<div dir="ltr"><div>All,<br><br></div>Thanks, that was a huge help. The problem was indeed some stale mismatching keys sitting in the signing_dir. I removed those and reloaded them from keystone and everything is working as expected. <br>
<br>Cheers,<br><br>-Matt<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 24, 2013 at 10:42 AM, Syed Armani <span dir="ltr"><<a href="mailto:syed.armani@hastexo.com" target="_blank">syed.armani@hastexo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><br></div>Great post Adam. Thanks.<br><br></div>Cheers,<br></div>Syed<br></div><div class="HOEnZb">
<div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 24, 2013 at 10:54 PM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>I wrote this up as a general answer.
Hope it helps.<br>
<br>
<a href="https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/" target="_blank">https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/</a><div><div><br>
<br>
On 07/24/2013 11:44 AM, Adam Young wrote:<br>
</div></div></div><div><div>
<blockquote type="cite">
<div>On 07/24/2013 10:45 AM, Salvatore
Orlando wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hav you tried checking the credentials that
glance uses for validating tokens with keystone?
<div><br>
</div>
<div>They are defined in glance's conf files in the section:</div>
<div><br>
</div>
<div>
<div>[keystone_authtoken]</div>
<div>signing_dir = /var/cache/glance/api</div>
</div>
</div>
</blockquote>
<br>
make sure that the directory <br>
/var/cache/glance/api<br>
exists and has the certificates in it. A good test is to remove
the certifcates and hit the server again, as they are fetched on
demand. If there are no certificates there after another try,
either glance can't talk to Keystone or keystone is not handing
out the certificates.<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>auth_uri = <a href="http://127.0.0.1:5000/" target="_blank">http://127.0.0.1:5000/</a></div>
<div>auth_host = 127.0.0.1</div>
<div>auth_port = 35357</div>
<div>auth_protocol = http</div>
<div> admin_tenant_name = service</div>
<div>admin_user = glance</div>
<div>admin_password = password</div>
</div>
<div><br>
</div>
<div>Salvatore</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 18 July 2013 22:16, Matt Davis <span dir="ltr"><<a href="mailto:mattd5574@gmail.com" target="_blank">mattd5574@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>Hello all,<br>
<br>
</div>
I'm working on a deployment script to install
and configure my OpenStack services and I'm
getting a strange result with glance. It's
surely a bug with my script messing up a
config file line, but I can't interpret the
glance and keystone logs to track the issue
down. Here's the use case:<br>
<br>
</div>
1) Install keystone following the directions in
the Grizzly installation guide for Ubuntu 12.04.<br>
</div>
2) Install glance following the directions in the
Grizzly installation guide for Ubuntu 12.04.<br>
</div>
<div>3) Run glance image-list to see if I can get
an empty list. <br>
<br>
</div>
<div>My result:<br>
<br>
=====<br>
glance --os-username=admin --os-password=secrete
--os-tenant-name demo --os-auth-url=<a href="http://localhost:5000/v2.0" target="_blank">http://localhost:5000/v2.0</a>
image-list<br>
<br>
Request returned failure status.<br>
Invalid OpenStack Identity credentials.<br>
=====<br>
<br>
</div>
<div>The glance API log is as follows:<br>
<br>
=====<br>
2013-07-18 11:18:24.301 6306 DEBUG
glance.api.middleware.version_negotiation [-]
Determining version of request: GET
//v1/images/detail Accept: process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46<br>
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-]
Using url versioning process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59<br>
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-]
Matched version: v1 process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71<br>
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] new
uri /v1/images/detail process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72<br>
=====<br>
<br>
</div>
<div>No entries are added to the glance registry
log. If I tweak the password to make the
credentials invalid, I get this:<br>
<br>
=====<br>
glance --os-username=admin --os-password=wrong_pw
--os-tenant-name demo --os-auth-url=<a href="http://localhost:5000/v2.0" target="_blank">http://localhost:5000/v2.0</a>
image-list<br>
Unable to communicate with identity service:
{"error": {"message": "Invalid user / password",
"code": 401, "title": "Not Authorized"}}. (HTTP
401)<br>
=====<br>
<br>
</div>
<div> So keystone is definitely looking up my
credentials and responding differently when they
match.<br>
</div>
<br>
</div>
Any ideas as to where should I be looking for the
issue?<br>
<br>
Thanks for your time!<span><font color="#888888"><br>
<br>
</font></span></div>
<span><font color="#888888">-Matt<br>
</font></span></div>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a>
</pre>
</blockquote>
<br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a>
</pre>
</blockquote>
<br>
</div></div></div>
<br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br></div>