[Openstack] keystone: change from fernet tokens to uuid
Eugen Block
eblock at nde.ag
Mon May 23 07:44:11 UTC 2016
Hi
> Can I run "su -s /bin/sh -c "keystone-manage db_sync" keystone"
> without losing any data (current users, roles, permissions, etc)??
I wouldn't guarantee that nothing happens to your database (if you're
unsure, make a backup), but I have executed this command without any
impact on my database.
Based on your statement
> executing the same command through V3 identity admin interface
> (export OS_IDENTITY_API_VERSION=3) it works
I would suggest following Adam's advice to use the V3 API.
Regards,
Eugen
Quoting magicboiz at hotmail.com:
> Hi Eugen
>
> I have admin_token set, but token_provider isn't set.
>
> Can I run "su -s /bin/sh -c "keystone-manage db_sync" keystone"
> without losing any data (current users, roles, permissions, etc)??
>
> J.
>
> On 20/05/16 12:42, Eugen Block wrote:
>> Hi,
>>
>> I had a similar issue, in Liberty I used uuid tokens, then I
>> upgraded to Mitaka and also switched to fernet tokens. Because of
>> some kind of inconsistency I wanted to switch back to uuid.
>> Do you have an admin_token set in your keystone.conf?
>>
>> I compared my current conf file to the liberty conf and I can't see
>> another difference except admin_token and token_provider.
>>
>> I followed [1] to get keystone to work with uuid tokens in Liberty.
>> If I understand correctly, you'll have to populate the keystone
>> database "su -s /bin/sh -c "keystone-manage db_sync" keystone" and
>> enable the required services.
>> In my case, I managed to switch back to uuid, but in the meantime
>> I'm back to fernet tokens.
>>
>> Hope this helps!
>>
>> [1]
>> http://docs.openstack.org/liberty/install-guide-obs/keystone-install.html#install-and-configure-components
>>
>> Regards,
>> Eugen
>>
>> Quoting magicboiz at hotmail.com:
>>
>>> Hi
>>>
>>> I've deployed FUEL 8.0 (liberty) in my lab and noticed that FUEL
>>> works with fernet tokens. Because I have an old app which only
>>> works with UUID, I have changed /etc/keystone/keystone.conf
>>>
>>> from:
>>>
>>> [token]
>>> provider = keystone.token.providers.fernet.Provider
>>>
>>>
>>> to:
>>>
>>> [token]
>>> provider = keystone.token.providers.uuid.Provider
>>>
>>>
>>> But now, I'm facing a strange behavior:
>>>
>>> as admin user, executing a simple "keystone user-list" doesn't
>>> work and shows this error:
>>> .................
>>> RESP BODY: {"error": {"message": "Non-default domain is not
>>> supported (Disable debug mode to suppress these details.)",
>>> "code": 401, "title": "Unauthorized"}}
>>> .................
>>>
>>> Executing "openstack user list" also gets the same error:
>>> Non-default domain is not supported (Disable debug mode to
>>> suppress these details.) (HTTP 401) (Request-ID:
>>> req-8285b64d-353a-4188-949f-679bbfaa1114)
>>>
>>> Also from Horizon dashboard, I cannot retrieve the user list.....
>>>
>>>
>>> But the funny/strange thing is that executing the same command
>>> through V3 identity admin interface (export
>>> OS_IDENTITY_API_VERSION=3) it works:
>>>
>>> root@node-1:~# openstack user list
>>> +----------------------------------+-------------------+
>>> | ID | Name |
>>> +----------------------------------+-------------------+
>>> | 06c80b0440034f49a674bd0ef56385e1 | heat_admin |
>>> | 1b5ae288f1494efd91aa67cadd290939 | sahara |
>>> | 2c71b7342bfe421abdb1af34a05988ac | heat-cfn |
>>> | 4722750675d6416082be67a7cf9b03c3 | murano |
>>> | 6b020f2c8328430b9bc71400e8a8b661 | cinder |
>>> | 958dd93f02614f38b4575c05833b0884 | heat |
>>> | 97c015a3d9b2432090992027fdb16e44 | ceilometer |
>>> | 9fb385d757324bc0a62b502f4c3ae67c | swift |
>>> | cc1395223fd74ea2aa59242fccb279de | admin |
>>> | dc325906c9b6446a801a9d4914472b51 | neutron |
>>> | df265ea710294923991a5d10006dd9cb | nova |
>>> | ebcf0d3439c143d098d95212fa587b6a | glance |
>>> | fc804ae3614349ea80f844bc7f102a59 | fuel_stats_user |
>>> +----------------------------------+-------------------+
>>>
>>> Could anyone help me?
>>>
>>> thanks in advance.
>>> J
--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock at nde.ag
Vorsitzende des Aufsichtsrates: Angelika Mozdzen
Sitz und Registergericht: Hamburg, HRB 90934
Vorstand: Jens-U. Mozdzen
USt-IdNr. DE 814 013 983
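
The keystone.conf comparison described in the thread (only admin_token and the token provider differing), as an added example that is not part of the original messages and is not Keystone code: it diffs two config files, reports admin_token only as set or unset, and treats a provider class path and its short name as the same provider. The sample files and the placeholder token are constructed, and the class-path/short-name equivalence is an assumption.

```python
import configparser

SECRET_OPTIONS = {"admin_token"}  # compared as set/unset, value never shown

# Constructed sample files (not from the thread); the token is a placeholder.
OLD_CONF = """
[DEFAULT]
admin_token = CONSTRUCTED_PLACEHOLDER
[token]
provider = keystone.token.providers.uuid.Provider
"""
NEW_CONF = """
[DEFAULT]
[token]
provider = fernet
"""

def load(text):
    """Flatten keystone.conf text into {(section, option): value}."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    cp.read_string(text)  # [DEFAULT] is parsed as an ordinary section here
    return {(s, o): v.strip() for s in cp.sections() for o, v in cp.items(s)}

def normalise(section, option, value):
    """Mask secrets; reduce a provider class path to its short name."""
    if value is None:
        return None
    if option in SECRET_OPTIONS:
        return "<set>"
    parts = value.split(".")
    # Assumption: '...providers.uuid.Provider' and 'uuid' name one provider.
    if (section, option) == ("token", "provider") and parts[-1] == "Provider":
        return parts[-2] if len(parts) > 1 else value
    return value

def compare(old_text, new_text):
    """Return {(section, option): (old, new)} for every setting that differs."""
    old, new = load(old_text), load(new_text)
    diff = {}
    for key in sorted(set(old) | set(new)):
        a, b = (normalise(*key, conf.get(key)) for conf in (old, new))
        if a != b:
            diff[key] = (a, b)
    return diff

if __name__ == "__main__":
    for (section, option), (a, b) in compare(OLD_CONF, NEW_CONF).items():
        print(f"[{section}] {option}: {a} -> {b}")
```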