[Openstack] Enabling logging in keystone.

Anne Gentle anne at openstack.org
Wed Oct 3 00:19:35 UTC 2012 

Comments below. With an "I object." :)

On Tue, Oct 2, 2012 at 6:50 PM, Dolph Mathews <dolph.mathews at gmail.com>wrote:

> I find it odd that the document describes two approaches for configuring
> keystone -- one being a relatively undocumented, scripted approach not
> managed or distributed by OpenStack. Surely these two approaches will
> continue to evolve seperately and we'll experience more issues such as this
> one.
>
> Anyone have any objections to removing this "scripted configuration"
> section in favor of focusing on the existing "manual" approach?
>

Sorry, I have to object after watching this page and the scripts evolve
over the last 9-12 months. There just has to be a scripted option and I
agree it needs to be tested and maintained. I'm fine with having the
keystone script be the documented one. For a while though the scripts were
populating templated catalogs (files) not populating the database.

I think the best fix is to:
 - ensure scripts have exactly the documented names of tenants, users, etc.
 - patch the doc to use only the names in the script and manual in the
verification step.

Doc bug logged here describing the work needing done:
https://bugs.launchpad.net/openstack-manuals/+bug/1060536



>
> http://docs.openstack.org/trunk/openstack-compute/install/apt/content/setting-up-tenants-users-and-roles.html
>
> -Dolph
>
>
> On Tue, Oct 2, 2012 at 6:42 PM, Ahmed Al-Mehdi <ahmed at coraid.com> wrote:
>
>>   Hi Dolph,
>>
>>  I am now getting the same output as the "curl" command, basically
>> "Invalid Tenant". At this point
>>
>> root at ubuntu1:~# keystone --os-username=adminUser --os-password=secretword--os-tenant-name=service
>> --os-auth-url=http://10.0.
>> 2.15:35357/v2.0 token-get
>>
>> No handlers could be found for logger "keystoneclient.client"
>> Invalid tenant (HTTP 401)
>>
>> Without the "os-tenant-name" parameter, I seem to get "good' response.
>>
>> root at ubuntu1:~# keystone --os-username=adminUser --os-password=secretword--os
>> -auth-url=http://10.0.2.15:35357/v2.0 token-get
>> No handlers could be found for logger "keystoneclient.v2_0.client"
>> +----------+----------------------------------+
>> | Property | Value |
>> +----------+----------------------------------+
>> | expires | 2012-10-03T23:31:17Z |
>> | id | 31078072aae94f5aab5c8e46ff5f6373 |
>> | user_id | 3e674f7f64ba452cb20781b8d5e26b7f |
>> +----------+----------------------------------+
>>  At this point, I feel like I am running into issues with/in the python
>> / PyYAML script (https://github.com/nimbis/keystone-init.git) which must
>> not be populating info into keystone "accurately" and most probably not
>> equivalent to manual steps mentioned in "Deploy and Install OpenStack -
>> Red Hat Ubuntu". I will look into the script.
>>
>>  Regards,
>> Ahmed.
>>
>>  ------------------------------
>> *From:* Dolph Mathews [dolph.mathews at gmail.com]
>> *Sent:* Tuesday, October 02, 2012 2:19 PM
>>
>> *To:* Ahmed Al-Mehdi
>> *Cc:* heckj; openstack at lists.launchpad.net
>> *Subject:* Re: [Openstack] Enabling logging in keystone.
>>
>>  No worries, that's what a second set of eyes is for!
>>
>>  By specifying a token and endpoint, you're bypassing the authentication
>> process that your curl command is performing.
>>
>>  You can test authentication with the keystone client using:
>>
>>  $ keystone --os-username=adminUser --os-password=secretword
>> --os-tenant-name=adminTenant --os-authurl=http://10.0.2.15:35357/v2.0<http://10.0.2.15:35357/v2.0/tokens>
>>  token-get
>>
>>  But as Anne pointed out, you don't have a tenant named "adminTenant".
>> You'll also need to make sure you've granted a role to your user on the
>> specified tenant for authorization to succeed. You can remove the tenant
>> name argument from the token-get call to test authentication without
>> authorization (therefore without requiring anything but a valid user in
>> your keystone install).
>>
>>  -Dolph
>>
>> On Tuesday, October 2, 2012, Ahmed Al-Mehdi wrote:
>>
>>>  Hi Dolph,
>>>
>>> Very sorry about that.  With the correct token, calling keystone from
>>> the cli is working.    However, the curl command is failing.  Will this
>>> cause an issue down the line as I start to install glance and nova?
>>>
>>>
>>> #> keystone --token 012345SECRET99TOKEN012345 --endpoint
>>> http://10.0.2.15:35357/v2.0 tenant-list
