[Openstack] keystone with external authentication using apache2 on havana/ubuntu1204
Miller, Mark M (EB SW Cloud - R&D - Corvallis)
mark.m.miller at hp.com
Thu Feb 20 18:00:38 UTC 2014
I haven't used the Apache2 WSGI front end for Icehouse, but I did use it with Grizzly. The Keystone endpoints should not change. The following URLs are incorrect.
export OS_AUTH_URL="http://10.65.235.39:5000/keystone/main"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/keystone/admin"
Mark
From: Staicu Gabriel [mailto:gabriel_staicu at yahoo.com]
Sent: Thursday, February 20, 2014 1:38 AM
To: Dave Walker; openstack at lists.openstack.org
Subject: Re: [Openstack] keystone with external authentication using apache2 on havana/ubuntu1204
Hi Dave,
Thanks a lot for your interest in helping me. I will try to answer your questions as well as I can:
I am using havana release of the openstack. I am starting from default keystone authentication:
This is my /etc/keystone/keystone.conf:
[DEFAULT]
log_file = keystone.log
log_dir = /var/log/keystone
[sql]
connection = mysql://keystoneuser:keystonepass@153.65.235.39/keystone
[identity]
driver = keystone.identity.backends.sql.Identity
[credential]
driver = keystone.credential.backends.sql.Credential
[trust]
driver = keystone.trust.backends.sql.Trust
[os_inherit]
[catalog]
driver = keystone.catalog.backends.sql.Catalog
[endpoint_filter]
[token]
driver = keystone.token.backends.sql.Token
[cache]
[policy]
driver = keystone.policy.backends.sql.Policy
[ec2]
driver = keystone.contrib.ec2.backends.kvs.Ec2
[assignment]
[oauth1]
[ssl]
[signing]
[ldap]
[auth]
Then I am doing:
service keystone start
source openstackrc
The content of openstackrc:
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export SERVICE_TOKEN=ADMIN
export OS_AUTH_URL="http://10.65.235.39:5000/v2.0/"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/v2.0"
keystone user-list
root at ubuntu1204:~# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+---------+-------------------+
| id | name | enabled | email |
+----------------------------------+------------+---------+-------------------+
| 813a815b593f495c9a449f9c5c44625d | admin | True | admin at example.com |
| 7df8919856ec4072927d2523bceed5eb | ceilometer | True | admin at example.com |
| b6aae4b745484e3da6892b68a7e322f9 | cinder | True | admin at example.com |
| d08d5f5e515a4601b417a637cf690999 | demo | True | demo at example.com |
| a3a5444d42b9462e8fcac9e3a10f2e60 | glance | True | admin at example.com |
| 1c1ab74a4a934273836f41999e2ac9fc | heat | True | admin at example.com |
| 823d9d20cbd8412887c3f6052eca720d | neutron | True | admin at example.com |
| e58d30815fac48209bf56441e1d5bb76 | nova | True | admin at example.com |
+----------------------------------+------------+---------+-------------------+
keystone endpoint-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------+--------------------------------------------+--------------------------------------------+--------------------------------------------+----------------------------------+
| id | region | publicurl | internalurl | adminurl | service_id |
+----------------------------------+-----------+--------------------------------------------+--------------------------------------------+--------------------------------------------+----------------------------------+
| 05784027da8b4acb8489d0486faf9f61 | myregion | http://153.65.235.39:8773/services/cloud | http://153.65.235.39:8773/services/cloud | http://153.65.235.39:8773/services/admin | 5bc96b5587aa4f12919f3a155b5713b0 |
| 10a762a17a58478d8285c1ca6ed8344a | myregion | http://153.65.235.39:8004/v1/$(tenant_id)s | http://153.65.235.39:8004/v1/$(tenant_id)s | http://153.65.235.39:8004/v1/$(tenant_id)s | 3308b160d21f4dac84b866063852a47a |
| 23aff8a4b486423592ad877eb0eb29d2 | myregion | http://153.65.235.39:5000/v2.0 | http://153.65.235.39:5000/v2.0 | http://153.65.235.39:35357/v2.0 | c5196b9c3d5446bdb63ee3b8f40d67f7 |
| 8e0ecafcf86e42c28f6431e9cd6b330b | myregion | http://153.65.235.39:8774/v2/$(tenant_id)s | http://153.65.235.39:8774/v2/$(tenant_id)s | http://153.65.235.39:8774/v2/$(tenant_id)s | 4d7a03c577304e3381a3d08ba74a70dc |
| aaa01a27723d4d4abfe65496d03e811e | myregion | http://153.65.235.39:8776/v1/$(tenant_id)s | http://153.65.235.39:8776/v1/$(tenant_id)s | http://153.65.235.39:8776/v1/$(tenant_id)s | aed8babcd157477b827c7a2ce89a641c |
| aebb4602fae143ef86d62de0c0bc5ba8 | regionOne | http://153.65.235.39/keystone/main | | http://153.65.235.39/keystone/admin | c5196b9c3d5446bdb63ee3b8f40d67f7 |
| c5169966464140c69fe8c244659ad932 | myregion | http://153.65.235.39:9696/ | http://153.65.235.39:9696/ | http://153.65.235.39:9696/ | a7a32598413a435687e9919c6add1647 |
| d5b7a1f9f7bf417295f7b1e9e34f0a26 | myregion | http://153.65.235.39:8000/v1 | http://153.65.235.39:8000/v1 | http://153.65.235.39:8000/v1 | 43f4318c522646c2bdd44d6e9e09edfe |
| ecc1cd7cbad8461281181a879286c2bf | myregion | http://153.65.235.39:9292/v2 | http://153.65.235.39:9292/v2 | http://153.65.235.39:9292/v2 | 6bd3e90b00a743cfa4a94050f87319aa |
| fe815ceefd0544f2abd16c484cab1b27 | myregion | http://153.65.235.39:8777 | http://153.65.235.39:8777 | http://153.65.235.39:8777 | 4aa31f280a1e40888d45119c02149a01 |
+----------------------------------+-----------+--------------------------------------------+--------------------------------------------+--------------------------------------------+----------------------------------+
keystone service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+----------------+----------------------------------+
| id | name | type | description |
+----------------------------------+------------+----------------+----------------------------------+
| 4aa31f280a1e40888d45119c02149a01 | ceilometer | metering | openstack metering service |
| aed8babcd157477b827c7a2ce89a641c | cinder | volume | openstack volume service |
| 5bc96b5587aa4f12919f3a155b5713b0 | ec2 | ec2 | ec2 service |
| 6bd3e90b00a743cfa4a94050f87319aa | glance | image | openstack image service |
| 3308b160d21f4dac84b866063852a47a | heat | orchestration | openstack orchestration service |
| 43f4318c522646c2bdd44d6e9e09edfe | heat-cfn | cloudformation | openstack cloudformation service |
| c5196b9c3d5446bdb63ee3b8f40d67f7 | keystone | identity | openstack identity service |
| a7a32598413a435687e9919c6add1647 | neutron | network | openstack networking service |
| 4d7a03c577304e3381a3d08ba74a70dc | nova | compute | openstack compute service |
+----------------------------------+------------+----------------+----------------------------------+
So this means that normal configuration works ok.
Now I will try to configure http authentication and the steps that I am using are the following:
1) service keystone stop
2) create the file /etc/apache2/conf.d/wsgi-keystone.conf with the following content:
Listen 5000
<VirtualHost *:5000>
WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
</VirtualHost>
Listen 35357
<VirtualHost *:35357>
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
</VirtualHost>
3) Both /var/www/cgi-bin/keystone/main and /var/www/cgi-bin/keystone/admin have the following content:
# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import logging
import os
from paste import deploy
from keystone.openstack.common import gettextutils
# NOTE(blk-u):
# gettextutils.install() must run to set _ before importing any modules that
# contain static translated strings.
gettextutils.install('keystone', lazy=True)
from keystone.common import dependency
from keystone.common import environment
from keystone.common import sql
from keystone import config
from keystone.openstack.common import log
from keystone import service
CONF = config.CONF
config.configure()
sql.initialize()
config.set_default_for_default_log_levels()
CONF(project='keystone')
config.setup_logging()
environment.use_stdlib()
name = os.path.basename(__file__)
if CONF.debug:
    CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)
drivers = service.load_backends()
# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
# The following is a reference to Python Paste Deploy documentation
# http://pythonpaste.org/deploy/
application = deploy.loadapp('config:%s' % config.find_paste_config(),
                             name=name)
dependency.resolve_future_dependencies()
4) service apache2 restart
root at ubuntu1204:~# netstat -ntlp|grep 5000
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 23078/apache2
root at ubuntu1204:~# netstat -ntlp|grep 35357
tcp 0 0 0.0.0.0:35357 0.0.0.0:* LISTEN 23078/apache2
5) source openstackrchttp with the following content:
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export SERVICE_TOKEN=ADMIN
export OS_AUTH_URL="http://10.65.235.39:5000/keystone/main"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/keystone/admin"
6) keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Unable to communicate with identity service: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
[no address given] and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 10.65.235.39 Port 35357</address>
</body></html>
. (HTTP 500)
What is lacking? What else should be done? If we find a solution, we can write a very clear document with the steps to configure keystone with http authentication on ubuntu with openstack havana.
Thanks a lot,
Gabriel
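Mark's reply above says the auth URLs in openstackrchttp are wrong while the Keystone endpoints themselves should not change. The script below is an added example, not code from the thread or from Keystone: it checks a client rc file against the WSGIScriptAlias mounts in the Apache config before the keystone CLI is run, so a URL that drops the /v2.0 version path is reported up front instead of surfacing as the Apache 500 shown in step 6. It assumes that the version path follows the alias prefix (mod_wsgi passes the alias to the application as SCRIPT_NAME and the rest as PATH_INFO), and that the rc file uses the `export VAR="value"` form from the thread; the config and rc files it writes are constructed for the example, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: check a Keystone client rc file against
# the Apache WSGIScriptAlias mounts before running the keystone CLI, so a URL
# that omits the /v2.0 version path is caught before the 500 appears.
# All input files below are constructed for this example.

# auth_url_path URL -> the path component of URL without its trailing slash
# ("http://10.65.235.39:5000/v2.0/" -> "/v2.0"; a bare host:port -> "").
auth_url_path() {
    rest=${1#*://}
    case $rest in
        */*) path=/${rest#*/} ;;
        *)   path=/ ;;
    esac
    printf '%s\n' "${path%/}"
}

# wsgi_mounts CONF -> the URL prefix of every WSGIScriptAlias line in CONF
wsgi_mounts() {
    awk '$1 == "WSGIScriptAlias" { print $2 }' "$1"
}

# check_auth_url URL CONF -> 0 when URL's path is <mount>/v2.0 for one of the
# mounts in CONF. mod_wsgi hands the alias to the app as SCRIPT_NAME and the
# remainder as PATH_INFO, so the version path has to come after the alias.
check_auth_url() {
    path=$(auth_url_path "$1")
    for mount in $(wsgi_mounts "$2"); do
        [ "$path" = "${mount%/}/v2.0" ] && return 0
    done
    return 1
}

# check_rc RCFILE CONF -> 0 when both OS_AUTH_URL and SERVICE_ENDPOINT in
# RCFILE pass check_auth_url; names each offending variable otherwise.
check_rc() {
    status=0
    for var in OS_AUTH_URL SERVICE_ENDPOINT; do
        url=$(sed -n "s/^export $var=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1")
        if ! check_auth_url "$url" "$2"; then
            echo "$var=$url does not end in <WSGIScriptAlias prefix>/v2.0"
            status=1
        fi
    done
    return $status
}

tmp=$(mktemp -d)   # files are left here for inspection

# Constructed Apache config, mounting Keystone the way step 2 of the thread does.
cat > "$tmp/wsgi-keystone.conf" <<'EOF'
Listen 5000
<VirtualHost *:5000>
    WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
</VirtualHost>
Listen 35357
<VirtualHost *:35357>
    WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
</VirtualHost>
EOF

# Constructed rc file with the step 5 URLs, which stop at the alias prefix.
cat > "$tmp/openstackrchttp" <<'EOF'
export OS_TENANT_NAME=admin
export OS_AUTH_URL="http://10.65.235.39:5000/keystone/main"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/keystone/admin"
EOF

# Constructed rc file that keeps the version path after the alias.
cat > "$tmp/openstackrc-fixed" <<'EOF'
export OS_AUTH_URL="http://10.65.235.39:5000/keystone/main/v2.0"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/keystone/admin/v2.0"
EOF

check_rc "$tmp/openstackrchttp" "$tmp/wsgi-keystone.conf" \
    || echo "openstackrchttp: fix the URLs before running keystone user-list"
check_rc "$tmp/openstackrc-fixed" "$tmp/wsgi-keystone.conf" \
    && echo "openstackrc-fixed: URLs match the Apache mounts"
```

Run it against the real /etc/apache2/conf.d/wsgi-keystone.conf and rc file by replacing the constructed paths. The "Bypassing authentication using a token & endpoint" warning in the thread's output is worth keeping in mind while debugging: with SERVICE_TOKEN and SERVICE_ENDPOINT exported, the CLI talks to the admin endpoint with the shared admin token and ignores OS_USERNAME/OS_PASSWORD entirely, so a wrong SERVICE_ENDPOINT path is what produces the 500 from port 35357.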
On Wednesday, February 19, 2014 6:54 PM, Dave Walker <email at daviey.com> wrote:
Hi Staicu,
Which release of Openstack are you using?
- The distro shouldn't really matter in this instance.
What Auth method are you attempting to do through Apache?
- Simple Auth, Kerberos?
What are you using in your dispatcher file (wsgi / fcgi plumbing)?
What behaviour are you seeing?
- Is REMOTE_USER environ being set?
On 19 February 2014 16:51, Staicu Gabriel <gabriel_staicu at yahoo.com> wrote:
> Hi,
>
> Is there someone who did the keystone to delegate authentication to apache
> on ubuntu/havana.
> I have read these documents but nothing is clear:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/Installation_and_Configuration_Guide/Configuring_the_Identity_Service_to_Run_in_HTTPD.html
> https://wiki.openstack.org/wiki/Talk:Keystone_in_HTTPD_on_RHEL6
> http://docs.openstack.org/developer/keystone/apache-httpd.html
>
> It seems like everyone is telling half of the truth....:)
>
> Is there any other place where I could understand how you could do it on
> ubuntu?
>
> Thanks a lot,
> Gabriel
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>