[Openstack] Glance authentication/authorisation error.

Adam Clark clark.adam.p at gmail.com
Mon Apr 7 07:14:32 UTC 2014


Hi all,
  I am slowly putting my OpenStack deployment together and have run into an
issue with Glance and Keystone.

If I set my paste_deploy flavour to empty, Glance works perfectly fine.  I
can upload and list images.

Keystone-related options in glance-api.conf:
[keystone_authtoken]
auth_host = localhost
auth_port = 35357
auth_protocol = http
admin_tenant_name = services
admin_user = glance
admin_password = glance_password
auth_uri=http://api.openstack.home:5000/

[paste_deploy]
flavor=keystone

Keystone-related options in glance-api-paste.ini:
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
delay_auth_decision = true
auth_host=api01.openstack.home
admin_user=glance
admin_tenant_name=services
admin_password=glance_password


I only added the auth_host and admin_* in glance-api-paste.ini after
reading the Havana documentation.

I know my glance credentials are fine as they work fine with the keystone
client:
openstack@admin:~$ keystone --os-username glance --os-password glance_password --os-tenant-name services user-list
+----------------------------------+--------+---------+------------------------+
|                id                |  name  | enabled |         email          |
+----------------------------------+--------+---------+------------------------+
| 6cf5d29c132949679f730dd9a4ccdf75 | admin  |   True  | clark.adam.p@gmail.com |
| d29b9eeb8321427a9f5eed9dfb495ed1 | glance |   True  |    glance@localhost    |
| a0ffc44433314c71bc9bfb979045735d |  test  |   True  |    test@example.com    |
+----------------------------------+--------+---------+------------------------+

But when I use the same against glance with my flavor=keystone I get:
openstack@admin:~$ glance --os-username glance --os-password glance_password --os-tenant-name services image-list
Request returned failure status.
Invalid OpenStack Identity credentials.


And the associated api log entries are:
2014-04-07 17:10:46.866 15375 DEBUG keystoneclient.middleware.auth_token [-] Authenticating user token __call__ /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:526
2014-04-07 17:10:46.867 15375 DEBUG keystoneclient.middleware.auth_token [-] Removing headers from request environment: X-Identity-Status,X-Domain-Id,X-Domain-Name,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-User-Id,X-User-Name,X-User-Domain-Id,X-User-Domain-Name,X-Roles,X-Service-Catalog,X-User,X-Tenant-Id,X-Tenant-Name,X-Tenant,X-Role _remove_auth_headers /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:585
2014-04-07 17:10:46.918 15375 DEBUG keystoneclient.middleware.auth_token [-] Token expired a 2014-04-07T08:10:46Z _confirm_token_not_expired /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:1024
2014-04-07 17:10:46.919 15375 DEBUG keystoneclient.middleware.auth_token [-] Token validation failure. _validate_user_token /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:790
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token Traceback (most recent call last):
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token   File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 782, in _validate_user_token
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token     expires = self._confirm_token_not_expired(data)
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token   File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 1025, in _confirm_token_not_expired
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token     raise InvalidUserToken('Token authorization failed')
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token InvalidUserToken: Token authorization failed
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token
2014-04-07 17:10:46.919 15375 DEBUG keystoneclient.middleware.auth_token [-] Marking token <token removed for clarity> as unauthorized in memcache _cache_store_invalid /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:1043
2014-04-07 17:10:46.920 15375 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token <token removed for clarity>
2014-04-07 17:10:46.920 15375 INFO keystoneclient.middleware.auth_token [-] Invalid user token - deferring reject downstream

My time between all of my hosts is synced, and token expiry is well past
(my time zone is +10 hours):
root@api01:~# date  --utc
Mon Apr  7 07:10:54 UTC 2014

I'm pretty sure I have all my keystone config options correct.

Cheers

Adam
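
A check on the timestamps in the log above, as an added example that is not part of the original post and is not keystoneclient code: it parses the "Token expired" line and compares the token's expiry with the log time read two ways, as UTC+10 local time (the zone stated in the post) and as if it were already UTC. The function name, the regex and the LOG constant are hypothetical; the log lines are copied from the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Two lines copied from the API log in the post (each rejoined onto one line).
LOG = """\
2014-04-07 17:10:46.918 15375 DEBUG keystoneclient.middleware.auth_token [-] Token expired a 2014-04-07T08:10:46Z _confirm_token_not_expired /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:1024
2014-04-07 17:10:46.919 15375 DEBUG keystoneclient.middleware.auth_token [-] Token validation failure. _validate_user_token /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:790
"""

EXPIRED_RE = re.compile(
    r"^(?P<logged>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ .*"
    r"Token expired a (?P<expires>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)"
)


def check_expiry_lines(log_text, utc_offset_hours):
    """Return one finding per 'Token expired' line in log_text.

    Assumption: the timestamp at the start of each log line is local
    wall-clock time at the given UTC offset.
    """
    offset = timedelta(hours=utc_offset_hours)
    findings = []
    for line in log_text.splitlines():
        m = EXPIRED_RE.match(line)
        if not m:
            continue  # not an expiry message
        wall = datetime.strptime(m.group("logged"), "%Y-%m-%d %H:%M:%S")
        expires = datetime.strptime(
            m.group("expires"), "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        # Reading 1: convert the local wall-clock time to real UTC.
        now_utc = (wall - offset).replace(tzinfo=timezone.utc)
        # Reading 2: treat the local wall-clock digits as if they were UTC.
        now_local_as_utc = wall.replace(tzinfo=timezone.utc)
        findings.append({
            "expires": expires,
            "remaining_utc": expires - now_utc,
            "expired_vs_utc": expires <= now_utc,
            "expired_vs_local_as_utc": expires <= now_local_as_utc,
        })
    return findings


if __name__ == "__main__":
    for f in check_expiry_lines(LOG, utc_offset_hours=10):
        print(f)
```

On the post's values the token has one hour left when measured against real UTC, and it only counts as expired when the local wall-clock time is compared directly with the Z-suffixed expiry.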