[Openstack] Auth issue with glance
Erich Weiler
weiler at soe.ucsc.edu
Mon Mar 24 20:21:04 UTC 2014
Ah, no, this is the first one. ;)
I can auth users however with "keystone token-get" so I know that works
at least.
"glance-api-paste.ini" and "glance-registry-paste.ini" have been
integrated into glance-api.conf and glance-registry.conf so I don't need
to edit those (for RedHat RDO only). I have the service auth creds in
those files.
Thanks for the help!
On 3/24/14, 1:16 PM, Adam Lawson wrote:
> Do you have any other OpenStack services authenticating against Keystone
> successfully?
>
> Adam Lawson
> AQORN, Inc.
> 427 North Tatnall Street
> Ste. 58461
> Wilmington, Delaware 19801-2230
> Toll-free: (888) 406-7620
>
>
>
> On Mon, Mar 24, 2014 at 11:43 AM, Erich Weiler <weiler at soe.ucsc.edu> wrote:
>
> Hi Y'all,
>
> I'm trying to configure Glance on RedHat RDO Icehouse, but I'm
> getting an auth error when I try to upload an image to it. On the
> client I'm trying to upload from, I see:
>
> # glance -d image-create --name="CirrOS 0.3.1" --disk-format=qcow2
> --container-format=bare --is-public=true < cirros-0.3.1-x86_64-disk.img
> curl -i -X POST -H 'x-image-meta-container_format: bare' -H
> 'Transfer-Encoding: chunked' -H 'User-Agent: python-glanceclient' -H
> 'x-image-meta-size: 13147648' -H 'x-image-meta-is_public: True' -H
> 'X-Auth-Token: <...removed token...>' -H 'Content-Type:
> application/octet-stream' -H 'x-image-meta-disk_format: qcow2' -H
> 'x-image-meta-name: CirrOS 0.3.1' -d '<open file '<stdin>', mode 'r'
> at 0x7f49edd5d0c0>' https://my-public-server.com:9292/v1/images
>
> HTTP/1.1 500 Internal Server Error
> date: Mon, 24 Mar 2014 18:34:03 GMT
> content-length: 0
> content-type: text/plain
> connection: close
>
> Request returned failure status.
> HTTPInternalServerError (HTTP 500)
>
> I've launched glance-api in debug mode on the server side, and I see
> this when the above command is run:
>
> 2014-03-24 11:36:14.202 14543 DEBUG
> glance.api.middleware.version_negotiation [-] Determining version
> of request: POST /v1/images Accept: process_request
> /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:44
> 2014-03-24 11:36:14.203 14543 DEBUG
> glance.api.middleware.version_negotiation [-] Using url versioning
> process_request
> /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:57
> 2014-03-24 11:36:14.203 14543 DEBUG
> glance.api.middleware.version_negotiation [-] Matched version: v1
> process_request
> /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:69
> 2014-03-24 11:36:14.204 14543 DEBUG
> glance.api.middleware.version_negotiation [-] new path /v1/images
> process_request
> /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:70
> 2014-03-24 11:36:14.204 14543 DEBUG
> keystoneclient.middleware.auth_token [-] Authenticating user token
> __call__
> /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:558
> 2014-03-24 11:36:14.205 14543 DEBUG
> keystoneclient.middleware.auth_token [-] Removing headers from
> request environment:
> X-Identity-Status,X-Domain-Id,X-Domain-Name,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-User-Id,X-User-Name,X-User-Domain-Id,X-User-Domain-Name,X-Roles,X-Service-Catalog,X-User,X-Tenant-Id,X-Tenant-Name,X-Tenant,X-Role
> _remove_auth_headers
> /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:617
> 2014-03-24 11:36:14.226 14543 INFO urllib3.connectionpool [-]
> Starting new HTTP connection (1):
> genome-cloud-0-10.kilokluster.ucsc.edu
> 2014-03-24 11:36:14.339 14543 DEBUG urllib3.connectionpool [-] "POST
> /v2.0/tokens HTTP/1.1" 200 3446 _make_request
> /usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295
> 2014-03-24 11:36:14.382 14543 INFO urllib3.connectionpool [-]
> Starting new HTTP connection (1):
> genome-cloud-0-10.kilokluster.ucsc.edu
> 2014-03-24 11:36:14.422 14543 DEBUG urllib3.connectionpool [-] "GET
> /v2.0/tokens/revoked HTTP/1.1" 200 686 _make_request
> /usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295
> 2014-03-24 11:36:14.433 14543 INFO urllib3.connectionpool [-]
> Starting new HTTP connection (1):
> genome-cloud-0-10.kilokluster.ucsc.edu
> 2014-03-24 11:36:14.439 14543 DEBUG urllib3.connectionpool [-] "GET
> /v2.0/certificates/signing HTTP/1.1" 200 4251 _make_request
> /usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295
> 2014-03-24 11:36:14.451 14543 INFO urllib3.connectionpool [-]
> Starting new HTTP connection (1):
> genome-cloud-0-10.kilokluster.ucsc.edu
> 2014-03-24 11:36:14.455 14543 DEBUG urllib3.connectionpool [-] "GET
> /v2.0/certificates/ca HTTP/1.1" 200 1277 _make_request
> /usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295
> 2014-03-24 11:36:14.476 14543 DEBUG
> keystoneclient.middleware.auth_token [-] Storing
> 326d8c391f19d07c9f5a69d40da33f0a token in memcache _cache_put
> /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:1061
> 2014-03-24 11:36:14.477 14543 DEBUG
> keystoneclient.middleware.auth_token [-] Received request from
> user: f8fdf7f84ad34c439c4075b5e3720211 with project_id :
> f7e61747885045d8b266a161310c0094 and roles: _member_
> _build_user_headers
> /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:922
> 2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Matched
> POST /images __call__
> /usr/lib/python2.6/site-packages/Routes-1.12.3-py2.6.egg/routes/middleware.py:100
> 2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Route
> path: '/images', defaults: {'action': u'create', 'controller':
> <glance.common.wsgi.Resource object at 0x34c7450>} __call__
> /usr/lib/python2.6/site-packages/Routes-1.12.3-py2.6.egg/routes/middleware.py:102
> 2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Match
> dict: {'action': u'create', 'controller':
> <glance.common.wsgi.Resource object at 0x34c7450>} __call__
> /usr/lib/python2.6/site-packages/Routes-1.12.3-py2.6.egg/routes/middleware.py:103
> 2014-03-24 11:36:14.488 14543 DEBUG glance.registry.client.v1.api
> [3f58e73a-6eb0-4747-ab61-e8b81fbe55d3
> f8fdf7f84ad34c439c4075b5e3720211
> f7e61747885045d8b266a161310c0094] Adding image metadata...
> add_image_metadata
> /usr/lib/python2.6/site-packages/glance/registry/client/v1/api.py:159
> 2014-03-24 11:36:14.488 14543 DEBUG glance.common.client
> [3f58e73a-6eb0-4747-ab61-e8b81fbe55d3
> f8fdf7f84ad34c439c4075b5e3720211
> f7e61747885045d8b266a161310c0094] Constructed URL:
> http://0.0.0.0:9191/images _construct_url
> /usr/lib/python2.6/site-packages/glance/common/client.py:407
> 2014-03-24 11:36:14.556 14543 DEBUG glance.common.client
> [3f58e73a-6eb0-4747-ab61-e8b81fbe55d3
> f8fdf7f84ad34c439c4075b5e3720211
> f7e61747885045d8b266a161310c0094] Constructed URL:
> http://0.0.0.0:9191/images _construct_url
> /usr/lib/python2.6/site-packages/glance/common/client.py:407
> 2014-03-24 11:36:14.560 14543 INFO
> glance.registry.client.v1.client
> [3f58e73a-6eb0-4747-ab61-e8b81fbe55d3
> f8fdf7f84ad34c439c4075b5e3720211
> f7e61747885045d8b266a161310c0094] Registry client request POST
> /images raised NotAuthenticated
> 2014-03-24 11:36:14.564 14543 INFO glance.wsgi.server
> [3f58e73a-6eb0-4747-ab61-e8b81fbe55d3
> f8fdf7f84ad34c439c4075b5e3720211
> f7e61747885045d8b266a161310c0094] Traceback (most recent call last):
> File "/usr/lib/python2.6/site-packages/eventlet/wsgi.py", line
> 382, in handle_one_response
> result = self.application(self.environ, start_response)
> File "/usr/lib/python2.6/site-packages/webob/dec.py", line 130,
> in __call__
> resp = self.call_func(req, *args, **self.kwargs)
> File "/usr/lib/python2.6/site-packages/webob/dec.py", line 195,
> in call_func
> return self.func(req, *args, **kwargs)
> File
> "/usr/lib/python2.6/site-packages/glance/common/wsgi.py", line
> 372, in __call__
> response = req.get_response(self.application)
> File "/usr/lib/python2.6/site-packages/webob/request.py", line
> 1296, in send
> application, catch_exc_info=False)
> File "/usr/lib/python2.6/site-packages/webob/request.py", line
> 1260, in call_application
> app_iter = application(self.environ, start_response)
> File
> "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py",
> line 571, in __call__
> return self.app(env, start_response)
> File "/usr/lib/python2.6/site-packages/webob/dec.py", line 130,
> in __call__
> resp = self.call_func(req, *args, **self.kwargs)
> File "/usr/lib/python2.6/site-packages/webob/dec.py", line 195,
> in call_func
> return self.func(req, *args, **kwargs)
> File
> "/usr/lib/python2.6/site-packages/glance/common/wsgi.py", line
> 372, in __call__
> response = req.get_response(self.application)
> File "/usr/lib/python2.6/site-packages/webob/request.py", line
> 1296, in send
> application, catch_exc_info=False)
> File "/usr/lib/python2.6/site-packages/webob/request.py", line
> 1260, in call_application
> app_iter = application(self.environ, start_response)
> File "/usr/lib/python2.6/site-packages/paste/urlmap.py", line
> 203, in __call__
> return app(environ, start_response)
> File "/usr/lib/python2.6/site-packages/webob/dec.py", line 144,
> in __call__
> return resp(environ, start_response)
> File
> "/usr/lib/python2.6/site-packages/Routes-1.12.3-py2.6.egg/routes/middleware.py",
> line 131, in __call__
> response = self.app(environ, start_response)
> File "/usr/lib/python2.6/site-packages/webob/dec.py", line 144,
> in __call__
> return resp(environ, start_response)
> File "/usr/lib/python2.6/site-packages/webob/dec.py", line 130,
> in __call__
> resp = self.call_func(req, *args, **self.kwargs)
> File "/usr/lib/python2.6/site-packages/webob/dec.py", line 195,
> in call_func
> return self.func(req, *args, **kwargs)
> File
> "/usr/lib/python2.6/site-packages/glance/common/wsgi.py", line
> 604, in __call__
> request, **action_args)
> File
> "/usr/lib/python2.6/site-packages/glance/common/wsgi.py", line
> 623, in dispatch
> return method(*args, **kwargs)
> File
> "/usr/lib/python2.6/site-packages/glance/common/utils.py", line
> 435, in wrapped
> return func(self, req, *args, **kwargs)
> File
> "/usr/lib/python2.6/site-packages/glance/api/v1/images.py", line
> 781, in create
> image_meta = self._reserve(req, image_meta)
> File
> "/usr/lib/python2.6/site-packages/glance/api/v1/images.py", line
> 514, in _reserve
> image_meta = registry.add_image_metadata(req.context, image_meta)
> File
> "/usr/lib/python2.6/site-packages/glance/registry/client/v1/api.py",
> line 161, in add_image_metadata
> return c.add_image(image_meta)
> File
> "/usr/lib/python2.6/site-packages/glance/registry/client/v1/client.py",
> line 163, in add_image
> res = self.do_request("POST", "/images", body=body,
> headers=headers)
> File
> "/usr/lib/python2.6/site-packages/glance/registry/client/v1/client.py",
> line 107, in do_request
> **kwargs)
> File
> "/usr/lib/python2.6/site-packages/glance/common/client.py", line
> 65, in wrapped
> return func(self, *args, **kwargs)
> File
> "/usr/lib/python2.6/site-packages/glance/common/client.py", line
> 382, in do_request
> headers=copy.deepcopy(headers))
> File
> "/usr/lib/python2.6/site-packages/glance/common/client.py", line
> 79, in wrapped
> return func(self, method, url, body, headers)
> File
> "/usr/lib/python2.6/site-packages/glance/common/client.py", line
> 523, in _do_request
> raise exception.NotAuthenticated(res.read())
> NotAuthenticated: Authentication required
>
>
> 2014-03-24 11:36:14.967 14543 INFO glance.wsgi.server
> [3f58e73a-6eb0-4747-ab61-e8b81fbe55d3
> f8fdf7f84ad34c439c4075b5e3720211
> f7e61747885045d8b266a161310c0094] 111.213.225.79,10.1.1.137 - -
> [24/Mar/2014 11:36:14] "POST /v1/images HTTP/1.1" 500 139 0.765716
>
> So I see some Auth errors in that, but I can't tell _what_ kind of
> Auth errors they are. User auth errors from the user uploading the
> file? Service Auth errors from the glance service trying to auth to
> keystone? QPID auth errors?
>
> Can anyone see what's wrong? Then I can better debug where my
> problem is... I've confirmed the user can auth ok with "keystone
> token-get", that seems OK, I have the service user in keystone, not
> sure where it's failing...
>
> keystone logs don't really show anything other than:
>
> 2014-03-24 11:41:52.420 16503 WARNING keystone.common.wsgi [-]
> Authorization failed. The request you have made requires
> authentication. from 10.1.1.148
>
> Where 10.1.1.148 is the glance-api server on my internal network.
>
> Thanks for any hints!!
>
> -erich
>
>
>
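Added example (not part of the original thread, and not OpenStack project code): a small Python triage of the glance-api debug log quoted above that separates the two authentication hops visible in it, the user's token at the auth_token middleware and glance-api's own request to glance-registry. The sample lines are constructed from the quoted log by joining wrapped lines and abridging; the function name `triage` and its result keys are hypothetical.

```python
import re

# Constructed sample: lines from the quoted glance-api debug log, joined and abridged.
SAMPLE_LOG = """\
2014-03-24 11:36:14.204 14543 DEBUG keystoneclient.middleware.auth_token [-] Authenticating user token __call__
2014-03-24 11:36:14.477 14543 DEBUG keystoneclient.middleware.auth_token [-] Received request from user: f8fdf7f84ad34c439c4075b5e3720211 with project_id : f7e61747885045d8b266a161310c0094 and roles: _member_ _build_user_headers
2014-03-24 11:36:14.560 14543 INFO glance.registry.client.v1.client [3f58e73a-6eb0-4747-ab61-e8b81fbe55d3 f8fdf7f84ad34c439c4075b5e3720211 f7e61747885045d8b266a161310c0094] Registry client request POST /images raised NotAuthenticated
2014-03-24 11:36:14.967 14543 INFO glance.wsgi.server [3f58e73a-6eb0-4747-ab61-e8b81fbe55d3 f8fdf7f84ad34c439c4075b5e3720211 f7e61747885045d8b266a161310c0094] 111.213.225.79,10.1.1.137 - - [24/Mar/2014 11:36:14] "POST /v1/images HTTP/1.1" 500 139 0.765716
"""

# timestamp, pid, level, logger, [request context], message
LINE = re.compile(r"^\S+ \S+ \d+ (?P<level>\w+) (?P<logger>\S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
ACCEPTED = re.compile(r"Received request from user: (\S+) with project_id : (\S+) and roles: (\S+)")
REGISTRY = re.compile(r"Registry client request (\S+) (\S+) raised (\w+)")
ACCESS = re.compile(r'"(\S+) (\S+) HTTP/[\d.]+" (\d{3}) ')


def triage(log_text):
    """Report which hop rejected the request: the user's token at glance-api's
    auth_token middleware, or glance-api's own call to glance-registry."""
    result = {"user": None, "project": None, "roles": None,
              "registry_error": None, "status": None, "failed_hop": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # traceback frames carry no logger prefix
        logger, msg = m.group("logger"), m.group("msg")
        if logger.endswith("auth_token") and (hit := ACCEPTED.search(msg)):
            # The middleware only logs this after the user token validated.
            result["user"], result["project"], result["roles"] = hit.groups()
        elif logger.startswith("glance.registry.client") and (hit := REGISTRY.search(msg)):
            result["registry_error"] = hit.group(3)
        elif logger == "glance.wsgi.server" and (hit := ACCESS.search(msg)):
            result["status"] = int(hit.group(3))
    if result["user"] is None:
        result["failed_hop"] = "client -> glance-api (user token not accepted)"
    elif result["registry_error"]:
        result["failed_hop"] = "glance-api -> glance-registry"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the user token is accepted (user, project and role are extracted) and the `NotAuthenticated` is attributed to the glance-api to glance-registry request, which then surfaces to the client as the HTTP 500.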