Ask Your Question
1

Image Service: Invalid OpenStack Identity credentials

asked 2014-12-28 10:21:39 -0500

gnychis gravatar image

updated 2014-12-28 11:30:45 -0500

I am trying to properly setup OpenStack on Ubuntu 14.04 (Juno). Following the guide provided by OpenStack, I am currently stuck on Chapter 4, where you http://docs.openstack.org/juno/install-guide/install/apt/content/glance-verify.html (setup and verify the Image Service). I believe that I've set it up properly. I've repeated the steps 4-5 times, however, when I try to verify my installation by uploading an image I get:

root@src-server1:/tmp/images# source ~/admin-openrc.sh
root@src-server1:/tmp/images# keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2014-12-28T01:42:58Z       |
|     id    | e4d081bc68de43b1a12a6c51103eb0f7 |
| tenant_id | 44363eba77ca42a9a1bbf22d7fb882f9 |
|  user_id  | fd2397b348fb4ca3b307f414d53f9b6a |
+-----------+----------------------------------+
root@src-server1:/tmp/images# glance image-create --name "cirros-0.3.3-x86_64" --file cirros-0.3.3-x86_64-disk.img   --disk-format qcow2 --container-format bare --is-public True --progress
[=============================>] 100%
Request returned failure status.
Invalid OpenStack Identity credentials.

I am pretty postiive the credentials I am using are correct for my admin user and my glance user. I've tried dropping the glance user several times, readding the user to the service tenant, and triple-checking the password.

To provide a little more confidence that my glance user's is setup properly, here I can request a token using the credentials from keystone:

root@src-server1:/tmp/images# cat test.rc
export OS_USERNAME=glance
export OS_PASSWORD=abcdefg
export OS_TENANT_NAME=service
export OS_AUTH_URL=http://172.16.0.10:35357/v2.0
root@src-server1:/tmp/images# source test.rc
root@src-server1:/tmp/images# keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2014-12-28T17:05:41Z       |
|     id    | e54325f9542640f1a19f123a6c800102 |
| tenant_id | e2eff1ec9bc148ff942ff8c257b56f90 |
|  user_id  | bbd04f397fd14fbf87c67b8aad8d70ca |
+-----------+----------------------------------+

You can see the user is setup, there is a service tenant, and that the glance user is in the service tenant:

root@src-server1:/tmp/images# keystone --os-tenant-name admin --os-username admin --os-password 12345 --os-auth-url http://172.16.0.10:35357/v2.0 user-list
+----------------------------------+--------+---------+-------------------+
|                id                |  name  | enabled |       email       |
+----------------------------------+--------+---------+-------------------+
| fd2397b348fb4ca3b307f414d53f9b6a | admin  |   True  |  admin@soroco.com |
| 9693bd6cc59c43e29f9c1e54f1e359c4 |  demo  |   True  | george@soroco.com |
| bbd04f397fd14fbf87c67b8aad8d70ca | glance |   True  |  admin@soroco.com |
+----------------------------------+--------+---------+-------------------+
root@src-server1:/tmp/images# keystone --os-tenant-name admin --os-username admin --os-password 12345 --os-auth-url http://172.16.0.10:35357/v2.0 tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 44363eba77ca42a9a1bbf22d7fb882f9 |  admin  |   True  |
| 7210a23ec39c48f78d8f9841a232f566 |   demo  |   True  |
| e2eff1ec9bc148ff942ff8c257b56f90 | service |   True  |
+----------------------------------+---------+---------+
root@src-server1:/tmp/images# keystone user-role-add --user=glance --tenant=service --role=admin
Conflict occurred attempting to store role grant. User bbd04f397fd14fbf87c67b8aad8d70ca already has role 464b03e2d4b248d5bde14d59fe633fc6 in tenant e2eff1ec9bc148ff942ff8c257b56f90 (HTTP 409)

I set glance to verbose to try and debug the issue, and I am a little concerned about it trying to create an HTTPS connection, whereas in my config I do not have SSL or HTTPS setup. My URI is HTTP. Could this be the issue? The concerning part of the log:

2014-12-27 16:05:58.438 12984 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): 127.0.0.1
2014-12-27 16:05:58.447 12984 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Here, you can see my connection URI in glance-api.conf (and glance-registry.conf), there is no use of https:

[keystone_authtoken]
auth_uri = http://172.16.0.10:5000/v2.0
identity_uri ...
(more)
edit retag flag offensive close merge delete
add a comment

6 answers

Sort by ยป oldest newest most voted
2

answered 2014-12-29 21:19:25 -0500

sfcloudman gravatar image

Auth uri should also point 35357 and not 5000.

