[Openstack] issue when I using PKI for token format

Li, Chen chen.li at intel.com
Thu Mar 6 04:22:17 UTC 2014


I remember that somewhere I was asked to do that at the very beginning...
But I can't re-produce that anymore.



Anyway, when I run the command

        keystone-manage pki_setup

I get:

usage: keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush] pki_setup
       [-h] --keystone-user KEYSTONE_USER --keystone-group KEYSTONE_GROUP
keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush] pki_setup: error: argument --keystone-user is required



=> I change my ENV to:

        export SERVICE_TOKEN=ADMIN
        export SERVICE_ENDPOINT=http://host-keystone:35357/v2.0

Then run

keystone user-list
+----------------------------------+---------+---------+-------+
|                id                |   name  | enabled | email |
+----------------------------------+---------+---------+-------+
| 618d4218ae584b25a5c0594a6dd1efd4 |  cinder |   True  |       |
| 851c80fe95d64569a701ca0f461e87eb |  glance |   True  |       |
| dad121e464174060a4eb46c5fed019bf |  lichen |   True  |       |
| 958cb6cb788643b79125f1af5d7846d9 | neutron |   True  |       |
| 43ecc4544517446e85ecaca34416244b |   nova  |   True  |       |
+----------------------------------+---------+---------+-------+

keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 044f5ddb818f4b78b9f4aa0e0affd05d | services |   True  |
| 1e57be810f854bcdb73901567140ac48 |   test   |   True  |
+----------------------------------+----------+---------+


Then run

        keystone-manage pki_setup --keystone-user dad121e464174060a4eb46c5fed019bf --keystone-group 1e57be810f854bcdb73901567140ac48

I get:

2014-03-06 12:20:04.841 19854 CRITICAL keystone [-] Unknown user 'dad121e464174060a4eb46c5fed019bf' in --keystone-user

Then run

        keystone-manage pki_setup --keystone-user lichen --keystone-group 1e57be810f854bcdb73901567140ac48

I get:

2014-03-06 12:20:59.792 20029 CRITICAL keystone [-] Unknown user 'lichen' in --keystone-user

Then run

        keystone-manage pki_setup --keystone-user lichen --keystone-group test

I get:

2014-03-06 12:21:24.603 20113 CRITICAL keystone [-] Unknown user 'lichen' in --keystone-user

I don't know how to run the command anymore.....

Thanks.
-chen




From: Adam Young [mailto:ayoung at redhat.com]
Sent: Thursday, March 06, 2014 11:56 AM
To: openstack at lists.openstack.org
Subject: Re: [Openstack] issue when I using PKI for token format

On 03/05/2014 08:59 PM, Li, Chen wrote:

Hi,

I'm working under CentOS 6.4 + Havana, my keystone version is:
          openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana

When I run the command "keystone user-list", I get the error:
         Authorization Failed: Unable to sign token. (HTTP 500)

I can get error information in both "keystone-startup.log" and "keystone.log":

Did you run keystone-manage pki_setup?  Problem is something with your certificates.



2014-03-06 09:31:29.999 18693 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
2014-03-06 09:31:29.999 18693 ERROR keystone.token.providers.pki [-] Unable to sign token
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki Traceback (most recent call last):
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CONF.signing.keyfile)
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
2014-03-06 09:31:30.000 18693 WARNING keystone.common.wsgi [-] Unable to sign token.
~

Does anyone know why this happened?

Thanks.
-chen



My /etc/keystone/keystone.conf:

[DEFAULT]

[sql]
connection = mysql://keystone:keystone@host-db/keystone

[identity]

[credential]

[trust]

[os_inherit]

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[endpoint_filter]

[token]
driver = keystone.token.backends.memcache.Token

[cache]

[policy]

[ec2]

[assignment]

[oauth1]

[ssl]

[signing]

[ldap]

[auth]
methods = external,password,token,oauth1
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth

[paste_deploy]
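
The `Unknown user ... in --keystone-user` error in this thread is raised when the value cannot be found in the operating system's account database: `keystone-manage pki_setup` takes the local Unix user and group that should own the generated signing files, not a Keystone user or tenant. The preflight check below is an added example, not part of the original thread or of Keystone's own code; the function names and the optional key file argument are hypothetical.

```python
import grp
import os
import pwd
import stat
import sys


def resolve_account(user, group):
    """Look up user and group in the local passwd/group databases.

    Returns (uid, gid, problems); uid or gid is None when the name is unknown.
    """
    uid = gid = None
    problems = []
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        problems.append("no local user named %r" % user)
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        problems.append("no local group named %r" % group)
    return uid, gid, problems


def audit_key_file(path, uid, gid):
    """Report ownership or permission problems on a private key file."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    problems = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        problems.append("%s is owned by %d:%d, expected %d:%d"
                        % (path, st.st_uid, st.st_gid, uid, gid))
    if stat.S_IMODE(st.st_mode) & stat.S_IRWXO:
        problems.append("%s is accessible to other users (mode %o)"
                        % (path, stat.S_IMODE(st.st_mode)))
    return problems


if __name__ == "__main__":
    # Usage: USER GROUP [KEYFILE]. With no arguments, the Keystone user and
    # tenant IDs tried in the thread are used to show the failing case.
    args = sys.argv[1:] or ["dad121e464174060a4eb46c5fed019bf",
                            "1e57be810f854bcdb73901567140ac48"]
    uid, gid, problems = resolve_account(args[0], args[1])
    if not problems and len(args) > 2:
        problems = audit_key_file(args[2], uid, gid)
    for p in problems:
        print("FAIL: " + p)
    sys.exit(1 if problems else 0)
```

The key file path is passed in by the operator because the `[signing]` section of the posted configuration is empty and the thread does not name one.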




