[Openstack] Auth issue with glance

Adam Lawson alawson at aqorn.com
Mon Mar 24 21:51:25 UTC 2014


Are you able to authenticate in Keystone without introducing the additional
service?

This should indicate if your default Keystone admin credentials are
authenticating via user/pass versus PKI tokens (a little different but I
like it):

$ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
> $ export OS_USERNAME=<admin_username>
> $ export OS_PASSWORD=<admin_password>
> $ export OS_TENANT_NAME=<admin_tenant_name>
> $ export OS_AUTH_URL=http://IP_ADDRESS:35357/v2.0 (for instance)
> $ keystone user-list


This unsets your env vars and takes a non-token approach. should display
defined users. If not then your Keystone server isn't working or isn't
hearing the request. a wget of the auth url should tell you if you can see
the service. Are you getting success at this level at least?

Mahalo,
Adam


*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620



On Mon, Mar 24, 2014 at 1:21 PM, Erich Weiler <weiler at soe.ucsc.edu> wrote:

> Ah, no, this is the first one.  ;)
>
> I can auth users however with "keystone token-get" so I know that works at
> least.
>
> "glance-api-paste.ini" and "glance-registry-paste.ini" have been
> integrated into glance-api.conf and glance-registry.conf so I don't need to
> edit those (for RedHat RDO only).  I have the service auth creds in those
> files.
>
> Thanks for the help!
>
>
> On 3/24/14, 1:16 PM, Adam Lawson wrote:
>
>> Do you have any other OpenStack services authenticating against Keystone
>> successfully?
>>
>> */
>> Adam Lawson/*
>>
>> AQORN, Inc.
>> 427 North Tatnall Street
>> Ste. 58461
>> Wilmington, Delaware 19801-2230
>> Toll-free: (888) 406-7620
>>
>>
>>
>> On Mon, Mar 24, 2014 at 11:43 AM, Erich Weiler <weiler at soe.ucsc.edu
>> <mailto:weiler at soe.ucsc.edu>> wrote:
>>
>>     Hi Y'all,
>>
>>     I'm trying to configure Glance on RedHat RDO Icehouse, but I'm
>>     getting an auth error when I try to upload an image to it.  On the
>>     client I'm trying to upload from, I see:
>>
>>     # glance -d image-create --name="CirrOS 0.3.1" --disk-format=qcow2
>>     --container-format=bare --is-public=true <
>> cirros-0.3.1-x86_64-disk.img
>>     curl -i -X POST -H 'x-image-meta-container___format: bare' -H
>>
>>     'Transfer-Encoding: chunked' -H 'User-Agent: python-glanceclient' -H
>>     'x-image-meta-size: 13147648' -H 'x-image-meta-is_public: True' -H
>>     'X-Auth-Token: <...removed token...>' -H 'Content-Type:
>>     application/octet-stream' -H 'x-image-meta-disk_format: qcow2' -H
>>     'x-image-meta-name: CirrOS 0.3.1' -d '<open file '<stdin>', mode 'r'
>>     at 0x7f49edd5d0c0>' https://my-public-server.com:__9292/v1/images
>>
>>     <https://my-public-server.com:9292/v1/images>
>>
>>     HTTP/1.1 500 Internal Server Error
>>     date: Mon, 24 Mar 2014 18:34:03 GMT
>>     content-length: 0
>>     content-type: text/plain
>>     connection: close
>>
>>     Request returned failure status.
>>     HTTPInternalServerError (HTTP 500)
>>
>>     I've launched glance-api in debug mode on the server side, and I see
>>     this when the above command is run:
>>
>>     2014-03-24 11:36:14.202 14543 DEBUG
>>     glance.api.middleware.version___negotiation [-] Determining version
>>
>>     of request: POST /v1/images Accept:  process_request
>>     /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___
>> negotiation.py:44
>>
>>     2014-03-24 11:36:14.203 14543 DEBUG
>>     glance.api.middleware.version___negotiation [-] Using url versioning
>>     process_request
>>     /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___
>> negotiation.py:57
>>
>>     2014-03-24 11:36:14.203 14543 DEBUG
>>     glance.api.middleware.version___negotiation [-] Matched version: v1
>>     process_request
>>     /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___
>> negotiation.py:69
>>
>>     2014-03-24 11:36:14.204 14543 DEBUG
>>     glance.api.middleware.version___negotiation [-] new path /v1/images
>>     process_request
