[Openstack] keystone with external authentication using apache2 on havana/ubuntu1204

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Thu Feb 20 18:00:38 UTC 2014


I haven't used the Apache2 WSGI front end for Icehouse, but I did use it with Grizzly. The Keystone endpoints should not change. The following URLs are incorrect.

export OS_AUTH_URL="http://10.65.235.39:5000/keystone/main"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/keystone/admin"

Mark

From: Staicu Gabriel [mailto:gabriel_staicu at yahoo.com]
Sent: Thursday, February 20, 2014 1:38 AM
To: Dave Walker; openstack at lists.openstack.org
Subject: Re: [Openstack] keystone with external authentication using apache2 on havana/ubuntu1204

Hi Dave,

Thanks a lot for you interest in helping me. I will try to answer your questions as good as I can:
I am using havana release of the openstack. I am starting from default keystone authentication:
This is my /etc/keystone/keystone.conf:


[DEFAULT]
log_file = keystone.log
log_dir = /var/log/keystone
[sql]
connection = mysql://keystoneuser:keystonepass@153.65.235.39/keystone
[identity]
driver = keystone.identity.backends.sql.Identity
[credential]
driver = keystone.credential.backends.sql.Credential
[trust]
driver = keystone.trust.backends.sql.Trust
[os_inherit]
[catalog]
driver = keystone.catalog.backends.sql.Catalog
[endpoint_filter]
[token]
driver = keystone.token.backends.sql.Token
[cache]
[policy]
driver = keystone.policy.backends.sql.Policy
[ec2]
driver = keystone.contrib.ec2.backends.kvs.Ec2
[assignment]
[oauth1]
[ssl]
[signing]
[ldap]
[auth]

Then I am doing:
service keystone start
source openstackrc

The content of openstackrc:
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export SERVICE_TOKEN=ADMIN
export OS_AUTH_URL="http://10.65.235.39:5000/v2.0/"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/v2.0"

keystone user-list
root at ubuntu1204:~# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+---------+-------------------+
|                id                |    name    | enabled |       email       |
+----------------------------------+------------+---------+-------------------+
| 813a815b593f495c9a449f9c5c44625d |   admin    |   True  | admin at example.com<mailto:admin at example.com> |
| 7df8919856ec4072927d2523bceed5eb | ceilometer |   True  | admin at example.com<mailto:admin at example.com> |
| b6aae4b745484e3da6892b68a7e322f9 |   cinder   |   True  | admin at example.com<mailto:admin at example.com> |
| d08d5f5e515a4601b417a637cf690999 |    demo    |   True  |  demo at example.com<mailto:demo at example.com> |
| a3a5444d42b9462e8fcac9e3a10f2e60 |   glance   |   True  | admin at example.com<mailto:admin at example.com> |
| 1c1ab74a4a934273836f41999e2ac9fc |    heat    |   True  | admin at example.com<mailto:admin at example.com> |
| 823d9d20cbd8412887c3f6052eca720d |  neutron   |   True  | admin at example.com<mailto:admin at example.com> |
| e58d30815fac48209bf56441e1d5bb76 |    nova    |   True  | admin at example.com<mailto:admin at example.com> |
+----------------------------------+------------+---------+-------------------+


 keystone endpoint-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------+--------------------------------------------+--------------------------------------------+--------------------------------------------+----------------------------------+
|                id                |   region  |                 publicurl                  |                internalurl                 |                  adminurl                  |            service_id            |
+----------------------------------+-----------+--------------------------------------------+--------------------------------------------+--------------------------------------------+----------------------------------+
| 05784027da8b4acb8489d0486faf9f61 |  myregion |  http://153.65.235.39:8773/services/cloud  |  http://153.65.235.39:8773/services/cloud  |  http://153.65.235.39:8773/services/admin  | 5bc96b5587aa4f12919f3a155b5713b0 |
| 10a762a17a58478d8285c1ca6ed8344a |  myregion | http://153.65.235.39:8004/v1/$(tenant_id)s | http://153.65.235.39:8004/v1/$(tenant_id)s | http://153.65.235.39:8004/v1/$(tenant_id)s | 3308b160d21f4dac84b866063852a47a |
| 23aff8a4b486423592ad877eb0eb29d2 |  myregion |       http://153.65.235.39:5000/v2.0       |       http://153.65.235.39:5000/v2.0       |      http://153.65.235.39:35357/v2.0       | c5196b9c3d5446bdb63ee3b8f40d67f7 |
| 8e0ecafcf86e42c28f6431e9cd6b330b |  myregion | http://153.65.235.39:8774/v2/$(tenant_id)s | http://153.65.235.39:8774/v2/$(tenant_id)s | http://153.65.235.39:8774/v2/$(tenant_id)s | 4d7a03c577304e3381a3d08ba74a70dc |
| aaa01a27723d4d4abfe65496d03e811e |  myregion | http://153.65.235.39:8776/v1/$(tenant_id)s | http://153.65.235.39:8776/v1/$(tenant_id)s | http://153.65.235.39:8776/v1/$(tenant_id)s | aed8babcd157477b827c7a2ce89a641c |
| aebb4602fae143ef86d62de0c0bc5ba8 | regionOne |     http://153.65.235.39/keystone/main     |                                            |    http://153.65.235.39/keystone/admin     | c5196b9c3d5446bdb63ee3b8f40d67f7 |
| c5169966464140c69fe8c244659ad932 |  myregion |         http://153.65.235.39:9696/         |         http://153.65.235.39:9696/         |         http://153.65.235.39:9696/         | a7a32598413a435687e9919c6add1647 |
| d5b7a1f9f7bf417295f7b1e9e34f0a26 |  myregion |        http://153.65.235.39:8000/v1        |        http://153.65.235.39:8000/v1        |        http://153.65.235.39:8000/v1        | 43f4318c522646c2bdd44d6e9e09edfe |
| ecc1cd7cbad8461281181a879286c2bf |  myregion |        http://153.65.235.39:9292/v2        |        http://153.65.235.39:9292/v2        |        http://153.65.235.39:9292/v2        | 6bd3e90b00a743cfa4a94050f87319aa |
| fe815ceefd0544f2abd16c484cab1b27 |  myregion |         http://153.65.235.39:8777          |         http://153.65.235.39:8777          |         http://153.65.235.39:8777          | 4aa31f280a1e40888d45119c02149a01 |
+----------------------------------+-----------+--------------------------------------------+--------------------------------------------+--------------------------------------------+----------------------------------+

