openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #07187
Re: Glance authentication with Keystone woes...
Hi Jay,
Yes, this confused me, however I get the same error using the token I generated and added (via the keystone-manage command). To wit:
root@nova:~# keystone-manage token list
token user expiration tenant
-------------------------------------------------------------------------------
10111213141516171819 1 2022-01-01 00:00:00 2
fa89fb9a-60d2-4921-b12d-6aee1c177823 1 2012-02-01 15:24:33 1
b06c5e4e-5e59-4293-aa54-ce6879f11371 2 2012-02-01 15:26:41 1
where the first token is the long-lived one I supplied during installation. Running the glance command yields identical results:
root@nova:~# glance -v -A 10111213141516171819 details
Failed to show details. Got error:
Internal Server error: Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in handle_one_response
result = self.application(self.environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
return self.func(req, *args, **kwargs)
File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 113, in __call__
response = req.get_response(self.application)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
application, catch_exc_info=False)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
app_iter = application(self.environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
return self.func(req, *args, **kwargs)
File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 110, in __call__
response = self.process_request(req)
File "/usr/lib/python2.7/dist-packages/glance/common/context.py", line 104, in process_request
raise exception.NotAuthorized()
NotAuthorized: None
Completed in 0.0031 sec.
Interestingly (perhaps) I see nothing in the keystone.log file. In fact, I don't even see the keystone log file. Keystone opens to log files named 'admin.log' and 'keystone_legacy_auth.log'. Is this right? Also, if I run keystone interactively (keystone -v -d) then issue the glance command, I see nothing in the keystone window. This doesn't seem right to me, but I'm just getting started with keystone integration.
Thanks in advance for any insight...
Regards,
Ross
On Jan 31, 2012, at 6:48 PM, Jay Pipes wrote:
> On 01/31/2012 06:28 PM, Lillie Ross-CDSR11 wrote:
>> I'm reinstalling the various Openstack services from packages in the
>> ManagedIT PPA to pull in the latest Diablo bug fixes. I'm following the
>> latest directions in the newly release installation guide as I perform
>> these upgrades
>> (http://docs.openstack.org/diablo/openstack-compute/install/content/index.html).
>>
>> However, I'm having trouble getting Glance to authenticate with
>> Keystone. All config files have been copied from the examples posted in
>> the installation guide (and modified accordingly for my admin token, IP
>> addresses, etc.). Regardless, I continually get the following error
>> message and stack dump when trying to verify the Glance/Keystone
>> integration:
>>
>> Step 1: Grab a token
>>
>> # curl -d '{"auth": {"tenantName": "default",
>> "passwordCredentials":{"username": "admin", "password": "admin"}}}' -H
>> "Content-type: application/json" http://173.23.181.1:35357/v2.0/tokens |
>> python -mjson.tool
>>
>> ...
>> "token": {
>> "expires": "2012-02-01T15:24:33",
>> "id": "fa89fb9a-60d2-4921-b12d-6aee1c177823",
>> "tenant": {
>> "id": "1",
>> "name": "default"
>> }
>> }
>
> You're going to want to grab a long-lived token (sometimes called a service token) to use for the Glance API <-> Glance Registry connection. This service token should be used in the glance-registry.conf file.
>
> In glance-registry.conf, you'll see a section looking like this:
>
> [filter:authtoken]
> paste.filter_factory = keystone.middleware.auth_token:filter_factory
> service_protocol = http
> service_host = 127.0.0.1
> service_port = 5000
> auth_host = 127.0.0.1
> auth_port = 35357
> auth_protocol = http
> auth_uri = http://127.0.0.1:5000/
> admin_token = 999888777666
>
> Replace admin_token = 999888777666 with the relevant long-lived service token.
>
> Cheers!
> -jay
>
>
>> Step 2: Try a Glance command
>>
>> # glance details -A fa89fb9a-60d2-4921-b12d-6aee1c177823
>> Failed to show details. Got error:
>> Internal Server error: Traceback (most recent call last):
>> File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in
>> handle_one_response
>> result = self.application(self.environ, start_response)
>> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
>> resp = self.call_func(req, *args, **self.kwargs)
>> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
>> return self.func(req, *args, **kwargs)
>> File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 113,
>> in __call__
>> response = req.get_response(self.application)
>> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in
>> get_response
>> application, catch_exc_info=False)
>> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in
>> call_application
>> app_iter = application(self.environ, start_response)
>> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
>> resp = self.call_func(req, *args, **self.kwargs)
>> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
>> return self.func(req, *args, **kwargs)
>> File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 110,
>> in __call__
>> response = self.process_request(req)
>> File "/usr/lib/python2.7/dist-packages/glance/common/context.py", line
>> 104, in process_request
>> raise exception.NotAuthorized()
>> NotAuthorized: None
>>
>> From the Glance api.log file we see the following (with the traceback
>> identical to above removed):
>>
>> 2012-01-31 17:14:30 DEBUG [glance.api.middleware.version_negotiation]
>> Processing request: GET /v1/images/detail Accept:
>> 2012-01-31 17:14:30 DEBUG [glance.api.middleware.version_negotiation]
>> Matched versioned URI. Version: 1.0
>> 2012-01-31 17:14:30 DEBUG [eventlet.wsgi.server] Traceback (most recent
>> call last):
>> ? (traceback removed)
>> 2012-01-31 17:14:30 DEBUG [eventlet.wsgi.server] 127.0.0.1 - -
>> [31/Jan/2012 17:14:30] "GET /v1/images/detail?limit=10 HTTP/1.1" 500
>> 1528 0.001163
>>
>> This is probably a config blunder on my part, but I've poured over the
>> config files numerous times. Regardless, I've attached the glance-api
>> and registry conf files.
>>
>> Any suggestions?
>>
>> Regards,
>> Ross
>>
>>
>>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
>
Follow ups
References