[Openstack-operators] Authentication problems with cinder

Juan José Pavlik Salles jjpavlik at gmail.com
Tue Apr 30 17:29:09 UTC 2013


Hi Jay, you are right, I'm trying to balance API calls with HAProxy. I
installed HAProxy on 172.19.136.1 and configured all the OpenStack services
to make the calls to that IP, then I use HAProxy to redirect the API calls
to the real API servers (172.19.136.10 and 172.19.136.11). This is my
configuration:

I have these 4 nodes:

172.19.136.245:
-Cinder

172.19.136.10:
-Keystone
-Glance (glance, api, registry)
-Nova (compute, scheduler, etc)

172.19.136.11:
-Keystone
-Glance (glance, api, registry)
-Nova (compute, scheduler, etc)

172.19.136.2 / 172.19.136.1:
-Quantum server
-RabbitMQ
-MySQL
-HAProxy (listening on 172.19.136.1 for all the API calls, and balancing
them to either 172.19.136.10 or 172.19.136.11; it also listens for Cinder
API calls and redirects them to 172.19.136.245)

I didn't change all the endpoints yet, but all of them should redirect to
172.19.136.1, maybe that's the problem. What do you think?

This configuration might look odd or strange, but I'm trying to build a
redundant and scalable cloud (like in this article
http://www.mirantis.com/blog/software-high-availability-load-balancing-openstack-cloud-api-servic/).
Thanks!!!

2013/4/30 Jay Pipes <jaypipes at gmail.com>

> On 04/29/2013 04:56 PM, Juan José Pavlik Salles wrote:
> > Hi, I have spent the last days trying to solve this problem. I can't
> > list my cinder volumes from my shell:
> >
> > root at locro:~# cinder --os-username=admin --os-tenant-name=admin
> > --os-password=XXX --os-auth-url=http://172.19.136.1:35357/v2.0 --debug
> > list
> >
> > REQ: curl -i http://172.19.136.1:35357/v2.0/tokens -X POST -H
> > "Content-Type: application/json" -H "Accept: application/json" -H
> > "User-Agent: python-cinderclient" -d '{"auth": {"tenantName": "admin",
> > "passwordCredentials": {"username": "admin", "password": "zGp05Nsa"}}}'
> >
> > RESP: [200] {'date': 'Mon, 29 Apr 2013 17:24:44 GMT', 'content-type':
> > 'application/json', 'content-length': '7096', 'vary': 'X-Auth-Token'}
> > RESP BODY: {"access": {"token": {"issued_at":
> > "2013-04-29T17:24:44.044013", "expires": "2013-04-30T17:24:43Z", "id":
> > "MIIMaQYJKoZIhvcNAQcC...", "tenant": {"description": null, "enabled":
> > true, "id": "6aa3bf1ab68040218873a782f90cffa7", "name": "admin"}},
> > "serviceCatalog": [{"endpoints": [{"adminURL":
> > "http://172.19.136.11:8774/v2/6aa3bf1ab68040218873a782f90cffa7",
> > "region": "RegionOne", "internalURL":
> > "http://172.19.136.10:8774/v2/6aa3bf1ab68040218873a782f90cffa7", "id":
> > "26178391275a42cfa3b786ab151c8f8a", "publicURL":
> > "http://172.19.136.11:8774/v2/6aa3bf1ab68040218873a782f90cffa7"}],
> > "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints":
> > [{"adminURL": "http://172.19.136.11:9696/", "region": "RegionOne",
> > "internalURL": "http://172.19.136.11:9696/", "id":
> > "1d0f394d83804ecaaa5ba708ccf0417b", "publicURL":
> > "http://172.19.136.11:9696/"}], "endpoints_links": [], "type":
> > "network", "name": "quantum"}, {"endpoints": [{"adminURL":
> > "http://172.19.136.10:9292/v2", "region": "RegionOne", "internalURL":
> > "http://172.19.136.11:9292/v2", "id":
> > "11f37a313bad47f28b846cb9b94d458c", "publicURL":
> > "http://172.19.136.11:9292/v2"}], "endpoints_links": [], "type":
> > "image", "name": "glance"}, {"endpoints": [{"adminURL":
> > "http://172.19.136.1:8776/v1/6aa3bf1ab68040218873a782f90cffa7",
> > "region": "RegionOne", "internalURL":
> > "http://172.19.136.1:8776/v1/6aa3bf1ab68040218873a782f90cffa7", "id":
> > "1ebe70478edd45d087263a4dc457f03a", "publicURL":
> > "http://172.19.136.1:8776/v1/6aa3bf1ab68040218873a782f90cffa7"}],
> > "endpoints_links": [], "type": "volume", "name": "cinder"},
> > {"endpoints": [{"adminURL": "http://172.19.136.11:8773/services/Admin",
> > "region": "RegionOne", "internalURL":
> > "http://172.19.136.10:8773/services/Cloud", "id":
> > "4fd5bcbee3584c2b883b08f22f81de54", "publicURL":
> > "http://172.19.136.10:8773/services/Cloud"}], "endpoints_links": [],
> > "type": "ec2", "name": "ec2"}, {"endpoints": [{"adminURL":
> > "http://172.19.136.10:8080/v1", "region": "RegionOne", "internalURL":
> > "http://172.19.136.11:8080/v1/AUTH_6aa3bf1ab68040218873a782f90cffa7",
> > "id": "65911114c36341a19006c328c6d0a2ae", "publicURL":
> > "http://172.19.136.10:8080/v1/AUTH_6aa3bf1ab68040218873a782f90cffa7"}],
> > "endpoints_links": [], "type": "object-store", "name": "swift"},
> > {"endpoints": [{"adminURL": "http://172.19.136.11:35357/v2.0", "region":
> > "RegionOne", "internalURL": "http://172.19.136.10:5000/v2.0", "id":
> > "0f9389d0485e4f2f9f7874c41181bd28", "publicURL":
> > "http://172.19.136.10:5000/v2.0"}], "endpoints_links": [], "type":
> > "identity", "name": "keystone"}], "user": {"username": "admin",
> > "roles_links": [], "id": "3f82673b5fe0411ab5fd8216bdb693c6", "roles":
> > [{"name": "KeystoneServiceAdmin"}, {"name": "KeystoneAdmin"}, {"name":
> > "admin"}], "name": "admin"}, "metadata": {"is_admin": 0, "roles":
> > ["6666fa99078a4f07a070e7e858c32f02", "36bba9ef0178448c8a654b75feb3a0f4",
> > "a25581dd3470460b91ecaa29eca7205c"]}}}
> >
> > REQ: curl -i
> > http://172.19.136.1:8776/v1/6aa3bf1ab68040218873a782f90cffa7/volumes/detail
> > -X GET -H "X-Auth-Project-Id: admin" -H "User-Agent:
> > python-cinderclient" -H "Accept: application/json" -H "X-Auth-Token:
> > MIIMaQYJKoZIhvcNAQcCo..."
> >
> > RESP: [401] {'date': 'Mon, 29 Apr 2013 17:24:44 GMT', 'content-length':
> > '276', 'content-type': 'text/plain; charset=UTF-8', 'www-authenticate':
> > "Keystone uri='http://172.19.136.1:35357'"}
> > RESP BODY: 401 Unauthorized
>
> From the above, the authentication URI that you are supplying to
> cinderclient is http://172.19.136.1:35357, which is not the same as what
> is returned in the service catalog above, which has the internalURL for
> the identity endpoint as http://172.19.136.10:5000/v2.0.
>
> Is this intended?
>
> -jay



-- 
Pavlik Juan José
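
Added example, not part of the original message: a check for the mismatch discussed above, listing every service catalog URL that still points at a backend instead of the HAProxy address 172.19.136.1. The function names are illustrative, and the sample is the token response from the debug output trimmed to three services.

```python
import json
from urllib.parse import urlsplit

TENANT = "6aa3bf1ab68040218873a782f90cffa7"  # tenant id from the debug output
# Constructed sample: the token response above trimmed to three services,
# keeping the endpoint URLs exactly as the catalog returned them.
SAMPLE_TOKEN_RESPONSE = json.dumps({"access": {"serviceCatalog": [
    {"name": "nova", "type": "compute", "endpoints": [{
        "adminURL": f"http://172.19.136.11:8774/v2/{TENANT}",
        "internalURL": f"http://172.19.136.10:8774/v2/{TENANT}",
        "publicURL": f"http://172.19.136.11:8774/v2/{TENANT}"}]},
    {"name": "cinder", "type": "volume", "endpoints": [{
        "adminURL": f"http://172.19.136.1:8776/v1/{TENANT}",
        "internalURL": f"http://172.19.136.1:8776/v1/{TENANT}",
        "publicURL": f"http://172.19.136.1:8776/v1/{TENANT}"}]},
    {"name": "keystone", "type": "identity", "endpoints": [{
        "adminURL": "http://172.19.136.11:35357/v2.0",
        "internalURL": "http://172.19.136.10:5000/v2.0",
        "publicURL": "http://172.19.136.10:5000/v2.0"}]},
]}})


def catalog_urls(token_response):
    """Yield (service, kind, url) for every URL in a v2.0 serviceCatalog."""
    for service in token_response["access"]["serviceCatalog"]:
        for endpoint in service.get("endpoints", []):
            for kind in ("publicURL", "internalURL", "adminURL"):
                if endpoint.get(kind):
                    yield service["name"], kind, endpoint[kind]


def audit_catalog(token_response, vip):
    """Return the catalog URLs whose host is not the load balancer address."""
    return [(name, kind, url) for name, kind, url in catalog_urls(token_response)
            if urlsplit(url).hostname != vip]


def hosts_per_service(token_response):
    """Map each service name to the set of hosts its URLs point at."""
    hosts = {}
    for name, _kind, url in catalog_urls(token_response):
        hosts.setdefault(name, set()).add(urlsplit(url).hostname)
    return hosts


if __name__ == "__main__":
    response = json.loads(SAMPLE_TOKEN_RESPONSE)
    for name, kind, url in audit_catalog(response, vip="172.19.136.1"):
        print(f"{name:9} {kind:12} {url}")
```

On this sample only the cinder entries go through the proxy; nova and keystone each resolve to both 172.19.136.10 and 172.19.136.11 depending on which URL kind a client picks.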