<div dir="ltr">Are you able to authenticate in Keystone without introducing the additional service?<div><br></div><div>This should indicate if your default Keystone admin credentials are authenticating via user/pass versus PKI tokens (a little different but I like it):</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><font face="courier new, monospace" size="1">$ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT<br>
</font><font face="courier new, monospace" size="1">$ export OS_USERNAME=<admin_username><br></font><font face="courier new, monospace" size="1">$ export OS_PASSWORD=<admin_password><br></font><font face="courier new, monospace" size="1">$ export OS_TENANT_NAME=<admin_tenant_name><br>
</font><font face="courier new, monospace" size="1">$ export OS_AUTH_URL=<a href="http://IP_ADDRESS:35357/v2.0">http://IP_ADDRESS:35357/v2.0</a> (for instance)<br></font><font face="courier new, monospace" size="1">$ keystone user-list</font></blockquote>
<div><font face="courier new, monospace"><br></font></div><div>This unsets your env vars and takes a non-token approach. should display defined users. If not then your Keystone server isn't working or isn't hearing the request. a wget of the auth url should tell you if you can see the service. Are you getting success at this level at least?</div>
<div><br></div><div>Mahalo,</div><div>Adam</div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><font><div style="font-family:arial;font-size:small"><b><i><br>Adam Lawson</i></b></div><div><font><font color="#666666" size="1"><div style="font-family:arial;font-size:small">
AQORN, Inc.</div><div style="font-family:arial;font-size:small">427 North Tatnall Street</div><div style="font-family:arial;font-size:small">Ste. 58461</div><div style="font-family:arial;font-size:small">Wilmington, Delaware 19801-2230</div>
<div style="font-family:arial;font-size:small">Toll-free: (888) 406-7620</div></font></font></div></font></div><div style="font-family:arial;font-size:small"><img src="http://www.aqorn.com/images/logo.png" width="96" height="39"><br>
</div></div></div>
<br><br><div class="gmail_quote">On Mon, Mar 24, 2014 at 1:21 PM, Erich Weiler <span dir="ltr"><<a href="mailto:weiler@soe.ucsc.edu" target="_blank">weiler@soe.ucsc.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Ah, no, this is the first one. ;)<br>
<br>
I can auth users however with "keystone token-get" so I know that works at least.<br>
<br>
"glance-api-paste.ini" and "glance-registry-paste.ini" have been integrated into glance-api.conf and glance-registry.conf so I don't need to edit those (for RedHat RDO only). I have the service auth creds in those files.<br>
<br>
Thanks for the help!<div class=""><br>
<br>
On 3/24/14, 1:16 PM, Adam Lawson wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">
Do you have any other OpenStack services authenticating against Keystone<br>
successfully?<br>
<br></div>
*/<br>
Adam Lawson/*<div class=""><br>
AQORN, Inc.<br>
427 North Tatnall Street<br>
Ste. 58461<br>
Wilmington, Delaware 19801-2230<br>
Toll-free: <a href="tel:%28888%29%20406-7620" value="+18884067620" target="_blank">(888) 406-7620</a><br>
<br>
<br>
<br></div><div class="">
On Mon, Mar 24, 2014 at 11:43 AM, Erich Weiler <<a href="mailto:weiler@soe.ucsc.edu" target="_blank">weiler@soe.ucsc.edu</a><br></div><div class="">
<mailto:<a href="mailto:weiler@soe.ucsc.edu" target="_blank">weiler@soe.ucsc.edu</a>>> wrote:<br>
<br>
Hi Y'all,<br>
<br>
I'm trying to configure Glance on RedHat RDO Icehouse, but I'm<br>
getting an auth error when I try to upload an image to it. On the<br>
client I'm trying to upload from, I see:<br>
<br>
# glance -d image-create --name="CirrOS 0.3.1" --disk-format=qcow2<br>
--container-format=bare --is-public=true < cirros-0.3.1-x86_64-disk.img<br></div>
curl -i -X POST -H 'x-image-meta-container___<u></u>format: bare' -H<div class=""><br>
