OpenStack - KeyStone 需要身份验证 401

问题描述 投票:0回答:2

我正在尝试列出项目(但无论我尝试这样做还是尝试列出用户,都会发生同样的事情,所以让我们将错误概括为任何 API 调用)。每次执行此操作时,我都会收到以下 HTTP 401 代码:

    File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 656, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 188, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/jsontools.py", line 61, in json_handler
    value = cherrypy.serving.request._json_inner_handler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 34, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/var/www/frontend/controllers/api/user.py", line 63, in PUT
    print keystoneClient.projects.list()
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/projects.py", line 107, in list
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 383, in list
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 124, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 173, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 331, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 98, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 387, in request
    auth_headers = self.get_auth_headers(auth)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 647, in get_auth_headers
    return auth.get_headers(self, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/plugin.py", line 84, in get_headers
    token = self.get_token(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 90, in get_token
    return self.get_access(session).auth_token
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 595, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 484, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-39d02130-6f47-4cae-bc30-0b645296752e)

代码:

import cherrypy
import ldap
from keystoneauth1 import loading
from keystoneauth1 import session as session
from keystoneclient.v3 import client as client
from keystoneauth1.identity import v3
import json

    # Storing username and password in a cherrypy session
    cherrypy.session['username'] = data.get("username")
    cherrypy.session['password'] = data.get("password").replace(" ","%20")

    # Setting up KeyStone Client
    auth = v3.Password(
        auth_url = KEYSTONE_URL,
        username = cherrypy.session['username'],
        password = cherrypy.session['password'],
        user_domain_name="default",
        domain_name = "default"
    )
    sess = session.Session(auth=auth, verify='/etc/ssl/certs/ca-bundle.crt')
    keystoneClient = client.Client(session=sess)

    # Getting list of projects
    print keystoneClient.projects.list()

使用普通用户的凭据时会发生这种情况。如果我使用管理员凭据登录,则不会出现错误并且会列出项目。我想知道:

  • 为什么会出现整体错误? (从我读到的内容来看,它似乎必须重新验证凭据,但它不喜欢它?)
  • 为什么当我使用管理员凭据但使用“普通”用户凭据时不会发生这种情况?
  • 我该如何解决这个问题?
python authentication openstack keystone
2个回答
1
投票

要回答第一个问题,您需要一个项目范围的令牌,因为无范围的令牌没有任何与之关联的角色。您无法使用无作用域令牌执行任何操作。这是获取项目范围令牌的方法:

auth = v3.Password(auth_url=auth_url,
                   username=username, 
                   password=password,
                   user_domain_name="default",
                   project_name=project_name,
                   project_domain_name="default")
sess = session.Session(auth=auth, verify='/etc/ssl/certs/ca-bundle.crt')
keystoneClient = client.Client(session=sess)

对于普通用户来说,您无法取回提供程序中的整个项目列表,这就是为什么它可以很好地使用管理员凭据,但不适用于普通用户。

为了解决这个问题,您需要知道该普通用户的

user_id
。一种方法是使用管理员凭据获取 keystone 客户端并调用

keystone.users.get(user="username")

或者仅使用 OpenStack 仪表板并转到身份仪表板。有一个名为 

User
的面板,您可以从那里看到 
user_id

一旦有了 

user_id
,您就可以:

keystoneClient.projects.list(user=user_id)

HTH.

0
投票

普通用户需要将其范围限定在其项目范围内才能执行任何 API 调用。

这里是 Keystone 中作用域与无作用域令牌之间的区别

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.