When trying to log in to horizon I get: client denied by server configuration: /usr/bin/keystone-wsgi-public

I recently reformatted all of my openstack servers (they were on a really old version) and I installed Victoria on a fresh install of Ubuntu 20. I am starting with one controller and one compute node for simplicity, then I will add the other compute nodes.

I am installing manually using the docs here: https://docs.openstack.org/install-guide/openstack-services.html

When I am at the horizon docs: https://docs.openstack.org/horizon/victoria/install/install-ubuntu.html

and I go to verify, I see two issues:

  1. I see no option for which domain I am logging into. This used to say "Default" and when I added more I could choose them.
  2. I am getting "Invalid credentials." when I log in.

I know I have the correct pass. In the apache error log, I see:

[wsgi:error] [pid 1387564:tid 139949121787648] [remote 10.131.39.250:53860] INFO openstack_auth.forms Login failed for user "admin" using domain "Default", remote address 10.131.39.250.
[Fri Feb 12 15:46:29.473914 2021] [authz_core:error] [pid 1387576:tid 139947818350336] [client 10.131.39.40:42436] AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public

I do not see other errors, except that neutron is not working presently (I am going with option 2, and the previous openstack install was option 1). I am figuring that I should still be able to login even if neutron is broken (it keeps restarting every few moments and giving errors about VLANs, which would make sense as I have not added any VLANS yet... I guess).

Advice? I really do not see any more errors in the logs. Not sure what else to check (other than my configs, but I had a running openstack for a few years before this...)

I have read this post and response, but it did not help.

Update: when I look in the normal apache/error.log, I also see:

[Fri Feb 12 16:37:42.324305 2021] [core:notice] [pid 1387561:tid 139949150809152] AH00094: Command line: '/usr/sbin/apache2'

[Fri Feb 12 16:38:03.236892 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3.8/warnings.py:30: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats

[Fri Feb 12 16:38:03.236961 2021] [wsgi:error] [pid 1397748:tid 139949113394944]   file.write(text)

[Fri Feb 12 16:38:03.236974 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3/dist-packages/scss/types.py:6: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working

[Fri Feb 12 16:38:03.236981 2021] [wsgi:error] [pid 1397748:tid 139949113394944]   from collections import Iterable

[Fri Feb 12 16:38:03.258459 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3/dist-packages/scss/namespace.py:172: DeprecationWarning: inspect.getargspec() is deprecated since Python 3.0, use inspect.signature() or inspect.getfullargspec()

[Fri Feb 12 16:38:03.258494 2021] [wsgi:error] [pid 1397748:tid 139949113394944]   argspec = inspect.getargspec(function)

[Fri Feb 12 16:38:03.263775 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3/dist-packages/scss/selector.py:26: FutureWarning: Possible nested set at position 329

[Fri Feb 12 16:38:03.263789 2021] [wsgi:error] [pid 1397748:tid 139949113394944]   SELECTOR_TOKENIZER = re.compile(r'''

[Fri Feb 12 16:38:04.056002 2021] [authz_core:error] [pid 1397759:tid 139948682372864] [client 10.131.39.40:44268] AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public

[Fri Feb 12 16:38:04.058335 2021] [wsgi:error] [pid 1397748:tid 139949113394944] [remote 10.131.39.250:54556] /usr/lib/python3.8/logging/__init__.py:1084: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats

[Fri Feb 12 16:38:04.058355 2021] [wsgi:error] [pid 1397748:tid 139949113394944] [remote 10.131.39.250:54556]   stream.write(msg + self.terminator)

[Fri Feb 12 16:38:04.058366 2021] [wsgi:error] [pid 1397748:tid 139949113394944] [remote 10.131.39.250:54556] INFO openstack_auth.forms Login failed for user "demo" using domain "Default", remote address 10.131.39.250.

[Fri Feb 12 16:38:06.142850 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3.8/warnings.py:30: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats

[Fri Feb 12 16:38:06.142921 2021] [wsgi:error] [pid 1397746:tid 139949046253312]   file.write(text)

[Fri Feb 12 16:38:06.142934 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3/dist-packages/scss/types.py:6: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working

[Fri Feb 12 16:38:06.142940 2021] [wsgi:error] [pid 1397746:tid 139949046253312]   from collections import Iterable

[Fri Feb 12 16:38:06.164363 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3/dist-packages/scss/namespace.py:172: DeprecationWarning: inspect.getargspec() is deprecated since Python 3.0, use inspect.signature() or inspect.getfullargspec()

[Fri Feb 12 16:38:06.164384 2021] [wsgi:error] [pid 1397746:tid 139949046253312]   argspec = inspect.getargspec(function)

[Fri Feb 12 16:38:06.169658 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3/dist-packages/scss/selector.py:26: FutureWarning: Possible nested set at position 329

[Fri Feb 12 16:38:06.169672 2021] [wsgi:error] [pid 1397746:tid 139949046253312]   SELECTOR_TOKENIZER = re.compile(r'''

[Fri Feb 12 16:38:09.381662 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3.8/warnings.py:30: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats

[Fri Feb 12 16:38:09.381736 2021] [wsgi:error] [pid 1397747:tid 139949088216832]   file.write(text)

[Fri Feb 12 16:38:09.381748 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3/dist-packages/scss/types.py:6: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working

[Fri Feb 12 16:38:09.381755 2021] [wsgi:error] [pid 1397747:tid 139949088216832]   from collections import Iterable

[Fri Feb 12 16:38:09.403181 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3/dist-packages/scss/namespace.py:172: DeprecationWarning: inspect.getargspec() is deprecated since Python 3.0, use inspect.signature() or inspect.getfullargspec()

[Fri Feb 12 16:38:09.403201 2021] [wsgi:error] [pid 1397747:tid 139949088216832]   argspec = inspect.getargspec(function)

[Fri Feb 12 16:38:09.408530 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3/dist-packages/scss/selector.py:26: FutureWarning: Possible nested set at position 329

[Fri Feb 12 16:38:09.408545 2021] [wsgi:error] [pid 1397747:tid 139949088216832]   SELECTOR_TOKENIZER = re.compile(r'''

I have some new info here. The default domain does come up thanks to berndbausch's comment.

I do have a keystone error in the log file, it is:

2021-02-13 06:03:46.789 1585439 WARNING keystone.server.flask.application [req-4d8bb568-3024-4506-8100-cb9ec77b21c5 - - - - -] Expecting to find application/json in Content-Type header. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.: keystone.exception.ValidationError: Expecting to find application/json in Content-Type header. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.

2021-02-13 14:26:28.665 2104630 WARNING keystone.common.rbac_enforcer.enforcer [req-d557ae42-2432-46cf-a0d4-bb60a83334df 59cd620ab38b42ab82dcc93f2bc75f60 21486012e6174f69a62a2957731d6caf - default default] Deprecated policy rules found. Use oslopolicy-policy-generator and oslopolicy-policy-upgrade to detect and resolve deprecated policies in your configuration.

I can not replicate the first error from the above. Using oslopolicy-policy-generator gives python errors. I am not sure if that is supposed to work or not. I am guessing I am supposed to do it on the keystone dir... for example

oslopolicy-policy-generator --config-dir /etc/keystone
Traceback (most recent call last):
  File "/usr/bin/oslopolicy-policy-generator", line 10, in <module>
    sys.exit(generate_policy())
  File "/usr/lib/python3/dist-packages/oslo_policy/generator.py", line 520, in generate_policy
    _check_for_namespace_opt(conf)
  File "/usr/lib/python3/dist-packages/oslo_policy/generator.py", line 499, in _check_for_namespace_opt
    raise cfg.RequiredOptError('namespace', 'DEFAULT')
oslo_config.cfg.RequiredOptError: <exception str() failed>

Not sure where to go from here. I see no other apache errors.

UPDATE with SOLUTION from neal_utas:

The docs for horizon at docs.openstack.org (at least for Ubuntu) are incorrect. When editing /etc/openstack-dashboard/local_settings.py, the online docs are missing port 5000. The correct entry for OPENSTACK_KEYSTONE_URL is:

OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3" % OPENSTACK_HOST

After making that change and then restarting (systemctl reload apache2.service) it works.


I am also in the same state. Fresh Install of Ubuntu 20.04 and OpenStack Victoria. Everything is working from openstack client - can start Instances, etc. Dashboard login fails with the errors described by number9.

I was able to generate the oslo policies using:

`oslopolicy-policy-generator --namespace keystone > keystone.policy.yaml`

But this hasn't fixed the dashboard authentication error.

AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public
DEBUG keystoneauth.session Request returned failure status: 403
DEBUG openstack_auth.plugin.base Forbidden (HTTP 403)

UPDATE: Including the port for KEYSTONE_URL in the file /etc/openstack_dashboard/local_settings.py fixed this for me and I can now login.

OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3" % OPENSTACK_HOST
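
A triage sketch for the symptoms in this thread, added here as an example and not taken from either poster or from OpenStack: it strips the warning noise from an Apache error log, separates `AH01630` authorization denials from Horizon login failures, and checks an `OPENSTACK_KEYSTONE_URL` value for an explicit port. The sample log is constructed from the lines quoted above (pid/tid shortened), and the `controller` hostname and the helper names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the Apache error-log lines quoted in the question.
SAMPLE_LOG = '''\
[Fri Feb 12 16:38:03.236892 2021] [wsgi:error] [pid 1:tid 2] /usr/lib/python3.8/warnings.py:30: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
[Fri Feb 12 16:38:04.056002 2021] [authz_core:error] [pid 3:tid 4] [client 10.131.39.40:44268] AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public
[Fri Feb 12 16:38:04.058366 2021] [wsgi:error] [pid 1:tid 2] [remote 10.131.39.250:54556] INFO openstack_auth.forms Login failed for user "demo" using domain "Default", remote address 10.131.39.250.
'''

DENIED = re.compile(r'\[client (?P<client>[\d.]+):\d+\] AH01630: client denied '
                    r'by server configuration: (?P<target>\S+)')
LOGIN_FAILED = re.compile(r'\[remote (?P<remote>[\d.]+):\d+\] INFO openstack_auth\.forms '
                          r'Login failed for user "(?P<user>[^"]*)"')
NOISE = re.compile(r'(Deprecation|Future)Warning')


def triage(log_text):
    """Drop warning noise; return Apache authz denials and Horizon login failures."""
    denials, failures = [], []
    for line in log_text.splitlines():
        if NOISE.search(line):
            continue
        if (m := DENIED.search(line)):
            denials.append(m.groupdict())
        elif (m := LOGIN_FAILED.search(line)):
            failures.append(m.groupdict())
    return {"denials": denials, "login_failures": failures}


def keystone_url_findings(url, expected_port=5000):
    """Flag an OPENSTACK_KEYSTONE_URL value whose port is missing or unexpected.

    expected_port defaults to 5000, the port given in the accepted fix above.
    """
    port = urlsplit(url).port
    if port is None:
        return [f"no explicit port; requests go to the scheme default, not {expected_port}"]
    if port != expected_port:
        return [f"port {port} differs from expected {expected_port}"]
    return []


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    # "controller" is a placeholder hostname (assumption).
    for url in ("http://controller/identity/v3", "http://controller:5000/identity/v3"):
        print(url, keystone_url_findings(url))
```

A denial for `/usr/bin/keystone-wsgi-public` logged alongside a login failure means Apache refused the request before Keystone evaluated any credentials, so the URL Horizon uses to reach Keystone is the thing to check rather than the password.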