
openstack team mailing list archive

Re: Getting keystone to work with nova/glance

 

On Mon, 2011-08-01 at 15:31 +0200, Marc Peiser wrote:
> Now I'm not sure what to do from here, 'nova-manage user list' still
> shows old users that I used in nova, nothing from keystone? 

The nova_auth_token.py middleware does lazy synchronization; that is, if
you connect authenticated as a user that nova doesn't know about, it
adds you to its database then, not later.

(That's the current action, not necessarily the future action...)

> And I can't find any help for glance/keystone integration?

First, check that your glance has my patch--bzr trunk does, but the
released d3 might not.  You can check by looking for "filter:context" in
glance-api.conf and glance-registry.conf.

If your glance does have my patch, then the procedure is similar to what
you did for nova--download keystone, make sure
keystone/middleware/glance_auth_token.py is available, then copy over
and appropriately edit examples/paste/glance-{api,registry}.conf.

Note that glance does not really have the concept of users, per se; with
my patch, it attaches the tenant as the owner of images and places
reasonable behavior on the 'is_public' attribute.  You should also note
that the glance client does not currently support any kind of
authentication; if you're consuming the Python API, you can set the
keystone authentication token (auth_tok argument to constructor or
set_auth_token() method on the client object).  Finally, note that nova
does not currently delegate the token when it accesses glance; I have a
patch to add that behavior, but it's not yet merged.

That's all the caveats I can think of for the moment; hope this helps,
and remember, the keystone integration area of nova, glance, and
probably swift is a rapidly moving target :)
-- 
Kevin L. Mitchell <kevin.mitchell@xxxxxxxxxxxxx>

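The lazy synchronization described in the reply above, as an added example that is not part of the original message and is not nova's or keystone's code: a minimal WSGI middleware that creates the local user record only on the first request carrying a valid token, and provisions nothing for a rejected one. `TOKENS`, `LazySyncAuth`, `hello_app`, `request` and the `demo.*` environ keys are hypothetical names, and the token table is constructed sample data.

```python
from wsgiref.util import setup_testing_defaults

# Constructed stand-in for the identity service's token table: token -> (user, tenant)
TOKENS = {"tok-alice": ("alice", "tenant-a")}


class LazySyncAuth:
    """WSGI middleware: validate the token, then create the local user on first sight."""

    def __init__(self, app, local_users):
        self.app = app
        self.local_users = local_users  # stand-in for the service's own user database

    def __call__(self, environ, start_response):
        identity = TOKENS.get(environ.get("HTTP_X_AUTH_TOKEN", ""))
        if identity is None:
            # Unknown or missing token: reject the request and provision nothing.
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        user, tenant = identity
        # Lazy synchronization: the local record appears only now, on the first
        # authenticated request, not when the user was created upstream.
        self.local_users.setdefault(user, {"tenant": tenant})
        environ["demo.user"], environ["demo.tenant"] = user, tenant
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s\n" % environ["demo.user"]).encode()]


def request(app, token=None):
    """Drive the WSGI app once in-process; return (status line, body)."""
    environ = {}
    setup_testing_defaults(environ)
    if token is not None:
        environ["HTTP_X_AUTH_TOKEN"] = token
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], body


if __name__ == "__main__":
    users = {"olduser": {"tenant": "legacy"}}  # what a user listing shows at first
    app = LazySyncAuth(hello_app, users)
    print(sorted(users), request(app, "tok-bogus")[0])
    print(request(app, "tok-alice")[0], sorted(users))
```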