Not sure the reason keystone was designed with 2 different apis , admin on 35357 and non admin on 5000 , but all service users need to go to 35357.

edit flag offensive delete link more
add a comment
1

answered 2015-06-08 13:25:01 -0500

Vikram gravatar image

Previously I was getting the following error message:-

root@controller:/home/XXXXXX# glance image-create --name "cirros-0.3.3-x86_64" - -file /tmp/images/cirros-0.3.3-x86_64-disk.img --disk-format qcow2 --container-f ormat bare --is-public True --progress [=============================>] 100% Request returned failure status. Invalid OpenStack Identity credentials.

Issue solved by changing ththe following in glance-api.conf & glance-registry.conf:

[keystone_authtoken] auth_uri = http://controller:5000/v2.0 identity_uri = http://controller:35357 admin_tenant_name = service admin_user = XXXXXX admin_password = XXXXXX

To this:

auth_host = controller auth_port = 35357 auth_protocol = http admin_tenant_name = service admin_user = XXXXXX admin_password = XXXXXX auth_uri = http://controller:5000

============

=VALIDATION=

root@controller:/home/XXXXXX# nano /etc/glance/glance-api.conf root@controller:/home/XXXXXX# nano /etc/glance/glance-registry.conf root@controller:/home/XXXXXX# service glance-registry restart glance-registry stop/waiting glance-registry start/running, process 7550 root@controller:/home/XXXXXX# service glance-api restart glance-api stop/waiting glance-api start/running, process 7563 root@controller:/home/XXXXXX# root@controller:/home/XXXXXX# source admin-openrc.sh root@controller:/home/XXXXXX# glance image-create --name "cirros-0.3.3-x86_64" --file /tmp/images/cirros-0.3.3-x86_64-disk.img --disk-format qcow2 --container-format bare --is-public True --progress [=============================>] 100% +------------------+--------------------------------------+ | Property | Value | +------------------+--------------------------------------+ | checksum | 51b8afbd2b6d36d7012280e9ede51e7e | | container_format | bare | | created_at | 2015-06-08T18:14:12 | | deleted | False | | deleted_at | None | | disk_format | qcow2 | | id | 9a8b12c9-f0d6-43a4-a23a-f4cc67fe89f1 | | is_public | True | | min_disk | 0 | | min_ram | 0 | | name | cirros-0.3.3-x86_64 | | owner | c3eab5d97c514aa4aec53ba1dc5aae40 | | protected | False | | size | 955802 | | status | active | | updated_at | 2015-06-08T18:14:12 | | virtual_size | None | +------------------+--------------------------------------+ root@controller:/home/XXXXXX# glance image-list +--------------------------------------+---------------------+-------------+------------------+--------+--------+ | ID | Name | Disk Format | Container Format | Size | Status | +--------------------------------------+---------------------+-------------+------------------+--------+--------+ | 9a8b12c9-f0d6-43a4-a23a-f4cc67fe89f1 | cirros-0.3.3-x86_64 | qcow2 | bare | 955802 | active | +--------------------------------------+---------------------+-------------+------------------+--------+--------+ root@controller:/home/XXXXXX#

edit flag offensive delete link more
add a comment
1

answered 2015-07-31 14:05:22 -0500

Raouf gravatar image

OMG! I bumped this issue in kilo setup. After 2 days of digging I found that you need to have URL instead of URI!!! So, you should have: auth_url = http://controller:35357

instead of: auth_uri = http://controller:35357

edit flag offensive delete link more
add a comment
0

answered 2014-12-28 14:42:59 -0500

gnychis gravatar image

As it turns out, the guide suggested URI and [keystone_authtoken] section does not work. This section works for me instead:

[keystone_authtoken]
auth_host = 172.16.0.10
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = mypass
auth_uri = http://172.16.0.10:5000
edit flag offensive delete link more
add a comment
0

answered 2014-12-30 03:49:36 -0500

Xianfeng Ye gravatar image

It's really complicated. I succeeded in deploying juno a few days ago. Beside cirros-0.3.3-x86_64, I also upload official ubuntu cloud image. They both boot normally. But from your descriptions, I didn't find something wrong.

edit flag offensive delete link more
add a comment
0

answered 2015-05-15 21:38:16 -0500

weicheng gravatar image

hi,

I occur same problem with you, are you slove this problem?

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2014-12-28 10:21:39 -0500

Seen: 4,987 times

Last updated: Dec 30 '14

Related questions

Cinder Service not running

Error - "Unable to find authentication token in headers" when run "nova image-list on a new install env

Is there a reseller admin role for swift under keystone?

Enable the display of the Metadata definitions catalog in Glance

How to debug tests?

Create an image with multiple disks mounted

Ceilometer central agent failing

Calling batch script from cloudbase-init?

keystone no longer listens on :5000 and :35357

ERROR: openstack Authorization Failed: Cannot authenticate without an auth_url