Ask Your Question
1

Image Service: Invalid OpenStack Identity credentials

asked 2014-12-28 10:21:39 -0600

gnychis gravatar image

updated 2014-12-28 11:30:45 -0600

I am trying to properly setup OpenStack on Ubuntu 14.04 (Juno). Following the guide provided by OpenStack, I am currently stuck on Chapter 4, where you http://docs.openstack.org/juno/install-guide/install/apt/content/glance-verify.html (setup and verify the Image Service). I believe that I've set it up properly. I've repeated the steps 4-5 times, however, when I try to verify my installation by uploading an image I get:

root@src-server1:/tmp/images# source ~/admin-openrc.sh
root@src-server1:/tmp/images# keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2014-12-28T01:42:58Z       |
|     id    | e4d081bc68de43b1a12a6c51103eb0f7 |
| tenant_id | 44363eba77ca42a9a1bbf22d7fb882f9 |
|  user_id  | fd2397b348fb4ca3b307f414d53f9b6a |
+-----------+----------------------------------+
root@src-server1:/tmp/images# glance image-create --name "cirros-0.3.3-x86_64" --file cirros-0.3.3-x86_64-disk.img   --disk-format qcow2 --container-format bare --is-public True --progress
[=============================>] 100%
Request returned failure status.
Invalid OpenStack Identity credentials.

I am pretty postiive the credentials I am using are correct for my admin user and my glance user. I've tried dropping the glance user several times, readding the user to the service tenant, and triple-checking the password.

To provide a little more confidence that my glance user's is setup properly, here I can request a token using the credentials from keystone:

root@src-server1:/tmp/images# cat test.rc
export OS_USERNAME=glance
export OS_PASSWORD=abcdefg
export OS_TENANT_NAME=service
export OS_AUTH_URL=http://172.16.0.10:35357/v2.0
root@src-server1:/tmp/images# source test.rc
root@src-server1:/tmp/images# keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2014-12-28T17:05:41Z       |
|     id    | e54325f9542640f1a19f123a6c800102 |
| tenant_id | e2eff1ec9bc148ff942ff8c257b56f90 |
|  user_id  | bbd04f397fd14fbf87c67b8aad8d70ca |
+-----------+----------------------------------+

You can see the user is setup, there is a service tenant, and that the glance user is in the service tenant:

root@src-server1:/tmp/images# keystone --os-tenant-name admin --os-username admin --os-password 12345 --os-auth-url http://172.16.0.10:35357/v2.0 user-list
+----------------------------------+--------+---------+-------------------+
|                id                |  name  | enabled |       email       |
+----------------------------------+--------+---------+-------------------+
| fd2397b348fb4ca3b307f414d53f9b6a | admin  |   True  |  admin@soroco.com |
| 9693bd6cc59c43e29f9c1e54f1e359c4 |  demo  |   True  | george@soroco.com |
| bbd04f397fd14fbf87c67b8aad8d70ca | glance |   True  |  admin@soroco.com |
+----------------------------------+--------+---------+-------------------+
root@src-server1:/tmp/images# keystone --os-tenant-name admin --os-username admin --os-password 12345 --os-auth-url http://172.16.0.10:35357/v2.0 tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 44363eba77ca42a9a1bbf22d7fb882f9 |  admin  |   True  |
| 7210a23ec39c48f78d8f9841a232f566 |   demo  |   True  |
| e2eff1ec9bc148ff942ff8c257b56f90 | service |   True  |
+----------------------------------+---------+---------+
root@src-server1:/tmp/images# keystone user-role-add --user=glance --tenant=service --role=admin
Conflict occurred attempting to store role grant. User bbd04f397fd14fbf87c67b8aad8d70ca already has role 464b03e2d4b248d5bde14d59fe633fc6 in tenant e2eff1ec9bc148ff942ff8c257b56f90 (HTTP 409)

I set glance to verbose to try and debug the issue, and I am a little concerned about it trying to create an HTTPS connection, whereas in my config I do not have SSL or HTTPS setup. My URI is HTTP. Could this be the issue? The concerning part of the log:

2014-12-27 16:05:58.438 12984 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): 127.0.0.1
2014-12-27 16:05:58.447 12984 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Here, you can see my connection URI in glance-api.conf (and glance-registry.conf), there is no use of https:

[keystone_authtoken]
auth_uri = http://172.16.0.10:5000/v2.0
identity_uri ...
(more)
edit retag flag offensive close merge delete
add a comment

6 answers

Sort by ยป oldest newest most voted
2

answered 2014-12-29 21:19:25 -0600

sfcloudman gravatar image

Auth uri should also point 35357 and not 5000.

