<div dir="ltr">Hi all,<div> I am slowly putting my OpenStack deployment together and have run into an issue with Glance and Keystone.</div><div><br></div><div>If I set my paste_deploy flavour to empty glance works perfectly fine. I can upload and list images.</div>
<div><br></div><div>Keystone related options in glance-api.conf</div><div><div>[keystone_authtoken]</div><div>auth_host = localhost</div><div>auth_port = 35357</div><div>auth_protocol = http</div><div>admin_tenant_name = services</div>
<div>admin_user = glance</div><div>admin_password = glance_password</div><div>auth_uri=<a href="http://api.openstack.home:5000/">http://api.openstack.home:5000/</a></div><div><br></div><div>[paste_deploy]</div><div>flavor=keystone</div>
</div><div><br></div><div>Keystone related options in glance-api-paste.ini<br></div><div><div>[filter:authtoken]</div><div>paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory</div><div>delay_auth_decision = true</div>
<div>auth_host=api01.openstack.home</div><div>admin_user=glance</div><div>admin_tenant_name=services</div><div>admin_password=glance_password</div></div><div><br></div><div><br></div><div>I only added the auth_host and admin_* in glance-api-paste.ini after reading the havana documentation</div>
<div><br></div><div>I know my glance credentials are fine as they work fine with the keystone client:</div><div><div>openstack@admin:~$ keystone --os-username glance --os-password glance_password --os-tenant-name services user-list</div>
<div>+----------------------------------+--------+---------+------------------------+</div><div>| id | name | enabled | email |</div><div>+----------------------------------+--------+---------+------------------------+</div>
<div>| 6cf5d29c132949679f730dd9a4ccdf75 | admin | True | <a href="mailto:clark.adam.p@gmail.com">clark.adam.p@gmail.com</a> |</div><div>| d29b9eeb8321427a9f5eed9dfb495ed1 | glance | True | glance@localhost |</div>
<div>| a0ffc44433314c71bc9bfb979045735d | test | True | <a href="mailto:test@example.com">test@example.com</a> |</div><div>+----------------------------------+--------+---------+------------------------+</div></div>
<div><br></div><div>But when I use the same against glance with my flavor=keystone I get:</div><div><div>openstack@admin:~$ glance --os-username glance --os-password glance_password --os-tenant-name services image-list</div>
<div>Request returned failure status.</div><div>Invalid OpenStack Identity credentials.</div></div><div><br></div><div><br></div><div>And the associated api log entries are:</div><div><div>2014-04-07 17:10:46.866 15375 DEBUG keystoneclient.middleware.auth_token [-] Authenticating user token __call__ /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:526</div>
<div>2014-04-07 17:10:46.867 15375 DEBUG keystoneclient.middleware.auth_token [-] Removing headers from request environment: X-Identity-Status,X-Domain-Id,X-Domain-Name,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-User-Id,X-User-Name,X-User-Domain-Id,X-User-Domain-Name,X-Roles,X-Service-Catalog,X-User,X-Tenant-Id,X-Tenant-Name,X-Tenant,X-Role _remove_auth_headers /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:585</div>
<div>2014-04-07 17:10:46.918 15375 DEBUG keystoneclient.middleware.auth_token [-] Token expired a 2014-04-07T08:10:46Z _confirm_token_not_expired /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:1024</div>
<div>2014-04-07 17:10:46.919 15375 DEBUG keystoneclient.middleware.auth_token [-] Token validation failure. _validate_user_token /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:790</div><div>2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token Traceback (most recent call last):</div>
<div>2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 782, in _validate_user_token</div><div>2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token expires = self._confirm_token_not_expired(data)</div>
<div>2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 1025, in _confirm_token_not_expired</div><div>
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token raise InvalidUserToken('Token authorization failed')</div><div>2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token InvalidUserToken: Token authorization failed</div>
<div>2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token </div><div>2014-04-07 17:10:46.919 15375 DEBUG keystoneclient.middleware.auth_token [-] Marking token <token removed for clarity> as unauthorized in memcache _cache_store_invalid /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:1043</div>
<div>2014-04-07 17:10:46.920 15375 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token <token removed for clarity></div><div>2014-04-07 17:10:46.920 15375 INFO keystoneclient.middleware.auth_token [-] Invalid user token - deferring reject downstream</div>
<div><br></div><div>My time between all of my hosts are synced, and token expiry is well past (my time zone is +10 hours)</div><div>root@api01:~# date --utc</div><div>Mon Apr 7 07:10:54 UTC 2014</div></div><div><br></div>
<div>I'm pretty sure I have all my keystone config options correct.</div><div><br></div><div>Cheers</div><div><br></div><div>Adam</div></div>