<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">Thanks all, especially Rahul,<br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">I solved the problem temporarily by disabling SELinux.<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 3 November 2015 at 07:43, 张家龙 <span dir="ltr"><<a href="mailto:zhangjl@awcloud.com" target="_blank">zhangjl@awcloud.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Maybe you should do as follows:<br><br>    chown -R keystone:keystone /etc/keystone<br><br>Then, restart the keystone service:<br><br>    systemctl restart openstack-keystone<br><br><div><u></u><div style="color:#909090;font-family:Arial Narrow;font-size:12px"><br><br><br><br>------------------</div><div style="font-size:14px;font-family:Verdana;color:#000"><div>
<div>Best Regards</div>
<div> </div>
<div>ZhangJialong</div></div></div><u></u></div><div><u></u><u></u></div><div> </div><div><u></u><div> </div><div> </div><div style="font:Verdana normal 14px;color:#000"><div style="FONT-SIZE:12px;FONT-FAMILY:Arial Narrow;padding:2px 0 2px 0">------------------ Original ------------------</div><div style="FONT-SIZE:12px;background:#efefef;padding:8px"><div><b>From: </b> "Adam Young"<<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>>;</div><div><b>Date: </b> Tue, Nov 3, 2015 11:01 AM</div><div><b>To: </b> "openstack"<<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>>; </div><div></div><div><b>Subject: </b> Re: [Openstack] Keystone Fernet Token</div></div><div><div class="h5"><div> </div>
  
    
  
  
    <div>On 10/28/2015 02:23 PM, Reza
      Bakhshayeshi wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">Hi
          all,<br>
          <br>
          I'm going to use Fernet tokens on OpenStack Kilo (only the Keystone
          service is installed),<br>
          I've configured keystone.conf like:<br>
          <br>
          [token]<br>
          provider = keystone.token.providers.fernet.Provider<br>
          <br>
          When I run:<br>
          keystone-manage fernet_setup --keystone-user keystone
          --keystone-group keystone<br>
          <br>
          the keys are created successfully in the /etc/keystone/fernet-keys
          directory.<br>
          But when I try to create a token I receive the following
          error; here is the complete log:<br>
          <br>
          2015-10-28 21:22:14.680 65218 INFO keystone.common.wsgi [-]
          GET /?<br>
          2015-10-28 23:50:25.343 9377 INFO
          keystone.token.providers.fernet.utils [-] [fernet_tokens]
          key_repository does not appear to exist; attempting to create
          it<br>
          2015-10-28 23:50:25.344 9377 INFO
          keystone.token.providers.fernet.utils [-] Created a new key:
          /etc/keystone/fernet-keys/0<br>
          2015-10-28 23:50:25.344 9377 INFO
          keystone.token.providers.fernet.utils [-] Starting key
          rotation with 1 key files: ['/etc/keystone/fernet-keys/0']<br>
          2015-10-28 23:50:25.344 9377 INFO
          keystone.token.providers.fernet.utils [-] Current primary key
          is: 0<br>
          2015-10-28 23:50:25.345 9377 INFO
          keystone.token.providers.fernet.utils [-] Next primary key
          will be: 1<br>
          2015-10-28 23:50:25.345 9377 INFO
          keystone.token.providers.fernet.utils [-] Promoted key 0 to be
          the primary: 1<br>
          2015-10-28 23:50:25.345 9377 INFO
          keystone.token.providers.fernet.utils [-] Created a new key:
          /etc/keystone/fernet-keys/0<br>
          2015-10-28 23:50:25.345 9377 INFO
          keystone.token.providers.fernet.utils [-] Excess keys to
          purge: []<br>
          2015-10-28 23:50:52.632 8059 INFO keystone.common.wsgi [-]
          POST /tokens?<br>
          2015-10-28 23:50:52.889 8059 ERROR
          keystone.token.providers.fernet.utils [-] Either
          [fernet_tokens] key_repository does not exist or Keystone does
          not have sufficient permission to access it:
          /etc/keystone/fernet-keys/<br>
          2015-10-28 23:50:52.890 8059 WARNING keystone.common.wsgi [-]
          No encryption keys found; run keystone-manage fernet_setup to
          bootstrap one.<br>
          <br>
          while the permissions seem to be correct:<br>
          <br>
          # ls -lah /etc/keystone/<br>
          total 104K<br>
          drwxr-x---.   3 root     keystone 4.0K Oct 28 23:50 .<br>
          drwxr-xr-x. 143 root     root      12K Oct 28 12:56 ..<br>
          -rw-r-----.   1 root     keystone 1.5K Jul 29 00:21
          default_catalog.templates<br>
          drwx------.   2 keystone keystone 4.0K Oct 28 23:50
          fernet-keys<br>
          -rw-r-----.   1 root     keystone  57K Oct 28 23:48
          keystone.conf<br>
          -rw-r-----.   1 root     keystone 1.1K Jul 29 00:21
          logging.conf<br>
          -rw-r-----.   1 keystone keystone 8.6K Jul 29 00:21
          policy.json<br>
          -rw-r-----.   1 keystone keystone  665 Jul 29 00:21
          sso_callback_template.html<br>
          <br>
          What am I missing?<br>
        </div>
      </div>
    </blockquote>
    <br>
    No idea.  When I get into these situations, I use rpdb;<br>
    <br>
    <a href="http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/" target="_blank">http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/</a><br>
    <br>
    <br>
    Is there anything in /etc/keystone/fernet-keys ?<br>
    <br>
    <br>
    <br>
    <blockquote type="cite">
      <br>
      <fieldset></fieldset>
      <br>
      <pre>_______________________________________________
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to     : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
    </blockquote>
    <br>
  


</div></div></div><u></u></div><br>
<br></blockquote></div><br></div>
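<div>An added example, not part of the original thread: it parses three lines of the <code>ls -lah /etc/keystone/</code> output quoted above and evaluates the classic Unix (DAC) mode bits for the Keystone account, which shows why a recursive chown would not change the outcome and why the trailing "." on each mode string (an SELinux security context) matters. It assumes Keystone runs as user <code>keystone</code> with <code>keystone</code> as its only group; the function names are illustrative.</div>

```python
from dataclasses import dataclass

# Three lines copied from the `ls -lah /etc/keystone/` output quoted in the thread.
LISTING = """\
drwxr-x---.   3 root     keystone 4.0K Oct 28 23:50 .
drwxr-xr-x. 143 root     root      12K Oct 28 12:56 ..
drwx------.   2 keystone keystone 4.0K Oct 28 23:50 fernet-keys
"""

@dataclass
class Entry:
    mode: str       # nine permission characters, e.g. "rwxr-x---"
    owner: str
    group: str
    selinux: bool   # GNU ls appends "." when the file carries an SELinux context

def parse_ls(text):
    """Map entry name -> Entry for each `ls -l` line in text."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # skips "total 104K" and blank lines
        perms = fields[0]
        entries[fields[8]] = Entry(perms[1:10], fields[2], fields[3], perms[10:] == ".")
    return entries

def dac_allows(entry, user, groups, want):
    """True if every letter in want ("r", "w", "x") is granted by the mode bits.

    Does not model root's override or POSIX ACLs.
    """
    # The kernel consults exactly one triad: owner, else group, else other.
    if user == entry.owner:
        triad = entry.mode[0:3]
    elif entry.group in groups:
        triad = entry.mode[3:6]
    else:
        triad = entry.mode[6:9]
    granted = {"r": triad[0] == "r", "w": triad[1] == "w", "x": triad[2] in "xst"}
    return all(granted[p] for p in want)

def diagnose(text, user, groups):
    """Check traversal of /etc and /etc/keystone plus read access to fernet-keys."""
    e = parse_ls(text)
    dac_ok = (dac_allows(e[".."], user, groups, "x")
              and dac_allows(e["."], user, groups, "x")
              and dac_allows(e["fernet-keys"], user, groups, "rx"))
    return {"dac_ok": dac_ok, "selinux_labelled": any(x.selinux for x in e.values())}

if __name__ == "__main__":
    # Assumption: Keystone runs as user "keystone" whose only group is "keystone".
    print(diagnose(LISTING, "keystone", {"keystone"}))
```

<div>When the DAC check passes and the entries are labelled, the SELinux audit log (<code>ausearch -m avc</code>) and the labels shown by <code>ls -Z</code> are the next things to inspect.</div>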