Not sure the reason keystone was designed with 2 different apis , admin on 35357 and non admin on 5000 , but all service users need to go to 35357.

edit flag offensive delete link more
add a comment
1

answered 2015-07-31 14:05:22 -0600

Raouf gravatar image

OMG! I bumped this issue in kilo setup. After 2 days of digging I found that you need to have URL instead of URI!!! So, you should have: auth_url = http://controller:35357

instead of: auth_uri = http://controller:35357

edit flag offensive delete link more
add a comment
1

answered 2015-06-08 13:25:01 -0600

Vikram gravatar image

Previously I was getting the following error message:-

root@controller:/home/XXXXXX# glance image-create --name "cirros-0.3.3-x86_64" - -file /tmp/images/cirros-0.3.3-x86_64-disk.img --disk-format qcow2 --container-f ormat bare --is-public True --progress [=============================>] 100% Request returned failure status. Invalid OpenStack Identity credentials.

Issue solved by changing ththe following in glance-api.conf & glance-registry.conf:

[keystone_authtoken] auth_uri = http://controller:5000/v2.0 identity_uri = http://controller:35357 admin_tenant_name = service admin_user = XXXXXX admin_password = XXXXXX

To this:

auth_host = controller auth_port = 35357 auth_protocol = http admin_tenant_name = service admin_user = XXXXXX admin_password = XXXXXX auth_uri = http://controller:5000

============

=VALIDATION=

root@controller:/home/XXXXXX# nano /etc/glance/glance-api.conf root@controller:/home/XXXXXX# nano /etc/glance/glance-registry.conf root@controller:/home/XXXXXX# service glance-registry restart glance-registry stop/waiting glance-registry start/running, process 7550 root@controller:/home/XXXXXX# service glance-api restart glance-api stop/waiting glance-api start/running, process 7563 root@controller:/home/XXXXXX# root@controller:/home/XXXXXX# source admin-openrc.sh root@controller:/home/XXXXXX# glance image-create --name "cirros-0.3.3-x86_64" --file /tmp/images/cirros-0.3.3-x86_64-disk.img --disk-format qcow2 --container-format bare --is-public True --progress [=============================>] 100% +------------------+--------------------------------------+ | Property | Value | +------------------+--------------------------------------+ | checksum | 51b8afbd2b6d36d7012280e9ede51e7e | | container_format | bare | | created_at | 2015-06-08T18:14:12 | | deleted | False | | deleted_at | None | | disk_format | qcow2 | | id | 9a8b12c9-f0d6-43a4-a23a-f4cc67fe89f1 | | is_public | True | | min_disk | 0 | | min_ram | 0 | | name | cirros-0.3.3-x86_64 | | owner | c3eab5d97c514aa4aec53ba1dc5aae40 | | protected | False | | size | 955802 | | status | active | | updated_at | 2015-06-08T18:14:12 | | virtual_size | None | +------------------+--------------------------------------+ root@controller:/home/XXXXXX# glance image-list +--------------------------------------+---------------------+-------------+------------------+--------+--------+ | ID | Name | Disk Format | Container Format | Size | Status | +--------------------------------------+---------------------+-------------+------------------+--------+--------+ | 9a8b12c9-f0d6-43a4-a23a-f4cc67fe89f1 | cirros-0.3.3-x86_64 | qcow2 | bare | 955802 | active | +--------------------------------------+---------------------+-------------+------------------+--------+--------+ root@controller:/home/XXXXXX#

edit flag offensive delete link more
add a comment
0

answered 2015-05-15 21:38:16 -0600

weicheng gravatar image

hi,

I occur same problem with you, are you slove this problem?

edit flag offensive delete link more
add a comment
0

answered 2014-12-28 14:42:59 -0600

gnychis gravatar image

As it turns out, the guide suggested URI and [keystone_authtoken] section does not work. This section works for me instead:

[keystone_authtoken]
auth_host = 172.16.0.10
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = mypass
auth_uri = http://172.16.0.10:5000
edit flag offensive delete link more
add a comment
0

answered 2014-12-30 03:49:36 -0600

Xianfeng Ye gravatar image

It's really complicated. I succeeded in deploying juno a few days ago. Beside cirros-0.3.3-x86_64, I also upload official ubuntu cloud image. They both boot normally. But from your descriptions, I didn't find something wrong.

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2014-12-28 10:21:39 -0600

Seen: 5,270 times

Last updated: Dec 30 '14

Related questions

Devstack Icehouse Installation [closed]

Problem with Keystone and Active Directory

run keystone-all get error.

conflict occurred attempting to store project

Register Designate with Keystone

Enable the display of the Metadata definitions catalog in Glance

ceilometer meter-list show empty

Guest OS details from OpenStack

fail to download cirros disk.img (HTTP 400)

Glance configuration Identity credentials