'Transfer-Encoding: chunked' -H 'User-Agent: python-glanceclient' -H<br>
'x-image-meta-size: 13147648' -H 'x-image-meta-is_public: True' -H<br>
'X-Auth-Token: <...removed token...>' -H 'Content-Type:<br>
application/octet-stream' -H 'x-image-meta-disk_format: qcow2' -H<br>
'x-image-meta-name: CirrOS 0.3.1' -d '<open file '<stdin>', mode 'r'<br></div>
at 0x7f49edd5d0c0>' https://my-public-server.com:_<u></u>_9292/v1/images<div class=""><br>
<<a href="https://my-public-server.com:9292/v1/images" target="_blank">https://my-public-server.com:<u></u>9292/v1/images</a>><br>
<br>
HTTP/1.1 500 Internal Server Error<br>
date: Mon, 24 Mar 2014 18:34:03 GMT<br>
content-length: 0<br>
content-type: text/plain<br>
connection: close<br>
<br>
Request returned failure status.<br>
HTTPInternalServerError (HTTP 500)<br>
<br>
I've launched glance-api in debug mode on the server side, and I see<br>
this when the above command is run:<br>
<br>
2014-03-24 11:36:14.202 14543 DEBUG<br></div>
glance.api.middleware.version_<u></u>__negotiation [-] Determining version<div class=""><br>
of request: POST /v1/images Accept: process_request<br></div>
/usr/lib/python2.6/site-__<u></u>packages/glance/api/__<u></u>middleware/version___<u></u>negotiation.py:44<div class=""><br>
2014-03-24 11:36:14.203 14543 DEBUG<br></div>
glance.api.middleware.version_<u></u>__negotiation [-] Using url versioning<br>
process_request<br>
/usr/lib/python2.6/site-__<u></u>packages/glance/api/__<u></u>middleware/version___<u></u>negotiation.py:57<div class=""><br>
2014-03-24 11:36:14.203 14543 DEBUG<br></div>
glance.api.middleware.version_<u></u>__negotiation [-] Matched version: v1<br>
process_request<br>
/usr/lib/python2.6/site-__<u></u>packages/glance/api/__<u></u>middleware/version___<u></u>negotiation.py:69<div class=""><br>
2014-03-24 11:36:14.204 14543 DEBUG<br></div>
glance.api.middleware.version_<u></u>__negotiation [-] new path /v1/images<br>
process_request<br>
/usr/lib/python2.6/site-__<u></u>packages/glance/api/__<u></u>middleware/version___<u></u>negotiation.py:70<div class=""><br>
2014-03-24 11:36:14.204 14543 DEBUG<br></div>
keystoneclient.middleware.__<u></u>auth_token [-] Authenticating user token<br>
__call__<br>
/usr/lib/python2.6/site-__<u></u>packages/keystoneclient/__<u></u>middleware/auth_token.py:558<div class=""><br>
2014-03-24 11:36:14.205 14543 DEBUG<br></div>
keystoneclient.middleware.__<u></u>auth_token [-] Removing headers from<br>
request environment:<br>
X-Identity-Status,X-Domain-Id,<u></u>__X-Domain-Name,X-Project-Id,<u></u>X-__Project-Name,X-Project-<u></u>Domain-__Id,X-Project-Domain-<u></u>Name,X-__User-Id,X-User-Name,<u></u>X-User-__Domain-Id,X-User-<u></u>Domain-Name,__X-Roles,X-<u></u>Service-Catalog,X-__User,X-<u></u>Tenant-Id,X-Tenant-__Name,X-<u></u>Tenant,X-Role<br>
_remove_auth_headers<br>
/usr/lib/python2.6/site-__<u></u>packages/keystoneclient/__<u></u>middleware/auth_token.py:617<div class=""><br>
2014-03-24 11:36:14.226 14543 INFO urllib3.connectionpool [-]<br>
Starting new HTTP connection (1):<br></div>
genome-cloud-0-10.kilokluster.<u></u>__<a href="http://ucsc.edu" target="_blank">ucsc.edu</a><br>
<<a href="http://genome-cloud-0-10.kilokluster.ucsc.edu" target="_blank">http://genome-cloud-0-10.<u></u>kilokluster.ucsc.edu</a>><div class=""><br>
2014-03-24 11:36:14.339 14543 DEBUG urllib3.connectionpool [-] "POST<br>
/v2.0/tokens HTTP/1.1" 200 3446 _make_request<br></div>
/usr/lib/python2.6/site-__<u></u>packages/urllib3/__<u></u>connectionpool.py:295<div class=""><br>
2014-03-24 11:36:14.382 14543 INFO urllib3.connectionpool [-]<br>
Starting new HTTP connection (1):<br></div>
genome-cloud-0-10.kilokluster.<u></u>__<a href="http://ucsc.edu" target="_blank">ucsc.edu</a><br>
<<a href="http://genome-cloud-0-10.kilokluster.ucsc.edu" target="_blank">http://genome-cloud-0-10.<u></u>kilokluster.ucsc.edu</a>><div class=""><br>
2014-03-24 11:36:14.422 14543 DEBUG urllib3.connectionpool [-] "GET<br>
