[Openstack] glance: "Invalid Openstack Identity Credentials"

Adam Young ayoung at redhat.com
Wed Jul 24 17:24:27 UTC 2013 

I wrote this up as a general answer. Hope it helps.

https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/

On 07/24/2013 11:44 AM, Adam Young wrote:
> On 07/24/2013 10:45 AM, Salvatore Orlando wrote:
>> Hav you tried checking the credentials that glance uses for 
>> validating tokens with keystone?
>>
>> They are defined in glance's conf files in the section:
>>
>> [keystone_authtoken]
>> signing_dir = /var/cache/glance/api
>
> make sure that the directory
> /var/cache/glance/api
> exists and has the certificates in it.  A good test is to remove the 
> certifcates and hit the server again, as they are fetched on demand.  
> If there are no certificates there after another try, either glance 
> can't talk to Keystone or keystone is not handing out the certificates.
>
>> auth_uri = http://127.0.0.1:5000/
>> auth_host = 127.0.0.1
>> auth_port = 35357
>> auth_protocol = http
>> admin_tenant_name = service
>> admin_user = glance
>> admin_password = password
>>
>> Salvatore
>>
>>
>> On 18 July 2013 22:16, Matt Davis <mattd5574 at gmail.com 
>> <mailto:mattd5574 at gmail.com>> wrote:
>>
>>     Hello all,
>>
>>     I'm working on a deployment script to install and configure my
>>     OpenStack services and I'm getting a strange result with glance. 
>>     It's surely a bug with my script messing up a config file line,
>>     but I can't interpret the glance and keystone logs to track the
>>     issue down.  Here's the use case:
>>
>>     1)  Install keystone following the directions in the Grizzly
>>     installation guide for Ubuntu 12.04.
>>     2)  Install glance following the directions in the Grizzly
>>     installation guide for Ubuntu 12.04.
>>     3)  Run glance image-list to see if I can get an empty list.
>>
>>     My result:
>>
>>     =====
>>     glance --os-username=admin --os-password=secrete --os-tenant-name
>>     demo --os-auth-url=http://localhost:5000/v2.0 image-list
>>
>>     Request returned failure status.
>>     Invalid OpenStack Identity credentials.
>>     =====
>>
>>     The glance API log is as follows:
>>
>>     =====
>>     2013-07-18 11:18:24.301 6306 DEBUG
>>     glance.api.middleware.version_negotiation [-] Determining version
>>     of request: GET //v1/images/detail Accept:  process_request
>>     /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46
>>     2013-07-18 11:18:24.302 6306 DEBUG
>>     glance.api.middleware.version_negotiation [-] Using url
>>     versioning process_request
>>     /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59
>>     2013-07-18 11:18:24.302 6306 DEBUG
>>     glance.api.middleware.version_negotiation [-] Matched version: v1
>>     process_request
>>     /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71
>>     2013-07-18 11:18:24.302 6306 DEBUG
>>     glance.api.middleware.version_negotiation [-] new uri
>>     /v1/images/detail process_request
>>     /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72
>>     =====
>>
>>     No entries are added to the glance registry log.  If I tweak the
>>     password to make the credentials invalid, I get this:
>>
>>     =====
>>     glance --os-username=admin --os-password=wrong_pw
>>     --os-tenant-name demo --os-auth-url=http://localhost:5000/v2.0
>>     image-list
>>     Unable to communicate with identity service: {"error":
>>     {"message": "Invalid user / password", "code": 401, "title": "Not
>>     Authorized"}}. (HTTP 401)
>>     =====
>>
>>     So keystone is definitely looking up my credentials and
>>     responding differently when they match.
>>
>>     Any ideas as to where should I be looking for the issue?
>>
>>     Thanks for your time!
>>
>>     -Matt
>>
>>     _______________________________________________
>>     Mailing list: https://launchpad.net/~openstack
>>     <https://launchpad.net/%7Eopenstack>
>>     Post to     : openstack at lists.launchpad.net
>>     <mailto:openstack at lists.launchpad.net>
>>     Unsubscribe : https://launchpad.net/~openstack
>>     <https://launchpad.net/%7Eopenstack>
>>     More help   : https://help.launchpad.net/ListHelp
>>
>>
>>
>>
>> _______________________________________________
>> Mailing list:https://launchpad.net/~openstack
>> Post to     :openstack at lists.launchpad.net
>> Unsubscribe :https://launchpad.net/~openstack
>> More help   :https://help.launchpad.net/ListHelp
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130724/1765c0fb/attachment.html>

More information about the Openstack mailing list