openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #11641
Re: glance keystone authentication problem
The admin_token config is being used to bypass to normal authentication process, thereby avoiding the issue.
Can you paste the rest of your authtoken config? Also, try token-get against 5000, and then try the resulting token as your admin_token value.
-Dolph Mathews
On May 12, 2012, at 12:01 PM, Shashi Kanth Boddula <shashi.bsd@xxxxxxxxx> wrote:
> # keystone user-list
> +----------------------------------+---------+-------+--------+
> | id | enabled | email | name |
> +----------------------------------+---------+-------+--------+
> | 76a3cb1e5e7a427d8272838fc0a759fc | True | None | nova |
> | a19e7f6975984e7fa6c8774d688d690b | True | None | admin |
> | c92f9e064b884d5c8c140c98c4bb5fe2 | True | None | swift |
> | ebc043e91a304342ac091854b05a383b | True | None | glance |
> +----------------------------------+---------+-------+--------+
>
> # glance index
> Failed to show index. Got error:
> You are not authenticated.
> Details: 401 Unauthorized
>
> This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
>
> Authentication required
>
>
> # keystone --os_username=glance --os_password=glance --os_tenant_name=service --os_auth_url=http://127.0.0.1:35357/v2.0 token-get
> 'Client' object has no attribute 'service_catalog'
>
>
> But i am not getting this problem if i specify admin_token and auth_token in api/registry file
>
> admin_token = 012345SECRET99TOKEN012345
> auth_token = 012345SECRET99TOKEN012345
>
> If i add the above two lines, then it started working.
>
> The same case with swift also, "swift stat" command was not working, but if i add the above two lines, then it started working.
>
> But the openstack documents did not specify to add these lines in glance and swift config files.
>
> What could be the problem ?
>
> Thanks in advance.
>
> On Sat, May 12, 2012 at 4:24 PM, Dolph Mathews <dolph.mathews@xxxxxxxxx> wrote:
> I think the key is this line:
>
> 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token] Keystone rejected admin token {'X-Auth-Token': u'6f220a2e7e324bf4bd7a96040f364316'}, resetting
>
> It looks like your auth_token middleware isn't properly authenticating itself with keystone. Verify that you can receive an admin token from the admin endpoint using whatever credentials you've configured the auth_token middleware to use via [filter:authtoken], (notice I'm using the admin endpoint here):
>
> $ keystone --os_username=glance --os_password=glance --os_tenant=service --os_auth_url=http://127.0.0.1:35357/v2.0 token-get
>
> I'm guessing this authentication is either failing, or doesn't have the necessary admin privileges to validate other tokens? As shake.chen points out, user-list will probably fail for this reason.
>
> -Dolph
>
>
> On Sat, May 12, 2012 at 3:03 AM, Shake Chen <shake.chen@xxxxxxxxx> wrote:
> you can check your keystone whether work correctly.
>
> keystone user-list
>
>
>
> On Fri, May 11, 2012 at 12:42 PM, Shashi Kanth Boddula <shashi.bsd@xxxxxxxxx> wrote:
> Ubuntu 12.04 Essex.
>
> # glance index
> Failed to show index. Got error:
> You are not authenticated.
> Details: 401 Unauthorized
>
> This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
>
> Authentication required
>
> # glance --os_username=glance --os_password=glance --os_tenant=service --os_auth_url=http://127.0.0.1:5000/v2.0 index
>
> Failed to show index. Got error:
> You are not authenticated.
> Details: 401 Unauthorized
>
> This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
>
> Authentication required
>
>
> ---------------------------------------
>
> In the keystone log file i see the error bellow.
>
>
> 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token] Retrying validation
> 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token] Keystone rejected admin token {'X-Auth-Token': u'6f220a2e7e324bf4bd7a96040f364316'}, resetting
> 2012-05-11 10:03:11 18461 WARNING [keystone.middleware.auth_token] Invalid user token: 238dc305de1e418b8b81bee4f648f984. Keystone response: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Not Authorized'}}.
> 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token] Invalid user token - rejecting request
>
>
>
> Not understanding where could be the problem.
>
> glace user is mapped to admin role in the service tenant.
>
> glance endpoint is created.
>
> I have specified glance user name, password and the service tenant in glance-api/registry files, and keystone authentication specified.
>
>
> Anyone tell me what could be the problem? Thank you.
>
>
>
> --
> Thanks & Regards,
> Shashi Kanth
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
>
>
> --
> Shake Chen
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
>
>
>
> --
> Thanks & Regards,
> Shashi Kanth
>
Follow ups
References