[Openstack] Enabling logging in keystone.

Dolph Mathews dolph.mathews at gmail.com
Tue Oct 2 22:54:58 UTC 2012


Feel free to file a bug -- I'm reviewing the document right now.


http://docs.openstack.org/trunk/openstack-compute/install/apt/content/verifying-identity-install.html

As for the invalid tenant message, I'm guessing you don't have any roles
granted to "adminUser" on that tenant. Checkout the user-role-add command:

    $ keystone help user-role-add

You might also try the other tenant returned by tenant-list.

-Dolph


On Tue, Oct 2, 2012 at 5:48 PM, Ahmed Al-Mehdi <ahmed at coraid.com> wrote:

>   Hi Anne,
>
>  Thank you for pointing that out. I noticed the "adminTenant" string in
> the curl command, and it did bother me a bit, but I did not pursue it due
> to lack of experience with curl / Rest API / OpenStack but looking, I
> should have known better. Can this be addressed in the "Deploy and
> Install OpenStack - Red Hat Ubuntu" document, as I am sure others might
> be running into the same issue. Do I need to file a bug against
> documentation or email someone specifically.
>
> After making the change in the curl command, I am now getting a different
> error message:
>
> #> keystone --token 012345SECRET99TOKEN012345 --endpoint
> http://10.0.2.15:35357/v2.0 tenant-list
> +----------------------------------+---------------+---------+
> | id | name | enabled |
> +----------------------------------+---------------+---------+
> | 07a44f9d55694d638f41bc160c14b42e | openstackDemo | True |
> | 0e4cc20586ae42329db51e0c6f807731 | service | True |
> +----------------------------------+---------------+---------+
>
> #> curl -d '{"auth": {"tenantName": "service", "passwordCredentials":
> {"username": "adminUser", "password": "secretword"}}}' -H "Content-type:
> application/json" http://10.0.2.15:35357/v2.0/tokens | python -mjson.tool
>    % Total    % Received % Xferd  Average Speed   Time    Time     Time
> Current
>                                  Dload  Upload   Total   Spent    Left
> Speed
> 100   191    0    80  100   111    346    480 --:--:-- --:--:-- --:--:--
> 497
> {
>     "error": {
>         "code": 401,
>         "message": "Invalid tenant",
>         "title": "Not Authorized"
>     }
> }
>
>  Thank you,
> Ahmed.
>
>   ------------------------------
> *From:* annegentle at justwriteclick.com [annegentle at justwriteclick.com] On
> Behalf Of Anne Gentle [anne at openstack.org]
> *Sent:* Tuesday, October 02, 2012 1:26 PM
> *To:* Ahmed Al-Mehdi
> *Cc:* Dolph Mathews; openstack at lists.launchpad.net
>
> *Subject:* Re: [Openstack] Enabling logging in keystone.
>
>  Hi Ahmed -
>
> I believe you don't have a tenant named "adminTenant" - possibly try this?
>
> curl -d '{"auth": {"tenantName": "service", "passwordCredentials":
> {"username": "adminUser", "password": "secretword"}}}' -H "Content-type:
> application/json" http://10.0.2.15:35357/v2.0/tokens | python -mjson.tool
>
> Also, you can run keystone with the --debug parameter to see the curl
> output like so:
> keystone --debug --token
> 012345SECRET99TOKEN012345 --endpoint http://10.0.2.15:35357/v2.0tenant-list
>
> Generally, yes, you need to ensure keystone is working correctly before
> installing glance and nova (they require keystone), so you're correct to
> keep trying.
>
> Anne
>
> On Tue, Oct 2, 2012 at 3:09 PM, Ahmed Al-Mehdi <ahmed at coraid.com> wrote:
>
>>  Hi Dolph,
>>
>> Very sorry about that.  With the correct token, calling keystone from
>> the cli is working.    However, the curl command is failing.  Will this
>> cause an issue down the line as I start to install glance and nova?
>>
>>
>> #> keystone --token 012345SECRET99TOKEN012345 --endpoint
>> http://10.0.2.15:35357/v2.0 tenant-list
>> +----------------------------------+---------------+---------+
>> |                id                |      name     | enabled |
