[Openstack] [Glance] Support for Keystone v3 multi-domain?

Tatsuya Kawano tkawano at cloudian.com
Fri Nov 21 07:36:57 UTC 2014


Never mind. I solved this by myself. I had to add `auth_version=v3.0`
in [keystone_authtoken] section of glance-api.conf and
glance-registry.conf, and then restart these services.

The following bug report and commit log helped me to figure it out:

- Documentation Configuring Glance API to use Keystone without auth_version
   https://bugs.launchpad.net/glance/+bug/1323646

- Glance auth_version needs to be in conf by default
   https://github.com/stackforge/cookbook-openstack-image/commit/31ba27ccd04250f046e9a4ec45e3433308977410

Thanks,


On Fri, Nov 21, 2014 at 12:14 PM, Tatsuya Kawano <tkawano at cloudian.com> wrote:
> Hi,
>
> I'm using Icehouse and enabled the Keystone v3 multi-domain feature in
> Horizon and Nova. I created a non-default Keystone domain and added
> projects and users in it. However, if a user (in the non-default
> domain) tries to list/create a VM image or launch a VM instance in
> Horizon, they get an unauthorized error from Glance.
>
> /var/log/glance/api.log
> ----------
> 2014-11-20 19:02:45.112 26969 DEBUG urllib3.connectionpool [-] "GET
> /v2.0/tokens/e8dde073ce429da4ae5fc3c2d2506753 HTTP/1.1" 401 114
> _make_request /usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295
>
> 2014-11-20 19:02:45.113 26969 INFO
> keystoneclient.middleware.auth_token [-] Keystone rejected admin
> token, resetting
>
> 2014-11-20 19:02:45.113 26969 WARNING
> keystoneclient.middleware.auth_token [-] Invalid user token. Keystone
> response: {u'error': {u'message': u'The request you have made requires
> authentication.', u'code': 401, u'title': u'Unauthorized'}}
>
> 2014-11-20 19:02:45.113 26969 DEBUG
> keystoneclient.middleware.auth_token [-] Token validation failure.
> _validate_user_token
> /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:943
> ----------
>
> I checked the Glance source code (glance/common/auth.py), and it seems
> Glance only supports Keystone v1 and v2 APIs. So if the user is using
> Keystone v3 auth token, Glance can't validate the auth token with
> Keystone.
>
> Am I correct?  If so, does anybody have a patch to enable Keystone v3
> API support in Glance?
>
> Thanks,
> Tatsuya Kawano (Mr.)
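
Added example (not part of the original message and not Glance or keystoneclient code): a check for the fix described above, which reports whether `auth_version` is set in `[keystone_authtoken]` and counts token validations that went to the v2.0 API and came back 401, as in the api.log excerpt. The function names, the sample config values and the log lines are constructed for illustration.

```python
import configparser
import re

# Constructed samples (not from a real deployment): a [keystone_authtoken]
# section before and after the fix described in the message above.
CONF_BEFORE = """\
[DEFAULT]
[keystone_authtoken]
auth_host = keystone.example.test
admin_user = glance
"""
CONF_AFTER = CONF_BEFORE + "auth_version = v3.0\n"

# Constructed log lines modelled on the api.log excerpt; the token is a placeholder.
LOG_SAMPLE = (
    '2014-11-20 19:02:45.112 26969 DEBUG urllib3.connectionpool [-] '
    '"GET /v2.0/tokens/PLACEHOLDER_TOKEN HTTP/1.1" 401 114 _make_request\n'
    '2014-11-20 19:02:45.113 26969 WARNING keystoneclient.middleware.auth_token '
    '[-] Invalid user token.\n'
)

# A token validation request against the v2.0 API that Keystone answered with 401.
V2_REJECT = re.compile(r'"GET /v2\.0/tokens/\S+ HTTP/1\.\d" 401\b')


def check_auth_version(conf_text, wanted="v3.0"):
    """Return (ok, message) for auth_version in [keystone_authtoken]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("keystone_authtoken"):
        return False, "no [keystone_authtoken] section"
    value = cp.get("keystone_authtoken", "auth_version", fallback=None)
    if value is None:
        return False, "auth_version not set"
    if value.strip() != wanted:
        return False, "auth_version is %s, expected %s" % (value, wanted)
    return True, "auth_version = %s" % wanted


def count_v2_rejections(log_text):
    """Count token validations sent to the v2.0 API that came back 401."""
    return sum(1 for line in log_text.splitlines() if V2_REJECT.search(line))


if __name__ == "__main__":
    for name, text in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(name, check_auth_version(text))
    print("v2.0 401 responses:", count_v2_rejections(LOG_SAMPLE))
```

To use it on a real host, pass the contents of glance-api.conf and glance-registry.conf to `check_auth_version` and the contents of /var/log/glance/api.log to `count_v2_rejections`.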



