openstack team mailing list archive
Message #17119
Re: Enabling logging in keystone.
See the definition for "Token" on the concepts page:
http://docs.openstack.org/trunk/openstack-compute/install/apt/content/keystone-concepts.html
Yep! Authentication and authorization both appear to be behaving as
expected; the response you see reflects your configured OpenStack service
catalog, and the fact that you have the "admin" role on the "openstackDemo"
tenant.
-Dolph
On Wed, Oct 3, 2012 at 1:17 AM, Ahmed Al-Mehdi <ahmed@xxxxxxxxxx> wrote:
> Hi Dolph,
>
> When I use the keystone command, I am able to get "proper" tokens:
>
> root@ubuntu1:~# keystone --os-username=adminUser --os-password=secretword --os-tenant-name=openstackDemo --os-auth-url=http://10.0.2.15:35357/v2.0 token-get
> +-----------+----------------------------------+
> | Property | Value |
> +-----------+----------------------------------+
> | expires | 2012-10-04T06:00:20Z |
> | id | f10375dbe4dd4a90912ae9e6da4512e1 |
> | tenant_id | 07a44f9d55694d638f41bc160c14b42e |
> | user_id | 3e674f7f64ba452cb20781b8d5e26b7f |
> +-----------+----------------------------------+
> root@ubuntu1:~# keystone --os-username=adminUser --os-password=secretword
> --os-auth-url=http://10.0.2.15:35357/v2.0 token-get
> No handlers could be found for logger "keystoneclient.v2_0.client"
> +----------+----------------------------------+
> | Property | Value |
> +----------+----------------------------------+
> | expires | 2012-10-04T06:00:41Z |
> | id | b65af77d1ada496a929fb4991d54c147 |
> | user_id | 3e674f7f64ba452cb20781b8d5e26b7f |
> +----------+----------------------------------+
> I have a naive question. What is this "token"? How is it used?
>
>
> However, when I use the curl command, I get a page worth of "something".
> I am sorry but I am not familiar with the curl command. Since the above
> two commands are working, my guess is it is safe to ignore the curl command
> output, and that my keystone setup is correct. Would that be a safe
> assumption?
>
> curl -d '{"auth": {"tenantName": "openstackDemo", "passwordCredentials":
> {"username": "adminUser", "password": "secretword"}}}' -H "Content-type:
> application/json" http://10.0.2.15:35357/v2.0/tokens | python -mjson.tool
> {
> "access": {
> "metadata": {
> "is_admin": 0,
> "roles": [
> "31ae9c8a9486481b9c25f9e8d7e2c2f2"
> ]
> },
> "serviceCatalog": [
> {
> "endpoints": [
> {
> "adminURL": "http://10.0.2.15:8774/v2/07a44f9d55694d638f41bc160c14b42e",
> "id": "92ed4291f5ce431cb3677953c620ef9d",
> "internalURL": "http://10.0.2.15:8774/v2/07a44f9d55694d638f41bc160c14b42e",
> "publicURL": "http://10.0.2.15:8774/v2/07a44f9d55694d638f41bc160c14b42e",
> "region": "RegionOne"
> }
> ],
> "endpoints_links": [],
> "name": "nova",
> "type": "compute"
> },
> {
> "endpoints": [
> {
> "adminURL": "http://10.0.2.15:9292/v1",
> "id": "8bb7d0241e144a61afb336ac7a37af68",
> "internalURL": "http://10.0.2.15:9292/v1",
> "publicURL": "http://10.0.2.15:9292/v1",
> "region": "RegionOne"
> }
> ],
> "endpoints_links": [],
> "name": "glance",
> "type": "image"
> },
> {
> "endpoints": [
> {
> "adminURL": "http://10.0.2.15:8776/v1/07a44f9d55694d638f41bc160c14b42e",
> "id": "6bccef05d60d49f78e50c8dab7a9a2eb",
> "internalURL": "http://10.0.2.15:8776/v1/07a44f9d55694d638f41bc160c14b42e",
> "publicURL": "http://10.0.2.15:8776/v1/07a44f9d55694d638f41bc160c14b42e",
> "region": "RegionOne"
> }
> ],
> "endpoints_links": [],
> "name": "volume",
> "type": "volume"
> },
> {
> "endpoints": [
> {
> "adminURL": "http://10.0.2.15:8773/services/Admin",
> "id": "3efbabfc7e634bb0ac779a1e39ce385a",
> "internalURL": "http://10.0.2.15:8773/services/Cloud",
> "publicURL": "http://10.0.2.15:8773/services/Cloud",
> "region": "RegionOne"
> }
> ],
> "endpoints_links": [],
> "name": "ec2",
> "type": "ec2"
> },
> {
> "endpoints": [
> {
> "adminURL": "http://10.0.2.15:8888/v1",
> "id": "1bf33c68cd70421797f05b55349abddc",
> "internalURL": "http://10.0.2.15:8888/v1/AUTH_07a44f9d55694d638f41bc160c14b42e",
> "publicURL": "http://10.0.2.15:8888/v1/AUTH_07a44f9d55694d638f41bc160c14b42e",
> "region": "RegionOne"
> }
> ],
> "endpoints_links": [],
> "name": "swift",
> "type": "object-store"
> },
> {
> "endpoints": [
> {
> "adminURL": "http://10.0.2.15:35357/v2.0",
> "id": "ca29bb2a675d4f52bd0c8f0b0d163795",
> "internalURL": "http://10.0.2.15:5000/v2.0",
> "publicURL": "http://10.0.2.15:5000/v2.0",
> "region": "RegionOne"
> }
> ],
> "endpoints_links": [],
> "name": "keystone",
> "type": "identity"
> }
> ],
> "token": {
> "expires": "2012-10-04T06:03:49Z",
> "id": "1320c1df67eb4519b3545b91bdaa1f05",
> "tenant": {
> "description": "Default Tenant",
> "enabled": true,
> "id": "07a44f9d55694d638f41bc160c14b42e",
> "name": "openstackDemo"
> }
> },
> "user": {
> "id": "3e674f7f64ba452cb20781b8d5e26b7f",
> "name": "adminUser",
> "roles": [
> {
> "name": "admin"
> }
> ],
> "roles_links": [],
> "username": "adminUser"
> }
> }
> }
>
> Thank you,
> Ahmed.
>
>
>
>
> ------------------------------
> *From:* openstack-bounces+ahmed=coraid.com@xxxxxxxxxxxxxxxxxxx [openstack-bounces+ahmed=coraid.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ahmed Al-Mehdi [ahmed@xxxxxxxxxx]
> *Sent:* Tuesday, October 02, 2012 4:42 PM
> *To:* Dolph Mathews
>
> *Cc:* openstack@xxxxxxxxxxxxxxxxxxx
> *Subject:* Re: [Openstack] Enabling logging in keystone.
>
> Hi Dolph,
>
> I am now getting the same output as the "curl" command, basically
> "Invalid Tenant". At this point
>
> root@ubuntu1:~# keystone --os-username=adminUser --os-password=secretword --os-tenant-name=service --os-auth-url=http://10.0.2.15:35357/v2.0 token-get
> No handlers could be found for logger "keystoneclient.client"
> Invalid tenant (HTTP 401)
>
> Without the "os-tenant-name" parameter, I seem to get a "good" response.
>
> root@ubuntu1:~# keystone --os-username=adminUser --os-password=secretword --os-auth-url=http://10.0.2.15:35357/v2.0 token-get
> No handlers could be found for logger "keystoneclient.v2_0.client"
> +----------+----------------------------------+
> | Property | Value |
> +----------+----------------------------------+
> | expires | 2012-10-03T23:31:17Z |
> | id | 31078072aae94f5aab5c8e46ff5f6373 |
> | user_id | 3e674f7f64ba452cb20781b8d5e26b7f |
> +----------+----------------------------------+
> At this point, I feel like I am running into issues with/in the python /
> PyYAML script (https://github.com/nimbis/keystone-init.git) which must
> not be populating info into keystone "accurately" and most probably not
> equivalent to manual steps mentioned in "Deploy and Install OpenStack -
> Red Hat Ubuntu". I will look into the script.
>
> Regards,
> Ahmed.
>
> ------------------------------
> *From:* Dolph Mathews [dolph.mathews@xxxxxxxxx]
> *Sent:* Tuesday, October 02, 2012 2:19 PM
> *To:* Ahmed Al-Mehdi
> *Cc:* heckj; openstack@xxxxxxxxxxxxxxxxxxx
> *Subject:* Re: [Openstack] Enabling logging in keystone.
>
> No worries, that's what a second set of eyes is for!
>
> By specifying a token and endpoint, you're bypassing the authentication
> process that your curl command is performing.
>
> You can test authentication with the keystone client using:
>
> $ keystone --os-username=adminUser --os-password=secretword
> --os-tenant-name=adminTenant --os-auth-url=http://10.0.2.15:35357/v2.0
> token-get
>
> But as Anne pointed out, you don't have a tenant named "adminTenant".
> You'll also need to make sure you've granted a role to your user on the
> specified tenant for authorization to succeed. You can remove the tenant
> name argument from the token-get call to test authentication without
> authorization (therefore without requiring anything but a valid user in
> your keystone install).
>
> -Dolph
>
> On Tuesday, October 2, 2012, Ahmed Al-Mehdi wrote:
>
>> Hi Dolph,
>>
>> Very sorry about that. With the correct token, calling keystone from
>> the cli is working. However, the curl command is failing. Will this
>> cause an issue down the line as I start to install glance and nova?
>>
>>
>> #> keystone --token 012345SECRET99TOKEN012345 --endpoint
>> http://10.0.2.15:35357/v2.0 tenant-list
>> +----------------------------------+---------------+---------+
>> | id | name | enabled |
>> +----------------------------------+---------------+---------+
>> | 07a44f9d55694d638f41bc160c14b42e | openstackDemo | True |
>> | 0e4cc20586ae42329db51e0c6f807731 | service | True |
>> +----------------------------------+---------------+---------+
>> #> curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":
>> {"username": "adminUser", "password": "secretword"}}}' -H "Content-type:
>> application/json" http://10.0.2.15:35357/v2.0/tokens | python -mjson.tool
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>                                  Dload  Upload   Total   Spent    Left  Speed
>> 100   231    0   116  100   115   2771   2747 --:--:-- --:--:-- --:--:--  3052
>> {
>> "error": {
>> "code": 401,
>> "message": "The request you have made requires authentication.",
>> "title": "Not Authorized"
>> }
>> }
>>
>> Regards,
>> Ahmed.
>>
>>
>> ------------------------------
>> *From:* Dolph Mathews [dolph.mathews@xxxxxxxxx]
>> *Sent:* Tuesday, October 02, 2012 12:12 PM
>> *To:* Ahmed Al-Mehdi
>> *Cc:* heckj; openstack@xxxxxxxxxxxxxxxxxxx
>> *Subject:* Re: [Openstack] Enabling logging in keystone.
>>
>> You're missing a "5" on the admin_token you've specified on the command
>> line.
>>
>> 012345SECRET99TOKEN01234 (your CLI arg)
>> 012345SECRET99TOKEN012345 (keystone.conf)
>>
>> -Dolph
>>
>>
>> On Tue, Oct 2, 2012 at 1:08 PM, Ahmed Al-Mehdi <ahmed@xxxxxxxxxx> wrote:
>>
>> Hi Joe,
>>
>> I have put the conf file (renamed to ahmed_keystone.conf) into gist.
>>
>> git://gist.github.com/3821846.git
>>
>> Please let me know if you have any issues accessing the file.
>>
>> Thank you very much for helping me out. I have a feeling the issue might
>> be in the python script to populate keystone. When I previously input the
>> data manually, I got keystone configured properly.
>>
>> Regards,
>> Ahmed.
>>
>>
>> ________________________________________
>> From: heckj [heckj@xxxxxxx]
>> Sent: Tuesday, October 02, 2012 10:56 AM
>> To: Ahmed Al-Mehdi
>> Cc: openstack@xxxxxxxxxxxxxxxxxxx
>> Subject: Re: [Openstack] Enabling logging in keystone.
>>
>> Ahmed - can you put your keystone.conf into a paste or gist and share it
>> with me? I'd be happy to help you debug this.
>>
>> I'm assuming you're running keystone on the system with the IP address
>> 10.0.2.15, correct?
>>
>> -joe
>>
>> On Oct 2, 2012, at 10:45 AM, Ahmed Al-Mehdi <ahmed@xxxxxxxxxx> wrote:
>>
>> > Hi Joe,
>> >
>> > I noticed I did not put the port number in the URL, now I am getting a more meaningful error:
>> >
>> > #> keystone --token 012345SECRET99TOKEN01234 --endpoint http://10.0.2.15:35357/v2.0 tenant-list
>> > No handlers could be found for logger "keystoneclient.client"
>> > Unable to authorize user
>> >
>> > Regards,
>> > Ahmed.
>> >
>> > ________________________________________
>> > From: openstack-bounces+ahmed=coraid.com@xxxxxxxxxxxxxxxxxxx [openstack-bounces+ahmed=coraid.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ahmed Al-Mehdi [ahmed@xxxxxxxxxx]
>> > Sent: Tuesday, October 02, 2012 10:30 AM
>> > To: heckj
>> > Cc: openstack@xxxxxxxxxxxxxxxxxxx
>> > Subject: Re: [Openstack] Enabling logging in keystone.
>> >
>> > Hi Joe,
>> >
>> > Unfortunately before I read your response I re-installed my Ubuntu server. I repeated the same steps mentioned in the OpenStack document "Deploy and Install OpenStack - Red Hat Ubuntu" and also used the script mentioned in it (https://github.com/nimbis/keystone-init/blob/master/keystone-init.py) to populate keystone. I rebooted the server prior to running your suggested command and am now running into a different issue, which I feel may be due to not starting some service. Btw, my host OS is Ubuntu 12.04 (32 bit) running in VirtualBox.
>> >
>> > Currently I am getting the following error:
>> >
>> > #> keystone --token 012345SECRET99TOKEN01234 --endpoint
>> http://10.0.2.15/v2.0 tenant-lis
>>
>>
>
> --
>
> -Dolph
>
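
Dolph's reading of the curl output, as an added example (not code from the thread or from Keystone): it reduces a v2.0 `/tokens` response to scope, roles, expiry and catalog endpoints. The sample bodies are constructed with placeholder ids, `summarize` is a hypothetical helper name, and the unscoped shape is an assumption based on the tenant-less `token-get` output quoted above.

```python
import json
from datetime import datetime, timezone

# Constructed sample, trimmed to the fields read below; same shape as the
# v2.0 /tokens response quoted in the thread. Ids are placeholders.
SCOPED = json.loads("""
{"access": {
  "token": {"id": "TOKEN-ID-PLACEHOLDER", "expires": "2012-10-04T06:03:49Z",
            "tenant": {"id": "TENANT-ID-PLACEHOLDER", "name": "openstackDemo"}},
  "user": {"name": "adminUser", "roles": [{"name": "admin"}]},
  "serviceCatalog": [
    {"type": "identity", "name": "keystone", "endpoints": [
      {"publicURL": "http://10.0.2.15:5000/v2.0",
       "adminURL": "http://10.0.2.15:35357/v2.0"}]},
    {"type": "image", "name": "glance", "endpoints": [
      {"publicURL": "http://10.0.2.15:9292/v1",
       "adminURL": "http://10.0.2.15:9292/v1"}]}]}}
""")

# Constructed sample (assumed shape): authenticating without a tenant name.
UNSCOPED = {"access": {
    "token": {"id": "TOKEN-ID-PLACEHOLDER", "expires": "2012-10-04T06:00:41Z"},
    "user": {"name": "adminUser", "roles": []},
    "serviceCatalog": []}}


def summarize(body, now):
    """Reduce a /tokens response to the facts the thread reasons about.

    The token id is a bearer credential, so the summary leaves it out.
    """
    access = body["access"]
    token = access["token"]
    expires = datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    tenant = token.get("tenant")  # absent when the token is unscoped
    roles = access.get("user", {}).get("roles", [])
    catalog = access.get("serviceCatalog") or []
    return {
        "scoped": tenant is not None,
        "tenant": tenant["name"] if tenant else None,
        "roles": sorted(r["name"] for r in roles),
        "expired": now >= expires,
        "endpoints": {s["type"]: s["endpoints"][0]["publicURL"] for s in catalog},
    }


if __name__ == "__main__":
    now = datetime(2012, 10, 3, 12, 0, tzinfo=timezone.utc)
    print(summarize(SCOPED, now))
    print(summarize(UNSCOPED, now))
```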