>> +----------------------------------+---------------+---------+
>> | 07a44f9d55694d638f41bc160c14b42e | openstackDemo |   True  |
>> | 0e4cc20586ae42329db51e0c6f807731 |    service    |   True  |
>> +----------------------------------+---------------+---------+
>>  #> curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":
>> {"username": "adminUser", "password": "secretword"}}}' -H "Content-type:
>> application/json" http://10.0.2.15:35357/v2.0/tokens | python
>> -mjson.tool
>>
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time
>> Current
>>                                  Dload  Upload   Total   Spent    Left
>> Speed
>>  100   231    0   116  100   115   2771   2747 --:--:-- --:--:--
>> --:--:--  3052
>>
>> {
>>     "error": {
>>         "code": 401,
>>         "message": "The request you have made requires authentication.",
>>         "title": "Not Authorized"
>>     }
>> }
>>
>> Regards,
>> Ahmed.
>>
>>
>>  ------------------------------
>>  *From:* Dolph Mathews [dolph.mathews at gmail.com]
>> *Sent:* Tuesday, October 02, 2012 12:12 PM
>> *To:* Ahmed Al-Mehdi
>> *Cc:* heckj; openstack at lists.launchpad.net
>>
>> *Subject:* Re: [Openstack] Enabling logging in keystone.
>>
>>   You're missing a "5" on the admin_token you've specified on the
>> command line.
>>
>>  012345SECRET99TOKEN01234 (your CLI arg)
>> 012345SECRET99TOKEN012345 (keystone.conf)
>>
>>  -Dolph
>>
>>
>> On Tue, Oct 2, 2012 at 1:08 PM, Ahmed Al-Mehdi <ahmed at coraid.com> wrote:
>>
>>> Hi Joe,
>>>
>>> I have put the conf file (renamed to ahmed_keystone.conf)  into gist.
>>>
>>> git://gist.github.com/3821846.git
>>>
>>> Please let me know if you have any issues accessing the file.
>>>
>>> Thank you very much for helping me out.  I have a feeling the issue
>>> might be in the python script to populate keystone. When I previously input
>>> the data manually, I got keystone configured properly.
>>>
>>> Regards,
>>> Ahmed.
>>>
>>>
>>> ________________________________________
>>> From: heckj [heckj at mac.com]
>>>  Sent: Tuesday, October 02, 2012 10:56 AM
>>>  To: Ahmed Al-Mehdi
>>> Cc: openstack at lists.launchpad.net
>>> Subject: Re: [Openstack] Enabling logging in keystone.
>>>
>>> Ahmed - can you put your keystone.conf into a paste or gist and share
>>> it with me? I'd be happy to help you debug this.
>>>
>>> I'm assuming you're running keystone on the system with the IP address
>>> 10.0.2.15, correct?
>>>
>>> -joe
>>>
>>> On Oct 2, 2012, at 10:45 AM, Ahmed Al-Mehdi <ahmed at coraid.com> wrote:
>>>
>>> > Hi Joe,
>>> >
>>> > I noticed I did not put the port number in the URL, now I am getting a
>>> more meaningful error:
>>> >
>>> > #> keystone --token 012345SECRET99TOKEN01234 --endpoint
>>> http://10.0.2.15:35357/v2.0  tenant-list
>>> > No handlers could be found for logger "keystoneclient.client"
>>> > Unable to authorize user
>>> >
>>> > Regards,
>>> > Ahmed.
>>> >
>>> > ________________________________________
>>> > From: openstack-bounces+ahmed=coraid.com at lists.launchpad.net[openstack-bounces+ahmed
>>> =coraid.com at lists.launchpad.net] On Behalf Of Ahmed Al-Mehdi [
>>> ahmed at coraid.com]
>>> > Sent: Tuesday, October 02, 2012 10:30 AM
>>> > To: heckj
>>> > Cc: openstack at lists.launchpad.net
>>> > Subject: Re: [Openstack] Enabling logging in keystone.
>>> >
>>> > Hi Joe,
>>> >
>>> > Unfortunately before I read your response I re-installed my Ubuntuserver.  I repeated the same steps mentioned in the OpenStackdocument "Deploy and Install OpenStack- RedHatUbuntu"
>>> and also used the script mentioned in it  (
>>> https://github.com/nimbis/keystone-init/blob/master/keystone-init.py)
>>> to populate keystone.  I reboot the server prior to running your suggested
>>> command and now running into a different issue, which I feel maybe due to
>>> not starting some service.  Btw, my host OS is Ubuntu 12.04 (32 bit)
>>> running inVirtualBox.
