<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">Dear Adam, <br><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">here is the audit.log content:<br><br>type=AVC msg=audit(1447271600.161:353): avc: denied { write } for pid=4616 comm="httpd" name="fernet-keys" dev="dm-1" ino=1706000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir<br>type=SYSCALL msg=audit(1447271600.161:353): arch=c000003e syscall=21 success=no exit=-13 a0=7f2ebf240b10 a1=2 a2=7f2ed1d1af88 a3=0 items=0 ppid=2714 pid=4616 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)<br>type=AVC msg=audit(1447271602.313:354): avc: denied { write } for pid=4648 comm="httpd" name="fernet-keys" dev="dm-1" ino=1706000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir<br>type=SYSCALL msg=audit(1447271602.313:354): arch=c000003e syscall=21 success=no exit=-13 a0=7f2ebf60a4c0 a1=2 a2=7f2ed1d1af88 a3=0 items=0 ppid=2714 pid=4648 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)<br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 9 November 2015 at 18:22, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div>On 11/07/2015 01:08 PM, Reza
Bakhshayeshi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">Thanks
all, especially Rahul,<br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">I
solved the problem temporarily by disabling selinux.<br>
</div>
</div>
</blockquote>
<br></span>
What did you have for an AVC? It sounds like the issue was the
Keystone WSGI process reading the keys file? Can you post the
relevant sections from the audit log?<div><div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 3 November 2015 at 07:43, 张家龙 <span dir="ltr"><<a href="mailto:zhangjl@awcloud.com" target="_blank">zhangjl@awcloud.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Maybe you
should do as follows:<br>
<br>
chown -R keystone:keystone /etc/keystone<br>
<br>
Then, restart the keystone service:<br>
<br>
systemctl restart openstack-keystone<br>
<br>
<div>
<div style="color:#909090;font-family:Arial Narrow;font-size:12px">------------------</div>
<div style="font-size:14px;font-family:Verdana;color:#000">
<div>
<div>Best Regards</div>
<div> </div>
<div>ZhangJialong</div>
</div>
</div>
</div>
<div>
<div style="font:Verdana normal 14px;color:#000">
<div style="FONT-SIZE:12px;FONT-FAMILY:Arial Narrow;padding:2px 0 2px 0">------------------ Original ------------------</div>
<div style="FONT-SIZE:12px;background:#efefef;padding:8px">
<div><b>From: </b> "Adam Young"<<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>>;</div>
<div><b>Date: </b> Tue, Nov 3, 2015 11:01 AM</div>
<div><b>To: </b> "openstack"<<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>>;
</div>
<div><b>Subject: </b> Re: [Openstack] Keystone Fernet
Token</div>
</div>
<div>
<div>
<div> </div>
<div>On 10/28/2015 02:23 PM, Reza Bakhshayeshi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(0,0,102)">Hi
all,<br>
<br>
I'm going to use Fernet tokens on OpenStack
Kilo (only the Keystone service is installed).<br>
I've configured keystone.conf like:<br>
<br>
[token]<br>
provider =
keystone.token.providers.fernet.Provider<br>
<br>
When I run:<br>
keystone-manage fernet_setup --keystone-user
keystone --keystone-group keystone<br>
<br>
keys are created successfully in the
/etc/keystone/fernet-keys directory.<br>
But when I try to create a token I
receive the following error; here is the
complete log:<br>
<br>
2015-10-28 21:22:14.680 65218 INFO
keystone.common.wsgi [-] GET /?<br>
2015-10-28 23:50:25.343 9377 INFO
keystone.token.providers.fernet.utils [-]
[fernet_tokens] key_repository does not appear
to exist; attempting to create it<br>
2015-10-28 23:50:25.344 9377 INFO
keystone.token.providers.fernet.utils [-]
Created a new key: /etc/keystone/fernet-keys/0<br>
2015-10-28 23:50:25.344 9377 INFO
keystone.token.providers.fernet.utils [-]
Starting key rotation with 1 key files:
['/etc/keystone/fernet-keys/0']<br>
2015-10-28 23:50:25.344 9377 INFO
keystone.token.providers.fernet.utils [-]
Current primary key is: 0<br>
2015-10-28 23:50:25.345 9377 INFO
keystone.token.providers.fernet.utils [-] Next
primary key will be: 1<br>
2015-10-28 23:50:25.345 9377 INFO
keystone.token.providers.fernet.utils [-]
Promoted key 0 to be the primary: 1<br>
2015-10-28 23:50:25.345 9377 INFO
keystone.token.providers.fernet.utils [-]
Created a new key: /etc/keystone/fernet-keys/0<br>
2015-10-28 23:50:25.345 9377 INFO
keystone.token.providers.fernet.utils [-]
Excess keys to purge: []<br>
2015-10-28 23:50:52.632 8059 INFO
keystone.common.wsgi [-] POST /tokens?<br>
2015-10-28 23:50:52.889 8059 ERROR
keystone.token.providers.fernet.utils [-]
Either [fernet_tokens] key_repository does not
exist or Keystone does not have sufficient
permission to access it:
/etc/keystone/fernet-keys/<br>
2015-10-28 23:50:52.890 8059 WARNING
keystone.common.wsgi [-] No encryption keys
found; run keystone-manage fernet_setup to
bootstrap one.<br>
<br>
while the permissions seem to be correct:<br>
<br>
# ls -lah /etc/keystone/<br>
total 104K<br>
drwxr-x---. 3 root keystone 4.0K Oct 28
23:50 .<br>
drwxr-xr-x. 143 root root 12K Oct 28
12:56 ..<br>
-rw-r-----. 1 root keystone 1.5K Jul 29
00:21 default_catalog.templates<br>
drwx------. 2 keystone keystone 4.0K Oct 28
23:50 fernet-keys<br>
-rw-r-----. 1 root keystone 57K Oct 28
23:48 keystone.conf<br>
-rw-r-----. 1 root keystone 1.1K Jul 29
00:21 logging.conf<br>
-rw-r-----. 1 keystone keystone 8.6K Jul 29
00:21 policy.json<br>
-rw-r-----. 1 keystone keystone 665 Jul 29
00:21 sso_callback_template.html<br>
<br>
What am I missing?<br>
</div>
</div>
</blockquote>
<br>
No idea. When I get into these situations, I use
rpdb:<br>
<br>
<a href="http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/" target="_blank">http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/</a><br>
<br>
<br>
Is there anything in /etc/keystone/fernet-keys ?<br>
<br>
<br>
<br>
<blockquote type="cite"> <br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
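<p>The two AVC/SYSCALL pairs at the top of this message can be decoded mechanically. The Python script below is an added example, not code from this thread or from Keystone/OpenStack: it parses the audit records quoted above (copied here as constructed sample input), joins each AVC record to its SYSCALL record by audit serial, and decodes the syscall number, the mode argument of access(2) and the exit errno. Read that way, the records show httpd (uid 163, domain httpd_t) calling access(2) with W_OK on the fernet-keys directory, i.e. the write-permission check on the key repository, and being refused because the directory carries the generic etc_t label. The script also prints the kind of allow rule audit2allow would emit for such a denial; it is worth seeing because etc_t is the label of ordinary /etc content, so granting httpd_t write on etc_t is far broader than the problem. The thread does not state the intended label for the key repository, so the script only decodes and proposes no policy change. The syscall table is an assumption limited to x86_64 and a few file syscalls.</p>

```python
"""Decode SELinux AVC denials from a Linux audit log.

Added example (not from the thread or from Keystone): joins AVC records to
their SYSCALL records, decodes what the process actually attempted, and
shows the over-broad rule audit2allow would suggest for such a denial.
"""
import errno
import re
from collections import Counter

# Constructed sample input: the two denials quoted in the message above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1447271600.161:353): avc: denied { write } for pid=4616 comm="httpd" name="fernet-keys" dev="dm-1" ino=1706000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1447271600.161:353): arch=c000003e syscall=21 success=no exit=-13 a0=7f2ebf240b10 a1=2 a2=7f2ed1d1af88 a3=0 items=0 ppid=2714 pid=4616 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1447271602.313:354): avc: denied { write } for pid=4648 comm="httpd" name="fernet-keys" dev="dm-1" ino=1706000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1447271602.313:354): arch=c000003e syscall=21 success=no exit=-13 a0=7f2ebf60a4c0 a1=2 a2=7f2ed1d1af88 a3=0 items=0 ppid=2714 pid=4648 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

_HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")          # "{ write }" -> "write"
_KV = re.compile(r'(\w+)=("[^"]*"|\(null\)|\S+)')   # key=value pairs, quoted or bare

# Assumption: only x86_64 (arch=c000003e) and a handful of file syscalls are decoded.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 21: "access", 257: "openat"}
ACCESS_MODE_BITS = {4: "R_OK", 2: "W_OK", 1: "X_OK"}  # mode argument of access(2)


def parse_records(text):
    """Return one dict per audit record with its key=value fields and, for AVC, the permissions."""
    records = []
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue
        rec = {"type": m["type"], "serial": int(m["serial"]), "ts": float(m["ts"])}
        body = m["body"]
        if rec["type"] == "AVC":
            p = _PERMS.search(body)
            rec["perms"] = p.group(1).split() if p else []
            rec["denied"] = " denied " in f" {body} "
        for k, v in _KV.findall(body):
            rec[k] = v.strip('"')
        records.append(rec)
    return records


def correlate(records):
    """Join AVC and SYSCALL records that share an audit serial into one event dict."""
    by_serial = {}
    for rec in records:
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    events = []
    for serial, parts in sorted(by_serial.items()):
        avc, sc = parts.get("AVC"), parts.get("SYSCALL")
        if avc is None:
            continue
        ev = {
            "serial": serial,
            "perms": avc["perms"],
            "subject_type": avc["scontext"].split(":")[2],   # e.g. httpd_t
            "target_type": avc["tcontext"].split(":")[2],    # e.g. etc_t
            "tclass": avc["tclass"],
            "name": avc.get("name"),
            "comm": avc.get("comm"),
            "syscall": None, "errno": None, "uid": None,
        }
        if sc is not None:
            nr = int(sc["syscall"])
            ev["syscall"] = X86_64_SYSCALLS.get(nr, f"syscall_{nr}") if sc.get("arch") == "c000003e" else f"syscall_{nr}"
            ev["errno"] = errno.errorcode.get(-int(sc["exit"]), sc["exit"])  # exit=-13 -> EACCES
            ev["uid"] = int(sc["uid"])
            ev["exe"] = sc.get("exe")
            if ev["syscall"] == "access":
                # a1 is the hex-encoded mode argument; R_OK=4, W_OK=2, X_OK=1
                mode = int(sc["a1"], 16)
                ev["access_mode"] = [n for bit, n in ACCESS_MODE_BITS.items() if mode & bit]
        events.append(ev)
    return events


def explain(ev):
    """One-line human reading of a correlated denial."""
    what = ev["syscall"] or "unknown syscall"
    if ev.get("access_mode"):
        what += "(" + "|".join(ev["access_mode"]) + ")"
    return (f"{ev['comm']} (uid {ev['uid']}, domain {ev['subject_type']}) was denied "
            f"{' '.join(ev['perms'])} on {ev['tclass']} '{ev['name']}' labelled "
            f"{ev['target_type']}: {what} failed with {ev['errno']}")


def te_rule(ev):
    """The allow rule audit2allow would emit for this denial (shown so it can be judged, not applied blindly)."""
    return f"allow {ev['subject_type']} {ev['target_type']}:{ev['tclass']} {' '.join(ev['perms'])};"


def summarize(events):
    """Collapse repeated denials into (subject, target, class, perms) -> count."""
    return Counter((e["subject_type"], e["target_type"], e["tclass"], tuple(e["perms"])) for e in events)


if __name__ == "__main__":
    evs = correlate(parse_records(SAMPLE_AUDIT_LOG))
    for ev in evs:
        print(explain(ev))
    for key, n in summarize(evs).items():
        print(f"{n}x  {te_rule(evs[0])}   # etc_t is generic /etc content: too broad to allow")
```

<p>Run it as-is and it reports that both events are the same denial (httpd_t, etc_t, dir, write), that the syscall was access(2) with W_OK, and that the errno was EACCES; this is the write-permission check on the key repository failing under SELinux even though the DAC permissions shown earlier in the thread (drwx------ keystone:keystone) are fine. Treat the printed allow rule as a diagnostic, not a fix.</p>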