Hi all, I am slowly putting my OpenStack deployment together and have run into an issue with Glance and Keystone.
If I set my paste_deploy flavour to empty glance works perfectly fine. I can upload and list images. Keystone related options in glance-api.conf [keystone_authtoken] auth_host = localhost auth_port = 35357 auth_protocol = http admin_tenant_name = services admin_user = glance admin_password = glance_password auth_uri=http://api.openstack.home:5000/ [paste_deploy] flavor=keystone Keystone related options in glance-api-paste.ini [filter:authtoken] paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory delay_auth_decision = true auth_host=api01.openstack.home admin_user=glance admin_tenant_name=services admin_password=glance_password I only added the auth_host and admin_* in glance-api-paste.ini after reading the havana documentation I know my glance credentials are fine as they work fine with the keystone client: openstack@admin:~$ keystone --os-username glance --os-password glance_password --os-tenant-name services user-list +----------------------------------+--------+---------+------------------------+ | id | name | enabled | email | +----------------------------------+--------+---------+------------------------+ | 6cf5d29c132949679f730dd9a4ccdf75 | admin | True | [email protected] | | d29b9eeb8321427a9f5eed9dfb495ed1 | glance | True | glance@localhost | | a0ffc44433314c71bc9bfb979045735d | test | True | [email protected] | +----------------------------------+--------+---------+------------------------+ But when I use the same against glance with my flavor=keystone I get: openstack@admin:~$ glance --os-username glance --os-password glance_password --os-tenant-name services image-list Request returned failure status. Invalid OpenStack Identity credentials. And the associated api log entries are: 2014-04-07 17:10:46.866 15375 DEBUG keystoneclient.middleware.auth_token [-] Authenticating user token __call__ /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:526 2014-04-07 17:10:46.867 15375 DEBUG keystoneclient.middleware.auth_token [-] Removing headers from request environment: X-Identity-Status,X-Domain-Id,X-Domain-Name,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-User-Id,X-User-Name,X-User-Domain-Id,X-User-Domain-Name,X-Roles,X-Service-Catalog,X-User,X-Tenant-Id,X-Tenant-Name,X-Tenant,X-Role _remove_auth_headers /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:585 2014-04-07 17:10:46.918 15375 DEBUG keystoneclient.middleware.auth_token [-] Token expired a 2014-04-07T08:10:46Z _confirm_token_not_expired /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:1024 2014-04-07 17:10:46.919 15375 DEBUG keystoneclient.middleware.auth_token [-] Token validation failure. _validate_user_token /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:790 2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token Traceback (most recent call last): 2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 782, in _validate_user_token 2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token expires = self._confirm_token_not_expired(data) 2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 1025, in _confirm_token_not_expired 2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token raise InvalidUserToken('Token authorization failed') 2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token InvalidUserToken: Token authorization failed 2014-04-07 17:10:46.919 15375 TRACE keystoneclient.middleware.auth_token 2014-04-07 17:10:46.919 15375 DEBUG keystoneclient.middleware.auth_token [-] Marking token <token removed for clarity> as unauthorized in memcache _cache_store_invalid /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:1043 2014-04-07 17:10:46.920 15375 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token <token removed for clarity> 2014-04-07 17:10:46.920 15375 INFO keystoneclient.middleware.auth_token [-] Invalid user token - deferring reject downstream My time between all of my hosts are synced, and token expiry is well past (my time zone is +10 hours) root@api01:~# date --utc Mon Apr 7 07:10:54 UTC 2014 I'm pretty sure I have all my keystone config options correct. Cheers Adam
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
