Are you able to authenticate in Keystone without introducing the additional service?
This should indicate if your default Keystone admin credentials are authenticating via user/pass versus PKI tokens (a little different but I like it): $ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT > $ export OS_USERNAME=<admin_username> > $ export OS_PASSWORD=<admin_password> > $ export OS_TENANT_NAME=<admin_tenant_name> > $ export OS_AUTH_URL=http://IP_ADDRESS:35357/v2.0 (for instance) > $ keystone user-list This unsets your env vars and takes a non-token approach. should display defined users. If not then your Keystone server isn't working or isn't hearing the request. a wget of the auth url should tell you if you can see the service. Are you getting success at this level at least? Mahalo, Adam *Adam Lawson* AQORN, Inc. 427 North Tatnall Street Ste. 58461 Wilmington, Delaware 19801-2230 Toll-free: (888) 406-7620 On Mon, Mar 24, 2014 at 1:21 PM, Erich Weiler <[email protected]> wrote: > Ah, no, this is the first one. ;) > > I can auth users however with "keystone token-get" so I know that works at > least. > > "glance-api-paste.ini" and "glance-registry-paste.ini" have been > integrated into glance-api.conf and glance-registry.conf so I don't need to > edit those (for RedHat RDO only). I have the service auth creds in those > files. > > Thanks for the help! > > > On 3/24/14, 1:16 PM, Adam Lawson wrote: > >> Do you have any other OpenStack services authenticating against Keystone >> successfully? >> >> */ >> Adam Lawson/* >> >> AQORN, Inc. >> 427 North Tatnall Street >> Ste. 58461 >> Wilmington, Delaware 19801-2230 >> Toll-free: (888) 406-7620 >> >> >> >> On Mon, Mar 24, 2014 at 11:43 AM, Erich Weiler <[email protected] >> <mailto:[email protected]>> wrote: >> >> Hi Y'all, >> >> I'm trying to configure Glance on RedHat RDO Icehouse, but I'm >> getting an auth error when I try to upload an image to it. On the >> client I'm trying to upload from, I see: >> >> # glance -d image-create --name="CirrOS 0.3.1" --disk-format=qcow2 >> --container-format=bare --is-public=true < >> cirros-0.3.1-x86_64-disk.img >> curl -i -X POST -H 'x-image-meta-container___format: bare' -H >> >> 'Transfer-Encoding: chunked' -H 'User-Agent: python-glanceclient' -H >> 'x-image-meta-size: 13147648' -H 'x-image-meta-is_public: True' -H >> 'X-Auth-Token: <...removed token...>' -H 'Content-Type: >> application/octet-stream' -H 'x-image-meta-disk_format: qcow2' -H >> 'x-image-meta-name: CirrOS 0.3.1' -d '<open file '<stdin>', mode 'r' >> at 0x7f49edd5d0c0>' https://my-public-server.com:__9292/v1/images >> >> <https://my-public-server.com:9292/v1/images> >> >> HTTP/1.1 500 Internal Server Error >> date: Mon, 24 Mar 2014 18:34:03 GMT >> content-length: 0 >> content-type: text/plain >> connection: close >> >> Request returned failure status. >> HTTPInternalServerError (HTTP 500) >> >> I've launched glance-api in debug mode on the server side, and I see >> this when the above command is run: >> >> 2014-03-24 11:36:14.202 14543 DEBUG >> glance.api.middleware.version___negotiation [-] Determining version >> >> of request: POST /v1/images Accept: process_request >> /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___ >> negotiation.py:44 >> >> 2014-03-24 11:36:14.203 14543 DEBUG >> glance.api.middleware.version___negotiation [-] Using url versioning >> process_request >> /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___ >> negotiation.py:57 >> >> 2014-03-24 11:36:14.203 14543 DEBUG >> glance.api.middleware.version___negotiation [-] Matched version: v1 >> process_request >> /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___ >> negotiation.py:69 >> >> 2014-03-24 11:36:14.204 14543 DEBUG >> glance.api.middleware.version___negotiation [-] new path /v1/images >> process_request >> /usr/lib/python2.6/site-__packages/glance/api/__middleware/version___ >> negotiation.py:70 >> >> 2014-03-24 11:36:14.204 14543 DEBUG >> keystoneclient.middleware.