openstack team mailing list archive

Re: glance: "Invalid Openstack Identity Credentials"

 

All,

Thanks, that was a huge help.  The problem was indeed some stale
mismatching keys sitting in the signing_dir.  I removed those and reloaded
them from keystone and everything is working as expected.

Cheers,

-Matt


On Wed, Jul 24, 2013 at 10:42 AM, Syed Armani <syed.armani@xxxxxxxxxxx> wrote:

>
> Great post Adam. Thanks.
>
> Cheers,
> Syed
>
>
> On Wed, Jul 24, 2013 at 10:54 PM, Adam Young <ayoung@xxxxxxxxxx> wrote:
>
>>  I wrote this up as a general answer.  Hope it helps.
>>
>> https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/
>>
>>
>> On 07/24/2013 11:44 AM, Adam Young wrote:
>>
>> On 07/24/2013 10:45 AM, Salvatore Orlando wrote:
>>
>> Have you tried checking the credentials that glance uses for validating
>> tokens with keystone?
>>
>>  They are defined in glance's conf files in the section:
>>
>>  [keystone_authtoken]
>> signing_dir = /var/cache/glance/api
>>
>>
>> make sure that the directory
>> /var/cache/glance/api
>> exists and has the certificates in it.  A good test is to remove the
>> certificates and hit the server again, as they are fetched on demand.  If
>> there are no certificates there after another try, either glance can't talk
>> to Keystone or keystone is not handing out the certificates.
>>
>>   auth_uri = http://127.0.0.1:5000/
>> auth_host = 127.0.0.1
>> auth_port = 35357
>> auth_protocol = http
>>  admin_tenant_name = service
>> admin_user = glance
>> admin_password = password
>>
>>  Salvatore
>>
>>
>> On 18 July 2013 22:16, Matt Davis <mattd5574@xxxxxxxxx> wrote:
>>
>>>    Hello all,
>>>
>>>  I'm working on a deployment script to install and configure my
>>> OpenStack services and I'm getting a strange result with glance.  It's
>>> surely a bug with my script messing up a config file line, but I can't
>>> interpret the glance and keystone logs to track the issue down.  Here's the
>>> use case:
>>>
>>>  1)  Install keystone following the directions in the Grizzly
>>> installation guide for Ubuntu 12.04.
>>>  2)  Install glance following the directions in the Grizzly installation
>>> guide for Ubuntu 12.04.
>>>  3)  Run glance image-list to see if I can get an empty list.
>>>
>>>  My result:
>>>
>>> =====
>>> glance --os-username=admin --os-password=secrete --os-tenant-name demo
>>> --os-auth-url=http://localhost:5000/v2.0 image-list
>>>
>>> Request returned failure status.
>>> Invalid OpenStack Identity credentials.
>>> =====
>>>
>>>  The glance API log is as follows:
>>>
>>> =====
>>> 2013-07-18 11:18:24.301 6306 DEBUG
>>> glance.api.middleware.version_negotiation [-] Determining version of
>>> request: GET //v1/images/detail Accept:  process_request
>>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46
>>> 2013-07-18 11:18:24.302 6306 DEBUG
>>> glance.api.middleware.version_negotiation [-] Using url versioning
>>> process_request
>>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59
>>> 2013-07-18 11:18:24.302 6306 DEBUG
>>> glance.api.middleware.version_negotiation [-] Matched version: v1
>>> process_request
>>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71
>>> 2013-07-18 11:18:24.302 6306 DEBUG
>>> glance.api.middleware.version_negotiation [-] new uri /v1/images/detail
>>> process_request
>>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72
>>> =====
>>>
>>>  No entries are added to the glance registry log.  If I tweak the
>>> password to make the credentials invalid, I get this:
>>>
>>> =====
>>> glance --os-username=admin --os-password=wrong_pw --os-tenant-name demo
>>> --os-auth-url=http://localhost:5000/v2.0 image-list
>>> Unable to communicate with identity service: {"error": {"message":
>>> "Invalid user / password", "code": 401, "title": "Not Authorized"}}. (HTTP
>>> 401)
>>> =====
>>>
>>>  So keystone is definitely looking up my credentials and responding
>>> differently when they match.
>>>
>>>  Any ideas as to where should I be looking for the issue?
>>>
>>> Thanks for your time!
>>>
>>>  -Matt
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>>
>
>
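
The check behind the fix reported at the top of this thread, as an added example that is not part of the original messages or of OpenStack's own code: it compares the certificates cached in signing_dir with the copies Keystone currently serves and reports missing or stale files. The file names cacert.pem and signing_cert.pem, the helper names and the sample PEM data are assumptions constructed for illustration; how the served copies are obtained from Keystone is left out.

```python
import base64, hashlib, os, re, tempfile

# File names the token middleware is assumed to cache in signing_dir (not stated in the thread).
CACHED_NAMES = ("cacert.pem", "signing_cert.pem")
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bytes):
    """SHA-256 of each certificate's decoded body, so line wrapping does not matter."""
    return [hashlib.sha256(base64.b64decode(b"".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_bytes)]

def audit_signing_dir(signing_dir, served):
    """served maps file name -> PEM bytes from Keystone; returns {name: status}."""
    report = {}
    for name in CACHED_NAMES:
        path = os.path.join(signing_dir, name)
        if not os.path.exists(path):
            report[name] = "missing"      # nothing cached yet, or the fetch failed
            continue
        with open(path, "rb") as fh:
            cached = fingerprints(fh.read())
        if not cached:
            report[name] = "unreadable"   # truncated or non-PEM content
        elif cached != fingerprints(served[name]):
            report[name] = "stale"        # cached copy differs from what Keystone serves
        else:
            report[name] = "ok"
    return report

def make_pem(der, width=64):
    """Wrap constructed bytes as PEM; placeholder data, not a real certificate."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n").encode()

def demo():
    # Constructed scenario: CA unchanged, signing cert left over from an earlier install.
    served = {"cacert.pem": make_pem(b"constructed-ca" * 8),
              "signing_cert.pem": make_pem(b"constructed-signing-v2" * 8)}
    with tempfile.TemporaryDirectory() as d:
        # Same CA bytes wrapped at a different width must still compare equal.
        with open(os.path.join(d, "cacert.pem"), "wb") as fh:
            fh.write(make_pem(b"constructed-ca" * 8, width=76))
        with open(os.path.join(d, "signing_cert.pem"), "wb") as fh:
            fh.write(make_pem(b"constructed-signing-v1" * 8))
        return audit_signing_dir(d, served)

if __name__ == "__main__":
    print(demo())
```

A "stale" entry is the condition described at the top of the thread; a "missing" entry that persists after another request matches the case Adam describes, where glance cannot reach Keystone or Keystone is not handing out certificates.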
