Ask Your Question
2

juno glance Invalid OpenStack Identity credentials

asked 2014-11-23 14:32:07 -0600

cunningr69 gravatar image

updated 2014-11-26 01:19:16 -0600

I am following the install docs for Ubuntu Juno with Icehouse version of Openstack. Keystone installation and tests all worked fine however i am getting and auth error with glance when testing the image upload. Here are the logs and debug API call:

me@kermit:/tmp/images$ glance -dv image-create --name "cirros-0.3.3-x86_64" --file cirros-0.3.3-x86_64-disk.img   --disk-format qcow2 --container-format bare --is-public True --progress
curl -i -X POST -H 'x-image-meta-container_format: bare' -H 'Transfer-Encoding: chunked' -H 'User-Agent: python-glanceclient' -H 'x-image-meta-size: 13200896' -H 'x-image-meta-is_public: True' -H 'X-Auth-Token: 4618a45ef50640d9af385e3e554358b6' -H 'Content-Type: application/octet-stream' -H 'x-image-meta-disk_format: qcow2' -H 'x-image-meta-name: cirros-0.3.3-x86_64' -d '<glanceclient.common.progressbar.VerboseFileWrapper object at 0x7f8491614050>' http://controller:9292/v1/images
[=============================>] 100%

HTTP/1.1 401 Unauthorized
date: Sun, 23 Nov 2014 08:28:37 GMT
content-length: 253
content-type: text/plain; charset=UTF-8

401 Unauthorized

This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.

Request returned failure status. Invalid OpenStack Identity credentials.

####

me@kermit:/tmp/images$ tail /var/log/glance/api.log
2014-11-23 08:28:33.861 13334 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2014-11-23 08:28:34.363 13334 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): 127.0.0.1
2014-11-23 08:28:34.380 13334 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2014-11-23 08:28:35.381 13334 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): 127.0.0.1
2014-11-23 08:28:35.394 13334 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2014-11-23 08:28:37.397 13334 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): 127.0.0.1
2014-11-23 08:28:37.414 13334 ERROR keystoneclient.middleware.auth_token [-] HTTP connection exception: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2014-11-23 08:28:37.414 13334 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token
2014-11-23 08:28:37.414 13334 INFO keystoneclient.middleware.auth_token [-] Invalid user token - deferring reject downstream
2014-11-23 08:28:37.445 13334 INFO glance.wsgi.server [-] 10.48.59.28 - - [23/Nov/2014 08:28:37] "POST /v1/images HTTP/1.1" 401 381 3.600561

Can anyone help?

With the glance OS_ env settings I can also get a token from keystone:

cisco@kermit:~$ env | grep OS_
OS_PASSWORD=Cisco123
OS_AUTH_URL=http://controller:35357/v2.0
OS_USERNAME=glance
OS_TENANT_NAME=service
cisco@kermit:~$ keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2014-11-23T20:53:29Z       |
|     id    | 1f9043f2ec2d4ac08df1e8bf0b5c5aba |
| tenant_id | aa7182a859e54141983193b85f683712 |
|  user_id  | 2579ef7fab174753a136aec60fed0d61 |
+-----------+----------------------------------+

keystone.conf

cisco@kermit:~$ sudo grep -v ^# /etc/keystone/keystone.conf | grep -v ^$
[DEFAULT]
admin_token=XXXXXXXXXXX
verbose=True
[assignment]
[auth]
[cache]
[catalog]
[credential]
[database]
connection = mysql://keystone:Cisco123@controller/keystone
[ec2]
[endpoint_filter]
[federation]
[identity]
[kvs]
[ldap]
[matchmaker_ring]
[memcache ...
(more)
edit retag flag offensive close merge delete

Comments

Please paste your glance-api.conf as well as the keystone.conf here.