__auth_token [-] Authenticating user token >> __call__ >> /usr/lib/python2.6/site-__packages/keystoneclient/__ >> middleware/auth_token.py:558 >> >> 2014-03-24 11:36:14.205 14543 DEBUG >> keystoneclient.middleware.__auth_token [-] Removing headers from >> request environment: >> X-Identity-Status,X-Domain-Id,__X-Domain-Name,X-Project-Id, >> X-__Project-Name,X-Project-Domain-__Id,X-Project-Domain- >> Name,X-__User-Id,X-User-Name,X-User-__Domain-Id,X-User- >> Domain-Name,__X-Roles,X-Service-Catalog,X-__User,X- >> Tenant-Id,X-Tenant-__Name,X-Tenant,X-Role >> _remove_auth_headers >> /usr/lib/python2.6/site-__packages/keystoneclient/__ >> middleware/auth_token.py:617 >> >> 2014-03-24 11:36:14.226 14543 INFO urllib3.connectionpool [-] >> Starting new HTTP connection (1): >> genome-cloud-0-10.kilokluster.__ucsc.edu >> <http://genome-cloud-0-10.kilokluster.ucsc.edu> >> >> 2014-03-24 11:36:14.339 14543 DEBUG urllib3.connectionpool [-] "POST >> /v2.0/tokens HTTP/1.1" 200 3446 _make_request >> /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295 >> >> 2014-03-24 11:36:14.382 14543 INFO urllib3.connectionpool [-] >> Starting new HTTP connection (1): >> genome-cloud-0-10.kilokluster.__ucsc.edu >> <http://genome-cloud-0-10.kilokluster.ucsc.edu> >> >> 2014-03-24 11:36:14.422 14543 DEBUG urllib3.connectionpool [-] "GET >> /v2.0/tokens/revoked HTTP/1.1" 200 686 _make_request >> /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295 >> >> 2014-03-24 11:36:14.433 14543 INFO urllib3.connectionpool [-] >> Starting new HTTP connection (1): >> genome-cloud-0-10.kilokluster.__ucsc.edu >> <http://genome-cloud-0-10.kilokluster.ucsc.edu> >> >> 2014-03-24 11:36:14.439 14543 DEBUG urllib3.connectionpool [-] "GET >> /v2.0/certificates/signing HTTP/1.1" 200 4251 _make_request >> /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295 >> >> 2014-03-24 11:36:14.451 14543 INFO urllib3.connectionpool [-] >> Starting new HTTP connection (1): >> genome-cloud-0-10.kilokluster.__ucsc.edu >> <http://genome-cloud-0-10.kilokluster.ucsc.edu> >> >> 2014-03-24 11:36:14.455 14543 DEBUG urllib3.connectionpool [-] "GET >> /v2.0/certificates/ca HTTP/1.1" 200 1277 _make_request >> /usr/lib/python2.6/site-__packages/urllib3/__connectionpool.py:295 >> >> 2014-03-24 11:36:14.476 14543 DEBUG >> keystoneclient.middleware.__auth_token [-] Storing >> 326d8c391f19d07c9f5a69d40da33f__0a token in memcache _cache_put >> /usr/lib/python2.6/site-__packages/keystoneclient/__ >> middleware/auth_token.py:1061 >> >> 2014-03-24 11:36:14.477 14543 DEBUG >> keystoneclient.middleware.__auth_token [-] Received request from >> user: f8fdf7f84ad34c439c4075b5e37202__11 with project_id : >> f7e61747885045d8b266a161310c00__94 and roles: _member_ >> _build_user_headers >> /usr/lib/python2.6/site-__packages/keystoneclient/__ >> middleware/auth_token.py:922 >> >> 2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Matched >> POST /images __call__ >> /usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._ >> _egg/routes/middleware.py:100 >> >> 2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Route >> path: '/images', defaults: {'action': u'create', 'controller': >> <glance.common.wsgi.Resource object at 0x34c7450>} __call__ >> /usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._ >> _egg/routes/middleware.py:102 >> >> 2014-03-24 11:36:14.487 14543 DEBUG routes.middleware [-] Match >> dict: {'action': u'create', 'controller': >> <glance.common.wsgi.Resource object at 0x34c7450>} __call__ >> /usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._ >> _egg/routes/middleware.py:103 >> >> 2014-03-24 11:36:14.488 14543 DEBUG glance.registry.client.v1.api >> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3 >> f8fdf7f84ad34c439c4075b5e37202__11 >> f7e61747885045d8b266a161310c00__94] Adding image metadata... >> add_image_metadata >> /usr/lib/python2.6/site-__packages/glance/registry/__ >> client/v1/api.py:159 >> >> 2014-03-24 11:36:14.488 14543 DEBUG glance.common.client >> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3 >> f8fdf7f84ad34c439c4075b5e37202__11 >> f7e61747885045d8b266a161310c00__94] Constructed URL: >> http://0.0.0.0:9191/images _construct_url >> /usr/lib/python2.6/site-__packages/glance/common/client.__py:407 >> >> 2014-03-24 11:36:14.556 14543 DEBUG glance.common.client >> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3 >> f8fdf7f84ad34c439c4075b5e37202__11 >> f7e61747885045d8b266a161310c00__94] Constructed URL: >> http://0.0.0.0:9191/images _construct_url >> /usr/lib/python2.6/site-__packages/glance/common/client.__py:407 >> >> 2014-03-24 11:36:14.560 14543 INFO >> glance.registry.client.v1.__client >> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3 >> f8fdf7f84ad34c439c4075b5e37202__11 >> f7e61747885045d8b266a161310c00__94] Registry client request POST >> >> /images raised NotAuthenticated >> 2014-03-24 11:36:14.564 14543 INFO glance.wsgi.server >> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3 >> f8fdf7f84ad34c439c4075b5e37202__11 >> f7e61747885045d8b266a161310c00__94] Traceback (most recent call >> last): >> File "/usr/lib/python2.6/site-__packages/eventlet/wsgi.py", line >> >> 382, in handle_one_response >> result = self.application(self.environ, start_response) >> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 130, >> >> in __call__ >> resp = self.call_func(req, *args, **self.kwargs) >> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 195, >> >> in call_func >> return self.func(req, *args, **kwargs) >> File >> "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line >> 372, in __call__ >> response = req.get_response(self.__application) >> File "/usr/lib/python2.6/site-__packages/webob/request.py", line >> >> 1296, in send >> application, catch_exc_info=False) >> File "/usr/lib/python2.6/site-__packages/webob/request.py", line >> >> 1260, in call_application >> app_iter = application(self.environ, start_response) >> File >> "/usr/lib/python2.6/site-__packages/keystoneclient/__ >> middleware/auth_token.py", >> >> line 571, in __call__ >> return self.app(env, start_response) >> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 130, >> >> in __call__ >> resp = self.call_func(req, *args, **self.kwargs) >> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 195, >> >> in call_func >> return self.func(req, *args, **kwargs) >> File >> "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line >> 372, in __call__ >> response = req.get_response(self.__application) >> File "/usr/lib/python2.6/site-__packages/webob/request.py", line >> >> 1296, in send >> application, catch_exc_info=False) >> File "/usr/lib/python2.6/site-__packages/webob/request.py", line >> >> 1260, in call_application >> app_iter = application(self.environ, start_response) >> File "/usr/lib/python2.6/site-__packages/paste/urlmap.py", line >> >> 203, in __call__ >> return app(environ, start_response) >> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 144, >> >> in __call__ >> return resp(environ, start_response) >> File >> "/usr/lib/python2.6/site-__packages/Routes-1.12.3-py2.6._ >> _egg/routes/middleware.py", >> >> line 131, in __call__ >> response = self.app(environ, start_response) >> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 144, >> >> in __call__ >> return resp(environ, start_response) >> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 130, >> >> in __call__ >> resp = self.call_func(req, *args, **self.kwargs) >> File "/usr/lib/python2.6/site-__packages/webob/dec.py", line 195, >> >> in call_func >> return self.func(req, *args, **kwargs) >> File >> "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line >> >> 604, in __call__ >> request, **action_args) >> File >> "/usr/lib/python2.6/site-__packages/glance/common/wsgi.