[Openstack-operators] Keystone upgrade issues

Jonathan Proulx jon at csail.mit.edu
Thu Aug 25 14:55:51 UTC 2016

Hi All,

working on testing our Kilo-> Mitaka keystone upgrade, and I've
clearly missied something I need to do or undo.

After DB migration and the edits I belive are required to paste and
conf files I can get tokens (using password auth) but it won't seem to
accept them (for example with an admin user I get 'action requires
authorization' errors when trying to show users )

Current setup is pretty simple and past upgrades of keystone have been
super easy, so other that reread and recheck not sure where I should
focus my attention.

fernet tokens 
mysql local users
Ubuntu 14.04 cloud archive packages 

This is what I can see with --debug the client (both
python-keystoneclient and python-openstackclient) after getting the
initial auth token through password exchange:

REQ: curl -g -i -X GET https://controller:35358/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}<redacted>"
"GET /v2.0/users HTTP/1.1" 401 114
RESP: [401] Content-Length: 114 Vary: X-Auth-Token Keep-Alive: timeout=5 Server: Apache/2.4.7 (Ubuntu) Connection: Keep-Alive Date: Thu, 25 Aug 2016 14:41:26 GMT WWW-Authenticate: Keystone uri="https://nimbus.csail.mit.edu:35358" Content-Type: application/json X-Distribution: Ubuntu 
RESP BODY: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

(v3 requests are similar modulo API differences)

Keysote.log in debug mode issues a couple deprecation warnings but no
errors (http://pastebin.com/WriB6u6i).  Not this log is for the same
event but response is UTC where log is local time (-0400)

Any pointer to where I should focus my investigations woudl be most
welcome :)


More information about the OpenStack-operators mailing list