openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #25408
Re: glance: "Invalid Openstack Identity Credentials"
Great post Adam. Thanks.
Cheers,
Syed
On Wed, Jul 24, 2013 at 10:54 PM, Adam Young <ayoung@xxxxxxxxxx> wrote:
> I wrote this up as a general answer. Hope it helps.
>
> https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/
>
>
> On 07/24/2013 11:44 AM, Adam Young wrote:
>
> On 07/24/2013 10:45 AM, Salvatore Orlando wrote:
>
> Hav you tried checking the credentials that glance uses for validating
> tokens with keystone?
>
> They are defined in glance's conf files in the section:
>
> [keystone_authtoken]
> signing_dir = /var/cache/glance/api
>
>
> make sure that the directory
> /var/cache/glance/api
> exists and has the certificates in it. A good test is to remove the
> certifcates and hit the server again, as they are fetched on demand. If
> there are no certificates there after another try, either glance can't talk
> to Keystone or keystone is not handing out the certificates.
>
> auth_uri = http://127.0.0.1:5000/
> auth_host = 127.0.0.1
> auth_port = 35357
> auth_protocol = http
> admin_tenant_name = service
> admin_user = glance
> admin_password = password
>
> Salvatore
>
>
> On 18 July 2013 22:16, Matt Davis <mattd5574@xxxxxxxxx> wrote:
>
>> Hello all,
>>
>> I'm working on a deployment script to install and configure my OpenStack
>> services and I'm getting a strange result with glance. It's surely a bug
>> with my script messing up a config file line, but I can't interpret the
>> glance and keystone logs to track the issue down. Here's the use case:
>>
>> 1) Install keystone following the directions in the Grizzly
>> installation guide for Ubuntu 12.04.
>> 2) Install glance following the directions in the Grizzly installation
>> guide for Ubuntu 12.04.
>> 3) Run glance image-list to see if I can get an empty list.
>>
>> My result:
>>
>> =====
>> glance --os-username=admin --os-password=secrete --os-tenant-name demo
>> --os-auth-url=http://localhost:5000/v2.0 image-list
>>
>> Request returned failure status.
>> Invalid OpenStack Identity credentials.
>> =====
>>
>> The glance API log is as follows:
>>
>> =====
>> 2013-07-18 11:18:24.301 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] Determining version of
>> request: GET //v1/images/detail Accept: process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46
>> 2013-07-18 11:18:24.302 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] Using url versioning
>> process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59
>> 2013-07-18 11:18:24.302 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] Matched version: v1
>> process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71
>> 2013-07-18 11:18:24.302 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] new uri /v1/images/detail
>> process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72
>> =====
>>
>> No entries are added to the glance registry log. If I tweak the
>> password to make the credentials invalid, I get this:
>>
>> =====
>> glance --os-username=admin --os-password=wrong_pw --os-tenant-name demo
>> --os-auth-url=http://localhost:5000/v2.0 image-list
>> Unable to communicate with identity service: {"error": {"message":
>> "Invalid user / password", "code": 401, "title": "Not Authorized"}}. (HTTP
>> 401)
>> =====
>>
>> So keystone is definitely looking up my credentials and responding
>> differently when they match.
>>
>> Any ideas as to where should I be looking for the issue?
>>
>> Thanks for your time!
>>
>> -Matt
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
Follow ups
References