Ask Your Question
0

Unable to get version info from keystone

asked 2015-02-06 18:26:07 -0500

zipmaster07 gravatar image

I know this has probably been asked a thousand times and there is probably a simple solution but I can't find anything on the web. I'm getting an authentication problem in glance. I'm installing Juno on Debian Wheezy. I'm following this http://docs.openstack.org/juno/install-guide/install/apt-debian/content/ch_preface.html (guide)

I can run any keystone command:

keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2015-02-07T01:08:17Z       |
|     id    | 7d7d57038a17450696c75431e14c8811 |
| tenant_id | 9cf0386649564e528381f40d22387545 |
|  user_id  | 242a46a55fcb4b2a8f64670df82dbad3 |
+-----------+----------------------------------+

but when I run any glance command I get an error:

    glance -dv image-list
curl -i -X GET -H 'User-Agent: python-glanceclient' -H 'Content-Type: application/octet-stream' -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'X-Auth-Token: {SHA1}1e0a46f40523cb392e3a60fc048732ab685a6813' http://192.168.54.114:9292/v1/images/detail?sort_key=name&sort_dir=asc&limit=20
Request returned failure status 401.
Invalid OpenStack Identity credentials.

The glance-api.log file shows the following error:

tail /var/log/glance/glance-api.log
2015-02-06 17:00:27.451 5684 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): thinkctrl.appendata.net
2015-02-06 17:00:27.489 5684 ERROR keystonemiddleware.auth_token [-] Unable to get version info from keystone: 200
2015-02-06 17:00:27.491 5684 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
2015-02-06 17:00:27.492 5684 INFO keystonemiddleware.auth_token [-] Invalid user token - deferring reject downstream
2015-02-06 17:00:27.493 5684 INFO glance.wsgi.server [-] 192.168.54.114 - - [06/Feb/2015 17:00:27] "GET /v1/images/detail?sort_key=name&sort_dir=asc&limit=20 HTTP/1.1" 401 485 0.060374

If I add "auth_version = 2.0" to my glance-api.conf and glance-registry.conf config file then I get a different error in the api log file:

tail /var/log/glance/glance-api.log
2015-02-06 17:12:49.276 5983 INFO keystonemiddleware.auth_token [-] Auth Token proceeding with requested 2.0 apis
2015-02-06 17:12:49.291 5983 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): thinkctrl.appendata.net
2015-02-06 17:12:49.319 5983 WARNING keystonemiddleware.auth_token [-] Unexpected response from keystone service: {u'error': {u'message': u'The resource could not be found.', u'code': 404, u'title': u'Not Found'}}
2015-02-06 17:12:49.320 5983 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
2015-02-06 17:12:49.320 5983 INFO keystonemiddleware.auth_token [-] Invalid user token - deferring reject downstream
2015-02-06 17:12:49.322 5983 INFO glance.wsgi.server [-] 192.168.54.114 - - [06/Feb/2015 17:12:49] "GET /v1/images/detail?sort_key=name&sort_dir=asc&limit=20 HTTP/1.1" 401 485 0.049364

I've not been able to find much on "Unexpected response from keystone service... the resource could not be found"

Snippets from glance config files:

glance-api.conf:

[keystone_authtoken]
identity_uri = http://thinkctrl.appendata.net:5000/v2.0
admin_tenant_name = service
admin_user = glance
admin_password = password
revocation_cache_time = 10

glance-registry.conf:

[keystone_authtoken]
identity_uri = http://thinkctrl.appendata.net:5000/v2.0
admin_tenant_name = service
admin_user = glance
admin_password = password

Again, if I add "auth_version = 2.0" to the keystone_authtoken sections then I get the second error listed above.

I am able to get a token ... (more)

edit retag flag offensive close merge delete

4 answers

Sort by ยป oldest newest most voted
1

answered 2015-02-07 16:10:48 -0500

updated 2015-02-08 00:35:56 -0500

If you are using identity_url config parameter then the value should be unversioned url. Pre Juno, there was config param called auth_uri which takes versioned url. It can also be used. Also from service perspective, it doesn't matter whether you use port 35357 or port 5000. Both will work

   identity_url = http://thinkctrl.appendata.net:35357

If that doesn't work then please post the output of version command?

curl -i http://thinkctrl.appendata.net:5000/v2.0
edit flag offensive delete link more

Comments

Not sure about Juno but as of icehouse port 5000 would not work for any admin APIs .

The easiest way to test is to set your auth URL to use 5000 instead of 35357 and see if you can run user list or tenant list .

sfcloudman gravatar imagesfcloudman ( 2015-02-08 02:32:06 -0500 )edit

You are correct, but only user CRUD operations are admin api. Here we are dealing with token operations which are available at both the ports

Haneef Ali gravatar imageHaneef Ali ( 2015-02-08 11:50:27 -0500 )edit

Thanks. As of Juno or previous version as well?

sfcloudman gravatar imagesfcloudman ( 2015-02-08 14:49:39 -0500 )edit

As for as I know, it is like that from beginning ( diablo, I think)

Haneef Ali gravatar imageHaneef Ali ( 2015-02-09 00:09:20 -0500 )edit

Thanks guys for your help. I had tried switching to port 35357 earlier and it didn't make any difference. I thought I had read that because it is only dealing with tokens it didn't matter whether it was on port 5000 or 35357. However I removed the "/v2.0" from the uri and that fixed the problem

zipmaster07 gravatar imagezipmaster07 ( 2015-02-09 11:56:05 -0500 )edit
1

answered 2015-02-07 00:53:54 -0500

All admin users need to use port 35357 not 5000.

Change with uri go got to port 35357 and done.

edit flag offensive delete link more
0

answered 2015-07-31 14:06:09 -0500

Raouf gravatar image

OMG! I bumped this issue in kilo setup. After 2 days of digging I found that you need to have URL instead of URI!!! So, you should have: auth_url = http://controller:35357

instead of: auth_uri = http://controller:35357

edit flag offensive delete link more
0

answered 2015-02-27 10:12:20 -0500

Dayaa gravatar image

I removed the "/v2.0" from the uri and that fixed the problem

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2015-02-06 18:26:07 -0500

Seen: 5,392 times

Last updated: Feb 27 '15