>>     /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___
>> negotiation.py:70
>>
>>     2014-03-24 11:36:14.204 14543 DEBUG
>>     keystoneclient.middleware.__auth_token [-] Authenticating user token
>>     __call__
>>     /usr/lib/python2.6/site-__packages/keystoneclient/__
>> middleware/auth_token.py:558
>>
>>     2014-03-24 11:36:14.205 14543 DEBUG
>>     keystoneclient.middleware.__auth_token [-] Removing headers from
>>     request environment:
>>     X-Identity-Status,X-Domain-Id,__X-Domain-Name,X-Project-Id,
>> X-__Project-Name,X-Project-Domain-__Id,X-Project-Domain-
>> Name,X-__User-Id,X-User-Name,X-User-__Domain-Id,X-User-
>> Domain-Name,__X-Roles,X-Service-Catalog,X-__User,X-
>> Tenant-Id,X-Tenant-__Name,X-Tenant,X-Role
>>     _remove_auth_headers
>>     /usr/lib/python2.6/site-__packages/keystoneclient/__
>> middleware/auth_token.py:617
>>
>>     2014-03-24 11:36:14.226 14543 INFO urllib3.connectionpool [-]
>>     Starting new HTTP connection (1):
>>     genome-cloud-0-10.kilokluster.__ucsc.edu
>>     <http://genome-cloud-0-10.kilokluster.ucsc.edu>
>>
>>     2014-03-24 11:36:14.339 14543 DEBUG urllib3.connectionpool [-] "POST
>>     /v2.0/tokens HTTP/1.1" 200 3446 _make_request
>>     /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295
>>
>>     2014-03-24 11:36:14.382 14543 INFO urllib3.connectionpool [-]
>>     Starting new HTTP connection (1):
>>     genome-cloud-0-10.kilokluster.__ucsc.edu
>>     <http://genome-cloud-0-10.kilokluster.ucsc.edu>
>>
>>     2014-03-24 11:36:14.422 14543 DEBUG urllib3.connectionpool [-] "GET
>>     /v2.0/tokens/revoked HTTP/1.1" 200 686 _make_request
>>     /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295
>>
>>     2014-03-24 11:36:14.433 14543 INFO urllib3.connectionpool [-]
>>     Starting new HTTP connection (1):
>>     genome-cloud-0-10.kilokluster.__ucsc.edu
>>     <http://genome-cloud-0-10.kilokluster.ucsc.edu>
>>
>>     2014-03-24 11:36:14.439 14543 DEBUG urllib3.connectionpool [-] "GET
>>     /v2.0/certificates/signing HTTP/1.1" 200 4251 _make_request
>>     /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295
>>
>>     2014-03-24 11:36:14.451 14543 INFO urllib3.connectionpool [-]
>>     Starting new HTTP connection (1):
>>     genome-cloud-0-10.kilokluster.__ucsc.edu
>>     <http://genome-cloud-0-10.kilokluster.ucsc.edu>
>>
>>     2014-03-24 11:36:14.455 14543 DEBUG urllib3.connectionpool [-] "GET
>>     /v2.0/certificates/ca HTTP/1.1" 200 1277 _make_request
>>     /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295
>>
>>     2014-03-24 11:36:14.476 14543 DEBUG
>>     keystoneclient.middleware.__auth_token [-] Storing
>>     326d8c391f19d07c9f5a69d40da33f__0a token in memcache _cache_put
>>     /usr/lib/python2.6/site-__packages/keystoneclient/__
>> middleware/auth_token.py:1061
>>
>>     2014-03-24 11:36:14.477 14543 DEBUG
>>     keystoneclient.middleware.__auth_token [-] Received request from
>>     user: f8fdf7f84ad34c439c4075b5e37202__11 with project_id :
>>     f7e61747885045d8b266a161310c00__94 and roles: _member_
>>     _build_user_headers
>>     /usr/lib/python2.6/site-__packages/keystoneclient/__
>> middleware/auth_token.py:922
>>
>>     2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Matched
>>     POST /images __call__
>>     /usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._
>> _egg/routes/middleware.py:100
>>
>>     2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Route
>>     path: '/images', defaults: {'action': u'create', 'controller':
>>     <glance.common.wsgi.Resource object at 0x34c7450>} __call__
>>     /usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._
>> _egg/routes/middleware.py:102
>>
>>     2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Match
>>     dict: {'action': u'create', 'controller':
>>     <glance.common.wsgi.Resource object at 0x34c7450>} __call__
>>     /usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._
>> _egg/routes/middleware.py:103
>>
>>     2014-03-24 11:36:14.488 14543 DEBUG glance.registry.client.v1.api
