When trying to loing to horizon I get: client denied by server configuration: /usr/bin/keystone-wsgi-public
I recently reformatted all of my openstack servers (they were on a really old version) and I installed Victoria on a fresh install of Ubuntu 20. I am starting with one controller and one compute node for simplicity, then I will add the other compute nodes.
I am installing manually using the docs here: https://docs.openstack.org/install-guide/openstack-services.html
When I am at the horizon docs: https://docs.openstack.org/horizon/victoria/install/install-ubuntu.html
and I go to verify, I see two issues:
- I see no option for which domain I am logging into. This used to say "Default" and when I added more I could choose them
- I am getting "Invalid credentials." when I login.
I know I have the correct pass. In the apache error log, I see:
[wsgi:error] [pid 1387564:tid 139949121787648] [remote 10.131.39.250:53860] INFO openstack_auth.forms Login failed for user "admin" using domain "Default", remote address 10.131.39.250.
[Fri Feb 12 15:46:29.473914 2021] [authz_core:error] [pid 1387576:tid 139947818350336] [client 10.131.39.40:42436] AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public
I do not see other errors, except that neutron is not working presently (I am going with option 2, and the previous openstack install was option 1). I am figuring that I should still be able to login even if neutron is broken (it keeps restarting every few moments and giving errors about VLANs, which would make sense as I have not added any VLANS yet... I guess).
Advice? I really do not see any more errors in the logs. Not sure what else to check (other than my configs, but I had a running openstack for a few years before this...)
I have read this post and response, but it did not help.
Update: when I look in the normal apache/error.log, I also see:
[Fri Feb 12 16:37:42.324305 2021] [core:notice] [pid 1387561:tid 139949150809152] AH00094: Command line: '/usr/sbin/apache2'
[Fri Feb 12 16:38:03.236892 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3.8/warnings.py:30: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
[Fri Feb 12 16:38:03.236961 2021] [wsgi:error] [pid 1397748:tid 139949113394944] file.write(text)
[Fri Feb 12 16:38:03.236974 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3/dist-packages/scss/types.py:6: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working
[Fri Feb 12 16:38:03.236981 2021] [wsgi:error] [pid 1397748:tid 139949113394944] from collections import Iterable
[Fri Feb 12 16:38:03.258459 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3/dist-packages/scss/namespace.py:172: DeprecationWarning: inspect.getargspec() is deprecated since Python 3.0, use inspect.signature() or inspect.getfullargspec()
[Fri Feb 12 16:38:03.258494 2021] [wsgi:error] [pid 1397748:tid 139949113394944] argspec = inspect.getargspec(function)
[Fri Feb 12 16:38:03.263775 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3/dist-packages/scss/selector.py:26: FutureWarning: Possible nested set at position 329
[Fri Feb 12 16:38:03.263789 2021] [wsgi:error] [pid 1397748:tid 139949113394944] SELECTOR_TOKENIZER = re.compile(r'''
[Fri Feb 12 16:38:04.056002 2021] [authz_core:error] [pid 1397759:tid 139948682372864] [client 10.131.39.40:44268] AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public
[Fri Feb 12 16:38:04.058335 2021] [wsgi:error] [pid 1397748:tid 139949113394944] [remote 10.131.39.250:54556] /usr/lib/python3.8/logging/__init__.py:1084: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
[Fri Feb 12 16:38:04.058355 2021] [wsgi:error] [pid 1397748:tid 139949113394944] [remote 10.131.39.250:54556] stream.write(msg + self.terminator)
[Fri Feb 12 16:38:04.058366 2021] [wsgi:error] [pid 1397748:tid 139949113394944] [remote 10.131.39.250:54556] INFO openstack_auth.forms Login failed for user "demo" using domain "Default", remote address 10.131.39.250.
