[openstack-dev] Barbican : Unable to authenticate with keystone V3 for Barbican curl command

John Wood john.wood at RACKSPACE.COM
Tue Apr 7 23:26:28 UTC 2015


Hello Asha,

Please following the steps in the pending CR [1]. That configures v3 usage with Keystone, and if you use the Docker Keystone instance mentioned, it syncs the passwords with it as well. Note the need to execute the setup script noted to configure Keystone properly as well.

Thanks,
John

[1] https://review.openstack.org/#/c/169114/2/doc/source/setup/keystone.rst

From: Asha Seshagiri <asha.seshagiri at gmail.com<mailto:asha.seshagiri at gmail.com>>
Date: Tuesday, April 7, 2015 at 2:49 PM
To: John Wood <john.wood at rackspace.com<mailto:john.wood at rackspace.com>>
Cc: openstack-dev <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>, "Reller, Nathan S." <Nathan.Reller at jhuapl.edu<mailto:Nathan.Reller at jhuapl.edu>>, Douglas Mendizabal <douglas.mendizabal at RACKSPACE.COM<mailto:douglas.mendizabal at RACKSPACE.COM>>, "alee at redhat.com<mailto:alee at redhat.com>" <alee at redhat.com<mailto:alee at redhat.com>>, Paul Kehrer <paul.kehrer at RACKSPACE.COM<mailto:paul.kehrer at RACKSPACE.COM>>, Adam Harwell <adam.harwell at RACKSPACE.COM<mailto:adam.harwell at RACKSPACE.COM>>, Alexis Lee <alexisl at hp.com<mailto:alexisl at hp.com>>
Subject: Re: Barbican : Unable to authenticate with keystone V3 for Barbican curl command

Thanks a lot John for your help and response.

I had followed the same set of instructions as given in the link 1 initially changing the version to v3  , it did not work and hence followed with link 2 and is not working though.

The link 1 provided  below points to keystone v2 changes with barbican  and not v3
[1]  http://docs.openstack.org/developer/barbican/setup/keystone.html .
But in this link  2 for Integration keystone V3 with barbican we have to modify both the configuriation files
 barbican-api-paste.ini and barbican-admin-paste.ini files . There are some changes in the filter and pipline names  names tied with v3


pipeline = keystone_v3_authtoken context apiapp
.....
[filter:keystone_v3_authtoken]

[2] https://github.com/cloudkeep/barbican/wiki/Integration-with-Keystone-V3-API

Could you please confirm that we need to follow the link 1 changing the version from v2 to v3 with only modification in barbican-api-paste.ini  file and not barbican-admin-paste.ini so that I can start looking into the issue with the changes mentioned in link1 alone.

Thanks and Regards,
Asha Seshagiri

On Tue, Apr 7, 2015 at 2:08 PM, John Wood <john.wood at rackspace.com<mailto:john.wood at rackspace.com>> wrote:
Hello Asha,

We are in the process of migrating our documentation to Sphinx, so I'd suggest following this link for Keystone configuration options [1].

I'd also note that a CR is pending with a bit more details to setup via a Docker Keystone here [2].

Thanks,
John


[1]  http://docs.openstack.org/developer/barbican/setup/keystone.html
[2]  https://review.openstack.org/#/c/169114/

From: Asha Seshagiri <asha.seshagiri at gmail.com<mailto:asha.seshagiri at gmail.com>>
Date: Tuesday, April 7, 2015 at 1:34 PM
To: openstack-dev <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Cc: John Wood <john.wood at rackspace.com<mailto:john.wood at rackspace.com>>, "Reller, Nathan S." <Nathan.Reller at jhuapl.edu<mailto:Nathan.Reller at jhuapl.edu>>, Douglas Mendizabal <douglas.mendizabal at RACKSPACE.COM<mailto:douglas.mendizabal at RACKSPACE.COM>>, "alee at redhat.com<mailto:alee at redhat.com>" <alee at redhat.com<mailto:alee at redhat.com>>, Paul Kehrer <paul.kehrer at RACKSPACE.COM<mailto:paul.kehrer at RACKSPACE.COM>>, Adam Harwell <adam.harwell at RACKSPACE.COM<mailto:adam.harwell at RACKSPACE.COM>>, Alexis Lee <alexisl at hp.com<mailto:alexisl at hp.com>>
Subject: Barbican : Unable to authenticate with keystone V3 for Barbican curl command

Hi All ,

Could anyone please help me on this integration issue.
I am unable to authenticate with keystone V3  for Barbican curl command   .I have followed the procedure given in the following link :

https://github.com/cloudkeep/barbican/wiki/Integration-with-Keystone-V3-API

I was unable to authenticate with the keystone V3 even though the right token was provided in the curl command
Please find the command to get the token and the curl command to post the secret .

[root at keystone-versiontest ~]# openstack --insecure token issue (Command to get token from keystone v3)
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-04-07T18:26:13.835641Z      |
| id         | f28b93f27cce4bc09f9ac50d84bde736 |
| project_id | 9d37f9ecc481422aa8ab53674cb82410 |
| user_id    | e7d02ed8e7e64b01a1d66bb86ffa90d8 |
+------------+----------------------------------+

[root at keystone-versiontest ~]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
> -H "X-Auth-Token:f28b93f27cce4bc09f9ac50d84bde736" -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
Authentication required[root at keystone-versiontest ~]#

The contents of the admin.opensrc file is as given below :

[root at keystone-versiontest ~]# cat admin.openrc
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=https://169.54.204.69:35357/v3
export OS_REGION_NAME=RegionOne
export OS_IDENTITY_API_VERSION=3
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default


And also I have attached the  barbican-api-paste.ini and barbican-admin-paste.ini files.

I would like to know why the curl command for posting the secret is not geting authenticated with Keystone V3

Any help would highly be appreciated.
--
Thanks and Regards,
Asha Seshagiri



--
Thanks and Regards,
Asha Seshagiri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150407/31084a86/attachment.html>


More information about the OpenStack-dev mailing list