<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 11/07/2015 01:08 PM, Reza
Bakhshayeshi wrote:<br>
</div>
<blockquote
cite="mid:CAMGoRG3ALHSq8YOF3N+eqtYLGMTUY7sdL3+krp+zbGuXy39Wbg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">Thanks
all, especially Rahul,<br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">I
solved the problem temporarily by disabling SELinux.<br>
</div>
</div>
</blockquote>
<br>
What did you have for an AVC? It sounds like the issue was the
Keystone WSGI process reading the keys file? Can you post the
relevant sections from the audit log?<br>
<br>
<blockquote
cite="mid:CAMGoRG3ALHSq8YOF3N+eqtYLGMTUY7sdL3+krp+zbGuXy39Wbg@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 3 November 2015 at 07:43, 张家龙 <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:zhangjl@awcloud.com" target="_blank">zhangjl@awcloud.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Maybe you
should do the following:<br>
<br>
chown -R keystone:keystone /etc/keystone<br>
<br>
Then, restart the keystone service:<br>
<br>
systemctl restart openstack-keystone<br>
<br>
<div>
<div style="color:#909090;font-family:Arial
Narrow;font-size:12px"><br>
<br>
<br>
<br>
------------------</div>
<div style="font-size:14px;font-family:Verdana;color:#000">
<div>
<div>Best Regards</div>
<div> </div>
<div>ZhangJialong</div>
</div>
</div>
</div>
<div> </div>
<div>
<div> </div>
<div> </div>
<div style="font:Verdana normal 14px;color:#000">
<div style="FONT-SIZE:12px;FONT-FAMILY:Arial
Narrow;padding:2px 0 2px 0">------------------ Original ------------------</div>
<div
style="FONT-SIZE:12px;background:#efefef;padding:8px">
<div><b>From: </b> "Adam Young"&lt;<a
moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>&gt;;</div>
<div><b>Date: </b> Tue, Nov 3, 2015 11:01 AM</div>
<div><b>To: </b> "openstack"&lt;<a
moz-do-not-send="true"
href="mailto:openstack@lists.openstack.org"
target="_blank">openstack@lists.openstack.org</a>&gt;;
</div>
<div><b>Subject: </b> Re: [Openstack] Keystone Fernet
Token</div>
</div>
<div>
<div class="h5">
<div> </div>
<div>On 10/28/2015 02:23 PM, Reza Bakhshayeshi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">Hi
all,<br>
<br>
I'm going to use Fernet tokens on OpenStack
Kilo (only the Keystone service is installed).<br>
I've configured keystone.conf like this:<br>
<br>
[token]<br>
provider =
keystone.token.providers.fernet.Provider<br>
<br>
When I run:<br>
keystone-manage fernet_setup --keystone-user
keystone --keystone-group keystone<br>
<br>
the keys are created successfully in the
/etc/keystone/fernet-keys directory.<br>
But when I try to create a token I
receive the following error; here is the
complete log:<br>
<br>
2015-10-28 21:22:14.680 65218 INFO
keystone.common.wsgi [-] GET /?<br>
2015-10-28 23:50:25.343 9377 INFO
keystone.token.providers.fernet.utils [-]
[fernet_tokens] key_repository does not appear
to exist; attempting to create it<br>
2015-10-28 23:50:25.344 9377 INFO
keystone.token.providers.fernet.utils [-]
Created a new key: /etc/keystone/fernet-keys/0<br>
2015-10-28 23:50:25.344 9377 INFO
keystone.token.providers.fernet.utils [-]
Starting key rotation with 1 key files:
['/etc/keystone/fernet-keys/0']<br>
2015-10-28 23:50:25.344 9377 INFO
keystone.token.providers.fernet.utils [-]
Current primary key is: 0<br>
2015-10-28 23:50:25.345 9377 INFO
keystone.token.providers.fernet.utils [-] Next
primary key will be: 1<br>
2015-10-28 23:50:25.345 9377 INFO
keystone.token.providers.fernet.utils [-]
Promoted key 0 to be the primary: 1<br>
2015-10-28 23:50:25.345 9377 INFO
keystone.token.providers.fernet.utils [-]
Created a new key: /etc/keystone/fernet-keys/0<br>
2015-10-28 23:50:25.345 9377 INFO
keystone.token.providers.fernet.utils [-]
Excess keys to purge: []<br>
2015-10-28 23:50:52.632 8059 INFO
keystone.common.wsgi [-] POST /tokens?<br>
2015-10-28 23:50:52.889 8059 ERROR
keystone.token.providers.fernet.utils [-]
Either [fernet_tokens] key_repository does not
exist or Keystone does not have sufficient
permission to access it:
/etc/keystone/fernet-keys/<br>
2015-10-28 23:50:52.890 8059 WARNING
keystone.common.wsgi [-] No encryption keys
found; run keystone-manage fernet_setup to
bootstrap one.<br>
<br>
while the permissions seem to be correct:<br>
<br>
# ls -lah /etc/keystone/<br>
total 104K<br>
drwxr-x---. 3 root keystone 4.0K Oct 28
23:50 .<br>
drwxr-xr-x. 143 root root 12K Oct 28
12:56 ..<br>
-rw-r-----. 1 root keystone 1.5K Jul 29
00:21 default_catalog.templates<br>
drwx------. 2 keystone keystone 4.0K Oct 28
23:50 fernet-keys<br>
-rw-r-----. 1 root keystone 57K Oct 28
23:48 keystone.conf<br>
-rw-r-----. 1 root keystone 1.1K Jul 29
00:21 logging.conf<br>
-rw-r-----. 1 keystone keystone 8.6K Jul 29
00:21 policy.json<br>
-rw-r-----. 1 keystone keystone 665 Jul 29
00:21 sso_callback_template.html<br>
<br>
What am I missing?<br>
</div>
</div>
</blockquote>
<br>
No idea. When I get into these situations, I use
rpdb;<br>
<br>
<a moz-do-not-send="true"
href="http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/"
target="_blank">http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/</a><br>
<br>
<br>
Is there anything in /etc/keystone/fernet-keys ?<br>
<br>
<br>
<br>
<blockquote type="cite"> <br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Mailing list: <a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a moz-do-not-send="true" href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>
Unsubscribe : <a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
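Added example (not part of the original thread or of Keystone's code): the reply above asks for the AVC records from the audit log, and this Python script shows one way to pull the SELinux denials that target the Fernet key repository out of audit.log text. The sample log lines, including the httpd_t and etc_t types, pids and inode numbers, are constructed for illustration.

```python
import re

# Constructed sample audit.log lines (not from the thread); the pid, inode,
# comm and SELinux types are assumptions chosen for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1446063652.889:4121): avc:  denied  { read } for  pid=8059 comm="httpd" name="fernet-keys" dev="dm-0" ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1446063652.889:4121): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1446063700.100:4130): avc:  denied  { getattr } for  pid=901 comm="sshd" path="/root/.ssh" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1446063711.002:4140): avc:  denied  { open read } for  pid=8059 comm="httpd" path="/etc/keystone/fernet-keys/0" dev="dm-0" ino=1313 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC msg=audit\(([\d.]+):(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
    fields["serial"] = int(m.group(2))   # ties the AVC to its SYSCALL record
    fields["perms"] = m.group(3).split()
    return fields


def denials_for_repo(log_text, key_repository="/etc/keystone/fernet-keys"):
    """Keep denials whose target is the key repository or a file inside it."""
    repo = key_repository.rstrip("/")
    leaf = repo.rsplit("/", 1)[-1]
    hits = []
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        path = rec.get("path", "")
        # Directory denials often carry only name=, so match the leaf too.
        if path == repo or path.startswith(repo + "/") or rec.get("name") == leaf:
            hits.append(rec)
    return hits


def summarize(rec):
    """One line: which domain was denied which permission on which type."""
    src = rec["scontext"].split(":")[2]
    tgt = rec["tcontext"].split(":")[2]
    return "%s denied {%s} on %s:%s (comm=%s)" % (
        src, " ".join(rec["perms"]), tgt, rec["tclass"], rec["comm"])


if __name__ == "__main__":
    for r in denials_for_repo(SAMPLE_AUDIT_LOG):
        print(summarize(r))
```

On a live host, pass the contents of /var/log/audit/audit.log as log_text instead of the constructed sample.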
</body>
</html>