__py", line >> >> 623, in dispatch >> return method(*args, **kwargs) >> File >> "/usr/lib/python2.6/site-__packages/glance/common/utils.__py", line >> >> 435, in wrapped >> return func(self, req, *args, **kwargs) >> File >> "/usr/lib/python2.6/site-__packages/glance/api/v1/images.__py", line >> >> 781, in create >> image_meta = self._reserve(req, image_meta) >> File >> "/usr/lib/python2.6/site-__packages/glance/api/v1/images.__py", line >> 514, in _reserve >> image_meta = registry.add_image_metadata(__req.context, >> image_meta) >> File >> "/usr/lib/python2.6/site-__packages/glance/registry/__ >> client/v1/api.py", >> >> line 161, in add_image_metadata >> return c.add_image(image_meta) >> File >> "/usr/lib/python2.6/site-__packages/glance/registry/__ >> client/v1/client.py", >> >> line 163, in add_image >> res = self.do_request("POST", "/images", body=body, >> headers=headers) >> File >> "/usr/lib/python2.6/site-__packages/glance/registry/__ >> client/v1/client.py", >> >> line 107, in do_request >> **kwargs) >> File >> "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line >> >> 65, in wrapped >> return func(self, *args, **kwargs) >> File >> "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line >> 382, in do_request >> headers=copy.deepcopy(headers)__) >> File >> "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line >> >> 79, in wrapped >> return func(self, method, url, body, headers) >> File >> "/usr/lib/python2.6/site-__packages/glance/common/client.__py", line >> 523, in _do_request >> raise exception.NotAuthenticated(__res.read()) >> >> NotAuthenticated: Authentication required >> >> >> 2014-03-24 11:36:14.967 14543 INFO glance.wsgi.server >> [3f58e73a-6eb0-4747-ab61-__e8b81fbe55d3 >> f8fdf7f84ad34c439c4075b5e37202__11 >> f7e61747885045d8b266a161310c00__94] 111.213.225.79,10.1.1.137 - - >> >> [24/Mar/2014 11:36:14] "POST /v1/images HTTP/1.1" 500 139 0.765716 >> >> So I see some Auth errors in that, but I can't tell _what_ kind of >> Auth errors they are. User auth errors from the user uploading the >> file? Service Auth errors from the glance service trying to auth to >> keystone? QPID auth errors? >> >> Can anyone see what's wrong? Then I can better debug where my >> problem is... I've confirmed the user can auth ok with "keystone >> token-get'", that seems OK, I have the service user in keystone, not >> sure where it's failing... >> >> keystone logs don't really show anything other than: >> >> 2014-03-24 11:41:52.420 16503 WARNING keystone.common.wsgi [-] >> Authorization failed. The request you have made requires >> authentication. from 10.1.1.148 >> >> Where 10.1.1.148 is the glance-api server on my internal network. >> >> Thanks for any hints!! >> >> -erich >> >> _________________________________________________ >> Mailing list: >> http://lists.openstack.org/__cgi-bin/mailman/listinfo/__openstack >> >> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack> >> Post to : [email protected] >> <mailto:[email protected]> >> Unsubscribe : >> http://lists.openstack.org/__cgi-bin/mailman/listinfo/__openstack >> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack> >> >> >>
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
