<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">I wrote this up as a general answer.
Hope it helps.<br>
<br>
<a class="moz-txt-link-freetext" href="https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/">https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/</a><br>
<br>
On 07/24/2013 11:44 AM, Adam Young wrote:<br>
</div>
<blockquote cite="mid:51EFF66E.7080608@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 07/24/2013 10:45 AM, Salvatore
Orlando wrote:<br>
</div>
<blockquote
cite="mid:CAGR=i3hd7ZfQFBWE-f4iC10qcVAKNs6hHLEeqXEn+FsttkBDSg@mail.gmail.com"
type="cite">
<div dir="ltr">Hav you tried checking the credentials that
glance uses for validating tokens with keystone?
<div><br>
</div>
<div>They are defined in glance's conf files in the section:</div>
<div><br>
</div>
<div>
<div>[keystone_authtoken]</div>
<div>signing_dir = /var/cache/glance/api</div>
</div>
</div>
</blockquote>
<br>
make sure that the directory <br>
/var/cache/glance/api<br>
exists and has the certificates in it. A good test is to remove
the certifcates and hit the server again, as they are fetched on
demand. If there are no certificates there after another try,
either glance can't talk to Keystone or keystone is not handing
out the certificates.<br>
<br>
<blockquote
cite="mid:CAGR=i3hd7ZfQFBWE-f4iC10qcVAKNs6hHLEeqXEn+FsttkBDSg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>auth_uri = <a moz-do-not-send="true"
href="http://127.0.0.1:5000/">http://127.0.0.1:5000/</a></div>
<div>auth_host = 127.0.0.1</div>
<div>auth_port = 35357</div>
<div>auth_protocol = http</div>
<div> admin_tenant_name = service</div>
<div>admin_user = glance</div>
<div>admin_password = password</div>
</div>
<div><br>
</div>
<div>Salvatore</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 18 July 2013 22:16, Matt Davis <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:mattd5574@gmail.com" target="_blank">mattd5574@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>Hello all,<br>
<br>
</div>
I'm working on a deployment script to install
and configure my OpenStack services and I'm
getting a strange result with glance. It's
surely a bug with my script messing up a
config file line, but I can't interpret the
glance and keystone logs to track the issue
down. Here's the use case:<br>
<br>
</div>
1) Install keystone following the directions in
the Grizzly installation guide for Ubuntu 12.04.<br>
</div>
2) Install glance following the directions in the
Grizzly installation guide for Ubuntu 12.04.<br>
</div>
<div>3) Run glance image-list to see if I can get
an empty list. <br>
<br>
</div>
<div>My result:<br>
<br>
=====<br>
glance --os-username=admin --os-password=secrete
--os-tenant-name demo --os-auth-url=<a
moz-do-not-send="true"
href="http://localhost:5000/v2.0"
target="_blank">http://localhost:5000/v2.0</a>
image-list<br>
<br>
Request returned failure status.<br>
Invalid OpenStack Identity credentials.<br>
=====<br>
<br>
</div>
<div>The glance API log is as follows:<br>
<br>
=====<br>
2013-07-18 11:18:24.301 6306 DEBUG
glance.api.middleware.version_negotiation [-]
Determining version of request: GET
//v1/images/detail Accept: process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46<br>
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-]
Using url versioning process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59<br>
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-]
Matched version: v1 process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71<br>
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] new
uri /v1/images/detail process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72<br>
=====<br>
<br>
</div>
<div>No entries are added to the glance registry
log. If I tweak the password to make the
credentials invalid, I get this:<br>
<br>
=====<br>
glance --os-username=admin --os-password=wrong_pw
--os-tenant-name demo --os-auth-url=<a
moz-do-not-send="true"
href="http://localhost:5000/v2.0"
target="_blank">http://localhost:5000/v2.0</a>
image-list<br>
Unable to communicate with identity service:
{"error": {"message": "Invalid user / password",
"code": 401, "title": "Not Authorized"}}. (HTTP
401)<br>
=====<br>
<br>
</div>
<div> So keystone is definitely looking up my
credentials and responding differently when they
match.<br>
</div>
<br>
</div>
Any ideas as to where should I be looking for the
issue?<br>
<br>
Thanks for your time!<span class="HOEnZb"><font
color="#888888"><br>
<br>
</font></span></div>
<span class="HOEnZb"><font color="#888888">-Matt<br>
</font></span></div>
<br>
_______________________________________________<br>
Mailing list: <a moz-do-not-send="true"
href="https://launchpad.net/%7Eopenstack"
target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a moz-do-not-send="true"
href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a moz-do-not-send="true"
href="https://launchpad.net/%7Eopenstack"
target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a moz-do-not-send="true"
href="https://help.launchpad.net/ListHelp"
target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://launchpad.net/%7Eopenstack">https://launchpad.net/~openstack</a>
Post to : <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>
Unsubscribe : <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://launchpad.net/%7Eopenstack">https://launchpad.net/~openstack</a>
More help : <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://help.launchpad.net/ListHelp">https://help.launchpad.net/ListHelp</a>
</pre>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>
More help : <a class="moz-txt-link-freetext" href="https://help.launchpad.net/ListHelp">https://help.launchpad.net/ListHelp</a>
</pre>
</blockquote>
<br>
</body>
</html>