>>> +----------------------------------+---------------+---------+
>>> |                id                |      name     | enabled |
>>> +----------------------------------+---------------+---------+
>>> | 07a44f9d55694d638f41bc160c14b42e | openstackDemo |   True  |
>>> | 0e4cc20586ae42329db51e0c6f807731 |    service    |   True  |
>>> +----------------------------------+---------------+---------+
>>>  #> curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":
>>> {"username": "adminUser", "password": "secretword"}}}' -H
>>> "Content-type: application/json" http://10.0.2.15:35357/v2.0/tokens |
>>> python -mjson.tool
>>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time
>>> Current
>>>                                  Dload  Upload   Total   Spent    Left
>>> Speed
>>> 100   231    0   116  100   115   2771   2747 --:--:-- --:--:--
>>> --:--:--  3052
>>> {
>>>     "error": {
>>>         "code": 401,
>>>         "message": "The request you have made requires authentication.",
>>>         "title": "Not Authorized"
>>>     }
>>> }
>>>
>>> Regards,
>>> Ahmed.
>>>
>>>
>>>  ------------------------------
>>>  *From:* Dolph Mathews [dolph.mathews at gmail.com<https://exg5.exghost.com/owa/UrlBlockedError.aspx>
>>> ]
>>> *Sent:* Tuesday, October 02, 2012 12:12 PM
>>> *To:* Ahmed Al-Mehdi
>>> *Cc:* heckj; openstack at lists.launchpad.net<https://exg5.exghost.com/owa/UrlBlockedError.aspx>
>>> *Subject:* Re: [Openstack] Enabling logging in keystone.
>>>
>>>  You're missing a "5" on the admin_token you've specified on the
>>> command line.
>>>
>>>  012345SECRET99TOKEN01234 (your CLI arg)
>>> 012345SECRET99TOKEN012345 (keystone.conf)
>>>
>>>  -Dolph
>>>
>>>
>>> On Tue, Oct 2, 2012 at 1:08 PM, Ahmed Al-Mehdi <ahmed at coraid.com> wrote:
>>>
>>> Hi Joe,
>>>
>>> I have put the conf file (renamed to ahmed_keystone.conf)  into gist.
>>>
>>> git://gist.github.com/3821846.git
>>>
>>> Please let me know if you have any issues accessing the file.
>>>
>>> Thank you very much for helping me out.  I have a feeling the issue
>>> might be in the python script to populate keystone. When I previously input
>>> the data manually, I got keystone configured properly.
>>>
>>> Regards,
>>> Ahmed.
>>>
>>>
>>> ________________________________________
>>> From: heckj [heckj at mac.com]
>>>  Sent: Tuesday, October 02, 2012 10:56 AM
>>>  To: Ahmed Al-Mehdi
>>> Cc: openstack at lists.launchpad.net
>>> Subject: Re: [Openstack] Enabling logging in keystone.
>>>
>>> Ahmed - can you put your keystone.conf into a paste or gist and share
>>> it with me? I'd be happy to help you debug this.
>>>
>>> I'm assuming you're running keystone on the system with the IP address
>>> 10.0.2.15, correct?
>>>
>>> -joe
>>>
>>> On Oct 2, 2012, at 10:45 AM, Ahmed Al-Mehdi <ahmed at coraid.com> wrote:
>>>
>>> > Hi Joe,
>>> >
>>> > I noticed I did not put the port number in the URL, now I am getting a
>>> more meaningful error:
>>> >
>>> > #> keystone --token 012345SECRET99TOKEN01234 --endpoint
>>> http://10.0.2.15:35357/v2.0  tenant-list
>>> > No handlers could be found for logger "keystoneclient.client"
>>> > Unable to authorize user
>>> >
>>> > Regards,
>>> > Ahmed.
>>> >
>>> > ________________________________________
>>> > From: openstack-bounces+ahmed=coraid.com at lists.launchpad.net[openstack-bounces+ahmed
>>> =coraid.com at lists.launchpad.net] On Behalf Of Ahmed Al-Mehdi [
>>> ahmed at coraid.com]
>>> > Sent: Tuesday, October 02, 2012 10:30 AM
>>> > To: heckj
>>> > Cc: openstack at lists.launchpad.net
>>> > Subject: Re: [Openstack] Enabling logging in keystone.
>>> >
>>> > Hi Joe,
>>> >
>>> > Unfortunately before I read your response I re-installed my Ubuntuserver.  I repeated the same steps mentioned in the OpenStackdocument "Deploy and Install OpenStack- RedHatUbuntu"
>>> and also used the script mentioned in it  (
>>> https://github.com/nimbis/keystone-init/blob/master/keystone-init.py)
>>> to populate keystone.  I reboot the server prior to running your suggested
>>> command and now running into a different issue, which I feel maybe due to
>>> not starting some service.  Btw, my host OS is Ubuntu 12.04 (32 bit)
>>> running inVirtualBox.
>>> >
>>> > Currently I am getting the following error:
>>> >
>>> > #> keystone --token 012345SECRET99TOKEN01234 --endpoint
>>> http://10.0.2.15/v2.0 tenant-lis
>>>
>>>
>>
>> --
>>
>>  -Dolph
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20121002/5e41adbc/attachment.html>

More information about the Openstack mailing list