0

Metrics are collected by Telemetry from Ceilometer and etc., and finaly sent to Gnocchi, but Gnocchi doesn't allow users to use commands such as gnocchi metric list or gnocchi resource list whilst using auth method equal to keystone or noauth.

So I tried to troubleshoot the issue by using a simpler command just to get status - gnocchi status.

Different "AUTH_MODE"s

Whilst using different auth methods in gnocchi.conf, the result of gnocchi status would be as shown below :

auth_mode = basic

(gnocchi) status

+--------------------------------------------------+-------+
| Field                                            | Value |
+--------------------------------------------------+-------+
| storage/number of metric having measures to      | 13    |
| process                                          |       |
| storage/total number of measures to process      | 444   |
+--------------------------------------------------+-------+

auth_mode = noauth

(gnocchi) status

Forbidden (HTTP 403)

auth_mode = keystone

(gnocchi) status

The request you have made requires authentication. (HTTP 401)

[keyston-authtoken] in gnocchi.conf

[keystone_authtoken]

auth_type = password
auth_url = http://mng-kh-lab-ctrl-vip-01.ocloud.ir:5000/v3
auth_uri = http://mng-kh-lab-ctrl-vip-01.ocloud.ir:35357
memcached_servers = mng-kh-lab-ctrl-01.ocloud.ir:11211,mng-kh-lab-ctrl-02.ocloud.ir:11211
project_domain_name = default
user_domain_name = default
project_name = service
username = gnocchi
password = 123456
interface = internalURL
region_name = Region_KH_LA

TCPDUMP on different auth_modes

basic :

2017-06-17 14:21:34.196634 IP (tos 0x0, ttl 64, id 27634, offset 0, flags [DF], proto TCP (6), length 300)
    127.0.0.1.31132 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0x9dcd), seq 1:261, ack 1, win 256, length 260
E..,k.@.@...........y..iUT      ...3.P.... ..GET /v1/status?details=False HTTP/1.1
Host: localhost:8041
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json, */*
User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5
Authorization: basic YWRtaW46

2017-06-17 14:21:34.211613 IP (tos 0x0, ttl 64, id 20934, offset 0, flags [DF], proto TCP (6), length 334)
    127.0.0.1.8041 > 127.0.0.1.31132: Flags [P.], cksum 0xff42 (incorrect -> 0x4673), seq 1:295, ack 261, win 258, length 294
E..NQ.@.@............iy...3.UT
.P....B..HTTP/1.1 200 OK
Date: Sat, 17 Jun 2017 09:51:34 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
Content-Length: 58
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8

noauth :

2017-06-17 14:23:54.901584 IP (tos 0x0, ttl 64, id 27048, offset 0, flags [DF], proto TCP (6), length 300)
    127.0.0.1.31150 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0xa6a5), seq 1:261, ack 1, win 256, length 260
E..,i.@.@..!........y..i......_.P.... ..GET /v1/status?details=False HTTP/1.1
Host: localhost:8041
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json, */*
User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5
Authorization: basic YWRtaW46

2017-06-17 14:23:54.906964 IP (tos 0x0, ttl 64, id 55179, offset 0, flags [DF], proto TCP (6), length 337)
    127.0.0.1.8041 > 127.0.0.1.31150: Flags [P.], cksum 0xff45 (incorrect -> 0x8ca6), seq 1:298, ack 261, win 258, length 297
E..Q..@.@.d..........iy..._.....P....E..HTTP/1.1 403 Forbidden
Date: Sat, 17 Jun 2017 09:53:54 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
Content-Length: 54
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8

keystone :

2017-06-17 14:25:20.801850 IP (tos 0x0, ttl 64, id 7904, offset 0, flags [DF], proto TCP (6), length 300)
    127.0.0.1.31196 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0x2217), seq 1:261, ack 1, win 256, length 260
E..,..@.@...........y..i7..IZ...P.... ..GET /v1/status?details=False HTTP/1.1
Host: localhost:8041
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json, */*
User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5
Authorization: basic YWRtaW46

2017-06-17 14:25:20.804490 IP (tos 0x0, ttl 64, id 14196, offset 0, flags [DF], proto TCP (6), length 444)
    127.0.0.1.8041 > 127.0.0.1.31196: Flags [P.], cksum 0xffb0 (incorrect -> 0x4c7a), seq 1:405, ack 261, win 258, length 404
E...7t@.@............iy.Z...7..MP.......HTTP/1.1 401 Unauthorized
Date: Sat, 17 Jun 2017 09:55:20 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Keystone uri='https://127.0.0.1:35357'
Content-Length: 114
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json

It's really odd that in all different methods, the request sent is using basic YWRtaW46 for its Authorization.

Parsa Samet
  • 217
  • 1
  • 3
  • 8
  • This is not a place to seek emergency support. If you need help **now**, then hire someone. – EEAA Jun 17 '17 at 13:24

1 Answers1

1

It's really odd that in all different methods, the request sent is using basic YWRtaW46 for its Authorization.

It's not odd: the default for the client is to use basic auth. If you do not provide the client the right authentication mechanism. Try do do this:

export OS_AUTH_TYPE=password

So that Keystone is used as authentication.

Julien Danjou
  • 126
  • 1