>>> >
>>> > Currently I am getting the following error:
>>> >
>>> > #> keystone --token 012345SECRET99TOKEN01234 --endpoint
>>> http://10.0.2.15/v2.0 tenant-list
>>> > No handlers could be found for logger "keystoneclient.client"
>>> > Unable to communicate with identity service: [Errno 111] Connection
>>> refused. (HTTP 400)
>>> >
>>> > How can I address the "logger" error.  I don't see any output sent to
>>> /var/log/keystone/keystone.log.
>>> >
>>> > I checked mysql and keystone is running:
>>> >
>>> > #> service keystone status
>>> > keystone start/running, process 741
>>> > #> ps aux | grep key
>>> > keystone   741  0.0  0.0   3028  1184 ?        Ss   09:41   0:00 su-s /bin/sh-c exec keystone-all keystone
>>> > keystone   760  0.1  1.0  30872 21696 ?        S    09:41   0:01 /usr/bin/python
>>> /usr/bin/keystone-all
>>> > root      1726  0.0  0.0   4388   828 tty1     S+   09:56   0:00 grep--color=auto key
>>> >
>>> > Thank you,
>>> > Ahmed.
>>> >
>>> >
>>> > ________________________________________
>>> > From: heckj [heckj at mac.com]
>>> > Sent: Monday, October 01, 2012 5:47 PM
>>> > To: Ahmed Al-Mehdi
>>> > Cc: openstack at lists.launchpad.net
>>> > Subject: Re: [Openstack] Enabling logging in keystone.
>>> >
>>> > Can you invoke the keystone commands with --token and --endpoint?
>>> That's the same thing as what you're trying to do with curl, but using
>>> the CLI to do the hard work of making sure you get the header's all
>>> nailed down correctly.
>>> >
>>> > Some good ones to try are:
>>> > (using your example "token" and "endpoint" from below - modify if they
>>> don't match your config)
>>> >
>>> >        keystone --token ahmedadmintoken --endpoint
>>> http://10.176.20.158:35357/v2.0 tenant-list
>>> >        keystone --token ahmedadmintoken --endpoint
>>> http://10.176.20.158:35357/v2.0 user-list
>>> >        keystone --token ahmedadmintoken --endpoint
>>> http://10.176.20.158:35357/v2.0 service-list
>>> >        keystone --token ahmedadmintoken --endpoint
>>> http://10.176.20.158:35357/v2.0 role-list
>>> >
>>> > All of these should report back *without* errors, even if you haven't
>>> bootstrapped Keystone to include any services, tenants, users, or roles.
>>> >
>>> > You can also add "--debug" (as in keystone --debug
>>> --token ahmedadmintoken --endpoint http://10.176.20.158:35357/v2.0user-list) to see the underlying HTTP protocol going back and forth and
>>> what's getting sent to Keystone.
>>> >
>>> > -joe
>>> >
>>> > On Oct 1, 2012, at 5:30 PM, Ahmed Al-Mehdi <ahmed at coraid.com> wrote:
>>> >> Actually, the curl command with the "X_Auth_Token" is my weak
>>> attempt to try to find a solution.  I am actually issuing the following
>>> command (per recommendation from the OpenStack document - "Install and
>>> Deploy Manual – Red Hat Ubuntu"):
>>> >>
>>> >> root at bodega:~# curl -d '{"auth": {"tenantName": "adminTenant",
>>> "passwordCredentials": {"username": "adminUser", "password": "secretword"}}}'
>>> -H "Content-type: application/json" -H "X_Auth_Token: ahmedadmintoken"
>>> http://10.176.20.158:35357/v2.0/tokens | python -mjson.tool
>>> >>  % Total    % Received % Xferd  Average Speed   Time    Time     Time
>>>   Current
>>> >>                                 Dload  Upload   Total   Spent
>>>  Left  Speed
>>> >> 100   231    0   116  100   115  12927  12816 --:--:-- --:--:--
>>> --:--:-- 14500
>>> >> {
>>> >>    "error": {
>>> >>        "code": 401,
>>> >>        "message": "The request you have made requires
>>> authentication.",
>>> >>        "title": "Not Authorized"
>>> >>    }
>>> >> }
>>> >>
>>> >> Regards,
>>> >> Ahmed.
>>> >>
>>> >>
>>> >> From: heckj <heckj at mac.com>
>>> >> Date: Monday, October 1, 2012 5:23 PM
>>> >> To: Ahmed Al-Mehdi <ahmed at coraid.com>
>>> >> Cc: "openstack at lists.launchpad.net" <openstack at lists.launchpad.net>
>>> >> Subject: Re: [Openstack] Enabling logging in keystone.
