ERROR Alerts for Keystone, Cinder, Nova "Authorization failed."
Article ID: 321738
Updated On:
Products
VMware Integrated OpenStack
Issue/Introduction
- keystone-api.log shows error PasswordExpired
Nov 23 07:57:39 controller-########### keystone-api[774]: 2023-11-23 07:57:39.654722 2023-11-23 07:57:39.654 141 WARNING keystone.server.flask.application [req-fcfb355f-3144-45b6-ae57-68c250e5a52e - - - - -] Authorization failed. The password is expired and needs to be changed for user: ########################. from 169.254.169.10: keystone.exception.PasswordExpired: The password is expired and needs to be changed for user: ########################.
Environment
7.x
Cause
The keystone admin user account is locked due to some process trying to login with incorrect password.
Resolution
- Check the parameter "failed_auth_count" in the database.
root@photon-machine [ ~ ]# osctl exec -ti exampledb-server-0 -- mysql --defaults-file=/etc/mysql/admin_user.cnf
MariaDB [(none)]> use keystone;exampleDB [keystone]> select * from local_user where name='admin'\G
*************************** 1. row ***************************
id: 6
user_id: ########################
domain_id: default
name: admin
failed_auth_count: 0
failed_auth_at: NULL
1 row in set (0.00 sec)
MariaDB [keystone]>
MariaDB [(none)]> use keystone;exampleDB [keystone]> select * from local_user where name='admin'\G
*************************** 1. row ***************************
id: 6
user_id: ########################
domain_id: default
name: admin
failed_auth_count: 0
failed_auth_at: NULL
1 row in set (0.00 sec)
MariaDB [keystone]>
- If the parameter failed_auth_count is not 0, the account is locked. We need to set user failure count=0,
Note: the user_id is your locked admin user id.
MariaDB [keystone]> UPDATE local_user SET failed_auth_count = "0" and
failed_auth_at = 'NULL' WHERE user_id = '########################';
- Check password status for admin user, note the local_user_id is the admin user "id" in local_user table,
exampleDB [keystone]> select * from password WHERE local_user_id='6'\G
*************************** 1. row ***************************
id: 6
local_user_id: 6
expires_at: NULL
self_service: 0
password_hash: #####################################################
created_at_int: 1591496590474690
expires_at_int: NULL
created_at: 2020-06-07 02:23:10
1 row in set (0.00 sec
*************************** 1. row ***************************
id: 6
local_user_id: 6
expires_at: NULL
self_service: 0
password_hash: #####################################################
created_at_int: 1591496590474690
expires_at_int: NULL
created_at: 2020-06-07 02:23:10
1 row in set (0.00 sec
- Ensure that the latest password for the admin user never expires. Update the keystone table with below command:
exampleDB [keystone]>
UPDATE password SET expires_at = 'NULL' and expires_at_int = 'NULL' id =
'${the_latest_password_record_id}';
Login to toolbox pod and try some openstack commands with the admin user account.
UPDATE password SET expires_at = 'NULL' and expires_at_int = 'NULL' id =
'${the_latest_password_record_id}';
Login to toolbox pod and try some openstack commands with the admin user account.
Additional Information
Update the Keystone Admin Password
https://docs.vmware.com/en/VMware-Integrated-OpenStack/7.3/com.vmware.openstack.admin.doc/GUID-B535B1F2-7BFF-4903-BF31-A503B5D19C27.html
Feedback
Yes
No
Powered by
