openstack team mailing list archive

Thread
Date

Re: glance: "Invalid Openstack Identity Credentials"

To: Adam Young <ayoung@xxxxxxxxxx>
From: Syed Armani <syed.armani@xxxxxxxxxxx>
Date: Wed, 24 Jul 2013 23:12:52 +0530
Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <51F00DCB.2010509@redhat.com>

Great post Adam. Thanks.

Cheers,
Syed


On Wed, Jul 24, 2013 at 10:54 PM, Adam Young <ayoung@xxxxxxxxxx> wrote:

>  I wrote this up as a general answer.  Hope it helps.
>
> https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/
>
>
> On 07/24/2013 11:44 AM, Adam Young wrote:
>
> On 07/24/2013 10:45 AM, Salvatore Orlando wrote:
>
> Hav you tried checking the credentials that glance uses for validating
> tokens with keystone?
>
>  They are defined in glance's conf files in the section:
>
>  [keystone_authtoken]
> signing_dir = /var/cache/glance/api
>
>
> make sure that the directory
> /var/cache/glance/api
> exists and has the certificates in it.  A good test is to remove the
> certifcates and hit the server again, as they are fetched on demand.  If
> there are no certificates there after another try, either glance can't talk
> to Keystone or keystone is not handing out the certificates.
>
>   auth_uri = http://127.0.0.1:5000/
> auth_host = 127.0.0.1
> auth_port = 35357
> auth_protocol = http
>  admin_tenant_name = service
> admin_user = glance
> admin_password = password
>
>  Salvatore
>
>
> On 18 July 2013 22:16, Matt Davis <mattd5574@xxxxxxxxx> wrote:
>
>>    Hello all,
>>
>>  I'm working on a deployment script to install and configure my OpenStack
>> services and I'm getting a strange result with glance.  It's surely a bug
>> with my script messing up a config file line, but I can't interpret the
>> glance and keystone logs to track the issue down.  Here's the use case:
>>
>>  1)  Install keystone following the directions in the Grizzly
>> installation guide for Ubuntu 12.04.
>>  2)  Install glance following the directions in the Grizzly installation
>> guide for Ubuntu 12.04.
>>  3)  Run glance image-list to see if I can get an empty list.
>>
>>  My result:
>>
>> =====
>> glance --os-username=admin --os-password=secrete --os-tenant-name demo
>> --os-auth-url=http://localhost:5000/v2.0 image-list
>>
>> Request returned failure status.
>> Invalid OpenStack Identity credentials.
>> =====
>>
>>  The glance API log is as follows:
>>
>> =====
>> 2013-07-18 11:18:24.301 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] Determining version of
>> request: GET //v1/images/detail Accept:  process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46
>> 2013-07-18 11:18:24.302 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] Using url versioning
>> process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59
>> 2013-07-18 11:18:24.302 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] Matched version: v1
>> process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71
>> 2013-07-18 11:18:24.302 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] new uri /v1/images/detail
>> process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72
>> =====
>>
>>  No entries are added to the glance registry log.  If I tweak the
>> password to make the credentials invalid, I get this:
>>
>> =====
>> glance --os-username=admin --os-password=wrong_pw --os-tenant-name demo
>> --os-auth-url=http://localhost:5000/v2.0 image-list
>> Unable to communicate with identity service: {"error": {"message":
>> "Invalid user / password", "code": 401, "title": "Not Authorized"}}. (HTTP
>> 401)
>> =====
>>
>>  So keystone is definitely looking up my credentials and responding
>> differently when they match.
>>
>>  Any ideas as to where should I be looking for the issue?
>>
>> Thanks for your time!
>>
>>  -Matt
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>

Follow ups

Re: glance: "Invalid Openstack Identity Credentials"
From: Matt Davis, 2013-07-24

References

glance: "Invalid Openstack Identity Credentials"
From: Matt Davis, 2013-07-18
Re: glance: "Invalid Openstack Identity Credentials"
From: Salvatore Orlando, 2013-07-24
Re: glance: "Invalid Openstack Identity Credentials"
From: Adam Young, 2013-07-24
Re: glance: "Invalid Openstack Identity Credentials"
From: Adam Young, 2013-07-24