使用OpenStack API時發生未經授權的錯誤，無法從Keystone獲取身份驗證令牌

Question

我想使用RESTful API，例如

https://nova.rc.nectar.org.au:8774/v1.1/1f283209946f428998e8d3930bb038d1

但是無法獲取身份驗證令牌。

我嘗試了以下命令來獲取它（我沒有管理員訪問權限）：

curl -d '{"auth":{"passwordCredentials":{"username": "miranda.zhang", "password": "mypass"}}}' -H "Content-type: application/json"  https://keystone.rc.nectar.org.au:5000/v2.0/tokens

但還是得到

{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

我也看過我嘗試安裝的python-keystoneclient

python setup.py install

但它返回錯誤

Traceback (most recent call last):
  File "setup.py", line 18, in <module>
    import setuptools
ImportError: No module named setuptools

這是我的雲提供商生成的openrc.sh文件 ，似乎沒有幫助。

#!/bin/bash

# With the addition of Keystone, to use an openstack cloud you should
# authenticate against keystone, which returns a **Token** and **Service
# Catalog**.  The catalog contains the endpoint for all services the
# user/tenant has access to - including nova, glance, keystone, swift.
#
# *NOTE*: Using the 2.0 *auth api* does not mean that compute api is 2.0.  We
# will use the 1.1 *compute api*
export OS_AUTH_URL=https://keystone.rc.nectar.org.au:5000/v2.0/

# With the addition of Keystone we have standardized on the term **tenant**
# as the entity that owns the resources.
export OS_TENANT_ID=1f283209946f428998e8d3930bb038d1
export OS_TENANT_NAME="pt-1114"

# In addition to the owning entity (tenant), openstack stores the entity
# performing the action as the **user**.
export OS_USERNAME="miranda.zhang"

# With Keystone you pass the keystone password.
echo "Please enter your OpenStack Password: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT

參考：

1. http://docs.openstack.org/developer/keystone/api_curl_examples.html
2. http://api.openstack.org/api-ref-identity.html#identity
3. http://docs.openstack.org/api/openstack-identity-service/2.0/content/POST_authenticate_v2.0_tokens_.html

---

我嘗試了Barak的建議以包括租戶名稱，但仍然得到以下信息：

HTTP/1.1 401 Unauthorized
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 114
Date: Sun, 29 Dec 2013 08:54:28 GMT

{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

---

我已經在Barak的幫助下安裝了Keystone客戶端：

sudo apt-get install python-setuptools
sudo easy_install pip
sudo pip install python-keystoneclient

但是像這樣使用它：

keystone --os-tenant-name pt-1114 --os-username USERNAME --os-password PASSWORD --os-auth-url https://keystone.rc.nectar.org.au:5000/v2.0/tokens -os-identity-api-version 2.0 --debug token-get

我收到此錯誤，而token-get顯然是有效的選擇。

usage: keystone [--version] [--timeout <seconds>]
                [--os-username <auth-user-name>]
                [--os-password <auth-password>]
                [--os-tenant-name <auth-tenant-name>]
                [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
                [--os-region-name <region-name>]
                [--os-identity-api-version <identity-api-version>]
                [--os-token <service-token>]
                [--os-endpoint <service-endpoint>]
                [--os-cacert <ca-certificate>] [--insecure]
                [--os-cert <certificate>] [--os-key <key>] [--os-cache]
                [--force-new-token] [--stale-duration <seconds>]
                <subcommand> ...
keystone: error: argument <subcommand>: invalid choice: '2.0' (choose from 'catalog', 'ec2-credentials-create', 'ec2-credentials-delete', 'ec2-credentials-get', 'ec2-credentials-list', 'endpoint-create', 'endpoint-delete', 'endpoint-get', 'endpoint-list', 'password-update', 'role-create', 'role-delete', 'role-get', 'role-list', 'service-create', 'service-delete', 'service-get', 'service-list', 'tenant-create', 'tenant-delete', 'tenant-get', 'tenant-list', 'tenant-update', 'token-get', 'user-create', 'user-delete', 'user-get', 'user-list', 'user-password-update', 'user-role-add', 'user-role-list', 'user-role-remove', 'user-update', 'discover', 'bootstrap', 'bash-completion', 'help', 'bash_completion')

---

我只是意識到我現有的用於登錄Web門戶的密碼無法正常工作

要使用OpenStack API訪問Nectar Cloud，您將需要生成一個密碼。 這樣一來，所有現有密碼都將被忘記。 要生成新密碼，請單擊“重置密碼”按鈕。

問題解決了。

Answer 1

您在json塊中缺少租戶名稱。 這是一個有效的curl請求：

curl -i 'http://192.168.9.70:5000/v2.0/tokens' -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "TENANT", "passwordCredentials": {"username": "USERNAME", "password": "PASSWORD"}}}'

我建議您使用pip安裝Keystone客戶端：

sudo apt-get install pip
sudo pip install python-keystoneclient

然后使用'--debug'選項運行任何梯形失真校正命令，以查看實際的json。

Answer 2

請參見以下代碼作為示例：

1. 使用curl命令：

curl http://<controller_ip>:5000/v2.0/tokens \
-X POST \
-d '{"auth":{"tenantName":"demo", "passwordCredentials":{"username":"demo", "password":"*****"}}}' \
-H "Content-type: application/json" | python -m json.tool

這里python -m json.tool用於以json可讀格式輸出輸出。

2. 使用Python API

url="<controller_ip>:5000"
params='{"auth":{"tenantName":"demo", "passwordCredentials":{"username":"demo", "password":"*****"}}}'
headers={"Content-Type": "application/json"}
conn=httplib.HTTPConnection(url)
conn.request("POST", "/v2.0/tokens", params,headers)
response=conn.getresponse()
data=response.read()
verify_services=json.loads(data)
auth_token=verify_services ['access']['token']['id']
print("Token=%s\n" % auth_token)