[Openstack] Auth issue with glance
Adam Lawson
alawson at aqorn.com
Mon Mar 24 21:51:25 UTC 2014
Are you able to authenticate in Keystone without introducing the additional
service?
This should indicate if your default Keystone admin credentials are
authenticating via user/pass versus PKI tokens (a little different but I
like it):
$ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
> $ export OS_USERNAME=<admin_username>
> $ export OS_PASSWORD=<admin_password>
> $ export OS_TENANT_NAME=<admin_tenant_name>
> $ export OS_AUTH_URL=http://IP_ADDRESS:35357/v2.0 (for instance)
> $ keystone user-list
This unsets your env vars and takes a non-token approach. should display
defined users. If not then your Keystone server isn't working or isn't
hearing the request. a wget of the auth url should tell you if you can see
the service. Are you getting success at this level at least?
Mahalo,
Adam
*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620
On Mon, Mar 24, 2014 at 1:21 PM, Erich Weiler <weiler at soe.ucsc.edu> wrote:
> Ah, no, this is the first one. ;)
>
> I can auth users however with "keystone token-get" so I know that works at
> least.
>
> "glance-api-paste.ini" and "glance-registry-paste.ini" have been
> integrated into glance-api.conf and glance-registry.conf so I don't need to
> edit those (for RedHat RDO only). I have the service auth creds in those
> files.
>
> Thanks for the help!
>
>
> On 3/24/14, 1:16 PM, Adam Lawson wrote:
>
>> Do you have any other OpenStack services authenticating against Keystone
>> successfully?
>>
>> */
>> Adam Lawson/*
>>
>> AQORN, Inc.
>> 427 North Tatnall Street
>> Ste. 58461
>> Wilmington, Delaware 19801-2230
>> Toll-free: (888) 406-7620
>>
>>
>>
>> On Mon, Mar 24, 2014 at 11:43 AM, Erich Weiler <weiler at soe.ucsc.edu
>> <mailto:weiler at soe.ucsc.edu>> wrote:
>>
>> Hi Y'all,
>>
>> I'm trying to configure Glance on RedHat RDO Icehouse, but I'm
>> getting an auth error when I try to upload an image to it. On the
>> client I'm trying to upload from, I see:
>>
>> # glance -d image-create --name="CirrOS 0.3.1" --disk-format=qcow2
>> --container-format=bare --is-public=true <
>> cirros-0.3.1-x86_64-disk.img
>> curl -i -X POST -H 'x-image-meta-container___format: bare' -H
>>
>> 'Transfer-Encoding: chunked' -H 'User-Agent: python-glanceclient' -H
>> 'x-image-meta-size: 13147648' -H 'x-image-meta-is_public: True' -H
>> 'X-Auth-Token: <...removed token...>' -H 'Content-Type:
>> application/octet-stream' -H 'x-image-meta-disk_format: qcow2' -H
>> 'x-image-meta-name: CirrOS 0.3.1' -d '<open file '<stdin>', mode 'r'
>> at 0x7f49edd5d0c0>' https://my-public-server.com:__9292/v1/images
>>
>> <https://my-public-server.com:9292/v1/images>
>>
>> HTTP/1.1 500 Internal Server Error
>> date: Mon, 24 Mar 2014 18:34:03 GMT
>> content-length: 0
>> content-type: text/plain
>> connection: close
>>
>> Request returned failure status.
