openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #18075
Re: Verification of Keystone Installation fails
There are basically two rules at work:
1) an existing token takes precedence over username+password credentials.
2) CLI options take precedence over configuration from the environment.
In Folsom, these options look like:
(existing token)
--os-token / OS_SERVICE_TOKEN
--os-endpoint / OS_SERVICE_ENDPOINT
(credentials)
--os-username / OS_USERNAME
--os-password / OS_PASSWORD
--os-tenant-name / OS_TENANT_NAME
--os-auth-url / OS_AUTH_URL
(there are also a few other options like region, api version, etc)
Rule 1 is universally applied before rule 2, which means the token +
endpoint from the environment is taking precedence over username + password
from the CLI. IMO, it's a bug that rule 2 isn't applied before rule 1.
-Dolph
On Wed, Oct 31, 2012 at 3:32 PM, Joshua Harlow <harlowja@xxxxxxxxxxxxx>wrote:
> I think the overall issue is connected to
> https://bugs.launchpad.net/keystone/+bug/962600
>
> Right? Seems like that is still happening :-(
>
> From: Ahmed Al-Mehdi <ahmed@xxxxxxxxxx>
> Date: Wednesday, October 31, 2012 1:15 PM
> To: Dolph Mathews <dolph.mathews@xxxxxxxxx>
> Cc: Joseph Heck <Joe.Heck@xxxxxxxxxx>, "openstack@xxxxxxxxxxxxxxxxxxx" <
> openstack@xxxxxxxxxxxxxxxxxxx>
>
> Subject: Re: [Openstack] Verification of Keystone Installation fails
>
> Hi Dolph,
>
> Awesome, that worked. Thank you very much. Just out of curiosity, what
> was the exact conflict? Between which environment variable and option
> passed to the CLI?
>
> Regards,
> Ahmed.
>
>
> From: Dolph Mathews <dolph.mathews@xxxxxxxxx>
> Date: Wednesday, October 31, 2012 10:46 AM
> To: Ahmed Al-Mehdi <ahmed@xxxxxxxxxx>
> Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>,
> Joseph Heck <Joe.Heck@xxxxxxxxxx>
> Subject: Re: [Openstack] Verification of Keystone Installation fails
>
> I was able to reproduce by defining SERVICE_ENDPOINT and SERVICE_TOKEN in
> my own environment, which appear to be overriding the credentials provided
> on the CLI -- I don't think that's the intended behavior.
>
> If you unset them, you should be able to verify the install.
>
> If you skip verifying keystone and something is wrong with it, you'll
> likely find out pretty quick when another service calls keystone for the
> first time :)
>
> -Dolph
>
>
> On Wed, Oct 31, 2012 at 12:22 PM, Ahmed Al-Mehdi <ahmed@xxxxxxxxxx> wrote:
>
>> Hi Dolph,
>>
>> Thank you very much for helping me on this issue. Following is the
>> environment variables related to openstack:
>>
>> root@bodega:~# env | egrep "OS_|SERVICE_"
>> SERVICE_ENDPOINT=http://10.176.20.158:35357/v2.0/
>> SERVICE_TOKEN=012345SECRET99TOKEN012345
>> root@bodega:~# ifconfig eth0
>> eth0 Link encap:Ethernet HWaddr 00:1e:67:06:1b:67
>> inet addr:10.176.20.158 Bcast:10.176.255.255 Mask:255.255.0.0
>> inet6 addr: fe80::21e:67ff:fe06:1b67/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:12760203 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:203944 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:1044985224 (1.0 GB) TX bytes:22642912 (22.6 MB)
>> Interrupt:16 Memory:b2000000-b2020000
>> root@bodega:~#
>>
>> I am attaching keystone.conf file.
>>
>> Would you happen to know if there is a high level document document on
>> keystone (more than just a user guide, but a architectural/functional doc,
>> but not a API doc). Something similar to
>> http://docs.openstack.org/trunk/openstack-identity/admin/os-identity-starter-guide-trunk.pdf but
>> updated.
>>
>> Does my current issue prohibit me from progressing forward with the next
>> steps in the install document, setting up glance, nova, etc.?
>>
>> Regards,
>> Ahmed.
>>
>>
>>
>> From: Dolph Mathews <dolph.mathews@xxxxxxxxx>
>> Date: Wednesday, October 31, 2012 9:44 AM
>> To: Ahmed Al-Mehdi <ahmed@xxxxxxxxxx>
>> Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
>> Subject: Re: [Openstack] Verification of Keystone Installation fails
>>
>> The error you're seeing is actually client-side, so there won't be
>> anything in keystone's logs. It indicates that you're not actually
>> authenticating with keystone (and instead bypassing authentication using
>> --token and --endpoint, for example) ... however, that's obviously not the
>> case, as you're explicitly providing --os-username, etc.
>>
>> Unfortunately, I'm not able to reproduce this issue. Can you share your
>> OS_* environment variables? I suspect something there
>> is unexpectedly overriding what you're providing on the CLI... which would
>> be a legitimate bug.
>>
>> Thanks,
>>
>> -Dolph
>>
>>
>> On Wed, Oct 31, 2012 at 2:08 AM, Ahmed Al-Mehdi <ahmed@xxxxxxxxxx> wrote:
>>
>>> Hello,
>>>
>>> I followed the steps in the "OpenStack Install Deploy for Ubuntu" manual
>>> to install Keystone. However, when I issue the commands in section
>>> "Verifying the Identity Service Installation" (
>>> http://docs.openstack.org/trunk/openstack-compute/install/apt/content/verifying-identity-install.html ),
>>> I am getting the following error:
>>>
>>> # keystone --os-username=admin --os-password=admin --os-auth-url=
>>> http://10.176.20.158:35357/v2.0 token-get
>>> 'Client' object has no attribute 'service_catalog'
>>>
>>> I don't see any additional info in keystone.log. Can someone please
>>> help me.
>>>
>>> Thank you,
>>> Ahmed.
>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>
Follow ups
References