[Fri Feb 12 16:38:06.142850 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3.8/warnings.py:30: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
[Fri Feb 12 16:38:06.142921 2021] [wsgi:error] [pid 1397746:tid 139949046253312] file.write(text)
[Fri Feb 12 16:38:06.142934 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3/dist-packages/scss/types.py:6: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working
[Fri Feb 12 16:38:06.142940 2021] [wsgi:error] [pid 1397746:tid 139949046253312] from collections import Iterable
[Fri Feb 12 16:38:06.164363 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3/dist-packages/scss/namespace.py:172: DeprecationWarning: inspect.getargspec() is deprecated sincePython 3.0, use inspect.signature() or inspect.getfullargspec()
[Fri Feb 12 16:38:06.164384 2021] [wsgi:error] [pid 1397746:tid 139949046253312] argspec = inspect.getargspec(function)
[Fri Feb 12 16:38:06.169658 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3/dist-packages/scss/selector.py:26: FutureWarning: Possible nested set at position 329
[Fri Feb 12 16:38:06.169672 2021] [wsgi:error] [pid 1397746:tid 139949046253312] SELECTOR_TOKENIZER = re.compile(r'''
[Fri Feb 12 16:38:09.381662 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3.8/warnings.py:30: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
[Fri Feb 12 16:38:09.381736 2021] [wsgi:error] [pid 1397747:tid 139949088216832] file.write(text)
[Fri Feb 12 16:38:09.381748 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3/dist-packages/scss/types.py:6: DeprecationWarning: Using or importing the ABCs from 'collections'instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working
[Fri Feb 12 16:38:09.381755 2021] [wsgi:error] [pid 1397747:tid 139949088216832] from collections import Iterable
[Fri Feb 12 16:38:09.403181 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3/dist-packages/scss/namespace.py:172: DeprecationWarning: inspect.getargspec() is deprecated sincePython 3.0, use inspect.signature() or inspect.getfullargspec()
[Fri Feb 12 16:38:09.403201 2021] [wsgi:error] [pid 1397747:tid 139949088216832] argspec = inspect.getargspec(function)
[Fri Feb 12 16:38:09.408530 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3/dist-packages/scss/selector.py:26: FutureWarning: Possible nested set at position 329
[Fri Feb 12 16:38:09.408545 2021] [wsgi:error] [pid 1397747:tid 139949088216832] SELECTOR_TOKENIZER = re.compile(r'''
I have some new info here. The default domain does come up thanks to berndbauschs comment.
I do have a keystone error in the log file, it is:
2021-02-13 06:03:46.789 1585439 WARNING keystone.server.flask.application [req-4d8bb568-3024-4506-8100-cb9ec77b21c5 - - - - -] Expecting to find application/json in Content-Type header. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.: keystone.exception.ValidationError: Expecting to find application/json in Content-Type header. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.
2021-02-13 14:26:28.665 2104630 WARNING keystone.common.rbac_enforcer.enforcer [req-d557ae42-2432-46cf-a0d4-bb60a83334df 59cd620ab38b42ab82dcc93f2bc75f60 21486012e6174f69a62a2957731d6caf - default default] Deprecated policy rules found. Use oslopolicy-policy-generator and oslopolicy-policy-upgrade to detect and resolve deprecated policies in your configuration.
I can not replicate the first error from the above. Using oslopolicy-policy-generator gives python errors. I am not sure if that is supposed to work or not. I am guessing I am supposed to do it on the keystone dir... for example
oslopolicy-policy-generator --config-dir /etc/keystone
Traceback (most recent call last):
File "/usr/bin/oslopolicy-policy-generator", line 10, in <module>
sys.exit(generate_policy())
File "/usr/lib/python3/dist-packages/oslo_policy/generator.py", line 520, in generate_policy
_check_for_namespace_opt(conf)
File "/usr/lib/python3/dist-packages/oslo_policy/generator.py", line 499, in _check_for_namespace_opt
raise cfg.RequiredOptError('namespace', 'DEFAULT')
oslo_config.cfg.RequiredOptError: <exception str() failed>
Not sure where to go from here. I see no other apache errors.
UPDATE with SOLUTION from neal_utas:
The docs for horizon at docs.openstack.org (at least for ubuntu) are incorrect. When editing /etc/openstack-dashboard/local_settings.py, the online docs are missing port 5000. The correct entry for OPENSTACK_KEYSTONE_URL is:
OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3" % OPENSTACK_HOST
After making that change and then restarting (systemctl reload apache2.service) it works.
I am also in the same state. Fresh Install of Ubuntu 20.04 and OpenStack Victoria. Everything is working from openstack client - can start Instances, etc. Dashboard login fails with the errors described by number9.
I was able to generate the oslo policies using:
`oslopolicy-policy-generator --namespace keystone > keystone.policy.yaml`
But this hasn't fixed the dashboard authentication error.
AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public
DEBUG keystoneauth.session Request returned failure status: 403
DEBUG openstack_auth.plugin.base Forbidden (HTTP 403)
UPDATE:
Including the port for KEYSTONE_URL in the file /etc/openstack_dashboard/local_settings.py fixed this for me and I can now login.
OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3" % OPENSTACK_HOST