DevOps AI ToolKit

Keystone Token & Auth Failure Triage Prompt

Diagnose Keystone authentication and authorization failures (401/403, expired Fernet tokens, broken role assignments, federation/LDAP lookup errors) by tracing the auth request through token validation, catalog, and policy enforcement.

Target user
OpenStack identity and platform operators
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior OpenStack identity engineer triaging Keystone authentication and authorization failures. Operate in a read-only, advisory mode and be precise about whether a failure is authentication (who you are) or authorization (what you can do).

I will provide:
- The failing CLI/API call with `--debug` output (token values redacted), the exact error (401 Unauthorized, 403 Forbidden, "The request you have made requires authentication."), and the request-id from the response.
- The auth scope used: user, project or domain (or system scope), the credential type (password, application credential, or an existing Fernet token), and whether federation/LDAP is involved.
- Keystone logs around that request-id, and the relevant role assignments (`openstack role assignment list --names --user ... --project ...`).
- Fernet key repository state on every Keystone node if token validation fails only on some nodes: file names, checksums and modification times (e.g. `sha256sum /etc/keystone/fernet-keys/*`, the default `[fernet_tokens] key_repository`).

Your tasks:

1. **Split auth vs authz** — from the status code and log line, determine whether the credentials or token were rejected (401) or the authenticated user lacks a role/policy grant (403). Caveat: Keystone also answers 401 when a token is requested for a project or domain where the user holds no role ("User ... has no access to project ..."); that is a missing role assignment, not a credential problem, and belongs under step 3.
2. **Validate the token path** — for Fernet 401s across an HA cluster, check that the Fernet key repository is identical on every Keystone node by comparing file checksums, not just file counts. The highest-numbered key is the primary key that encrypts new tokens, so a node that did not receive the repository after the last `keystone-manage fernet_rotate` cannot decrypt tokens issued elsewhere. Also rule out clock skew between nodes, since a token's expiry is checked against local time, and confirm the repository is readable by the keystone service user.
3. **Check scope and roles** — confirm the user has the required role on the exact project/domain being acted on (or on the system, for system-scoped APIs), accounting for implied roles and inherited assignments from the parent domain or project.
4. **Inspect policy** — for 403s where the role exists, map the action named in the error ("You are not authorized to perform the requested action: identity:...") to its oslo.policy rule. policy.yaml holds only overrides, so dump the effective rules with `oslopolicy-policy-generator --namespace keystone` and identify the failing check (role name, scope type, or owner match such as `user_id:%(user_id)s`).
5. **For federation/LDAP** — verify the mapping rules matched the assertion attributes (`openstack mapping show <mapping-id>`), that the group the mapping references exists and carries the expected role assignment, and for LDAP that the user/group filters and DN lookups succeeded in the Keystone log.

Output: (a) auth-vs-authz verdict, (b) the failing check with evidence (log line, role assignment row, or policy rule), (c) exact remediation (key repository sync, role grant, policy rule change), (d) a verification command, typically `openstack token issue` or the original call re-run with `--debug`, that should now succeed (2xx).
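Two of the checks the prompt asks for, the 401-vs-403 split (including the "no access to project" case that is really a missing role) and Fernet key repository drift across nodes, as a worked example added to this page. It is not code from the DevOps AI ToolKit prompt or from Keystone itself; the response bodies and key files are constructed samples standing in for `openstack --debug` output and the contents of `/etc/keystone/fernet-keys` on each node, and the `classify_failure`/`fernet_repo_drift` names are this example's own.

```python
"""Keystone 401/403 triage helpers (added example; constructed inputs).

classify_failure() splits authentication from authorization using the
status code and response body; fernet_repo_drift() finds the node whose
Fernet key repository is out of sync. Nothing here talks to a live cloud.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Verdict:
    kind: str        # "authn" (who you are), "authz" (policy), "scope" (no role on target)
    detail: str
    next_check: str  # the command or artifact to look at next


# Keystone answers 401 both for bad credentials / expired tokens and when a
# token is requested for a project or domain where the user holds no role.
# The second case is a missing role assignment, not a credential problem.
NO_ACCESS_RE = re.compile(r"has no access to (project|domain) (\S+)")
# Keystone's policy denial names the failing action, e.g. identity:create_user
FORBIDDEN_RE = re.compile(r"not authorized to perform the requested action: ([\w:]+)")


def classify_failure(status: int, body: str) -> Verdict:
    """Return an auth-vs-authz verdict for one failing Keystone response."""
    if status == 401:
        m = NO_ACCESS_RE.search(body)
        if m:
            kind, target = m.group(1), m.group(2)
            return Verdict(
                "scope",
                f"user has no role on {kind} {target}",
                f"openstack role assignment list --names --user <user> --{kind} {target}",
            )
        return Verdict(
            "authn",
            "credentials rejected or token invalid/expired",
            "re-authenticate with `openstack token issue`; if it fails only on "
            "some nodes, compare Fernet key repositories (fernet_repo_drift)",
        )
    if status == 403:
        m = FORBIDDEN_RE.search(body)
        action = m.group(1) if m else "<action not in body>"
        return Verdict(
            "authz",
            f"policy denied {action}",
            f"find the rule for {action} in `oslopolicy-policy-generator --namespace keystone`",
        )
    return Verdict("unknown", f"HTTP {status} is not an auth failure", "look at the service, not Keystone")


def fernet_repo_drift(repos: dict[str, dict[str, bytes]]) -> dict[str, list[str]]:
    """Per node, list key files missing or differing from the majority.

    repos maps node name -> {key file name: key bytes}. Fernet key files are
    named by integer; the highest number is the primary key that encrypts new
    tokens, so a node lacking it returns 401 for tokens issued by its peers.
    """
    digests = {
        node: {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
        for node, files in repos.items()
    }
    names = sorted({n for d in digests.values() for n in d}, key=int)
    primary = names[-1]
    drift: dict[str, list[str]] = {}
    for name in names:
        seen = [d[name] for d in digests.values() if name in d]
        majority = max(set(seen), key=seen.count)
        label = " (current primary)" if name == primary else ""
        for node, d in digests.items():
            if name not in d:
                drift.setdefault(node, []).append(f"missing key {name}{label}")
            elif d[name] != majority:
                drift.setdefault(node, []).append(f"key {name} differs from majority{label}")
    return drift


# Constructed sample: node1 ran `keystone-manage fernet_rotate` (staged key 0
# became primary key 2 and a fresh key 0 was staged) and node3 received the
# synced repository, but node2 still holds the pre-rotation repository.
SAMPLE_REPOS = {
    "node1": {"0": b"staged-after-rotate", "1": b"primary-before-rotate", "2": b"staged-before-rotate"},
    "node2": {"0": b"staged-before-rotate", "1": b"primary-before-rotate"},
    "node3": {"0": b"staged-after-rotate", "1": b"primary-before-rotate", "2": b"staged-before-rotate"},
}

if __name__ == "__main__":
    for status, body in [
        (401, "The request you have made requires authentication."),
        (401, "User 3f2c has no access to project 9a1c"),
        (403, "You are not authorized to perform the requested action: identity:create_user."),
    ]:
        v = classify_failure(status, body)
        print(f"{status}: {v.kind:5} {v.detail} -> {v.next_check}")
    print("Fernet drift:", fernet_repo_drift(SAMPLE_REPOS))
```

On a real cluster, build the `repos` argument from `sha256sum /etc/keystone/fernet-keys/*` run on each node (hashing the bytes locally gives the same digests), and feed `classify_failure` the status and body from the `--debug` response. The majority comparison is what distinguishes the one node that missed the sync from the nodes that were rotated correctly; a plain count of key files would miss a node whose staged key was overwritten but never promoted.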