[Openstack] [Glance] Support for Keystone v3 multi-domain?

Tatsuya Kawano tkawano at cloudian.com
Fri Nov 21 03:14:39 UTC 2014


Hi,

I'm using Icehouse and enabled the Keystone v3 multi-domain feature in
Horizon and Nova. I created a non-default Keystone domain and added
projects and users in it. However, if a user (in the non-default
domain) tries to list/create a VM image or launch a VM instance in
Horizon, it gets an unauthorized error from Glance.

/var/log/glance/api.log
----------
2014-11-20 19:02:45.112 26969 DEBUG urllib3.connectionpool [-] "GET /v2.0/tokens/e8dde073ce429da4ae5fc3c2d2506753 HTTP/1.1" 401 114 _make_request /usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295

2014-11-20 19:02:45.113 26969 INFO keystoneclient.middleware.auth_token [-] Keystone rejected admin token, resetting

2014-11-20 19:02:45.113 26969 WARNING keystoneclient.middleware.auth_token [-] Invalid user token. Keystone response: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Unauthorized'}}

2014-11-20 19:02:45.113 26969 DEBUG keystoneclient.middleware.auth_token [-] Token validation failure. _validate_user_token /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:943
----------

I checked the Glance source code (glance/common/auth.py), and it seems
Glance only supports Keystone v1 and v2 APIs. So if the user is using
a Keystone v3 auth token, Glance can't validate the auth token with
Keystone.

Am I correct?  If so, does anybody have a patch to enable Keystone v3
API support in Glance?

Thanks,
Tatsuya Kawano (Mr.)
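
Added example, not part of the original post and not Glance or keystoneclient code: a log-triage script that rejoins e-mail-wrapped api.log records and reports, for each token-validation request, the Keystone API version in the URL, the HTTP status, and the auth_token messages that follow it. The sample log is constructed in the shape of the excerpt in the post, with a placeholder token id; the function and constant names are this example's own.

```python
import re

# Constructed sample shaped like the api.log excerpt; the token id is a placeholder.
SAMPLE_LOG = """\
2014-11-20 19:02:45.112 26969 DEBUG urllib3.connectionpool [-] "GET
/v2.0/tokens/TOKEN_ID_PLACEHOLDER HTTP/1.1" 401 114
_make_request /usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295

2014-11-20 19:02:45.113 26969 INFO
keystoneclient.middleware.auth_token [-] Keystone rejected admin
token, resetting

2014-11-20 19:02:45.113 26969 WARNING
keystoneclient.middleware.auth_token [-] Invalid user token. Keystone
response: {u'error': {u'code': 401, u'title': u'Unauthorized'}}
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ ")
TOKEN_REQ = re.compile(r'"[A-Z]+ /(v[\d.]+)/(?:auth/)?tokens\S* HTTP/[\d.]+" (\d{3})')
MARKERS = ("Keystone rejected admin token", "Invalid user token")

def records(text):
    """Rejoin wrapped lines; a record starts only at a timestamp."""
    current = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) and current:
            yield " ".join(current)
            current = []
        current.append(line)
    if current:
        yield " ".join(current)

def triage(text):
    """Pair each token-validation request with the middleware messages after it."""
    findings = []
    for rec in records(text):
        m = TOKEN_REQ.search(rec)
        if m:
            findings.append({"api": m.group(1), "status": int(m.group(2)), "notes": []})
        elif findings:
            findings[-1]["notes"] += [k for k in MARKERS if k in rec]
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```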



