<div dir="ltr">Jonathan,<div><br></div><div>Are you using caching for tokens (not the middleware cache but keystone cache)? There's a bug in the caching so that when it tries to read the cache and unpack the token its missing some fields. It's been fixed and backported but may not be in your packages: <a href="https://bugs.launchpad.net/keystone/+bug/1592169">https://bugs.launchpad.net/keystone/+bug/1592169</a></div><div><br></div><div>Until that is fixed you can just flush memcache in a loop during the upgrade.</div><div><br></div><div>Also - heads-up that you will have this issue if you use caching in Mitaka that will lead to intermittent API call failures - <a href="https://bugs.launchpad.net/keystone/+bug/1600394">https://bugs.launchpad.net/keystone/+bug/1600394</a></div><div><br></div><div>And finally, this Cinder bug will show up once you're on Keystone Mitaka: <a href="https://bugs.launchpad.net/cinder/+bug/1597045">https://bugs.launchpad.net/cinder/+bug/1597045</a></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 25, 2016 at 10:55 AM, Jonathan Proulx <span dir="ltr"><<a href="mailto:jon@csail.mit.edu" target="_blank">jon@csail.mit.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi All,<br>
<br>
working on testing our Kilo-> Mitaka keystone upgrade, and I've<br>
clearly missied something I need to do or undo.<br>
<br>
After DB migration and the edits I belive are required to paste and<br>
conf files I can get tokens (using password auth) but it won't seem to<br>
accept them (for example with an admin user I get 'action requires<br>
authorization' errors when trying to show users )<br>
<br>
Current setup is pretty simple and past upgrades of keystone have been<br>
super easy, so other that reread and recheck not sure where I should<br>
focus my attention.<br>
<br>
using:<br>
fernet tokens<br>
mysql local users<br>
apache/wsgi<br>
Ubuntu 14.04 cloud archive packages<br>
<br>
This is what I can see with --debug the client (both<br>
python-keystoneclient and python-openstackclient) after getting the<br>
initial auth token through password exchange:<br>
<br>
REQ: curl -g -i -X GET <a href="https://controller:35358/v2.0/users" rel="noreferrer" target="_blank">https://controller:35358/v2.0/<wbr>users</a> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}<redacted>"<br>
"GET /v2.0/users HTTP/1.1" 401 114<br>
RESP: [401] Content-Length: 114 Vary: X-Auth-Token Keep-Alive: timeout=5 Server: Apache/2.4.7 (Ubuntu) Connection: Keep-Alive Date: Thu, 25 Aug 2016 14:41:26 GMT WWW-Authenticate: Keystone uri="<a href="https://nimbus.csail.mit.edu:35358" rel="noreferrer" target="_blank">https://nimbus.csail.mit.<wbr>edu:35358</a>" Content-Type: application/json X-Distribution: Ubuntu<br>
RESP BODY: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}<br>
<br>
(v3 requests are similar modulo API differences)<br>
<br>
Keysote.log in debug mode issues a couple deprecation warnings but no<br>
errors (<a href="http://pastebin.com/WriB6u6i" rel="noreferrer" target="_blank">http://pastebin.com/WriB6u6i</a>)<wbr>. Not this log is for the same<br>
event but response is UTC where log is local time (-0400)<br>
<br>
Any pointer to where I should focus my investigations woudl be most<br>
welcome :)<br>
<br>
Thanks,<br>
-Jon<br>
<br>
______________________________<wbr>_________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.<wbr>openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-operators</a><br>
</blockquote></div><br></div>