/v2.0/tokens/revoked HTTP/1.1" 200 686 _make_request<br></div>
/usr/lib/python2.6/site-__<u></u>packages/urllib3/__<u></u>connectionpool.py:295<div class=""><br>
2014-03-24 11:36:14.433 14543 INFO urllib3.connectionpool [-]<br>
Starting new HTTP connection (1):<br></div>
genome-cloud-0-10.kilokluster.<u></u>__<a href="http://ucsc.edu" target="_blank">ucsc.edu</a><br>
<<a href="http://genome-cloud-0-10.kilokluster.ucsc.edu" target="_blank">http://genome-cloud-0-10.<u></u>kilokluster.ucsc.edu</a>><div class=""><br>
2014-03-24 11:36:14.439 14543 DEBUG urllib3.connectionpool [-] "GET<br>
/v2.0/certificates/signing HTTP/1.1" 200 4251 _make_request<br></div>
/usr/lib/python2.6/site-__<u></u>packages/urllib3/__<u></u>connectionpool.py:295<div class=""><br>
2014-03-24 11:36:14.451 14543 INFO urllib3.connectionpool [-]<br>
Starting new HTTP connection (1):<br></div>
genome-cloud-0-10.kilokluster.<u></u>__<a href="http://ucsc.edu" target="_blank">ucsc.edu</a><br>
<<a href="http://genome-cloud-0-10.kilokluster.ucsc.edu" target="_blank">http://genome-cloud-0-10.<u></u>kilokluster.ucsc.edu</a>><div class=""><br>
2014-03-24 11:36:14.455 14543 DEBUG urllib3.connectionpool [-] "GET<br>
/v2.0/certificates/ca HTTP/1.1" 200 1277 _make_request<br></div>
/usr/lib/python2.6/site-__<u></u>packages/urllib3/__<u></u>connectionpool.py:295<div class=""><br>
2014-03-24 11:36:14.476 14543 DEBUG<br></div>
keystoneclient.middleware.__<u></u>auth_token [-] Storing<br>
326d8c391f19d07c9f5a69d40da33f<u></u>__0a token in memcache _cache_put<br>
/usr/lib/python2.6/site-__<u></u>packages/keystoneclient/__<u></u>middleware/auth_token.py:1061<div class=""><br>
2014-03-24 11:36:14.477 14543 DEBUG<br></div>
keystoneclient.middleware.__<u></u>auth_token [-] Received request from<br>
user: f8fdf7f84ad34c439c4075b5e37202<u></u>__11 with project_id :<br>
f7e61747885045d8b266a161310c00<u></u>__94 and roles: _member_<br>
_build_user_headers<br>
/usr/lib/python2.6/site-__<u></u>packages/keystoneclient/__<u></u>middleware/auth_token.py:922<div class=""><br>
2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Matched<br>
POST /images __call__<br></div>
/usr/lib/python2.6/site-__<u></u>packages/Routes-1.12.3-py2.6._<u></u>_egg/routes/middleware.py:100<div class=""><br>
2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Route<br>
path: '/images', defaults: {'action': u'create', 'controller':<br>
<glance.common.wsgi.Resource object at 0x34c7450>} __call__<br></div>
/usr/lib/python2.6/site-__<u></u>packages/Routes-1.12.3-py2.6._<u></u>_egg/routes/middleware.py:102<div class=""><br>
2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Match<br>
dict: {'action': u'create', 'controller':<br>
<glance.common.wsgi.Resource object at 0x34c7450>} __call__<br></div>
/usr/lib/python2.6/site-__<u></u>packages/Routes-1.12.3-py2.6._<u></u>_egg/routes/middleware.py:103<div class=""><br>
2014-03-24 11:36:14.488 14543 DEBUG glance.registry.client.v1.api<br></div>
[3f58e73a-6eb0-4747-ab61-__<u></u>e8b81fbe55d3<br>
f8fdf7f84ad34c439c4075b5e37202<u></u>__11<br>
f7e61747885045d8b266a161310c00<u></u>__94] Adding image metadata...<br>
add_image_metadata<br>
/usr/lib/python2.6/site-__<u></u>packages/glance/registry/__<u></u>client/v1/api.py:159<div class=""><br>
2014-03-24 11:36:14.488 14543 DEBUG glance.common.client<br></div>
[3f58e73a-6eb0-4747-ab61-__<u></u>e8b81fbe55d3<br>
f8fdf7f84ad34c439c4075b5e37202<u></u>__11<br>
f7e61747885045d8b266a161310c00<u></u>__94] Constructed URL:<br>
<a href="http://0.0.0.0:9191/images" target="_blank">http://0.0.0.0:9191/images</a> _construct_url<br>
/usr/lib/python2.6/site-__<u></u>packages/glance/common/client.<u></u>__py:407<div class=""><br>
2014-03-24 11:36:14.556 14543 DEBUG glance.common.client<br></div>
[3f58e73a-6eb0-4747-ab61-__<u></u>e8b81fbe55d3<br>
f8fdf7f84ad34c439c4075b5e37202<u></u>__11<br>
f7e61747885045d8b266a161310c00<u></u>__94] Constructed URL:<br>