>>> >>
>>> >> Ahmed -
>>> >>
>>> >> The header that's supposed to have the token within it is labelled"X-Auth-Token', not "X_Auth_Token".
>>>  Unless you're really comfortable with the protocol, I'd recommend using
>>> the keystone CLI from the python-keystoneclient to do your verifying,
>>> using it's debugging (which is to show you the curl output that you did
>>> below).
>>> >>
>>> >> -joe
>>> >>
>>> >> On Oct 1, 2012, at 5:12 PM, Ahmed Al-Mehdi <ahmed at coraid.com> wrote:
>>> >>> Hello,
>>> >>>
>>> >>> I am trying to verify the installation of keystone.  When I try to
>>> run some "curl" commands, I get the following error message:
>>> >>>
>>> >>> root at bodega:~/ahmed/keystone-init# curl -d '{"auth": {"tenantName":
>>> "adminTenant", "passwordCredentials": {"username": "adminUser",
>>> "password": "secretword"}}}' -H "Content-type: application/json" -H
>>> "X_Auth_Token: ahmedadmintoken" http://10.176.20.158:35357/v2.0/tokens| python -mjson.tool
>>> >>>  % Total    % Received % Xferd  Average Speed   Time    Time
>>>      Time  Current
>>> >>>                                 Dload  Upload   Total   Spent
>>>  Left  Speed
>>> >>> 100   231    0   116  100   115  15205  15074 --:--:-- --:--:--
>>> --:--:-- 16571
>>> >>> {
>>> >>>    "error": {
>>> >>>        "code": 401,
>>> >>>        "message": "The request you have made requires
>>> authentication.",
>>> >>>        "title": "Not Authorized"
>>> >>>    }
>>> >>> }
>>> >>>
>>> >>>
>>> >>> I don't see any message in the /var/log/keystone/logging.conf file.
>>>   I can pass "-debug" option to keystone to enable debugging, but I am not
>>> sure how to do that from curl.  Following is content of
>>> /etc/keystone/logging.conf file:
>>> >>>
>>> >>> root at bodega:~# cat /etc/keystone/logging.conf
>>> >>> [loggers]
>>> >>> keys=root
>>> >>>
>>> >>> [formatters]
>>> >>> keys=normal,normal_with_name,debug
>>> >>>
>>> >>> [handlers]
>>> >>> keys=production,file,devel
>>> >>>
>>> >>> [logger_root]
>>> >>> level=WARNING
>>> >>> handlers=file
>>> >>>
>>> >>> [handler_production]
>>> >>> class=handlers.SysLogHandler
>>> >>> level=ERROR
>>> >>> formatter=normal_with_name
>>> >>> args=(('localhost', handlers.SYSLOG_UDP_PORT),
>>> handlers.SysLogHandler.LOG_USER)
>>> >>>
>>> >>> [handler_file]
>>> >>> class=FileHandler
>>> >>> level=DEBUG
>>> >>> formatter=normal_with_name
>>> >>> args=('/var/log/keystone/keystone.log', 'a')
>>> >>>
>>> >>> [handler_devel]
>>> >>> class=StreamHandler
>>> >>> level=NOTSET
>>> >>> formatter=debug
>>> >>> args=(sys.stdout,)
>>> >>>
>>> >>> [formatter_normal]
>>> >>> format=%(asctime)s %(levelname)s %(message)s
>>> >>>
>>> >>> [formatter_normal_with_name]
>>> >>> format=(%(name)s): %(asctime)s %(levelname)s %(message)s
>>> >>>
>>> >>> [formatter_debug]
>>> >>> format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s
>>> %(message)s
>>> >>> root at bodega:~#
>>> >>>
>>> >>> Any help would be greatly appreciated.
>>> >>>
>>> >>> Regards,
>>> >>> Ahmed.
>>> >>>
>>> >>>
>>> >>>
>>> >>> _______________________________________________
>>> >>> Mailing list: https://launchpad.net/~openstack
>>> >>> Post to     : openstack at lists.launchpad.net
>>> >>> Unsubscribe : https://launchpad.net/~openstack
>>> >>> More help   : https://help.launchpad.net/ListHelp
>>> >>
>>> > _______________________________________________
>>> > Mailing list: https://launchpad.net/~openstack
>>> > Post to     : openstack at lists.launchpad.net
>>> > Unsubscribe : https://launchpad.net/~openstack
>>> > More help   : https://help.launchpad.net/ListHelp
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to     : openstack at lists.launchpad.net
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack at lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20121002/c4973b0a/attachment.html>


More information about the Openstack mailing list