Ask Your Question

Keystone integration in glance

asked 2011-09-24 11:13:38 -0500

tamas-kapolnasi gravatar image

I've used these links to configurate glance and keystone: ( (

I would like to upload an image, that other user cannot see it. (other user can't have permission) I've uploaded an image with 'glance add', but owner attribute didn't get value. (in the database owner value is NULL)

The keystone gives the following message in debug mode: AttributeError: 'NoneType' object has no attribute 'enabled'

Why doesn't get value the owner while uploading image?

If I upload with the following commands, I won't see anything in the keystone log file and the owner value will be NULL too.

euca-bundle-image -u 999888777666 -i natty-server-cloudimg-amd64.img euca-upload-bundle -b test -m /tmp/natty-server-cloudimg-amd64.img.manifest.xml euca-register -a x86_64 -n natty-server-test-keystone-amd64.img test/natty-server-cloudimg-amd64.img.manifest.xml

Thanks for your help, Thomas

  • keystone from git (1.0)
  • glance 2011.3~d4

dpkg -l |grep glance

ii glance 2011.3~d4-0ubuntu0~ppa1~natty1 OpenStack Image Registry and Delivery Service - Daemons ii python-glance 2011.3~d4-0ubuntu0~ppa1~natty1 OpenStack Image Registry and Delivery Service - Python library



Show more verbose log output (sets INFO log level output)

verbose = False

Show debugging output in logs (sets DEBUG log level output)

debug = True

Which backend store should Keystone use by default.

Default: 'sqlite'

Available choices are 'sqlite' [future will include LDAP, PAM, etc]

default_store = sqlite

Log to this file. Make sure you do not set the same log

file for both the API and registry servers!

log_file = keystone.log

List of backends to be configured

backends = keystone.backends.sqlalchemy #For LDAP support, add: ,keystone.backends.ldap

Dictionary Maps every service to a header.Missing services would get header

X_(SERVICE_NAME) Key => Service Name, Value => Header Name

service-header-mappings = { 'nova' : 'X-Server-Management-Url', 'swift' : 'X-Storage-Url', 'cdn' : 'X-CDN-Management-Url'}

Address to bind the API server

TODO Properties defined within app not available via pipeline.

service_host =

Port the bind the API server to

service_port = 5000

Address to bind the Admin API server

admin_host =

Port the bind the Admin API server to

admin_port = 5001

#Role that allows to perform admin operations. keystone-admin-role = Admin

#Role that allows to perform service admin operations. keystone-service-admin-role = KeystoneServiceAdmin


SQLAlchemy connection string for the reference implementation registry

server. Any valid SQLAlchemy connection string is fine.


sql_connection = sqlite:///keystone.db backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant', 'User', 'Credentials', 'EndpointTemplates', 'Token', 'Service']

Period in seconds after which SQLAlchemy should reestablish its connection

to the database.

sql_idle_timeout = 30

[pipeline:admin] pipeline = urlrewritefilter admin_api

[pipeline:keystone-legacy-auth] pipeline = urlrewritefilter legacy_auth RS-KEY-extension service_api

[app:service_api] paste.app_factory = keystone.server:service_app_factory

[app:admin_api] paste.app_factory = keystone.server:admin_app_factory

[filter:urlrewritefilter] paste.filter_factory = keystone.middleware.url:filter_factory

[filter:legacy_auth] paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory

[filter:RS-KEY-extension] paste.filter_factory = keystone.contrib.extensions.rskey.frontend:filter_factory


... pipeline = versionnegotiation tokenauth context ... (more)

edit retag flag offensive close merge delete

7 answers

Sort by ยป oldest newest most voted

answered 2011-10-10 09:01:08 -0500

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

edit flag offensive delete link more

answered 2011-10-10 09:15:59 -0500

tamas-kapolnasi gravatar image

Does anyone have idea this question?

edit flag offensive delete link more

answered 2012-03-20 00:42:14 -0500

jaypipes gravatar image

Sanjaya, please ask your question on the Keystone forum:

Thanks! jay

edit flag offensive delete link more

answered 2011-10-10 15:19:49 -0500

Looking at your glance-api.conf and glance-registry.conf, I see errors which could be the source of at least some of your problem.

In glance-api.conf, you have:

pipeline = versionnegotiation tokenauth context apiv1app

The problem here is that the "context" filter is not keystone-aware. The "tokenauth" filter communicates with keystone and puts some appropriate data in the environment, but "context" doesn't look for them. You need to replace "context" with "keystone_shim", which does the same thing as "context" but is aware of keystone. What you should have here is:

pipeline = versionnegotiation tokenauth keystone_shim apiv1app

In glance-registry.conf, you have:

pipeline = tokenauth keystone_shim context registryapp

Here you have both "tokenauth" and "keystone_shim", but you follow them with "context"; since "context" is not keystone-aware, it overwrites the request context that "keystone_shim" generated. What you should have here is:

pipeline = tokenauth keystone_shim registryapp

There is also one more error in your glance-registry.conf. You'll notice that your "[filter:context]" section has a "context_class" line which is not present in "[filter:keystone_shim]"; you need to copy that "context_class" line into the "[filter:keystone_shim]" section, like so:

context_class = glance.registry.context.RequestContext
paste.filter_factory = keystone.middleware.glance_auth_token:filter_factory

Note that you do not need this same change in glance-api.conf. Basically, what's happening here is that the registry requires a version of the context with a few more features that are not used (and cannot be used) by the API, and "context_class" is a way of overriding that.

I hope this helps! Please let me know if you still need help. (Also note that I have not looked over your keystone or nova configuration...)

edit flag offensive delete link more

answered 2011-10-10 13:25:47 -0500

jaypipes gravatar image


Sorry, somehow your question must have gotten lost in my inbox! My apologies.

It looks like you are using the tokenauth AND keystone_shim authentication middleware on the Registry, but using the tokenauth only on the API server.

Note your registry's application pipeline:

pipeline = tokenauth keystone_shim context registryapp

I believe that should just be:

pipeline = tokenauth context registryapp

Finally, I believe you should update to the final Diablo release to get some bug fixes that were included in the last milestone. You will also need to make additional changes to your glance-api.conf and glance-registry.conf if you do that update, as "tokenauth" was changed to be "authtoken", in order to match the rest of the codebase.

I'm going to ask Kevin Mitchell to also have a look at this question and provide some feedback, as Kevin understands the authentication middleware better than I do.

Cheers, jay

edit flag offensive delete link more

answered 2011-10-10 14:02:19 -0500

tamas-kapolnasi gravatar image

Ok, thank you Jay, I'm waiting for his answare!

edit flag offensive delete link more

answered 2012-03-19 21:48:43 -0500

sdtranquility gravatar image

i mistakenly add wrong ip while creating api endpoints for ketstone. how can i delete that and assign a right end points. whenever i try to run delete command the output is sudo keystone-manage endpointTemplates disable RegionOne nova http://wrong_IP:8774/v1.1/%25tenant_id%25 (http://wrong_IP:8774/v1.1/%tenant_id%) http://wrong_IP:8774/v1.1/%25tenant_id%25 (http://wrong_IP:8774/v1.1/%tenant_id%) http://wrong_IP:8774/v1.1/%25tenant_id%25 (http://wrong_IP:8774/v1.1/%tenant_id%) 1 1 Action not supported for endpointTemplates

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2011-09-24 11:13:38 -0500

Seen: 200 times

Last updated: Mar 20 '12