[Openstack] keystone: change from fernet tokens to uuid

Eugen Block eblock at nde.ag
Mon May 23 07:44:11 UTC 2016


Hi

> Can I run "su -s /bin/sh -c "keystone-manage db_sync" keystone"  
> without loosing any data (current users, roles, permissions, etc)??

I wouldn't guarantee that nothing happens to your database (if you're  
unsure make a backup), but I have executed this command without any  
impact on my database.

Based on your statement

> executing the same command through V3 indentity admin interface  
> (/export OS_IDENTITY_API_VERSION=3/) it works

I would suggest to follow Adam's advice to use V3 API.

Regards,
Eugen


Zitat von magicboiz at hotmail.com:

> Hi Eugen
>
> I have admin_token set, but token_provider isn't set.
>
> Can I run "su -s /bin/sh -c "keystone-manage db_sync" keystone"  
> without loosing any data (current users, roles, permissions, etc)??
>
> J.
>
> On 20/05/16 12:42, Eugen Block wrote:
>> Hi,
>>
>> I had a similar issue, in Liberty I used uuid tokens, then I  
>> upgraded to Mitaka and also switched to fernet tokens. Because of  
>> some kind of inconsistency I wanted to switch back to uuid.
>> Do you have an admin_token set in your keystone.conf?
>>
>> I compared my current conf file to the liberty conf and I can't see  
>> another difference except admin_token and token_provider.
>>
>> I followed [1] to get keystone to work with uuid tokens in Liberty.  
>> If I understand correctly, you'll have to populate the keystone  
>> database "su -s /bin/sh -c "keystone-manage db_sync" keystone" and  
>> enable the required services.
>> In my case, I managed to switch back to uuid, but in the meantime  
>> I'm back to fernet tokens.
>>
>> Hope this helps!
>>
>> [1]  
>> http://docs.openstack.org/liberty/install-guide-obs/keystone-install.html#install-and-configure-components
>>
>> Regards,
>> Eugen
>>
>> Zitat von magicboiz at hotmail.com:
>>
>>> Hi
>>>
>>> I've deployed FUEL 8.0 (liberty) on my lab and noticed that FUEL  
>>> works with fernet tokens. Because I have an old app which only  
>>> works with UUID, I have changed /etc/keyston/keyston.conf
>>>
>>> from:
>>>
>>> [token]
>>>        provider = keystone.token.providers.fernet.Provider
>>>
>>>
>>> to:
>>>
>>> [token]
>>>        provider = keystone.token.providers.uuid.Provider
>>>
>>>
>>> But now, I'm facing a strange behavior:
>>>
>>> as admin user, executing a simple "keystone user-list" doesn't  
>>> work and shows this error:
>>> /.................
>>> RESP BODY: {"error": {"message": "Non-default domain is not  
>>> supported (Disable debug mode to suppress these details.)",  
>>> "code": 401, "title": "Unauthorized"}}
>>> //.................//
>>>
>>> /Executing "openstack user list" also gets the same error:
>>> /Non-default domain is not supported (Disable debug mode to  
>>> suppress these details.) (HTTP 401) (Request-ID:  
>>> req-8285b64d-353a-4188-949f-679bbfaa1114)/
>>>
>>> Also from Horizon dashboard, I cannot retrieve the user list.....
>>>
>>>
>>> But the funny/strange thing is that executing the same command  
>>> through V3 indentity admin interface (/export  
>>> OS_IDENTITY_API_VERSION=3/) it works:
>>>
>>> /root at node-1:~# openstack user list
>>> +----------------------------------+-------------------+
>>> | ID                               | Name              |
>>> +----------------------------------+-------------------+
>>> | 06c80b0440034f49a674bd0ef56385e1 | heat_admin        |
>>> | 1b5ae288f1494efd91aa67cadd290939 | sahara            |
>>> | 2c71b7342bfe421abdb1af34a05988ac | heat-cfn          |
>>> | 4722750675d6416082be67a7cf9b03c3 | murano            |
>>> | 6b020f2c8328430b9bc71400e8a8b661 | cinder            |
>>> | 958dd93f02614f38b4575c05833b0884 | heat              |
>>> | 97c015a3d9b2432090992027fdb16e44 | ceilometer        |
>>> | 9fb385d757324bc0a62b502f4c3ae67c | swift             |
>>> | cc1395223fd74ea2aa59242fccb279de | admin             |
>>> | dc325906c9b6446a801a9d4914472b51 | neutron           |
>>> | df265ea710294923991a5d10006dd9cb | nova              |
>>> | ebcf0d3439c143d098d95212fa587b6a | glance            |
>>> | fc804ae3614349ea80f844bc7f102a59 | fuel_stats_user   |
>>> +----------------------------------+-------------------+
>>> /
>>>
>>> Anyone could help me?
>>>
>>> thanks in advance.
>>> J
>>
>>
>>
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack



-- 
Eugen Block                             voice   : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg                         e-mail  : eblock at nde.ag

         Vorsitzende des Aufsichtsrates: Angelika Mozdzen
           Sitz und Registergericht: Hamburg, HRB 90934
                   Vorstand: Jens-U. Mozdzen
                    USt-IdNr. DE 814 013 983





More information about the Openstack mailing list