← Back to team overview

openstack team mailing list archive

  1. openstack team
  2. Mailing list archive
  3. Message #07178

Re: Glance authentication with Keystone woes...

  Thread PreviousDate PreviousThread Next 
Yep, Ross's attached conf files show that substitution in the admin_token line.

I'd like to ensure we can validate that glance and keystone are
talking. These steps happen prior to installing nova at all. So far
the validation steps are, get a token with a curl command, then use
glance details -A $token. [1] When the validation doesn't work, what
are good troubleshooting steps? I think they're:
- make sure you restarted the registry and api services with new configs
- double-check conf files
- double-check environment (source creds file properly)
- ensure endpointTemplates are correct IP addresses
- check the logs
- use netstat to ensure ports are listening (9191 and 9292 for glance)

I'm re-running the instructions myself and now I get this:

glance -A 21f07580-629e-4c8c-9689-b6fb1fff806f details
Failed to show details. Got error:
Connect error/bad request to Auth service at URL %(url)s.

I can tell the endpointTemplates in Keystone are fine with a
keystone-manage endpointTemplates list.

What else will help troubleshoot (and validate that an install is
working with keystone)?

Thanks for the help Jay!
Anne

[1] http://docs.openstack.org/diablo/openstack-compute/install/content/images-verifying-install.html

On Jan 31, 2012, at 8:53 PM, Jay Pipes <jaypipes@xxxxxxxxx> wrote:

> Hi Ann! cc'ing the mailing list since this is generally useful information...
>
> On 01/31/2012 08:59 PM, Anne Gentle wrote:
>> Hi Jay -
>>
>> I'm pretty sure this has tripped me up before and I'm going to have to
>> change the docs for the install/deploy guide. What exactly is the call
>> for the long-lived service token? Is it a keystone admin api call -
>> admin tenant, admin user on the admin tenant?
>
> Yeah, it's confusing, I know :( The best information on this particular subject is here:
>
> http://keystone.openstack.org/configuringservices.html#defining-an-administrative-service-token
>
> Basically, in Keystone, you can create a token that can be used by a service (for service-to-service communication, like that needed by the Glance API to Glance registry communication) by using the keystone-manage command like so:
>
> keystone-manage token add <TOKEN_ID> <SERVICE_USER> <SERVICE_TENANT> <TIMESTAMP>
>
> where <TIMESTAMP> is something like 2015-02-05T00:00
>
> Cheers!
> -jay

References

  Thread PreviousDate PreviousThread Next