openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #11643
Re: glance keystone authentication problem
# cat /etc/keystone/keystone.conf
[DEFAULT]
bind_host = 0.0.0.0
public_port = 5000
admin_port = 35357
admin_token = 012345SECRET99TOKEN012345
compute_port = 8774
verbose = True
debug = True
log_config = /etc/keystone/logging.conf
# cat /etc/glance/glance-api-paste.ini
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_tenant_name = service
admin_user = glance
admin_password = glance
#admin_token = 012345SECRET99TOKEN012345
#auth_token = 012345SECRET99TOKEN012345
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_tenant_name = "HP Software"
admin_user = glance
admin_password = glance
#admin_token = 012345SECRET99TOKEN012345
#auth_token = 012345SECRET99TOKEN012345
On Sat, May 12, 2012 at 11:57 PM, Dolph Mathews <dolph.mathews@xxxxxxxxx>wrote:
> The admin_token config is being used to bypass to normal authentication
> process, thereby avoiding the issue.
>
> Can you paste the rest of your authtoken config? Also, try token-get
> against 5000, and then try the resulting token as your admin_token value.
>
> -Dolph Mathews
>
> On May 12, 2012, at 12:01 PM, Shashi Kanth Boddula <shashi.bsd@xxxxxxxxx>
> wrote:
>
> # keystone user-list
> +----------------------------------+---------+-------+--------+
> | id | enabled | email | name |
> +----------------------------------+---------+-------+--------+
> | 76a3cb1e5e7a427d8272838fc0a759fc | True | None | nova |
> | a19e7f6975984e7fa6c8774d688d690b | True | None | admin |
> | c92f9e064b884d5c8c140c98c4bb5fe2 | True | None | swift |
> | ebc043e91a304342ac091854b05a383b | True | None | glance |
> +----------------------------------+---------+-------+--------+
>
> # glance index
> Failed to show index. Got error:
> You are not authenticated.
> Details: 401 Unauthorized
>
> This server could not verify that you are authorized to access the
> document you requested. Either you supplied the wrong credentials (e.g.,
> bad password), or your browser does not understand how to supply the
> credentials required.
>
> Authentication required
>
>
> # keystone --os_username=glance --os_password=glance
> --os_tenant_name=service --os_auth_url=http://127.0.0.1:35357/v2.0token-get
> 'Client' object has no attribute 'service_catalog'
>
>
> But i am not getting this problem if i specify admin_token and auth_token
> in api/registry file
>
> admin_token = 012345SECRET99TOKEN012345
> auth_token = 012345SECRET99TOKEN012345
>
> If i add the above two lines, then it started working.
>
> The same case with swift also, "swift stat" command was not working, but
> if i add the above two lines, then it started working.
>
> But the openstack documents did not specify to add these lines in glance
> and swift config files.
>
> What could be the problem ?
>
> Thanks in advance.
>
> On Sat, May 12, 2012 at 4:24 PM, Dolph Mathews <dolph.mathews@xxxxxxxxx>wrote:
>
>> I think the key is this line:
>>
>> 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token]
>> Keystone rejected admin token {'X-Auth-Token': u'
>> 6f220a2e7e324bf4bd7a96040f364316'}, resetting
>>
>> It looks like your auth_token middleware isn't properly authenticating
>> itself with keystone. Verify that you can receive an admin token from the
>> admin endpoint using whatever credentials you've configured the auth_token
>> middleware to use via [filter:authtoken], (notice I'm using the admin
>> endpoint here):
>>
>> $ keystone --os_username=glance --os_password=glance --os_tenant=service
>> --os_auth_url=http://127.0.0.1:35357/v2.0 token-get
>>
>> I'm guessing this authentication is either failing, or doesn't have the
>> necessary admin privileges to validate other tokens? As shake.chen points
>> out, user-list will probably fail for this reason.
>>
>> -Dolph
>>
>>
>> On Sat, May 12, 2012 at 3:03 AM, Shake Chen <shake.chen@xxxxxxxxx> wrote:
>>
>>> you can check your keystone whether work correctly.
>>>
>>> keystone user-list
>>>
>>>
>>>
>>> On Fri, May 11, 2012 at 12:42 PM, Shashi Kanth Boddula <
>>> shashi.bsd@xxxxxxxxx> wrote:
>>>
>>>> Ubuntu 12.04 Essex.
>>>>
>>>> # glance index
>>>> Failed to show index. Got error:
>>>> You are not authenticated.
>>>> Details: 401 Unauthorized
>>>>
>>>> This server could not verify that you are authorized to access the
>>>> document you requested. Either you supplied the wrong credentials (e.g.,
>>>> bad password), or your browser does not understand how to supply the
>>>> credentials required.
>>>>
>>>> Authentication required
>>>>
>>>> # glance --os_username=glance --os_password=glance --os_tenant=service
>>>> --os_auth_url=http://127.0.0.1:5000/v2.0 index
>>>>
>>>> Failed to show index. Got error:
>>>> You are not authenticated.
>>>> Details: 401 Unauthorized
>>>>
>>>> This server could not verify that you are authorized to access the
>>>> document you requested. Either you supplied the wrong credentials (e.g.,
>>>> bad password), or your browser does not understand how to supply the
>>>> credentials required.
>>>>
>>>> Authentication required
>>>>
>>>>
>>>> ---------------------------------------
>>>>
>>>> In the keystone log file i see the error bellow.
>>>>
>>>>
>>>> 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token]
>>>> Retrying validation
>>>> 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token]
>>>> Keystone rejected admin token {'X-Auth-Token':
>>>> u'6f220a2e7e324bf4bd7a96040f364316'}, resetting
>>>> 2012-05-11 10:03:11 18461 WARNING [keystone.middleware.auth_token]
>>>> Invalid user token: 238dc305de1e418b8b81bee4f648f984. Keystone response:
>>>> {u'error': {u'message': u'The request you have made requires
>>>> authentication.', u'code': 401, u'title': u'Not Authorized'}}.
>>>> 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token]
>>>> Invalid user token - rejecting request
>>>>
>>>>
>>>>
>>>> Not understanding where could be the problem.
>>>>
>>>> glace user is mapped to admin role in the service tenant.
>>>>
>>>> glance endpoint is created.
>>>>
>>>> I have specified glance user name, password and the service tenant in
>>>> glance-api/registry files, and keystone authentication specified.
>>>>
>>>>
>>>> Anyone tell me what could be the problem? Thank you.
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Shashi Kanth
>>>>
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~openstack
>>>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~openstack
>>>> More help : https://help.launchpad.net/ListHelp
>>>>
>>>>
>>>
>>>
>>> --
>>> Shake Chen
>>>
>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>
>
> --
> Thanks & Regards,
> Shashi Kanth
>
>
--
Thanks & Regards,
Shashi Kanth
References