Ask Your Question
0

Glance with Keystone authentication not working HELP!

asked 2015-03-10 14:24:35 -0500

bobyakov gravatar image

updated 2015-03-12 08:48:46 -0500

Hi Guys,

Using Icehouse and Ubuntu 14.04 HAProxy 192.168.8.2 in front of 2 controllers.

Having issue where user that creates snapshot does not see it. If I make it public, everyone is able to see it. Determined I needed to setup glance to authenticate with keystone. Also ran glance-manage db_sync, and confirmed DB tables populated with images that worked prior to pointing to keystone.

Now getting error :

glance --debug image-list
curl -i -X GET -H 'X-Auth-Token: MIIMUgYJKoZIhvcNAQcCoIIMQzCCDD8CAQExDTALBglghkgBZQMEAgEwggqgBgkqhkiG9w0BBwGgggqRBIIKjXsiYWNjZXNzIjogeyJ0b2tlbiI6IHsiaXNzdWVkX2F0IjogIjIwMTUtMDMtMTFUMTc6MTk6NDkuNjE1OTk1IiwgImV4cGlyZXMiOiAiMjAxNS0wMy0xMVQxODoxOTo0OVoiLCAiaWQiOiAicGxhY2Vob2xkZXIiLCAidGVuYW50IjogeyJkZXNjcmlwdGlvbiI6IG51bGwsICJlbmFibGVkIjogdHJ1ZSwgImlkIjogImE3YWE1ODdmODAyYzQxNGNiY2VmNjljNTY5N2JlMzU4IiwgIm5hbWUiOiAiYWRtaW4ifX0sICJzZXJ2aWNlQ2F0YWxvZyI6IFt7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xOTIuMTY4LjguMjo4Nzc0L3YyL2E3YWE1ODdmODAyYzQxNGNiY2VmNjljNTY5N2JlMzU4IiwgInJlZ2lvbiI6ICJyZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzE5Mi4xNjguOC4yOjg3NzQvdjIvYTdhYTU4N2Y4MDJjNDE0Y2JjZWY2OWM1Njk3YmUzNTgiLCAiaWQiOiAiMGViM2M1OTgzODkyNDZmNTg1ZWQyYzg5MTFiMGU2ODMiLCAicHVibGljVVJMIjogImh0dHA6Ly8yNC4yNDYuMTIwLjIzMTo4Nzc0L3YyL2E3YWE1ODdmODAyYzQxNGNiY2VmNjljNTY5N2JlMzU4In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImNvbXB1dGUiLCAibmFtZSI6ICJub3ZhIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzE5Mi4xNjguOC4yOjk2OTYvIiwgInJlZ2lvbiI6ICJyZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzE5Mi4xNjguOC4yOjk2OTYvIiwgImlkIjogIjEzZDAxYTBiODhkNjQyYjFhZWJmMDRhYWIzMDc3OWI4IiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMjQuMjQ2LjEyMC4yMzE6OTY5Ni8ifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAibmV0d29yayIsICJuYW1lIjogInF1YW50dW0ifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTkyLjE2OC44LjI6OTI5MiIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xOTIuMTY4LjguMjo5MjkyIiwgImlkIjogIjBjMmVmY2M0NWRmODQ1ZDM5Zjc3MTIyZmFmOWQ4ZGJmIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMjQuMjQ2LjEyMC4yMzE6OTI5MiJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJpbWFnZSIsICJuYW1lIjogImdsYW5jZSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xOTIuMTY4LjguMjo4Nzc2L3YxL2E3YWE1ODdmODAyYzQxNGNiY2VmNjljNTY5N2JlMzU4IiwgInJlZ2lvbiI6ICJyZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzE5Mi4xNjguOC4yOjg3NzYvdjEvYTdhYTU4N2Y4MDJjNDE0Y2JjZWY2OWM1Njk3YmUzNTgiLCAiaWQiOiAiOTI0ZGFlOWExNmFiNGIyMmEwZWVmNjExMjBkMjgxZjMiLCAicHVibGljVVJMIjogImh0dHA6Ly8yNC4yNDYuMTIwLjIzMTo4Nzc2L3YxL2E3YWE1ODdmODAyYzQxNGNiY2VmNjljNTY5N2JlMzU4In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogInZvbHVtZSIsICJuYW1lIjogImNpbmRlciJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xOTIuMTY4LjguMjo4NzczL3NlcnZpY2VzL0FkbWluIiwgInJlZ2lvbiI6ICJyZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzE5Mi4xNjguOC4yOjg3NzMvc2VydmljZXMvQ2xvdWQiLCAiaWQiOiAiNjE5MGFkNzMzNTM2NGEwZmJkYzg2OWFhY2ZhOWQyOGIiLCAicHVibGljVVJMIjogImh0dHA6Ly8yNC4yNDYuMTIwLjIzMTo4NzczL3NlcnZpY2VzL0Nsb3VkIn1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImVjMiIsICJuYW1lIjogImVjMiJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xOTIuMTY4LjguMjo4MDgwLyIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xOTIuMTY4LjguMjo4MDgwL3YxL0FVVEhfYTdhYTU4N2Y4MDJjNDE0Y2JjZWY2OWM1Njk3YmUzNTgiLCAiaWQiOiAiNzBkYWIxZTFjNDRhNDI1Yzg3NWI0ZTEwOTZlYjhkOGUiLCAicHVibGljVVJMIjogImh0dHA6Ly8yNC4yNDYuMTIwLjIzMTo4MDgwL3YxL0FVVEhfYTdhYTU4N2Y4MDJjNDE0Y2JjZWY2OWM1Njk3YmUzNTgifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAib2JqZWN0LXN0b3JlIiwgIm5hbWUiOiAic3dpZnQifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTkyLjE2OC44LjI6MzUzNTcvdjIuMCIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xOTIuMTY4LjguMjo1MDAwL3YyLjAiLCAiaWQiOiAiODRlNzQwZGY0YWM1NGQyM2E3OWU4NGU5N2ViMGUxYmQiLCAicHVibGljVVJMIjogImh0dHA6Ly8yNC4yNDYuMTIwLjIzMTo1MDAwL3YyLjAifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJrZXlzdG9uZSJ9XSwgInVzZXIiOiB7InVzZXJuYW1lIjogImFkbWluIiwgInJvbGVzX2xpbmtzIjogW10sICJpZCI6ICJjYWQ1ZjNiMGMzZGQ0OWIwYTk0YjY5ZmYxMzdiYjgwNSIsICJyb2xlcyI6IFt7Im5hbWUiOiAiYWRtaW4ifV0sICJuYW1lIjogImFkbWluIn0sICJtZXRhZGF0YSI6IHsiaXNfYWRtaW4iOiAwLCAicm9sZXMiOiBbIjM0YTY3ZDc1YTQzMjQ2NWJiNjFiNTJkYzQ4MzVkMjUyIl19fX0xggGFMIIBgQIBATBcMFcxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVVbnNldDEOMAwGA1UEBwwFVW5zZXQxDjAMBgNVBAoMBVVuc2V0MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20CAQEwCwYJYIZIAWUDBAIBMA0GCSqGSIb3DQEBAQUABIIBAKYBU0Pi7fjXjvOGo2LoDiKO51MLhy1jzW0yLyQVZBzWmkuvR1Fc9T9BIZ+o3JDmls6JCOZWIX4ZpJJH0sRRZqQd9c3OpCBZhNYN3tHbcQoPtkw-tFAFf4xcG2yZpL1pn3-1ijkzwJVZpbEYoFpr+pzoHB891OfaHvy7WcDYfLDpVLuPjZMnDvvwgte9G+-ci+lODHY3P8O3JRT3CqjlymF548Mm8HpGA56FKp3aojsp59B33uVVfW8WA6qYmsIp0AGN1MCjQgsYJ6I7Fr1JhEshV7Gpsr52A900GTFDRVsOOw8LKd8xo5ejvM+1GsopyGQoLxYD97SjOaC8fegr9Z4=' -H 'Content-Type: application/json' -H 'User-Agent: python-glanceclient' http://24.246.120.231:9292/v1/images/detail?sort_key=name&sort_dir=asc&limit=20

