error creating provider client: Authentication failed #109

Open
anpolychrono opened this issue Oct 10, 2022 · 14 comments

@anpolychrono

Hi,

I would like to test your plugin, but it looks like I can't authenticate with the OpenStack cloud. Could you please double-check my config?

The plugin installation worked, but then the request for a new token failed.

Here is what I have configured:

# Cloud credentials
vault write /openstack/clouds/patras5g auth_url=http://*.*.*.*:5000/v3/ username=admin password=***** user_domain_name=Default

# temporary user token
vault write /openstack/roles/role-tmp-user cloud=patras5g project_name=project-01 domain_name=Default root=false secret_type=token

localadmin@admin-vault-9179230b-34f1-1316-1304-816d35d7ef03:~$ vault read /openstack/clouds/patras5g
Key                  Value
---                  -----
auth_url             http://*.*.*.*:5000/v3/
password_policy      n/a
user_domain_name     Default
username             admin
username_template    vault{{random 8 | lowercase}}
localadmin@admin-vault-9179230b-34f1-1316-1304-816d35d7ef03:~$ vault read /openstack/roles/role-tmp-user
Key             Value
---             -----
cloud           patras5g
domain_id       n/a
domain_name     Default
extensions      <nil>
project_id      n/a
project_name    project-01
root            false
secret_type     token
ttl             1h
user_groups     <nil>
user_roles      <nil>
localadmin@admin-vault-9179230b-34f1-1316-1304-816d35d7ef03:~$ vault read /openstack/creds/role-tmp-user
Error reading openstack/creds/role-tmp-user: Error making API request.

URL: GET http://*.*.*.*:8200/v1/openstack/creds/role-tmp-user
Code: 500. Errors:

* 1 error occurred:
        * error creating provider client: Authentication failed

When trying to issue a token from the CLI, it works:

$ openstack --os-project-name="project-01" token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-10-10T09:29:01+0000                                                                                                                                                                |
| id         | gAAAAABjQ9fNYZCXsTwkAlOb0MrUQ5bHriSPI44kxQrB92sVvTiDTQrwIDr9wzpRFlDf0eaT49VVKTMLCKAbgUGWEt7I4Jcq7jnLwIu5P32iBczjGJ2ojYlJeP3Vfjyxtj54TuZ7i6xe98NoZFg1N0kA1fc8dxiWChJVknVPER-nsiFCdTBfzrw |
| project_id | 29a5a3c099834d5ba180ce1591f3599c                                                                                                                                                        |
| user_id    | 53ceb04136004295b2e8b7383576b98e                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Let me know if anything else is needed.

@lego963
Contributor

lego963 commented Oct 10, 2022

@anpolychrono can you provide the plugin version?

@anpolychrono
Author

Sure

vault-plugin-secrets-openstack_1.3.0_linux_amd64.tar.gz

@gtema
Member

gtema commented Oct 10, 2022

lego963 - some OpenStack installations require project_domain_id/name to be explicitly set once authorizing. Do we have this done?

@lego963
Contributor

lego963 commented Oct 10, 2022

@gtema issue is here

	opts := gophercloud.AuthOptions{
		IdentityEndpoint: cloud.AuthURL,
		Username:         cloud.Username,
		Password:         cloud.Password,
		DomainName:       cloud.UserDomainName,
		Scope: &gophercloud.AuthScope{
			DomainName: cloud.UserDomainName,
		},
	}

	pClient, err := openstack.AuthenticatedClient(opts)
	if err != nil {
		return fmt.Errorf("error creating provider client: %w", err)
	}

As far as I can see, we don't use project_domain_*; this needs some research.

@anpolychrono
Author

Is there a WA for now?

@lego963
Contributor

lego963 commented Oct 10, 2022

@anpolychrono what do you mean by WA?

@anpolychrono
Author

WA == Work Around, for example if there is a config I can apply to bypass this issue.

@lego963
Contributor

lego963 commented Oct 10, 2022

@anpolychrono for now I can't give you any hint.
Can you provide the clouds.yaml entry or env vars for this cmd? Hide creds :) (if possible)

$ openstack --os-project-name="project-01" token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-10-10T09:29:01+0000                                                                                                                                                                |
| id         | gAAAAABjQ9fNYZCXsTwkAlOb0MrUQ5bHriSPI44kxQrB92sVvTiDTQrwIDr9wzpRFlDf0eaT49VVKTMLCKAbgUGWEt7I4Jcq7jnLwIu5P32iBczjGJ2ojYlJeP3Vfjyxtj54TuZ7i6xe98NoZFg1N0kA1fc8dxiWChJVknVPER-nsiFCdTBfzrw |
| project_id | 29a5a3c099834d5ba180ce1591f3599c                                                                                                                                                        |
| user_id    | 53ceb04136004295b2e8b7383576b98e                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

@anpolychrono
Author

Sure, here you are:

~$ cat ~/.config/openstack/clouds.yaml
clouds:
  openstack:
    auth:
      auth_url: http://*.*.*.*:5000/v3/
      username: "admin"
      project_id: 29a5a3c099834d5ba180ce1591f3599c
      project_name: "project-01"
      user_domain_name: "Default"
    region_name: "RegionOne"
    interface: "public"
    identity_api_version: 3

Example CLI:

openstack --os-cloud=openstack token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-10-10T14:38:56+0000                                                                                                                                                                |
| id         | gAAAAABjRCBwJkvkCNsA6wnDHvXv_3-PFN47dKu9OOS9S2ayFaYQG1FwGZgwNgyunzFDeW9pdyz8s1uRhAsvH3DtWs_4SV3HgxFMI7ILXQXQrioP0-vwq9LTuO9H2lAe4iNp6rAKu02xl_5YgRqewerwer4rmOrY7NQ2Mj70Qdcam-tjpfe7M1Ul9oX9zHQ |
| project_id | 29a5a3c099834d5ba180ce1591f3599c                                                                                                                                                        |
| user_id    | 53ceb04136004295b2efefefs8b7383576b98e                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

@artem-lifshits
Member

Hello @anpolychrono I've updated vault with more detailed error messages, could you try again on the newer version of vault? Thanks!

@anpolychrono
Author

Hello @artem-lifshits, see the error below:

vault secrets enable \
 -path="openstack" \
 -plugin-name="vault-plugin-secrets-openstack" plugin
vault write /openstack/clouds/patras5g-cloud1 \
 auth_url=http://oscontrollerpub.patras5g.eu:5000/v3/ \
 username="******" \
 password="******" \
 user_domain_name="Default"
vault write /openstack/roles/patras5g-role1 \
 cloud="patras5g-cloud1" \
 project_name="apolychrono_upatras" \
 domain_name="Default" \
 user_roles="member" \
 root=false

Error returned by the last command:

Error writing data to openstack/roles/patras5g-role1: Error making API request.

URL: PUT http://vault.patras5g.eu:8200/v1/openstack/roles/patras5g-role1
Code: 401. Errors:

* 1 error occurred:
        * error creating provider client: Authentication failed
 {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

When defining admin credentials for the cloud, I am using the same credentials from the clouds.yaml.

$ openstack --os-project-name="apolychrono_upatras" token issue --os-cloud=openstack
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-12-08T10:35:48+0000                                                                                                                                                                |
| id         | gAAAAABjka_0-Lzj6skNAs1Yr5TVc3rFpnbHLkZ45fZj483thrwN6VwwtQwn8q6PEPX5W6ku2TJUWK7WPQPoXz9osfKeSCx3OiDtdFKKJ5y-hpjgu07OU2f4Dh6q4Q7S9si20m0ASdg2-IJ7JqrsdtVYGlwlm5Qub1pZ4AhAjh_koU5lmmaP7j4 |
| project_id | f7543f8938484d1cb83c132128ff77c7                                                                                                                                                        |
| user_id    | 53ceb04136004295b2e8b7383576b98e                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

@anpolychrono
Author

Adding also the payload from the POST request during authentication:

POST /v3/auth/tokens HTTP/1.1
Host: oscontrollerpub.patras5g.eu:5000
User-Agent: gophercloud/2.0.0
Content-Length: 168
Accept: application/json
Content-Type: application/json
X-Auth-Token: 
Accept-Encoding: gzip
{
 "auth":{
    "identity":{
        "methods":["password"],"password":{
            "user":{
                "domain":{
                    "name":"Default"
                },
                "name":"****",
                "password":"****"
            }
        }
    },"scope":{
        "domain":{
            "name":"Default"
        }
    }
 }
}
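
The request captured above asks Keystone for a domain-scoped token, while the clouds.yaml entry earlier in the thread names a project. As an added example (not the plugin's code; `Scope`, `AuthBody` and `ScopeKind` are hypothetical helpers using only the Go standard library), this builds the domain-scoped and project-scoped bodies for `POST /v3/auth/tokens` and classifies a captured body by the scope it requests:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

type obj map[string]interface{}
// Scope names what the token is for (hypothetical helper, not a gophercloud type).
type Scope struct{ ProjectID, ProjectName, ProjectDomain, Domain string }

// AuthBody builds the JSON body of a Keystone v3 password POST /v3/auth/tokens.
func AuthBody(user, userDomain, password string, s Scope) ([]byte, error) {
	var scope obj
	switch {
	case s.ProjectID != "": // a project ID is globally unique
		scope = obj{"project": obj{"id": s.ProjectID}}
	case s.ProjectName != "": // a project name is unique only inside its domain
		if s.ProjectDomain == "" {
			return nil, errors.New("project_name needs a project domain")
		}
		scope = obj{"project": obj{"name": s.ProjectName, "domain": obj{"name": s.ProjectDomain}}}
	default: // domain scope, the shape of the request captured in the thread
		scope = obj{"domain": obj{"name": s.Domain}}
	}
	u := obj{"name": user, "password": password, "domain": obj{"name": userDomain}}
	id := obj{"methods": []string{"password"}, "password": obj{"user": u}}
	return json.MarshalIndent(obj{"auth": obj{"identity": id, "scope": scope}}, "", "  ")
}

// ScopeKind reports which scope a request body asks for; malformed input is "unscoped".
func ScopeKind(body []byte) string {
	var req struct {
		Auth struct{ Scope map[string]json.RawMessage }
	}
	_ = json.Unmarshal(body, &req)
	for _, k := range []string{"project", "domain"} {
		if _, ok := req.Auth.Scope[k]; ok {
			return k
		}
	}
	return "unscoped"
}

func main() {
	// Constructed input: names from the thread, placeholder password.
	sent, _ := AuthBody("admin", "Default", "PLACEHOLDER", Scope{Domain: "Default"})
	fmt.Printf("%s scope:\n%s\n", ScopeKind(sent), sent)
}
```

Running `ScopeKind` over a body captured from the plugin and one captured from the `openstack` CLI shows whether the two clients are requesting the same kind of token before comparing anything else.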

@lego963
Contributor

lego963 commented Dec 8, 2022

@anpolychrono here

$ openstack --os-project-name="apolychrono_upatras" token issue --os-cloud=openstack

you request a token for the admin user. Am I right?
If yes, can you try to create a role with the following lines?

 domain_name="Default" \ // drop it
 user_roles="member" \   // drop it
 root=true              // set to true

@anpolychrono
Author

@lego963

Yes, you are right, it is for the admin user.

vault write /openstack/roles/patras5g-role1  cloud="patras5g-cloud1"  project_name="apolychrono_upatras"  root=true
Success! Data written to: openstack/roles/patras5g-role1 

However the token creation fails:

vault read /openstack/creds/patras5g-role1
Error reading openstack/creds/patras5g-role1: Error making API request.

URL: GET http://vault.patras5g.eu:8200/v1/openstack/creds/patras5g-role1
Code: 409. Errors:

* 1 error occurred:
        * error creating provider client: Authentication failed
 {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