9lives gravatar image9lives ( 2014-11-23 18:39:38 -0600 )edit

The configs are quite lengthy. Is there a specific portion I can post to help diagnose?

cunningr69 gravatar imagecunningr69 ( 2014-11-24 08:06:42 -0600 )edit

Try to run glance as admin ( with source keystonerc_admin).

dbaxps gravatar imagedbaxps ( 2014-11-24 08:39:03 -0600 )edit

I am trying but this is also not working with the same error ...

cunningr69 gravatar imagecunningr69 ( 2014-11-24 10:17:21 -0600 )edit

Here are some more detailed logs from glance-api. it looks as if glance is having trouble actually talking to keystone rather than actually failing to authenticate. Some SSL error?

http://paste.openstack.org/show/138892/

cunningr69 gravatar imagecunningr69 ( 2014-11-26 09:29:00 -0600 )edit

4 answers

Sort by » oldest newest most voted
1

answered 2014-11-26 13:43:16 -0600

cunningr69 gravatar image

Ok I found my fix. I was hitting ->

https://bugs.launchpad.net/openstack-...

Which meant that Ubuntu 14.04 wasn't actually pulling the latest packages so I wasn't actually using Juno (doh!)

I went back to the start and ran "sudo apt-get update; sudo apt-get upgrade" then went back and updated Openstack packages. I now have keystone and glance working as per install docs for Juno.

Thanks for all the pointers everyone that helped.

edit flag offensive delete link more
0

answered 2014-11-24 22:44:24 -0600

Here you go :

[keystone_authtoken] #signing_dir = /var/cache/glance/api #auth_uri = http://controller:5000/v2.0 identity_uri = http://controller:5000 #auth_host = 127.0.0.1 #auth_port = 35357 #auth_protocol = http admin_tenant_name = service admin_user = glance admin_password = mypass http://www.seokasho.info/2014/11/0555126103.html (كشف تسربات)

edit flag offensive delete link more
0

answered 2014-11-24 00:45:50 -0600

Ram.Meena gravatar image

updated 2014-11-24 01:03:13 -0600

Hi,

Could you please verify the '[keystone_authtoken]' section in glance-api and glance-registry file. Make sure that you have added 'auth_protocol=http' in this section along with other parameters like the following:-

[keystone_authtoken]
auth_host=controller
auth_protocol=http
auth_uri=http://controller:5000/
admin_tenant_name=services
admin_user=glance
admin_password=f175010940df4b64

You will need to replace the password and other credentials according to your environment. It should resolve the issue you are facing.

edit flag offensive delete link more

Comments

Here you go :

[keystone_authtoken]
#signing_dir = /var/cache/glance/api
#auth_uri = http://controller:5000/v2.0
identity_uri = http://controller:5000
#auth_host = 127.0.0.1
#auth_port = 35357
#auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = mypass
cunningr69 gravatar imagecunningr69 ( 2014-11-24 01:45:30 -0600 )edit
1

documentation said: Comment out any auth_host, auth_port, and auth_protocol options because the identity_uri option replaces them.

auth_uri=http://controller:5000/v2.0

francois gravatar imagefrancois ( 2014-11-24 22:21:56 -0600 )edit

Thanks. I think I did that (see below).

cunningr69 gravatar imagecunningr69 ( 2014-11-25 00:44:43 -0600 )edit
0

answered 2014-11-24 22:18:35 -0600

francois gravatar image

Here is how I made my mistake

when I created the user glance i used GRANT ALL PRIVILEGES ON glance.* TO \'glance@localhost\' IDENTIFIED BY ...

but when I modified /etc/glance/glance-api.conf to set the connection I used connection=mysql://glance:myPassword@controller/glance

for mysql localhost != controller once I corrected that line all was well

I wish it would have been easier to find

edit flag offensive delete link more

Comments

Thanks for the suggestion. I don't think this is my issue since I can do a keystone token-get, service-list from a remote machine using the glance credentials:

cisco@gonzo:~$ keystone service-list +----------------------------------+----------+----------+-------------------------+ |

cunningr69 gravatar imagecunningr69 ( 2014-11-25 00:43:39 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

Stats

Asked: 2014-11-23 14:32:07 -0600

Seen: 5,606 times

Last updated: Nov 26 '14