can you add what version of gnocchi, gnocchiclient and oslo.policy you have? might be easier if open a bug[1]. i don't see anything wrong at first glance and i don't recall there being a similar issue in past.
[1] https://bugs.launchpad.net/gnocchi On 23/02/17 11:54 AM, Tracy Comstock Roesler wrote: > I’ve run into a problem with the gnocchi CLI. Whenever I run ‘gnocchi > status’ I get a 403 Forbidden, but I can run other commands like > 'gnocchi resource create’ no problem. > > I’ve checked the policy.json and it looks like “admin” has rights to get > status, the same as create resources. I cannot figure out why get > status would show a 403 forbidden, but I can run other commands just fine. > > [root ~] # gnocchi status --debug > REQ: curl -g -i -X GET http://keystone:35357/v3 -H "Accept: > application/json" -H "User-Agent: keystoneauth1/2.4.1 > python-requests/2.10.0 CPython/2.7.5" > Starting new HTTP connection (1): keystone > "GET /v3 HTTP/1.1" 200 277 > RESP: [200] Content-Type: application/json Content-Length: 277 > Connection: keep-alive Date: Thu, 23 Feb 2017 16:52:40 GMT Server: > Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5 Vary: X-Auth-Token > x-openstack-request-id: req-189a8db8-6210-4735-bc66-b2dc90b00a38 > RESP BODY: {"version": {"status": "stable", "updated": > "2016-04-04T00:00:00Z", "media-types": [{"base": "application/json", > "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.6", > "links": [{"href": "http://keystone:35357/v3/";, "rel": "self"}]}} > > Making authentication request to http://keystone:35357/v3/auth/tokens > "POST /v3/auth/tokens HTTP/1.1" 201 3874 > REQ: curl -g -i -X GET http://gnocchi:8041/v1/status -H "User-Agent: > keystoneauth1/2.4.1 python-requests/2.10.0 CPython/2.7.5" -H "Accept: > application/json, */*" -H "X-Auth-Token: {SHA1}AAA" > Starting new HTTP connection (1): gnocchi > "GET /v1/status HTTP/1.1" 403 54 > RESP: [403] Content-Type: application/json; charset=UTF-8 > Content-Length: 54 Connection: keep-alive Server: Werkzeug/0.9.1 > Python/2.7.5 Date: Thu, 23 Feb 2017 16:52:40 GMT > RESP BODY: {"code": 403, "description": "", "title": "Forbidden"} > > Forbidden (HTTP 403) > Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/cliff/app.py", line 346, in > run_subcommand > result = cmd.run(parsed_args) > File "/usr/lib/python2.7/site-packages/cliff/display.py", line 79, in run > column_names, data = self.take_action(parsed_args) > File > "/usr/lib/python2.7/site-packages/gnocchiclient/v1/status_cli.py", line > 21, in take_action > status = self.app.client.status.get() > File "/usr/lib/python2.7/site-packages/gnocchiclient/v1/status.py", > line 21, in get > return self._get(self.url).json() > File "/usr/lib/python2.7/site-packages/gnocchiclient/v1/base.py", line > 37, in _get > return self.client.api.get(*args, **kwargs) > File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line > 173, in get > return self.request(url, 'GET', **kwargs) > File "/usr/lib/python2.7/site-packages/gnocchiclient/client.py", line > 38, in request > raise exceptions.from_response(resp, method) > Forbidden: Forbidden (HTTP 403) > Traceback (most recent call last): > File "/usr/bin/gnocchi", line 10, in <module> > sys.exit(main()) > File "/usr/lib/python2.7/site-packages/gnocchiclient/shell.py", line > 211, in main > return GnocchiShell().run(args) > File "/usr/lib/python2.7/site-packages/cliff/app.py", line 226, in run > result = self.run_subcommand(remainder) > File "/usr/lib/python2.7/site-packages/cliff/app.py", line 346, in > run_subcommand > result = cmd.run(parsed_args) > File "/usr/lib/python2.7/site-packages/cliff/display.py", line 79, in run > column_names, data = self.take_action(parsed_args) > File > "/usr/lib/python2.7/site-packages/gnocchiclient/v1/status_cli.py", line > 21, in take_action > status = self.app.client.status.get() > File "/usr/lib/python2.7/site-packages/gnocchiclient/v1/status.py", > line 21, in get > return self._get(self.url).json() > File "/usr/lib/python2.7/site-packages/gnocchiclient/v1/base.py", line > 37, in _get > return self.client.api.get(*args, **kwargs) > File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line > 173, in get > return self.request(url, 'GET', **kwargs) > File "/usr/lib/python2.7/site-packages/gnocchiclient/client.py", line > 38, in request > raise exceptions.from_response(resp, method) > gnocchiclient.exceptions.Forbidden: Forbidden (HTTP 403) > > > _______________________________________________ > OpenStack-operators mailing list > [email protected] > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > -- gord _______________________________________________ OpenStack-operators mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
