# Keystone and Nova Users

Hey guys,

I have an OpenStack environment implemented in a lab setting for the purposes of research. I am a bit confused as to the difference between creating users/projects via nova-manage and users/projects in keystone using keystone-manage. I can't seem to find anything in the documentation that distinguishes between them.

When I deploy the "Horizon" component, I am required to use keystone to create users, tenants, and so forth. Should these overlap with those created in Nova?

As a result, I am also experiencing an issue with euca2ools where I receive the following error:

"Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error None: None"

This is probably related to the environment variables in openrc. I'm not sure which users/projects to use in the openrc file.

Thanks,

Andrew

edit retag close merge delete

Sort by » oldest newest most voted

in keystone credentials are used for ec2 auth ,so you should create credentials and also add the same credential to nova use nova-manage .

more

Also receiving this error in the nova-api.log file:

"10.129.1.2 POST /services/Cloud/ None:None 400 [Boto/2.0 (linux2)] application/x-www-form-urlencoded text/plain"

more

Hey guys,

So I wanted to follow up on my own issue and give others out there a solution to my problem.

I was able to get some more information regarding the differences between nova-manage users and keystone users from some community members in the chat room. I think user management should be documented further when distinguishing between Keystone users and Nova users.

Regarding the EC2 credentials and euca-tools, turns out the problem goes back to my "openrc" file. (go figure; after hours and hours of diagnostics). The EC2_ACCESS_KEY environment variable initially set as follows:

EC2_ACCESS_KEY="$KEYSTONE_USERNAME:$KEYSTONE_TENANT"

After listing the stored EC2 tokens via keystone-manage token list, I noticed that one of the tokens was NOT assigned to a keystone tenant. Turns out that when I initially created EC2 credentials for the user, I failed to include a tenant. By removing the \$KEYSTONE_TENANT variable from the EC2_ACCESS_KEY I was able to get it to work. For future reference, ensure that your access key matches the keystone username AND/OR tenant exactly how it was entered in the EC2 credential command.

more

nova user/projects are used before the keystone as the default auth service.now,nova use keystone to perform the auth .but if you want to use euca2ools with keystone,you should create same user/projects(tenant) in both keystone and nova user,project tables use nova-manage.

more

It also took me some time to trouble shoot this euca2ools and Keystone issue, with following error message:

"Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error None: None"

Just as Yaguang mentioned above, one should use same credential in nova-manage as those in keystone-manage. And let me be more specific.

Then, you should export "EC2_ACCESS_KEY=admin:openstackDemo" and "EC2_SECRET_KEY=secretword" in order to use euca2ools together with Keystone and Nova.

more

# Get to know Ask OpenStack

Resources for moderators

## Stats

Seen: 99 times

Last updated: Feb 15 '12