[Openstack] keystone: change from fernet tokens to uuid

magicboiz at hotmail.com magicboiz at hotmail.com
Mon May 23 08:18:39 UTC 2016


Hi

yes, I've configured Horizon to use V3 identity endpoint. And after 
applying latests updates from liberty, everything works as expected (v2 
o v3), so I guess it was some kind of bug....

Thanks for your help.
J.

On 23/05/16 09:44, Eugen Block wrote:
> Hi
>
>> Can I run "su -s /bin/sh -c "keystone-manage db_sync" keystone" 
>> without loosing any data (current users, roles, permissions, etc)??
>
> I wouldn't guarantee that nothing happens to your database (if you're 
> unsure make a backup), but I have executed this command without any 
> impact on my database.
>
> Based on your statement
>
>> executing the same command through V3 indentity admin interface 
>> (/export OS_IDENTITY_API_VERSION=3/) it works
>
> I would suggest to follow Adam's advice to use V3 API.
>
> Regards,
> Eugen
>
>
> Zitat von magicboiz at hotmail.com:
>
>> Hi Eugen
>>
>> I have admin_token set, but token_provider isn't set.
>>
>> Can I run "su -s /bin/sh -c "keystone-manage db_sync" keystone" 
>> without loosing any data (current users, roles, permissions, etc)??
>>
>> J.
>>
>> On 20/05/16 12:42, Eugen Block wrote:
>>> Hi,
>>>
>>> I had a similar issue, in Liberty I used uuid tokens, then I 
>>> upgraded to Mitaka and also switched to fernet tokens. Because of 
>>> some kind of inconsistency I wanted to switch back to uuid.
>>> Do you have an admin_token set in your keystone.conf?
>>>
>>> I compared my current conf file to the liberty conf and I can't see 
>>> another difference except admin_token and token_provider.
>>>
>>> I followed [1] to get keystone to work with uuid tokens in Liberty. 
>>> If I understand correctly, you'll have to populate the keystone 
>>> database "su -s /bin/sh -c "keystone-manage db_sync" keystone" and 
>>> enable the required services.
>>> In my case, I managed to switch back to uuid, but in the meantime 
>>> I'm back to fernet tokens.
>>>
>>> Hope this helps!
>>>
>>> [1] 
>>> http://docs.openstack.org/liberty/install-guide-obs/keystone-install.html#install-and-configure-components
>>>
>>> Regards,
>>> Eugen
>>>
>>> Zitat von magicboiz at hotmail.com:
>>>
>>>> Hi
>>>>
>>>> I've deployed FUEL 8.0 (liberty) on my lab and noticed that FUEL 
>>>> works with fernet tokens. Because I have an old app which only 
>>>> works with UUID, I have changed /etc/keyston/keyston.conf
>>>>
>>>> from:
>>>>
>>>> [token]
>>>>        provider = keystone.token.providers.fernet.Provider
>>>>
>>>>
>>>> to:
>>>>
>>>> [token]
>>>>        provider = keystone.token.providers.uuid.Provider
>>>>
>>>>
>>>> But now, I'm facing a strange behavior:
>>>>
>>>> as admin user, executing a simple "keystone user-list" doesn't work 
>>>> and shows this error:
>>>> /.................
>>>> RESP BODY: {"error": {"message": "Non-default domain is not 
>>>> supported (Disable debug mode to suppress these details.)", "code": 
>>>> 401, "title": "Unauthorized"}}
>>>> //.................//
>>>>
>>>> /Executing "openstack user list" also gets the same error:
>>>> /Non-default domain is not supported (Disable debug mode to 
>>>> suppress these details.) (HTTP 401) (Request-ID: 
>>>> req-8285b64d-353a-4188-949f-679bbfaa1114)/
>>>>
>>>> Also from Horizon dashboard, I cannot retrieve the user list.....
>>>>
>>>>
>>>> But the funny/strange thing is that executing the same command 
>>>> through V3 indentity admin interface (/export 
>>>> OS_IDENTITY_API_VERSION=3/) it works:
>>>>
>>>> /root at node-1:~# openstack user list
>>>> +----------------------------------+-------------------+
>>>> | ID                               | Name              |
>>>> +----------------------------------+-------------------+
>>>> | 06c80b0440034f49a674bd0ef56385e1 | heat_admin        |
>>>> | 1b5ae288f1494efd91aa67cadd290939 | sahara            |
>>>> | 2c71b7342bfe421abdb1af34a05988ac | heat-cfn          |
>>>> | 4722750675d6416082be67a7cf9b03c3 | murano            |
>>>> | 6b020f2c8328430b9bc71400e8a8b661 | cinder            |
>>>> | 958dd93f02614f38b4575c05833b0884 | heat              |
>>>> | 97c015a3d9b2432090992027fdb16e44 | ceilometer        |
>>>> | 9fb385d757324bc0a62b502f4c3ae67c | swift             |
>>>> | cc1395223fd74ea2aa59242fccb279de | admin             |
>>>> | dc325906c9b6446a801a9d4914472b51 | neutron           |
>>>> | df265ea710294923991a5d10006dd9cb | nova              |
>>>> | ebcf0d3439c143d098d95212fa587b6a | glance            |
>>>> | fc804ae3614349ea80f844bc7f102a59 | fuel_stats_user   |
>>>> +----------------------------------+-------------------+
>>>> /
>>>>
>>>> Anyone could help me?
>>>>
>>>> thanks in advance.
>>>> J
>>>
>>>
>>>
>>
>>
>> _______________________________________________
>> Mailing list: 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>





More information about the Openstack mailing list