[Openstack] Glance having problems with Keystone Authent/Author
Adam Clark
clark.adam.p at gmail.com
Mon Apr 7 21:15:04 UTC 2014
Hi all,
I am slowly putting together my Havana OpenStack deployment in a home
lab, but I seem to have hit an issue with glance with the keystone
authentication.
I can set my paste_deploy flavor to an empty string and glance stores and
lists images just fine.
When enabling keystone auth I get the following (also happens with my test
user and tenant):
openstack@admin:~$ glance --os-username glance --os-password glance_password --os-tenant-name services image-list
Request returned failure status.
Invalid OpenStack Identity credentials.
Relevant logs below:
2014-04-07 17:10:46.866 15375 DEBUG keystoneclient.middleware.auth_token [-] Authenticating user token __call__ /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:526
2014-04-07 17:10:46.867 15375 DEBUG keystoneclient.middleware.auth_token [-] Removing headers from request environment: X-Identity-Status,X-Domain-Id,X-Domain-Name,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-User-Id,X-User-Name,X-User-Domain-Id,X-User-Domain-Name,X-Roles,X-Service-Catalog,X-User,X-Tenant-Id,X-Tenant-Name,X-Tenant,X-Role _remove_auth_headers /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:585
2014-04-07 17:10:46.918 15375 DEBUG keystoneclient.middleware.auth_token [-] Token expired a 2014-04-07T08:10:46Z _confirm_token_not_expired /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:1024
2014-04-07 17:10:46.919 15375 DEBUG keystoneclient.middleware.auth_token [-] Token validation failure. _validate_user_token /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:790
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token Traceback (most recent call last):
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token   File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 782, in _validate_user_token
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token     expires = self._confirm_token_not_expired(data)
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token   File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 1025, in _confirm_token_not_expired
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token     raise InvalidUserToken('Token authorization failed')
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token InvalidUserToken: Token authorization failed
2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token
2014-04-07 17:10:46.919 15375 DEBUG keystoneclient.middleware.auth_token [-] Marking token <Token) as unauthorized in memcache _cache_store_invalid /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:1043
2014-04-07 17:10:46.920 15375 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token <token>
2014-04-07 17:10:46.920 15375 INFO keystoneclient.middleware.auth_token [-] Invalid user token - deferring reject downstream
^C
root@api01:~# date --utc
Mon Apr 7 07:10:54 UTC 2014
Time on all hosts is synced to the same NTP source; my timezone is at an offset
of UTC+10. The token above has just under an hour for its lifetime.
I can use these credentials directly with keystone:
openstack@admin:~$ keystone --os-username glance --os-password glance_password --os-tenant-name services tenant-list
+----------------------------------+----------+---------+
| id                               | name     | enabled |
+----------------------------------+----------+---------+
| e30936cb81524d8a8fa1a51991fd3acd | admin    | True    |
| 97b98e459c214db58dd6bfd367a53d8a | services | True    |
| a8b1b92c004643999aad469ce7123bf4 | test     | True    |
+----------------------------------+----------+---------+
get-token works fine also.
Here are the relevant parts of my glance-api.conf:
[keystone_authtoken]
auth_host = api-internal.openstack.home
auth_port = 35357
auth_protocol = http
admin_tenant_name = services
admin_user = glance
admin_password = glance_password
auth_uri=http://api-internal.openstack.home:5000/
[paste_deploy]
flavor=keystone
and glance-api-paste.ini:
[pipeline:glance-api-keystone]
pipeline = versionnegotiation authtoken context rootapp
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
delay_auth_decision = true
auth_host=api.openstack.home
admin_user=glance
admin_tenant_name=services
admin_password=glance_password
I added in the auth_* and admin_* directives after following the OpenStack
documentation:
http://docs.openstack.org/havana/install-guide/install/apt/content/glance-install.html
Below are all the runtime values gleaned from the log files:
admin_password = ****
admin_role = admin
admin_tenant_name = ****
admin_user = ****
allow_additional_image_properties = True
allow_anonymous_access = False
api_limit_max = 1000
auth_region = None
auth_strategy = noauth
auth_url = None
backlog = 4096
bind_host = 0.0.0.0
bind_port = 9292
ca_file = None
cert_file = None
cinder_api_insecure = False
cinder_ca_certificates_file = None
cinder_catalog_info = volume:cinder:publicURL
cinder_endpoint_template = None
cinder_http_retries = 3
cleanup_scrubber = False
cleanup_scrubber_time = 86400
config_dir = None
config_file = ['/etc/glance/glance-api.conf']
container_formats = ['ami', 'ari', 'aki', 'bare', 'ovf']
data_api = glance.db.sqlalchemy.api
db_auto_create = False
debug = True
default_log_levels = ['amqplib=WARN', 'sqlalchemy=WARN', 'boto=WARN', 'suds=INFO', 'keystone=INFO', 'eventlet.wsgi.server=WARN']
default_store = rbd
delayed_delete = False
disable_process_locking = False
disk_formats = ['ami', 'ari', 'aki', 'vhd', 'vmdk', 'raw', 'qcow2', 'vdi', 'iso']
enable_v1_api = True
enable_v2_api = True
eventlet_hub = poll
fatal_deprecations = False
filesystem_store_datadir = /var/lib/glance/images/
filesystem_store_metadata_file = None
image_size_cap = 1099511627776
instance_format = [instance: %(uuid)s]
instance_uuid_format = [instance: %(uuid)s]
key_file = None
known_stores = ['glance.store.filesystem.Store', 'glance.store.http.Store', 'glance.store.rbd.Store', 'glance.store.s3.Store', 'glance.store.swift.Store', 'glance.store.sheepdog.Store', 'glance.store.cinder.Store']
limit_param_default = 25
lock_path = None
log_config = None
log_date_format = %Y-%m-%d %H:%M:%S
log_dir = /var/log/glance
log_file = /var/log/glance/api.log
log_format = None
logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
%(instance)s%(message)s
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
memcached_servers = None
metadata_encryption_key = ****
notifier_strategy = rabbit
os_region_name = None
owner_is_tenant = True
policy_default_rule = default
policy_file = policy.json
property_protection_file = None
publish_errors = False
pydev_worker_debug_host = None
pydev_worker_debug_port = 5678
rabbit_durable_queues = False
rabbit_host = slb01.openstack.home
rabbit_max_retries = 0
rabbit_notification_exchange = glance
rabbit_notification_topic = notifications
rabbit_password = ******
rabbit_port = 5672
rabbit_retry_backoff = 2
rabbit_retry_max_backoff = 30
rabbit_use_ssl = False
rabbit_userid = rabbit
rabbit_virtual_host = /
rbd_store_ceph_conf = /etc/ceph/ceph.conf
rbd_store_chunk_size = 8
rbd_store_pool = images
rbd_store_user = glance
registry_client_ca_file = None
registry_client_cert_file = None
registry_client_insecure = False
registry_client_key_file = None
registry_client_protocol = http
registry_client_timeout = 600
registry_host = localhost
registry_port = 9191
s3_store_access_key = ************************
s3_store_bucket = <lowercased 20-char aws access key>glance
s3_store_bucket_url_format = subdomain
s3_store_create_bucket_on_put = False
s3_store_host = 127.0.0.1:8080/v1.0/
s3_store_object_buffer_dir = None
s3_store_secret_key = ************************
scrub_time = 43200
scrubber_datadir = /var/lib/glance/scrubber
send_identity_headers = False
sheepdog_store_address = localhost
sheepdog_store_chunk_size = 64
sheepdog_store_port = 7000
show_image_direct_url = True
show_multiple_locations = False
sql_connection = ********************************************************
sql_idle_timeout = 3600
sql_max_retries = 60
sql_retry_interval = 1
sqlalchemy_debug = False
swift_enable_snet = False
swift_store_admin_tenants = []
swift_store_auth_address = 127.0.0.1:5000/v2.0/
swift_store_auth_insecure = False
swift_store_auth_version = 2
swift_store_container = glance
swift_store_create_container_on_put = False
swift_store_endpoint_type = publicURL
swift_store_key = ********************************
swift_store_large_object_chunk_size = 200
swift_store_large_object_size = 5120
swift_store_multi_tenant = False
swift_store_region = None
swift_store_service_type = object-store
swift_store_ssl_compression = True
swift_store_user = *********
syslog_log_facility = LOG_USER
tcp_keepidle = 600
use_stderr = True
use_syslog = False
use_tpool = False
use_user_token = True
user_storage_quota = 0
verbose = True
workers = 1
paste_deploy.config_file = None
paste_deploy.flavor = keystone
keystone_authtoken.admin_password = ***************
keystone_authtoken.admin_tenant_name = services
keystone_authtoken.admin_token = ****
keystone_authtoken.admin_user = glance
keystone_authtoken.auth_admin_prefix =
keystone_authtoken.auth_host = api-internal.openstack.home
keystone_authtoken.auth_port = 35357
keystone_authtoken.auth_protocol = http
keystone_authtoken.auth_uri = http://api-internal.openstack.home:5000/
keystone_authtoken.auth_version = None
keystone_authtoken.cache = None
keystone_authtoken.certfile = None
keystone_authtoken.delay_auth_decision = False
keystone_authtoken.http_connect_timeout = None
keystone_authtoken.http_handler = None
keystone_authtoken.keyfile = None
keystone_authtoken.memcache_secret_key = ****
keystone_authtoken.memcache_security_strategy = None
keystone_authtoken.memcached_servers = None
keystone_authtoken.revocation_cache_time = 1
keystone_authtoken.signing_dir = None
I hope there is a clue in there somewhere.
Cheers
Adam
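The timestamps in the message above, worked through as an added example (not part of the original post and not keystoneclient code): it parses the "Token expired" log line, compares the expiry with the log time on the UTC timeline, and then shows the result if the expiry's wall-clock digits are read as local time in the poster's UTC+10 zone. That second reading is an assumption made here for illustration; the post does not establish why the middleware rejected the token.

```python
import re
from datetime import datetime, timedelta, timezone

# Copied from the post: the auth_token DEBUG line and the stated UTC+10 offset.
LOG_LINE = ("2014-04-07 17:10:46.918 15375 DEBUG keystoneclient.middleware.auth_token "
            "[-] Token expired a 2014-04-07T08:10:46Z _confirm_token_not_expired")
LOCAL_OFFSET = timezone(timedelta(hours=10))

LINE_RE = re.compile(
    r"^(?P<logged>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) .*"
    r"Token expired at? (?P<expires>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)")


def parse(line, local_tz):
    """Return (log time, token expiry) as timezone-aware datetimes."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a token-expiry log line")
    # The log prefix is the host's local wall clock and carries no offset.
    logged = datetime.strptime(m["logged"], "%Y-%m-%d %H:%M:%S.%f")
    logged = logged.replace(tzinfo=local_tz)
    # The trailing Z marks the token expiry as UTC.
    expires = datetime.strptime(m["expires"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    return logged, expires


def remaining_correct(logged, expires):
    """Lifetime left when both instants are compared on the UTC timeline."""
    return expires - logged  # aware datetimes subtract as instants


def remaining_if_read_as_local(logged, expires, local_tz):
    """Lifetime left if the expiry digits are taken as local time (assumed fault)."""
    misread = expires.replace(tzinfo=local_tz)  # same digits, wrong zone
    return misread - logged


if __name__ == "__main__":
    logged, expires = parse(LOG_LINE, LOCAL_OFFSET)
    print("log time in UTC :", logged.astimezone(timezone.utc).isoformat())
    print("token expiry    :", expires.isoformat())
    print("remaining (UTC) :", remaining_correct(logged, expires))
    print("remaining (read as local):",
          remaining_if_read_as_local(logged, expires, LOCAL_OFFSET))
```

A positive first figure next to a negative second one differing by exactly the zone offset is the signature to look for when a token with lifetime left is reported as expired on a host that is not running in UTC.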