<a href="http://0.0.0.0:9191/images" target="_blank">http://0.0.0.0:9191/images</a> _construct_url<br>
/usr/lib/python2.6/site-__<u></u>packages/glance/common/client.<u></u>__py:407<div class=""><br>
2014-03-24 11:36:14.560 14543 INFO<br></div>
glance.registry.client.v1.__<u></u>client<br>
[3f58e73a-6eb0-4747-ab61-__<u></u>e8b81fbe55d3<br>
f8fdf7f84ad34c439c4075b5e37202<u></u>__11<br>
f7e61747885045d8b266a161310c00<u></u>__94] Registry client request POST<div class=""><br>
/images raised NotAuthenticated<br>
2014-03-24 11:36:14.564 14543 INFO glance.wsgi.server<br></div>
[3f58e73a-6eb0-4747-ab61-__<u></u>e8b81fbe55d3<br>
f8fdf7f84ad34c439c4075b5e37202<u></u>__11<br>
f7e61747885045d8b266a161310c00<u></u>__94] Traceback (most recent call last):<br>
File "/usr/lib/python2.6/site-__<u></u>packages/eventlet/wsgi.py", line<div class=""><br>
382, in handle_one_response<br>
result = self.application(self.environ, start_response)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/dec.py", line 130,<div class=""><br>
in __call__<br>
resp = self.call_func(req, *args, **self.kwargs)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/dec.py", line 195,<div class=""><br>
in call_func<br>
return self.func(req, *args, **kwargs)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/common/wsgi.__<u></u>py", line<br>
372, in __call__<br>
response = req.get_response(self.__<u></u>application)<br>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/request.py", line<div class=""><br>
1296, in send<br>
application, catch_exc_info=False)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/request.py", line<div class=""><br>
1260, in call_application<br>
app_iter = application(self.environ, start_response)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/keystoneclient/__<u></u>middleware/auth_token.py",<div class=""><br>
line 571, in __call__<br>
return self.app(env, start_response)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/dec.py", line 130,<div class=""><br>
in __call__<br>
resp = self.call_func(req, *args, **self.kwargs)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/dec.py", line 195,<div class=""><br>
in call_func<br>
return self.func(req, *args, **kwargs)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/common/wsgi.__<u></u>py", line<br>
372, in __call__<br>
response = req.get_response(self.__<u></u>application)<br>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/request.py", line<div class=""><br>
1296, in send<br>
application, catch_exc_info=False)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/request.py", line<div class=""><br>
1260, in call_application<br>
app_iter = application(self.environ, start_response)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/paste/urlmap.py", line<div class=""><br>
203, in __call__<br>
return app(environ, start_response)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/dec.py", line 144,<div class=""><br>
in __call__<br>
return resp(environ, start_response)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/Routes-1.12.3-py2.6._<u></u>_egg/routes/middleware.py",<div class=""><br>
line 131, in __call__<br>
response = self.app(environ, start_response)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/dec.py", line 144,<div class=""><br>
in __call__<br>
return resp(environ, start_response)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/dec.py", line 130,<div class=""><br>
in __call__<br>
resp = self.call_func(req, *args, **self.kwargs)<br></div>
File "/usr/lib/python2.6/site-__<u></u>packages/webob/dec.py", line 195,<div class=""><br>
in call_func<br>
return self.func(req, *args, **kwargs)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/common/wsgi.__<u></u>py", line<div class=""><br>
604, in __call__<br>
request, **action_args)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/common/wsgi.__<u></u>py", line<div class=""><br>
623, in dispatch<br>