>>     [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>>     f8fdf7f84ad34c439c4075b5e37202__11
>>     f7e61747885045d8b266a161310c00__94] Adding image metadata...
>>     add_image_metadata
>>     /usr/lib/python2.6/site-__packages/glance/registry/__
>> client/v1/api.py:159
>>
>>     2014-03-24 11:36:14.488 14543 DEBUG glance.common.client
>>     [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>>     f8fdf7f84ad34c439c4075b5e37202__11
>>     f7e61747885045d8b266a161310c00__94] Constructed URL:
>>     http://0.0.0.0:9191/images _construct_url
>>     /usr/lib/python2.6/site-__packages/glance/common/client.__py:407
>>
>>     2014-03-24 11:36:14.556 14543 DEBUG glance.common.client
>>     [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>>     f8fdf7f84ad34c439c4075b5e37202__11
>>     f7e61747885045d8b266a161310c00__94] Constructed URL:
>>     http://0.0.0.0:9191/images _construct_url
>>     /usr/lib/python2.6/site-__packages/glance/common/client.__py:407
>>
>>     2014-03-24 11:36:14.560 14543 INFO
>>     glance.registry.client.v1.__client
>>     [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>>     f8fdf7f84ad34c439c4075b5e37202__11
>>     f7e61747885045d8b266a161310c00__94] Registry client request POST
>>
>>     /images raised NotAuthenticated
>>     2014-03-24 11:36:14.564 14543 INFO glance.wsgi.server
>>     [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>>     f8fdf7f84ad34c439c4075b5e37202__11
>>     f7e61747885045d8b266a161310c00__94] Traceback (most recent call
>> last):
>>        File "/usr/lib/python2.6/site-__packages/eventlet/wsgi.py", line
>>
>>     382, in handle_one_response
>>          result = self.application(self.environ, start_response)
>>        File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 130,
>>
>>     in __call__
>>          resp = self.call_func(req, *args, **self.kwargs)
>>        File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 195,
>>
>>     in call_func
>>          return self.func(req, *args, **kwargs)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line
>>     372, in __call__
>>          response = req.get_response(self.__application)
>>        File "/usr/lib/python2.6/site-__packages/webob/request.py", line
>>
>>     1296, in send
>>          application, catch_exc_info=False)
>>        File "/usr/lib/python2.6/site-__packages/webob/request.py", line
>>
>>     1260, in call_application
>>          app_iter = application(self.environ, start_response)
>>        File
>>     "/usr/lib/python2.6/site-__packages/keystoneclient/__
>> middleware/auth_token.py",
>>
>>     line 571, in __call__
>>          return self.app(env, start_response)
>>        File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 130,
>>
>>     in __call__
>>          resp = self.call_func(req, *args, **self.kwargs)
>>        File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 195,
>>
>>     in call_func
>>          return self.func(req, *args, **kwargs)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line
>>     372, in __call__
>>          response = req.get_response(self.__application)
>>        File "/usr/lib/python2.6/site-__packages/webob/request.py", line
>>
>>     1296, in send
>>          application, catch_exc_info=False)
>>        File "/usr/lib/python2.6/site-__packages/webob/request.py", line
>>
>>     1260, in call_application
>>          app_iter = application(self.environ, start_response)
>>        File "/usr/lib/python2.6/site-__packages/paste/urlmap.py", line
>>
>>     203, in __call__
>>          return app(environ, start_response)
>>        File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 144,
>>
>>     in __call__
>>          return resp(environ, start_response)
>>        File
>>     "/usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._
>> _egg/routes/middleware.py",
>>
>>     line 131, in __call__
>>          response = self.app(environ, start_response)
>>        File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 144,
>>
