All,
Thanks, that was a huge help. The problem was indeed some stale
mismatching keys sitting in the signing_dir. I removed those and reloaded
them from keystone and everything is working as expected.
Cheers,
-Matt
On Wed, Jul 24, 2013 at 10:42 AM, Syed Armani syed.arm...@hastexo.comwrote:
Great post Adam. Thanks.
Cheers,
Syed
On Wed, Jul 24, 2013 at 10:54 PM, Adam Young ayo...@redhat.com wrote:
I wrote this up as a general answer. Hope it helps.
https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/
On 07/24/2013 11:44 AM, Adam Young wrote:
On 07/24/2013 10:45 AM, Salvatore Orlando wrote:
Hav you tried checking the credentials that glance uses for validating
tokens with keystone?
They are defined in glance's conf files in the section:
[keystone_authtoken]
signing_dir = /var/cache/glance/api
make sure that the directory
/var/cache/glance/api
exists and has the certificates in it. A good test is to remove the
certifcates and hit the server again, as they are fetched on demand. If
there are no certificates there after another try, either glance can't talk
to Keystone or keystone is not handing out the certificates.
auth_uri = http://127.0.0.1:5000/
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = password
Salvatore
On 18 July 2013 22:16, Matt Davis mattd5...@gmail.com wrote:
Hello all,
I'm working on a deployment script to install and configure my
OpenStack services and I'm getting a strange result with glance. It's
surely a bug with my script messing up a config file line, but I can't
interpret the glance and keystone logs to track the issue down. Here's the
use case:
1) Install keystone following the directions in the Grizzly
installation guide for Ubuntu 12.04.
2) Install glance following the directions in the Grizzly installation
guide for Ubuntu 12.04.
3) Run glance image-list to see if I can get an empty list.
My result:
=
glance --os-username=admin --os-password=secrete --os-tenant-name demo
--os-auth-url=http://localhost:5000/v2.0 image-list
Request returned failure status.
Invalid OpenStack Identity credentials.
=
The glance API log is as follows:
=
2013-07-18 11:18:24.301 6306 DEBUG
glance.api.middleware.version_negotiation [-] Determining version of
request: GET //v1/images/detail Accept: process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] Using url versioning
process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] Matched version: v1
process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] new uri /v1/images/detail
process_request
/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72
=
No entries are added to the glance registry log. If I tweak the
password to make the credentials invalid, I get this:
=
glance --os-username=admin --os-password=wrong_pw --os-tenant-name demo
--os-auth-url=http://localhost:5000/v2.0 image-list
Unable to communicate with identity service: {error: {message:
Invalid user / password, code: 401, title: Not Authorized}}. (HTTP
401)
=
So keystone is definitely looking up my credentials and responding
differently when they match.
Any ideas as to where should I be looking for the issue?
Thanks for your time!
-Matt
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
