I haven't used the Apache2 WSGI front end for Icehouse, but I did use it with Grizzly. The Keystone endpoints should not change. The following URLs are incorrect.
export OS_AUTH_URL="http://10.65.235.39:5000/keystone/main"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/keystone/admin"

Mark

From: Staicu Gabriel [mailto:[email protected]]
Sent: Thursday, February 20, 2014 1:38 AM
To: Dave Walker; [email protected]
Subject: Re: [Openstack] keystone with external authentication using apache2 on havana/ubuntu1204

Hi Dave,

Thanks a lot for your interest in helping me.
I will try to answer your questions as well as I can:

I am using havana release of the openstack.
I am starting from default keystone authentication:
This is my /etc/keystone/keystone.conf:

[DEFAULT]
log_file = keystone.log
log_dir = /var/log/keystone
[sql]
connection = mysql://keystoneuser:[email protected]/keystone
[identity]
driver = keystone.identity.backends.sql.Identity
[credential]
driver = keystone.credential.backends.sql.Credential
[trust]
driver = keystone.trust.backends.sql.Trust
[os_inherit]
[catalog]
driver = keystone.catalog.backends.sql.Catalog
[endpoint_filter]
[token]
driver = keystone.token.backends.sql.Token
[cache]
[policy]
driver = keystone.policy.backends.sql.Policy
[ec2]
driver = keystone.contrib.ec2.backends.kvs.Ec2
[assignment]
[oauth1]
[ssl]
[signing]
[ldap]
[auth]

Then I am doing:

service keystone start
source openstackrc

The content of openstackrc:

export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export SERVICE_TOKEN=ADMIN
export OS_AUTH_URL="http://10.65.235.39:5000/v2.0/"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/v2.0"

keystone user-list

root@ubuntu1204:~# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+---------+-------------------+
| id                               | name       | enabled | email             |
+----------------------------------+------------+---------+-------------------+
| 813a815b593f495c9a449f9c5c44625d | admin      | True    | [email protected] |
| 7df8919856ec4072927d2523bceed5eb | ceilometer | True    | [email protected] |
| b6aae4b745484e3da6892b68a7e322f9 | cinder     | True    | [email protected] |
| d08d5f5e515a4601b417a637cf690999 | demo       | True    | [email protected] |
| a3a5444d42b9462e8fcac9e3a10f2e60 | glance     | True    | [email protected] |
| 1c1ab74a4a934273836f41999e2ac9fc | heat       | True    | [email protected] |
| 823d9d20cbd8412887c3f6052eca720d | neutron    | True    | [email protected] |
| e58d30815fac48209bf56441e1d5bb76 | nova       | True    | [email protected] |
+----------------------------------+------------+---------+-------------------+

keystone endpoint-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------+--------------------------------------------+--------------------------------------------+--------------------------------------------+----------------------------------+
| id                               | region    | publicurl                                  | internalurl                                | adminurl                                   | service_id                       |
+----------------------------------+-----------+--------------------------------------------+--------------------------------------------+--------------------------------------------+----------------------------------+
| 05784027da8b4acb8489d0486faf9f61 | myregion  | http://153.65.235.39:8773/services/cloud   | http://153.65.235.39:8773/services/cloud   | http://153.65.235.39:8773/services/admin   | 5bc96b5587aa4f12919f3a155b5713b0 |
| 10a762a17a58478d8285c1ca6ed8344a | myregion  | http://153.65.235.39:8004/v1/$(tenant_id)s | http://153.65.235.39:8004/v1/$(tenant_id)s | http://153.65.235.39:8004/v1/$(tenant_id)s | 3308b160d21f4dac84b866063852a47a |
| 23aff8a4b486423592ad877eb0eb29d2 | myregion  | http://153.65.235.39:5000/v2.0             | http://153.65.235.39:5000/v2.0             | http://153.65.235.39:35357/v2.0            | c5196b9c3d5446bdb63ee3b8f40d67f7 |
| 8e0ecafcf86e42c28f6431e9cd6b330b | myregion  | http://153.65.235.39:8774/v2/$(tenant_id)s | http://153.65.235.39:8774/v2/$(tenant_id)s | http://153.65.235.39:8774/v2/$(tenant_id)s | 4d7a03c577304e3381a3d08ba74a70dc |
| aaa01a27723d4d4abfe65496d03e811e | myregion  | http://153.65.235.39:8776/v1/$(tenant_id)s | http://153.65.235.39:8776/v1/$(tenant_id)s | http://153.65.235.39:8776/v1/$(tenant_id)s | aed8babcd157477b827c7a2ce89a641c |
| aebb4602fae143ef86d62de0c0bc5ba8 | regionOne | http://153.65.235.39/keystone/main         |                                            | http://153.65.235.39/keystone/admin        | c5196b9c3d5446bdb63ee3b8f40d67f7 |
| c5169966464140c69fe8c244659ad932 | myregion  | http://153.65.235.39:9696/                 | http://153.65.235.39:9696/                 | http://153.65.235.39:9696/                 | a7a32598413a435687e9919c6add1647 |
| d5b7a1f9f7bf417295f7b1e9e34f0a26 | myregion  | http://153.65.235.39:8000/v1               | http://153.65.235.39:8000/v1               | http://153.65.235.39:8000/v1               | 43f4318c522646c2bdd44d6e9e09edfe |
| ecc1cd7cbad8461281181a879286c2bf | myregion  | http://153.65.235.39:9292/v2               | http://153.65.235.39:9292/v2               | http://153.65.235.39:9292/v2               | 6bd3e90b00a743cfa4a94050f87319aa |
| fe815ceefd0544f2abd16c484cab1b27 | myregion  | http://153.65.235.39:8777                  | http://153.65.235.39:8777                  | http://153.65.235.39:8777                  | 4aa31f280a1e40888d45119c02149a01 |
+----------------------------------+-----------+--------------------------------------------+--------------------------------------------+--------------------------------------------+----------------------------------+

keystone service-list

keystone service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+----------------+----------------------------------+
| id                               | name       | type           | description                      |
+----------------------------------+------------+----------------+----------------------------------+
| 4aa31f280a1e40888d45119c02149a01 | ceilometer | metering       | openstack metering service       |
| aed8babcd157477b827c7a2ce89a641c | cinder     | volume         | openstack volume service         |
| 5bc96b5587aa4f12919f3a155b5713b0 | ec2        | ec2            | ec2 service                      |
| 6bd3e90b00a743cfa4a94050f87319aa | glance     | image          | openstack image service          |
| 3308b160d21f4dac84b866063852a47a | heat       | orchestration  | openstack orchestration service  |
| 43f4318c522646c2bdd44d6e9e09edfe | heat-cfn   | cloudformation | openstack cloudformation service |
| c5196b9c3d5446bdb63ee3b8f40d67f7 | keystone   | identity       | openstack identity service       |
| a7a32598413a435687e9919c6add1647 | neutron    | network        | openstack networking service     |
| 4d7a03c577304e3381a3d08ba74a70dc | nova       | compute        | openstack compute service        |
+----------------------------------+------------+----------------+----------------------------------+

So this means that normal configuration works ok.
Now I will try to configure http authentication and the steps that I am using are the following:

1) service keystone stop

2) create the file /etc/apache2/conf.d/wsgi-keystone.conf with the following content:

Listen 5000
<VirtualHost *:5000>
    WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
</VirtualHost>
Listen 35357
<VirtualHost *:35357>
    WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
</VirtualHost>

3) Both /var/www/cgi-bin/keystone/main and /var/www/cgi-bin/keystone/admin have the following content:

# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import logging
import os

from paste import deploy

from keystone.openstack.common import gettextutils

# NOTE(blk-u):
# gettextutils.install() must run to set _ before importing any modules that
# contain static translated strings.
gettextutils.install('keystone', lazy=True)

from keystone.common import dependency
from keystone.common import environment
from keystone.common import sql
from keystone import config
from keystone.openstack.common import log
from keystone import service


CONF = config.CONF
config.configure()
sql.initialize()
config.set_default_for_default_log_levels()

CONF(project='keystone')
config.setup_logging()

environment.use_stdlib()
name = os.path.basename(__file__)

if CONF.debug:
    CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)


drivers = service.load_backends()

# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
# The following is a reference to Python Paste Deploy documentation
# http://pythonpaste.org/deploy/
application = deploy.loadapp('config:%s' % config.find_paste_config(),
                             name=name)

dependency.resolve_future_dependencies()

4) service apache2 restart

root@ubuntu1204:~# netstat -ntlp|grep 5000
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      23078/apache2
root@ubuntu1204:~# netstat -ntlp|grep 35357
tcp        0      0 0.0.0.0:35357           0.0.0.0:*               LISTEN      23078/apache2

5) source openstackrchttp with the following content:

export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export SERVICE_TOKEN=ADMIN
export OS_AUTH_URL="http://10.65.235.39:5000/keystone/main"
export SERVICE_ENDPOINT="http://10.65.235.39:35357/keystone/admin"

6) keystone user-list

WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Unable to communicate with identity service: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 [no address given] and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 10.65.235.39 Port 35357</address>
</body></html>
. (HTTP 500)

What is lacking? What else should be done?
If we find a solution we can write a very clear document with steps to configure keystone with http authentication on ubuntu with openstack havana.

Thanks a lot,
Gabriel

On Wednesday, February 19, 2014 6:54 PM, Dave Walker <[email protected]> wrote:

Hi Staicu,

Which release of Openstack are you using? - The distro shouldn't really matter in this instance.
What Auth method are you attempting to do through Apache? - Simple Auth, Kerberos?

What are you using in your dispatcher file (wsgi / fcgi plumbing)?

What behaviour are you seeing? - Is REMOTE_USER environ being set?

On 19 February 2014 16:51, Staicu Gabriel <[email protected]> wrote:
> Hi,
>
> Is there someone who did the keystone to delegate authentication to apache
> on ubuntu/havana.
> I have read these documents but nothing is clear:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/Installation_and_Configuration_Guide/Configuring_the_Identity_Service_to_Run_in_HTTPD.html
> https://wiki.openstack.org/wiki/Talk:Keystone_in_HTTPD_on_RHEL6
> http://docs.openstack.org/developer/keystone/apache-httpd.html
>
> It seems like everyone is telling half of the truth....:)
>
> Is there any other place where I could understand how you could do it on
> ubuntu?
>
> Thanks a lot,
> Gabriel
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : [email protected]
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
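Added example, not part of any message in this thread and not Keystone's own code: a small WSGI wrapper for answering the question raised above about whether the REMOTE_USER environ is being set when Apache fronts Keystone. The names `RemoteUserProbe`, `describe_external_auth`, `demo_app`, the logger name and the sample environs are hypothetical and constructed for illustration.

```python
import logging

LOG = logging.getLogger("remote_user_probe")  # hypothetical logger name


def describe_external_auth(environ):
    """Summarise what the web server passed to the WSGI app for one request."""
    user = environ.get("REMOTE_USER")
    return {
        "path": environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""),
        # Set by Apache only after one of its auth modules accepted the request.
        "remote_user": user or None,
        "auth_type": environ.get("AUTH_TYPE") or None,
        # A client-sent "Remote-User:" header shows up as HTTP_REMOTE_USER. It is
        # client-controlled and is not the same thing as REMOTE_USER.
        "client_header": environ.get("HTTP_REMOTE_USER"),
        "externally_authenticated": bool(user),
    }


class RemoteUserProbe(object):
    """WSGI middleware: log the external-auth state, then call the wrapped app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        info = describe_external_auth(environ)
        if info["externally_authenticated"]:
            LOG.info("REMOTE_USER=%(remote_user)s AUTH_TYPE=%(auth_type)s "
                     "path=%(path)s", info)
        else:
            LOG.warning("REMOTE_USER not set for path=%(path)s", info)
        if info["client_header"] is not None:
            LOG.warning("request carries a Remote-User header; it is not REMOTE_USER")
        return self.app(environ, start_response)


# Constructed sample environs (not taken from the thread).
SAMPLE_WITH_AUTH = {"SCRIPT_NAME": "/keystone/main", "PATH_INFO": "/v2.0/tokens",
                    "REMOTE_USER": "admin", "AUTH_TYPE": "Basic"}
SAMPLE_WITHOUT_AUTH = {"SCRIPT_NAME": "/keystone/main", "PATH_INFO": "/v2.0/tokens",
                       "HTTP_REMOTE_USER": "admin"}


def demo_app(environ, start_response):
    """Stand-in for Keystone's `application` so the probe runs offline."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]
```

As an assumption about deployment, the dispatcher file would wrap the loaded app with `application = RemoteUserProbe(application)` after the `deploy.loadapp(...)` call, so each request's external-auth state lands in the Apache error log.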