return method(*args, **kwargs)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/common/utils._<u></u>_py", line<div class=""><br>
435, in wrapped<br>
return func(self, req, *args, **kwargs)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/api/v1/images.<u></u>__py", line<div class=""><br>
781, in create<br>
image_meta = self._reserve(req, image_meta)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/api/v1/images.<u></u>__py", line<br>
514, in _reserve<br>
image_meta = registry.add_image_metadata(__<u></u>req.context, image_meta)<br>
File<br>
"/usr/lib/python2.6/site-__<u></u>packages/glance/registry/__<u></u>client/v1/api.py",<div class=""><br>
line 161, in add_image_metadata<br>
return c.add_image(image_meta)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/registry/__<u></u>client/v1/client.py",<div class=""><br>
line 163, in add_image<br>
res = self.do_request("POST", "/images", body=body,<br>
headers=headers)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/registry/__<u></u>client/v1/client.py",<div class=""><br>
line 107, in do_request<br>
**kwargs)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/common/client.<u></u>__py", line<div class=""><br>
65, in wrapped<br>
return func(self, *args, **kwargs)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/common/client.<u></u>__py", line<br>
382, in do_request<br>
headers=copy.deepcopy(headers)<u></u>__)<br>
File<br>
"/usr/lib/python2.6/site-__<u></u>packages/glance/common/client.<u></u>__py", line<div class=""><br>
79, in wrapped<br>
return func(self, method, url, body, headers)<br>
File<br></div>
"/usr/lib/python2.6/site-__<u></u>packages/glance/common/client.<u></u>__py", line<br>
523, in _do_request<br>
raise exception.NotAuthenticated(__<u></u>res.read())<div class=""><br>
NotAuthenticated: Authentication required<br>
<br>
<br>
2014-03-24 11:36:14.967 14543 INFO glance.wsgi.server<br></div>
[3f58e73a-6eb0-4747-ab61-__<u></u>e8b81fbe55d3<br>
f8fdf7f84ad34c439c4075b5e37202<u></u>__11<br>
f7e61747885045d8b266a161310c00<u></u>__94] 111.213.225.79,10.1.1.137 - -<div class=""><br>
[24/Mar/2014 11:36:14] "POST /v1/images HTTP/1.1" 500 139 0.765716<br>
<br>
So I see some Auth errors in that, but I can't tell _what_ kind of<br>
Auth errors they are. User auth errors from the user uploading the<br>
file? Service Auth errors from the glance service trying to auth to<br>
keystone? QPID auth errors?<br>
<br>
Can anyone see what's wrong? Then I can better debug where my<br>
problem is... I've confirmed the user can auth ok with "keystone<br>
token-get'", that seems OK, I have the service user in keystone, not<br>
sure where it's failing...<br>
<br>
keystone logs don't really show anything other than:<br>
<br>
2014-03-24 11:41:52.420 16503 WARNING keystone.common.wsgi [-]<br>
Authorization failed. The request you have made requires<br>
authentication. from 10.1.1.148<br>
<br>
Where 10.1.1.148 is the glance-api server on my internal network.<br>
<br>
Thanks for any hints!!<br>
<br>
-erich<br>
<br></div>
______________________________<u></u>___________________<br>
Mailing list:<br>
<a href="http://lists.openstack.org/__cgi-bin/mailman/listinfo/__openstack" target="_blank">http://lists.openstack.org/__<u></u>cgi-bin/mailman/listinfo/__<u></u>openstack</a><div class=""><br>
<<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/<u></u>cgi-bin/mailman/listinfo/<u></u>openstack</a>><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br></div>
<mailto:<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.<u></u>openstack.org</a>><br>
Unsubscribe :<br>
<a href="http://lists.openstack.org/__cgi-bin/mailman/listinfo/__openstack" target="_blank">http://lists.openstack.org/__<u></u>cgi-bin/mailman/listinfo/__<u></u>openstack</a><br>
<<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/<u></u>cgi-bin/mailman/listinfo/<u></u>openstack</a>><br>
<br>
<br>
</blockquote>
</blockquote></div><br></div>