = your_actual_password project_name = service ``` - **操作**:通过`openstack service list`验证服务账号状态是否正常,若被禁用需启用。 #### 2. **验证Token生成流程** - 使用cURL手动生成Token,确认Keystone服务可用性[^3]: ```bash curl -v -X POST $OS_AUTH_URL/auth/tokens \ -H "Content-Type: application/json" \ -d '{ "auth": { "identity": { "methods": ["password"], "password": { "user": { "domain": {"name": "'"$OS_USER_DOMAIN_NAME"'"}, "name": "'"$OS_USERNAME"'", "password": "'"$OS_PASSWORD"'" } } }, "scope": { "project": { "domain": {"name": "'"$OS_PROJECT_DOMAIN_NAME"'"}, "name": "'"$OS_PROJECT_NAME"'" } } } }' ``` - **预期结果**:返回`201 Created`及有效的Token。若失败,检查Keystone日志(`/var/log/keystone/keystone.log`)。 #### 3. **检查服务端点(Endpoints)** - 确保服务在Keystone中注册的端点URL正确且可访问: ```bash openstack endpoint list | grep <service_name> ``` - **常见问题**:端点指向错误IP或端口,或未启用SSL但配置了HTTPS。 #### 4. **中间件配置验证** - 确认`auth_token`中间件配置正确,包括: - `auth_url`指向Keystone的v3接口(如`http://<keystone_ip>:5000/v3`)。 - `memcached_servers`配置正确(若使用缓存)。 - `service_token_roles_required`设为`false`(若服务间通信未启用角色校验)[^4]。 #### 5. **时间同步与证书验证** - **NTP同步**:确保所有节点时间同步,避免Token因时间偏差失效: ```bash ntpq -p ``` - **SSL证书**:若使用HTTPS,检查证书是否过期或未正确配置。临时关闭SSL验证(测试用): ```ini [keystone_authtoken] insecure = True ``` #### 6. **日志分析** - 查看相关服务日志定位具体错误: ```bash tail -f /var/log/<service>/<service>.log ``` - **典型错误**: - `Invalid user credentials`:密码或用户信息不匹配[^1]。 - `Token not found`:Token未正确传递或已过期。 #### 7. **服务重启** - 修改配置后重启服务以生效: ```bash systemctl restart <service_name> ``` ---
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值