>> HTTPInternalServerError (HTTP 500)
>>
>> I've launched glance-api in debug mode on the server side, and I see
>> this when the above command is run:
>>
>> 2014-03-24 11:36:14.202 14543 DEBUG
>> glance.api.middleware.version___negotiation [-] Determining version
>>
>> of request: POST /v1/images Accept: process_request
>> /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___
>> negotiation.py:44
>>
>> 2014-03-24 11:36:14.203 14543 DEBUG
>> glance.api.middleware.version___negotiation [-] Using url versioning
>> process_request
>> /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___
>> negotiation.py:57
>>
>> 2014-03-24 11:36:14.203 14543 DEBUG
>> glance.api.middleware.version___negotiation [-] Matched version: v1
>> process_request
>> /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___
>> negotiation.py:69
>>
>> 2014-03-24 11:36:14.204 14543 DEBUG
>> glance.api.middleware.version___negotiation [-] new path /v1/images
>> process_request
>> /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___
>> negotiation.py:70
>>
>> 2014-03-24 11:36:14.204 14543 DEBUG
>> keystoneclient.middleware.__auth_token [-] Authenticating user token
>> __call__
>> /usr/lib/python2.6/site-__packages/keystoneclient/__
>> middleware/auth_token.py:558
>>
>> 2014-03-24 11:36:14.205 14543 DEBUG
>> keystoneclient.middleware.__auth_token [-] Removing headers from
>> request environment:
>> X-Identity-Status,X-Domain-Id,__X-Domain-Name,X-Project-Id,
>> X-__Project-Name,X-Project-Domain-__Id,X-Project-Domain-
>> Name,X-__User-Id,X-User-Name,X-User-__Domain-Id,X-User-
>> Domain-Name,__X-Roles,X-Service-Catalog,X-__User,X-
>> Tenant-Id,X-Tenant-__Name,X-Tenant,X-Role
>> _remove_auth_headers
>> /usr/lib/python2.6/site-__packages/keystoneclient/__
>> middleware/auth_token.py:617
>>
>> 2014-03-24 11:36:14.226 14543 INFO urllib3.connectionpool [-]
>> Starting new HTTP connection (1):
>> genome-cloud-0-10.kilokluster.__ucsc.edu
>> <http://genome-cloud-0-10.kilokluster.ucsc.edu>
>>
>> 2014-03-24 11:36:14.339 14543 DEBUG urllib3.connectionpool [-] "POST
>> /v2.0/tokens HTTP/1.1" 200 3446 _make_request
>> /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295
>>
>> 2014-03-24 11:36:14.382 14543 INFO urllib3.connectionpool [-]
>> Starting new HTTP connection (1):
>> genome-cloud-0-10.kilokluster.__ucsc.edu
>> <http://genome-cloud-0-10.kilokluster.ucsc.edu>
>>
>> 2014-03-24 11:36:14.422 14543 DEBUG urllib3.connectionpool [-] "GET
>> /v2.0/tokens/revoked HTTP/1.1" 200 686 _make_request
>> /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295
>>
>> 2014-03-24 11:36:14.433 14543 INFO urllib3.connectionpool [-]
>> Starting new HTTP connection (1):
>> genome-cloud-0-10.kilokluster.__ucsc.edu
>> <http://genome-cloud-0-10.kilokluster.ucsc.edu>
>>
>> 2014-03-24 11:36:14.439 14543 DEBUG urllib3.connectionpool [-] "GET
>> /v2.0/certificates/signing HTTP/1.1" 200 4251 _make_request
>> /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295
>>
>> 2014-03-24 11:36:14.451 14543 INFO urllib3.connectionpool [-]
>> Starting new HTTP connection (1):
>> genome-cloud-0-10.kilokluster.__ucsc.edu
>> <http://genome-cloud-0-10.kilokluster.ucsc.edu>
>>
>> 2014-03-24 11:36:14.455 14543 DEBUG urllib3.connectionpool [-] "GET
>> /v2.0/certificates/ca HTTP/1.1" 200 1277 _make_request
>> /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295
>>
>> 2014-03-24 11:36:14.476 14543 DEBUG
>> keystoneclient.middleware.__auth_token [-] Storing
>> 326d8c391f19d07c9f5a69d40da33f__0a token in memcache _cache_put
>> /usr/lib/python2.6/site-__packages/keystoneclient/__
>> middleware/auth_token.py:1061
>>
>> 2014-03-24 11:36:14.477 14543 DEBUG
>> keystoneclient.middleware.__auth_token [-] Received request from
>> user: f8fdf7f84ad34c439c4075b5e37202__11 with project_id :
>> f7e61747885045d8b266a161310c00__94 and roles: _member_
>> _build_user_headers
>> /usr/lib/python2.6/site-__packages/keystoneclient/__
>> middleware/auth_token.py:922
>>
>> 2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Matched