HTTP/1.1 500 Internal Server Error
date: Wed, 11 Mar 2015 17:19:49 GMT
content-length: 0
content-type: text/plain
connection: close

Request returned failure status. HTTPInternalServerError (HTTP 500)

glance-api.conf and glance-registry.conf

   connection=mysql://glance:password@192.168.8.2/glance

   [keystone_authtoken]
    auth_uri = http://192.168.8.2:5000/v2.0
    auth_host = 192.168.8.2
    auth_port = 35357
    auth_protocol = http
    admin_tenant_name = service
    admin_user = glance
    admin_password = password

glance-api-paste.ini and glance-registry-paste.ini

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
delay_auth_decision = true
service_host = 192.168.8.2
service_port = 5000
service_protocol = http
auth_host = 192.168.8.2
auth_port = 35357
auth_protocol = http
auth_uri = http://192.168.8.2:5000/v2.0
admin_tenant_name = service
admin_user = glance
admin_password = password
admin_token = token in keystone.conf

glance-api log:

2015-03-10 15:20:45.239 3439 WARNING keystoneclient.middleware.auth_token [-] Unable to find authentication token in headers
2015-03-10 15:20:45.240 3439 DEBUG keystoneclient.middleware.auth_token [-] Headers: {'SERVER_PROTOCOL': 'HTTP/1.0', 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.version': (1, 0), 'SERVER_NAME': '192.168.8.6', 'RAW_PATH_INFO': '/', 'REMOTE_ADDR': '192.168.8.4', 'wsgi.run_once': False, 'wsgi.errors': <open file '<stderr>', mode 'w' at 0x7fbb0f9e51e0>, 'wsgi.multiprocess': False, 'SCRIPT_NAME': '', 'SERVER_PORT': '9191', 'wsgi.url_scheme': 'http', 'REMOTE_PORT': '34077', 'wsgi.input': <eventlet.wsgi.Input object at 0x7fbb0a195f50>, 'REQUEST_METHOD': 'OPTIONS', 'PATH_INFO': '/', 'CONTENT_TYPE': 'text/plain', 'wsgi.multithread': True, 'eventlet.input': <eventlet.wsgi.Input object at 0x7fbb0a195f50>, 'eventlet.posthooks': []} _get_user_token_from_header /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:647
2015-03-10 15:20:45.240 3439 INFO keystoneclient.middleware.auth_token [-] Invalid user token - rejecting request
2015-03-10 15:20:45.241 3439 INFO glance.wsgi.server [-] 192.168.8.4 - - [10/Mar/2015 15:20:45] "OPTIONS / HTTP/1.0" 401 217 0.001938

glance registry.log

2015-03-10 15:20:31.828 3419 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): 192.168.8.2
2015-03-10 15:20:31.829 3419 DEBUG urllib3.connectionpool [-] Setting read timeout to None _make_request /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:375
2015-03-10 15:20:31.853 3419 DEBUG urllib3.connectionpool [-] "GET /v2.0/tokens/revoked HTTP/1.1" 200 802 _make_request /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:415
2015-03-10 15:20:31.875 3419 DEBUG keystoneclient.middleware.auth_token [-] Storing token in cache _cache_put /usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py:1144
2015-03-10 15:20:31.876 3419 DEBUG keystoneclient.middleware.auth_token [-] Received request from user ...
(more)
edit retag flag offensive close merge delete

2 answers

Sort by » oldest newest most voted
1

answered 2015-03-13 15:40:40 -0500

bobyakov gravatar image

So I think I figured out why I was getting error 500. The registry_host was set to a vip and was erroring out when flavor= is set. Registry_host set to VIP did work when flavor= was blank, (weird). Anyway Although I am not getting errors I still can not see private images.

edit flag offensive delete link more

Comments

So once I updated registry_host to specific server rather than VIP, Any new private snapshot was now visible to owner. Still have to figure out how to load balance this.

bobyakov gravatar imagebobyakov ( 2015-03-13 15:59:45 -0500 )edit
0

answered 2015-03-11 23:51:26 -0500

Praveen N gravatar image

Hi,register the glance service and also ensure there the glance service endpoint is proper.

#keystone service-create --name=glance --type=image --description="Glance Image Service"
#keystone endpoint-create --service-id=$(keystone service-list | awk '/ image / {print $2}') --publicurl=http://aioX:9292 --internalurl=http://aioX:9292 --adminurl=http://aioX:9292
edit flag offensive delete link more

Comments

description Glance Image Service enabled True id e4b2a6d1f31a463080c78b2dbbca8381 name glance

Endpoints: regionOne public http://24.246.120.231:9292/ internal http://192.168.8.2:9292 admin http://192.168.8.2:9292

bobyakov gravatar imagebobyakov ( 2015-03-12 08:20:51 -0500 )edit

Get an authentication token using command #keystone token-get and try running commands passing this token..!!

Praveen N gravatar imagePraveen N ( 2015-03-12 08:44:44 -0500 )edit

keystone token-get gives me an encrypted token, is that right?

bobyakov gravatar imagebobyakov ( 2015-03-12 09:02:38 -0500 )edit

So weird thing happened, I tried uploading an image on controller 1 and no longer receive error500. Now receiving HTTP/1.1 401 Unauthorized ( Only on controller1). Controller 2 is still giving me error HTTP/1.1 500 Internal Server Error

bobyakov gravatar imagebobyakov ( 2015-03-12 10:04:14 -0500 )edit

So reason I received 401 is because I passed incorrect token, once I updated token back to HTTP/1.1 500 Internal Server Error

bobyakov gravatar imagebobyakov ( 2015-03-12 11:08:17 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2015-03-10 14:24:35 -0500

Seen: 3,239 times

Last updated: Mar 13 '15