[Openstack] glance: "Invalid Openstack Identity Credentials"
Adam Young
ayoung at redhat.com
Wed Jul 24 17:24:27 UTC 2013
I wrote this up as a general answer. Hope it helps.
https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/
On 07/24/2013 11:44 AM, Adam Young wrote:
> On 07/24/2013 10:45 AM, Salvatore Orlando wrote:
>> Hav you tried checking the credentials that glance uses for
>> validating tokens with keystone?
>>
>> They are defined in glance's conf files in the section:
>>
>> [keystone_authtoken]
>> signing_dir = /var/cache/glance/api
>
> make sure that the directory
> /var/cache/glance/api
> exists and has the certificates in it. A good test is to remove the
> certifcates and hit the server again, as they are fetched on demand.
> If there are no certificates there after another try, either glance
> can't talk to Keystone or keystone is not handing out the certificates.
>
>> auth_uri = http://127.0.0.1:5000/
>> auth_host = 127.0.0.1
>> auth_port = 35357
>> auth_protocol = http
>> admin_tenant_name = service
>> admin_user = glance
>> admin_password = password
>>
>> Salvatore
>>
>>
>> On 18 July 2013 22:16, Matt Davis <mattd5574 at gmail.com
>> <mailto:mattd5574 at gmail.com>> wrote:
>>
>> Hello all,
>>
>> I'm working on a deployment script to install and configure my
>> OpenStack services and I'm getting a strange result with glance.
>> It's surely a bug with my script messing up a config file line,
>> but I can't interpret the glance and keystone logs to track the
>> issue down. Here's the use case:
>>
>> 1) Install keystone following the directions in the Grizzly
>> installation guide for Ubuntu 12.04.
>> 2) Install glance following the directions in the Grizzly
>> installation guide for Ubuntu 12.04.
>> 3) Run glance image-list to see if I can get an empty list.
>>
>> My result:
>>
>> =====
>> glance --os-username=admin --os-password=secrete --os-tenant-name
>> demo --os-auth-url=http://localhost:5000/v2.0 image-list
>>
>> Request returned failure status.
>> Invalid OpenStack Identity credentials.
>> =====
>>
>> The glance API log is as follows:
>>
>> =====
>> 2013-07-18 11:18:24.301 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] Determining version
>> of request: GET //v1/images/detail Accept: process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46
>> 2013-07-18 11:18:24.302 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] Using url
>> versioning process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59
>> 2013-07-18 11:18:24.302 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] Matched version: v1
>> process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71
>> 2013-07-18 11:18:24.302 6306 DEBUG
>> glance.api.middleware.version_negotiation [-] new uri
>> /v1/images/detail process_request
>> /usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72
>> =====
>>
>> No entries are added to the glance registry log. If I tweak the
>> password to make the credentials invalid, I get this:
>>
>> =====
>> glance --os-username=admin --os-password=wrong_pw
>> --os-tenant-name demo --os-auth-url=http://localhost:5000/v2.0
>> image-list
>> Unable to communicate with identity service: {"error":
>> {"message": "Invalid user / password", "code": 401, "title": "Not
>> Authorized"}}. (HTTP 401)
>> =====
>>
>> So keystone is definitely looking up my credentials and
>> responding differently when they match.
>>
>> Any ideas as to where should I be looking for the issue?
>>
>> Thanks for your time!
>>
>> -Matt
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> <https://launchpad.net/%7Eopenstack>
>> Post to : openstack at lists.launchpad.net
>> <mailto:openstack at lists.launchpad.net>
>> Unsubscribe : https://launchpad.net/~openstack
>> <https://launchpad.net/%7Eopenstack>
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>>
>>
>> _______________________________________________
>> Mailing list:https://launchpad.net/~openstack
>> Post to :openstack at lists.launchpad.net
>> Unsubscribe :https://launchpad.net/~openstack
>> More help :https://help.launchpad.net/ListHelp
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130724/1765c0fb/attachment.html>
More information about the Openstack
mailing list