>> POST /images __call__
>> /usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._
>> _egg/routes/middleware.py:100
>>
>> 2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Route
>> path: '/images', defaults: {'action': u'create', 'controller':
>> <glance.common.wsgi.Resource object at 0x34c7450>} __call__
>> /usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._
>> _egg/routes/middleware.py:102
>>
>> 2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Match
>> dict: {'action': u'create', 'controller':
>> <glance.common.wsgi.Resource object at 0x34c7450>} __call__
>> /usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._
>> _egg/routes/middleware.py:103
>>
>> 2014-03-24 11:36:14.488 14543 DEBUG glance.registry.client.v1.api
>> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>> f8fdf7f84ad34c439c4075b5e37202__11
>> f7e61747885045d8b266a161310c00__94] Adding image metadata...
>> add_image_metadata
>> /usr/lib/python2.6/site-__packages/glance/registry/__
>> client/v1/api.py:159
>>
>> 2014-03-24 11:36:14.488 14543 DEBUG glance.common.client
>> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>> f8fdf7f84ad34c439c4075b5e37202__11
>> f7e61747885045d8b266a161310c00__94] Constructed URL:
>> http://0.0.0.0:9191/images _construct_url
>> /usr/lib/python2.6/site-__packages/glance/common/client.__py:407
>>
>> 2014-03-24 11:36:14.556 14543 DEBUG glance.common.client
>> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>> f8fdf7f84ad34c439c4075b5e37202__11
>> f7e61747885045d8b266a161310c00__94] Constructed URL:
>> http://0.0.0.0:9191/images _construct_url
>> /usr/lib/python2.6/site-__packages/glance/common/client.__py:407
>>
>> 2014-03-24 11:36:14.560 14543 INFO
>> glance.registry.client.v1.__client
>> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>> f8fdf7f84ad34c439c4075b5e37202__11
>> f7e61747885045d8b266a161310c00__94] Registry client request POST
>>
>> /images raised NotAuthenticated
>> 2014-03-24 11:36:14.564 14543 INFO glance.wsgi.server
>> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>> f8fdf7f84ad34c439c4075b5e37202__11
>> f7e61747885045d8b266a161310c00__94] Traceback (most recent call
>> last):
>> File "/usr/lib/python2.6/site-__packages/eventlet/wsgi.py", line
>>
>> 382, in handle_one_response
>> result = self.application(self.environ, start_response)
>> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 130,
>>
>> in __call__
>> resp = self.call_func(req, *args, **self.kwargs)
>> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 195,
>>
>> in call_func
>> return self.func(req, *args, **kwargs)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line
>> 372, in __call__
>> response = req.get_response(self.__application)
>> File "/usr/lib/python2.6/site-__packages/webob/request.py", line
>>
>> 1296, in send
>> application, catch_exc_info=False)
>> File "/usr/lib/python2.6/site-__packages/webob/request.py", line
>>
>> 1260, in call_application
>> app_iter = application(self.environ, start_response)
>> File
>> "/usr/lib/python2.6/site-__packages/keystoneclient/__
>> middleware/auth_token.py",
>>
>> line 571, in __call__
>> return self.app(env, start_response)
>> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 130,
>>
>> in __call__
>> resp = self.call_func(req, *args, **self.kwargs)
>> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 195,
>>
>> in call_func
>> return self.func(req, *args, **kwargs)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line
>> 372, in __call__
>> response = req.get_response(self.__application)
>> File "/usr/lib/python2.6/site-__packages/webob/request.py", line
>>
>> 1296, in send
>> application, catch_exc_info=False)
>> File "/usr/lib/python2.6/site-__packages/webob/request.py", line
>>
>> 1260, in call_application
>> app_iter = application(self.environ, start_response)
>> File "/usr/lib/python2.6/site-__packages/paste/urlmap.py", line
>>
>> 203, in __call__
>> return app(environ, start_response)
>> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 144,
>>
>> in __call__
>> return resp(environ, start_response)
>> File
>> "/usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._
>> _egg/routes/middleware.py",
>>
>> line 131, in __call__
>> response = self.app(environ, start_response)
>> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 144,
>>
>> in __call__
>> return resp(environ, start_response)
>> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 130,
>>
>> in __call__
>> resp = self.call_func(req, *args, **self.kwargs)
>> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 195,
>>
>> in call_func
>> return self.func(req, *args, **kwargs)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line
>>
>> 604, in __call__
>> request, **action_args)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line
>>
>> 623, in dispatch
>> return method(*args, **kwargs)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/common/utils.__py", line
>>
>> 435, in wrapped
>> return func(self, req, *args, **kwargs)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/api/v1/images.__py", line
>>
>> 781, in create
>> image_meta = self._reserve(req, image_meta)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/api/v1/images.__py", line
>> 514, in _reserve
>> image_meta = registry.add_image_metadata(__req.context,
>> image_meta)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/registry/__
>> client/v1/api.py",
>>
>> line 161, in add_image_metadata
>> return c.add_image(image_meta)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/registry/__
>> client/v1/client.py",
>>
>> line 163, in add_image
>> res = self.do_request("POST", "/images", body=body,
>> headers=headers)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/registry/__
>> client/v1/client.py",
>>
>> line 107, in do_request
>> **kwargs)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line
>>
>> 65, in wrapped
>> return func(self, *args, **kwargs)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line
>> 382, in do_request
>> headers=copy.deepcopy(headers)__)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line
>>
>> 79, in wrapped
>> return func(self, method, url, body, headers)
>> File
>> "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line
>> 523, in _do_request
>> raise exception.NotAuthenticated(__res.read())
>>
>> NotAuthenticated: Authentication required
>>
>>
>> 2014-03-24 11:36:14.967 14543 INFO glance.wsgi.server
>> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3
>> f8fdf7f84ad34c439c4075b5e37202__11
>> f7e61747885045d8b266a161310c00__94] 111.213.225.79,10.1.1.137 - -
>>
>> [24/Mar/2014 11:36:14] "POST /v1/images HTTP/1.1" 500 139 0.765716
>>
>> So I see some Auth errors in that, but I can't tell _what_ kind of
>> Auth errors they are. User auth errors from the user uploading the
>> file? Service Auth errors from the glance service trying to auth to
>> keystone? QPID auth errors?
>>
>> Can anyone see what's wrong? Then I can better debug where my
>> problem is... I've confirmed the user can auth ok with "keystone
>> token-get'", that seems OK, I have the service user in keystone, not
>> sure where it's failing...
>>
>> keystone logs don't really show anything other than:
>>
>> 2014-03-24 11:41:52.420 16503 WARNING keystone.common.wsgi [-]
>> Authorization failed. The request you have made requires
>> authentication. from 10.1.1.148
>>
>> Where 10.1.1.148 is the glance-api server on my internal network.
>>
>> Thanks for any hints!!
>>
>> -erich
>>
>> _________________________________________________
>> Mailing list:
>> http://lists.openstack.org/__cgi-bin/mailman/listinfo/__openstack
>>
>> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>> Post to : openstack at lists.openstack.org
>> <mailto:openstack at lists.openstack.org>
>> Unsubscribe :
>> http://lists.openstack.org/__cgi-bin/mailman/listinfo/__openstack
>> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140324/55f1afe5/attachment.html>
More information about the Openstack
mailing list