错误信息如下:
ERROR nova.network.neutronv2.api - default default] Neutron client was not able to generate a valid admin token, please verify Neutron admin credential located in nova.conf: Unauthorized: 401-{u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Unauthorized'}}
ERROR nova.api.openstack.wsgi - default default] Unexpected exception in API method: NeutronAdminCredentialConfigurationInvalid: Networking client is experiencing an unauthorized exception.
ERROR nova.api.openstack.wsgi Traceback (most recent call last):
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/nova/api/openstack/wsgi.py", line 801, in wrapped
ERROR nova.api.openstack.wsgi return f(*args, **kwargs)
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/nova/api/openstack/compute/security_groups.py", line 210, in index
ERROR nova.api.openstack.wsgi for group in limited_list]
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/nova/api/openstack/compute/security_groups.py", line 111, in _format_security_group
ERROR nova.api.openstack.wsgi context, rule, group_rule_data)
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/nova/api/openstack/compute/security_groups.py", line 76, in _format_security_group_rule
ERROR nova.api.openstack.wsgi context, id=rule['group_id'])
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/nova/network/security_group/neutron_driver.py", line 144, in get
ERROR nova.api.openstack.wsgi group = neutron.show_security_group(id).get('security_group')
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/nova/network/neutronv2/api.py", line 126, in wrapper
ERROR nova.api.openstack.wsgi ret = obj(*args, **kwargs)
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 981, in show_security_group
ERROR nova.api.openstack.wsgi params=_params)
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/nova/network/neutronv2/api.py", line 126, in wrapper
ERROR nova.api.openstack.wsgi ret = obj(*args, **kwargs)
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 354, in get
ERROR nova.api.openstack.wsgi headers=headers, params=params)
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/nova/network/neutronv2/api.py", line 126, in wrapper
ERROR nova.api.openstack.wsgi ret = obj(*args, **kwargs)
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 331, in retry_request
ERROR nova.api.openstack.wsgi headers=headers, params=params)
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/nova/network/neutronv2/api.py", line 126, in wrapper
ERROR nova.api.openstack.wsgi ret = obj(*args, **kwargs)
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 294, in do_request
ERROR nova.api.openstack.wsgi self._handle_fault_response(status_code, replybody, resp)
ERROR nova.api.openstack.wsgi File "/var/lib/kolla/venv/lib/python2.7/site-packages/nova/network/neutronv2/api.py", line 142, in wrapper
ERROR nova.api.openstack.wsgi raise exception.NeutronAdminCredentialConfigurationInvalid()
ERROR nova.api.openstack.wsgi NeutronAdminCredentialConfigurationInvalid: Networking client is experiencing an unauthorized exception.
ERROR nova.api.openstack.wsgi
INFO nova.api.openstack.wsgi HTTP exception thrown: Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.
追踪源码发现nova..network.neutronv2.api.py中提交异常:
class ClientWrapper(clientv20.Client):
"""A Neutron client wrapper class.
def proxy(self, obj):
def wrapper(*args, **kwargs):
try:
ret = obj(*args, **kwargs)
except neutron_client_exc.Unauthorized:
if not self.admin:
# Token is expired so Neutron is raising a
# unauthorized exception, we should convert it to
# raise a 401 to make client to handle a retry by
# regenerating a valid token and trying a new
# attempt.
raise exception.Unauthorized()
# In admin context if token is invalid Neutron client
# should be able to regenerate a valid by using the
# Neutron admin credential configuration located in
# nova.conf.
LOG.error("Neutron client was not able to generate a "
"valid admin token, please verify Neutron "
"admin credential located in nova.conf")
raise exception.NeutronAdminCredentialConfigurationInvalid()
except neutron_client_exc.Forbidden as e:
raise exception.Forbidden(six.text_type(e))
return ret
return wrapper
clientWrapper在get_client方法中被调用,如下:
#获取neutron_client客户端,但未验证token是否有效,只有在发送请求后才知道是否有效
def get_client(context, admin=False):
auth_plugin = _get_auth_plugin(context, admin=admin)
session = _get_session()
client_args = dict(session=session,
auth=auth_plugin,
global_request_id=context.global_id,
connect_retries=CONF.neutron.http_retries)
if CONF.neutron.url:
# TODO(efried): Remove in Rocky
client_args = dict(client_args,
endpoint_override=CONF.neutron.url,
# NOTE(efried): The legacy behavior was to default
# region_name in the conf.
region_name=CONF.neutron.region_name or 'RegionOne')
else:
# The new way
# NOTE(efried): We build an adapter
# to pull conf options
# to pass to neutronclient
# which uses them to build an Adapter.
# This should be unwound at some point.
adap = utils.get_ksa_adapter(
'network', ksa_auth=auth_plugin, ksa_session=session)
client_args = dict(client_args,
service_type=adap.service_type,
service_name=adap.service_name,
interface=adap.interface,
region_name=adap.region_name,
endpoint_override=adap.endpoint_override)
return ClientWrapper(clientv20.Client(**client_args),
admin=admin or context.is_admin)
def get_auth_plugin(context):
user_auth = context.get_auth_plugin()
#重点:这里的user_auth 存在偶尔失效问提, 可通过开启send_service_user_token
if CONF.service_user.send_service_user_token:
global _SERVICE_AUTH
if not _SERVICE_AUTH:
_SERVICE_AUTH = ks_loading.load_auth_from_conf_options(
CONF,
group=
nova.conf.service_token.SERVICE_USER_GROUP)
if _SERVICE_AUTH is None:
# This indicates a misconfiguration so log a warning and
# return the user_auth.
LOG.warning('Unable to load auth from [service_user] '
'configuration. Ensure "auth_type" is set.')
return user_auth
return service_token.ServiceTokenAuthWrapper(
user_auth=user_auth,
service_auth=_SERVICE_AUTH)
return user_auth
开启send_service_user_token,进行如下操作:
1. 创建一个用户: service_user
openstack user create --domain default --password-prompt service_user
openstack role add --project service --user service_user admin
2. 在nova-api/nova.conf中添加:
[service_user]
send_service_user_token = True
auth_type = password
project_domain_name = Default
project_name = service
user_domain_name = Default
password = <service_user的密码>
username = service_user
auth_url = http://<controller_ip>:35357
3. 重启nova-api服务