keystone service-list
 keystone service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+----------------+----------------------------------+
|                id                |    name    |      type      |           description            |
+----------------------------------+------------+----------------+----------------------------------+
| 4aa31f280a1e40888d45119c02149a01 | ceilometer |    metering    |    openstack metering service    |
| aed8babcd157477b827c7a2ce89a641c |   cinder   |     volume     |     openstack volume service     |
| 5bc96b5587aa4f12919f3a155b5713b0 |    ec2     |      ec2       |           ec2 service            |
| 6bd3e90b00a743cfa4a94050f87319aa |   glance   |     image      |     openstack image service      |
| 3308b160d21f4dac84b866063852a47a |    heat    | orchestration  | openstack orchestration service  |
| 43f4318c522646c2bdd44d6e9e09edfe |  heat-cfn  | cloudformation | openstack cloudformation service |
| c5196b9c3d5446bdb63ee3b8f40d67f7 |  keystone  |    identity    |    openstack identity service    |
| a7a32598413a435687e9919c6add1647 |  neutron   |    network     |   openstack networking service   |
| 4d7a03c577304e3381a3d08ba74a70dc |    nova    |    compute     |    openstack compute service     |
+----------------------------------+------------+----------------+----------------------------------+

So this means that normal configuration works ok.
Now I will try to configure http authentication and the steps that I am using are the following:
1) service keystone stop
2) create the file /etc/apache2/conf.d/wsgi-keystone.conf with the following content:
Listen 5000
<VirtualHost *:5000>
WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
</VirtualHost>
Listen 35357
<VirtualHost *:35357>
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
</VirtualHost>

3) Both /var/www/cgi-bin/keystone/main and /var/www/cgi-bin/keystone/admin have the following content:
# Copyright 2013 OpenStack Foundation
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import logging
import os

from paste import deploy

from keystone.openstack.common import gettextutils

# NOTE(blk-u):
# gettextutils.install() must run to set _ before importing any modules that
# contain static translated strings.
gettextutils.install('keystone', lazy=True)

from keystone.common import dependency
from keystone.common import environment
from keystone.common import sql
from keystone import config
from keystone.openstack.common import log
from keystone import service


CONF = config.CONF

config.configure()
sql.initialize()
config.set_default_for_default_log_levels()

CONF(project='keystone')
config.setup_logging()

environment.use_stdlib()
name = os.path.basename(__file__)

if CONF.debug:
    CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)


drivers = service.load_backends()

# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
# The following is a reference to Python Paste Deploy documentation
# http://pythonpaste.org/deploy/
application = deploy.loadapp('config:%s' % config.find_paste_config(),
                             name=name)

dependency.resolve_future_dependencies()

4) service apache2 restart
root at ubuntu1204:~# netstat -ntlp|grep 5000
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      23078/apache2
root at ubuntu1204:~# netstat -ntlp|grep 35357
tcp        0      0 0.0.0.0:35357           0.0.0.0:*               LISTEN      23078/apache2

5) source openstackrchttp with the following content:
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export SERVICE_TOKEN=ADMIN
export OS_AUTH_URL="http://10.65.235.39:5000/keystone/main"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/keystone/admin"

6) keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Unable to communicate with identity service: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 [no address given] and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 10.65.235.39 Port 35357</address>
</body></html>
. (HTTP 500)


What is lacking? What else should be done? If we will find a solution we can write a very clear document with steps to configure keystone with http authentication on ubuntu with openstack havana.


Thanks a lot,
Gabriel







On Wednesday, February 19, 2014 6:54 PM, Dave Walker <email at daviey.com<mailto:email at daviey.com>> wrote:
Hi Staicu,

Which release of Openstack are you using?
  - The distro shouldn't really matter in this instance.
What Auth method are you attempting to do through Apache?
  - Simple Auth, Kerberos?
What are you using in your dispatcher file (wsgi / fcgi plumbing)?
What behaviour are you seeing?
  - Is REMOTE_USER environ being set?

On 19 February 2014 16:51, Staicu Gabriel <gabriel_staicu at yahoo.com<mailto:gabriel_staicu at yahoo.com>> wrote:
> Hi,
>
> Is there someone who did the keystone to delegate authentication to apache
> on ubuntu/havana.
> I have read these documents but nothing is clear:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/Installation_and_Configuration_Guide/Configuring_the_Identity_Service_to_Run_in_HTTPD.html
> https://wiki.openstack.org/wiki/Talk:Keystone_in_HTTPD_on_RHEL6
> http://docs.openstack.org/developer/keystone/apache-httpd.html
>
> It seams like everyone is telling half of the truth....:)
>
> Is there any other place where I could understand how you could do it on
> ubuntu?
>
> Thanks a lot,
> Gabriel

>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to    : openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140220/6dfaa006/attachment.html>


More information about the Openstack mailing list