0

Keystone and Nova Users

asked 2012-02-08 16:57:09 -0500

weissa

Hey guys,

I have an OpenStack environment implemented in a lab setting for the purposes of research. I am a bit confused as to the difference between creating users/projects via nova-manage and users/projects in keystone using keystone-manage. I can't seem to find anything in the documentation that distinguishes between them.

When I deploy the "Horizon" component, I am required to use keystone to create users, tenants, and so forth. Should these overlap with those created in Nova?

As a result, I am also experiencing an issue with euca2ools where I receive the following error:

"Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error None: None"

This is probably related to the environment variables in openrc. I'm not sure which users/projects to use in the openrc file.

Thanks,

Andrew


5 answers

0

answered 2012-02-09 05:30:08 -0500

heut2008

In Keystone, credentials are used for EC2 auth, so you should create credentials and also add the same credential to Nova using nova-manage.

0

answered 2012-02-08 17:46:40 -0500

weissa

Also receiving this error in the nova-api.log file:

"10.129.1.2 POST /services/Cloud/ None:None 400 [Boto/2.0 (linux2)] application/x-www-form-urlencoded text/plain"

0

answered 2012-02-09 03:47:33 -0500

weissa

Hey guys,

So I wanted to follow up on my own issue and give others out there a solution to my problem.

I was able to get some more information regarding the differences between nova-manage users and keystone users from some community members in the chat room. I think user management should be documented further when distinguishing between Keystone users and Nova users.

Regarding the EC2 credentials and euca-tools, it turns out the problem goes back to my "openrc" file (go figure, after hours and hours of diagnostics). The EC2_ACCESS_KEY environment variable was initially set as follows:

EC2_ACCESS_KEY="$KEYSTONE_USERNAME:$KEYSTONE_TENANT"

After listing the stored EC2 tokens via keystone-manage token list, I noticed that one of the tokens was NOT assigned to a keystone tenant. Turns out that when I initially created EC2 credentials for the user, I failed to include a tenant. By removing the $KEYSTONE_TENANT variable from the EC2_ACCESS_KEY I was able to get it to work. For future reference, ensure that your access key matches the keystone username AND/OR tenant exactly how it was entered in the EC2 credential command.

0

answered 2012-02-09 05:28:04 -0500

heut2008

Nova users/projects were used before Keystone as the default auth service. Now, Nova uses Keystone to perform the auth. But if you want to use euca2ools with Keystone, you should create the same users/projects (tenants) in both Keystone and the Nova user and project tables using nova-manage.

0

answered 2012-02-15 12:05:55 -0500

It also took me some time to troubleshoot this euca2ools and Keystone issue, with the following error message:

"Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error None: None"

Just as Yaguang mentioned above, one should use the same credentials in nova-manage as those in keystone-manage. Let me be more specific.

nova-manage user admin admin
nova-manage project create openstackDemo admin
keystone-manage credentials add admin EC2 'secretword' openstackDemo

Then, you should export "EC2_ACCESS_KEY=admin:openstackDemo" and "EC2_SECRET_KEY=secretword" in order to use euca2ools together with Keystone and Nova.

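The access-key mismatch described in the answers above can be caught before running euca2ools. The following script is an added example, not code from any poster or from OpenStack. Its function names are hypothetical, the sample openrc is constructed, and it assumes the access key is USER:TENANT when the credential was added with a tenant and USER alone otherwise, as the answers describe.

```shell
# expected_access_key USER [TENANT]
# Assumption: key is USER:TENANT if the credential has a tenant, else USER.
expected_access_key() {
    if [ -n "${2:-}" ]; then printf '%s:%s\n' "$1" "$2"; else printf '%s\n' "$1"; fi
}

# rc_value FILE NAME: source FILE in a subshell (so references such as
# $KEYSTONE_USERNAME are expanded without touching the caller's environment)
# and print variable NAME. Sourcing executes the file: trusted files only.
rc_value() {
    ( set +u
      . "$1" >/dev/null 2>&1 || exit 2
      eval "printf '%s\n' \"\${$2:-}\"" )
}

# check_openrc FILE USER [TENANT]: 0 = match, 1 = mismatch, 2 = unreadable.
check_openrc() {
    want=$(expected_access_key "$2" "${3:-}")
    got=$(rc_value "$1" EC2_ACCESS_KEY) || return 2
    if [ "$got" != "$want" ]; then
        echo "MISMATCH: openrc yields '$got', credential expects '$want'"
        return 1
    fi
    # Report only whether the secret is set; never print it.
    if [ -z "$(rc_value "$1" EC2_SECRET_KEY)" ]; then
        echo "MISMATCH: EC2_SECRET_KEY is empty"
        return 1
    fi
    echo "OK: EC2_ACCESS_KEY=$got"
}

# Constructed sample openrc, shaped like the one in the question.
write_sample_openrc() {
    cat > "$1" <<'EOF'
KEYSTONE_USERNAME=admin
KEYSTONE_TENANT=openstackDemo
export EC2_ACCESS_KEY="$KEYSTONE_USERNAME:$KEYSTONE_TENANT"
export EC2_SECRET_KEY=secretword
EOF
}

tmp=$(mktemp)
write_sample_openrc "$tmp"
check_openrc "$tmp" admin openstackDemo || true   # credential added with tenant
check_openrc "$tmp" admin || true                 # credential added without tenant
rm -f "$tmp"
```

The second call reproduces the asker's situation: the openrc appends the tenant, but the credential was created without one.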

Stats

Asked: 2012-02-08 16:57:09 -0500

Seen: 100 times

Last updated: Feb 15 '12