>>     in __call__
>>          return resp(environ, start_response)
>>        File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 130,
>>
>>     in __call__
>>          resp = self.call_func(req, *args, **self.kwargs)
>>        File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 195,
>>
>>     in call_func
>>          return self.func(req, *args, **kwargs)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line
>>
>>     604, in __call__
>>          request, **action_args)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line
>>
>>     623, in dispatch
>>          return method(*args, **kwargs)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/common/utils.__py", line
>>
>>     435, in wrapped
>>          return func(self, req, *args, **kwargs)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/api/v1/images.__py", line
>>
>>     781, in create
>>          image_meta = self._reserve(req, image_meta)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/api/v1/images.__py", line
>>     514, in _reserve
>>          image_meta = registry.add_image_metadata(__req.context,
>> image_meta)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/registry/__
>> client/v1/api.py",
>>
>>     line 161, in add_image_metadata
>>          return c.add_image(image_meta)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/registry/__
>> client/v1/client.py",
>>
>>     line 163, in add_image
>>          res = self.do_request("POST", "/images", body=body,
>>     headers=headers)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/registry/__
>> client/v1/client.py",
>>
>>     line 107, in do_request
>>          **kwargs)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line
>>
>>     65, in wrapped
>>          return func(self, *args, **kwargs)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line
>>     382, in do_request
>>          headers=copy.deepcopy(headers)__)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line
>>
>>     79, in wrapped
>>          return func(self, method, url, body, headers)
>>        File
>>     "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line
>>     523, in _do_request
>>          raise exception.NotAuthenticated(__res.read())
>>
>>     NotAuthenticated: Authentication required
>>
>>
>>     2014-03-24 11:36:14.967 14543 INFO glance.wsgi.server
>>     [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>>     f8fdf7f84ad34c439c4075b5e37202__11
>>     f7e61747885045d8b266a161310c00__94] 111.213.225.79,10.1.1.137 - -
>>
>>     [24/Mar/2014 11:36:14] "POST /v1/images HTTP/1.1" 500 139 0.765716
>>
>>     So I see some Auth errors in that, but I can't tell _what_ kind of
>>     Auth errors they are.  User auth errors from the user uploading the
>>     file? Service Auth errors from the glance service trying to auth to
>>     keystone?  QPID auth errors?
>>
>>     Can anyone see what's wrong?  Then I can better debug where my
>>     problem is...  I've confirmed the user can auth ok with "keystone
>>     token-get'", that seems OK, I have the service user in keystone, not
>>     sure where it's failing...
>>
>>     keystone logs don't really show anything other than:
>>
>>     2014-03-24 11:41:52.420 16503 WARNING keystone.common.wsgi [-]
>>     Authorization failed. The request you have made requires
>>     authentication. from 10.1.1.148
>>
>>     Where 10.1.1.148 is the glance-api server on my internal network.
>>
>>     Thanks for any hints!!
>>
>>     -erich
>>
>>     _________________________________________________
>>     Mailing list:
>>     http://lists.openstack.org/__cgi-bin/mailman/listinfo/__openstack
>>
>>     <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>>     Post to     : openstack at lists.openstack.org
>>     <mailto:openstack at lists.openstack.org>
>>     Unsubscribe :
>>     http://lists.openstack.org/__cgi-bin/mailman/listinfo/__openstack
>>     <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140324/55f1afe5/attachment.html>


More information about the Openstack mailing list