On 11/07/2015 01:08 PM, Reza Bakhshayeshi wrote:

Thanks all, especially Rahul, I solved the problem temporarily by disabling selinux.

What did you have for an AVC? It sounds like the issue was the Keystone WSGI process reading the keys file? Can you post the relevant sections from the audit log?

On 3 November 2015 at 07:43, 张家龙 <[email protected]> wrote:

Maybe, you should do like follows:

chown -R keystone:keystone /etc/keystone

Then, restart the keystone service:

systemctl restart openstack-keystone

------------------
Best Regards
ZhangJialong

------------------ Original ------------------
From: "Adam Young" <[email protected]>
Date: Tue, Nov 3, 2015 11:01 AM
To: "openstack" <[email protected]>
Subject: Re: [Openstack] Keystone Fernet Token

On 10/28/2015 02:23 PM, Reza Bakhshayeshi wrote:

Hi all,

I'm going to use fernet token on OpenStack Kilo (only Keystone service is installed), I've configured keystone.conf like:

[token]
provider = keystone.token.providers.fernet.Provider

when I'm running:

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

keys creating successfully in /etc/keystone/fernet-keys directory. But when I'm going to creating a token I receive the following error, here is the complete log:

2015-10-28 21:22:14.680 65218 INFO keystone.common.wsgi [-] GET /?
2015-10-28 23:50:25.343 9377 INFO keystone.token.providers.fernet.utils [-] [fernet_tokens] key_repository does not appear to exist; attempting to create it
2015-10-28 23:50:25.344 9377 INFO keystone.token.providers.fernet.utils [-] Created a new key: /etc/keystone/fernet-keys/0
2015-10-28 23:50:25.344 9377 INFO keystone.token.providers.fernet.utils [-] Starting key rotation with 1 key files: ['/etc/keystone/fernet-keys/0']
2015-10-28 23:50:25.344 9377 INFO keystone.token.providers.fernet.utils [-] Current primary key is: 0
2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils [-] Next primary key will be: 1
2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils [-] Promoted key 0 to be the primary: 1
2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils [-] Created a new key: /etc/keystone/fernet-keys/0
2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils [-] Excess keys to purge: []
2015-10-28 23:50:52.632 8059 INFO keystone.common.wsgi [-] POST /tokens?
2015-10-28 23:50:52.889 8059 ERROR keystone.token.providers.fernet.utils [-] Either [fernet_tokens] key_repository does not exist or Keystone does not have sufficient permission to access it: /etc/keystone/fernet-keys/
2015-10-28 23:50:52.890 8059 WARNING keystone.common.wsgi [-] No encryption keys found; run keystone-manage fernet_setup to bootstrap one.

while the permissions seem to be correct:

# ls -lah /etc/keystone/
total 104K
drwxr-x---.   3 root     keystone 4.0K Oct 28 23:50 .
drwxr-xr-x. 143 root     root      12K Oct 28 12:56 ..
-rw-r-----.   1 root     keystone 1.5K Jul 29 00:21 default_catalog.templates
drwx------.   2 keystone keystone 4.0K Oct 28 23:50 fernet-keys
-rw-r-----.   1 root     keystone  57K Oct 28 23:48 keystone.conf
-rw-r-----.   1 root     keystone 1.1K Jul 29 00:21 logging.conf
-rw-r-----.   1 keystone keystone 8.6K Jul 29 00:21 policy.json
-rw-r-----.   1 keystone keystone  665 Jul 29 00:21 sso_callback_template.html

What am I missing?

No idea. When I get into these situations, I use rpdb; http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/

Is there anything in /etc/keystone/fernet-keys ?

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
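
Added example, not part of the thread and not Keystone or OpenStack code: one way to pull the AVC denials asked for above out of the audit log, so the SELinux rule that blocks access to the key repository can be identified instead of disabling SELinux. The function names are hypothetical, and the sample records (including the httpd process name and the SELinux contexts) are constructed for illustration; the thread never shows the real AVC.

```shell
#!/bin/sh
# Hypothetical helper: list SELinux AVC denials in an audit log whose
# name= or path= field mentions NAME (default: fernet-keys).
# Usage: fernet_avc_denials /var/log/audit/audit.log [NAME]
# A denial on a key file inside the directory may only log name="0";
# pass the file name as NAME to catch records without a path= field.
fernet_avc_denials() {
    awk -v want="${2:-fernet-keys}" '
        $1 == "type=AVC" && /avc: +denied/ {
            perms = comm = obj = scon = tcon = tclass = ""
            # The denied permissions sit between braces: { read }
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
            }
            # Remaining fields are key=value pairs; split on the first "="
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                k = substr($i, 1, eq - 1)
                v = substr($i, eq + 1)
                gsub(/"/, "", v)
                if (k == "comm") comm = v
                else if (k == "scontext") scon = v
                else if (k == "tcontext") tcon = v
                else if (k == "tclass") tclass = v
                else if ((k == "name" || k == "path") && index(v, want)) obj = v
            }
            if (obj != "")
                printf "comm=%s perms=%s tclass=%s scontext=%s tcontext=%s\n",
                       comm, perms, tclass, scon, tcon
        }' "$1"
}

# Constructed audit records (not taken from the thread).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1446067252.889:421): avc:  denied  { read } for  pid=8059 comm="httpd" name="fernet-keys" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1446067252.889:421): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1446067300.101:430): avc:  denied  { write } for  pid=900 comm="ntpd" name="drift" dev="dm-0" ino=2200 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
EOF
}
```

The scontext/tcontext pair in the output shows which process domain was denied which label, which is the detail needed to relabel the directory or adjust policy.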
