Ask Your Question
0

glance with identity v3 but self._session calls keystoneclient.auth.identity.v2

asked 2015-03-26 07:24:29 -0600

mariojmdavid gravatar image

updated 2015-03-26 11:14:50 -0600

I have, haproxy nodes on top of the controllers nodes, https openstack endpoints ssl terminated at the haproxy Centos7, Openstack Juno latest updates, in particular relevant for what follows

openstack-keystone-2014.2.2-1.el7.noarch python-keystone-2014.2.2-1.el7.noarch python-keystoneclient-0.11.1-1.el7.centos.noarch python-keystonemiddleware-1.2.0-1.el7.centos.noarch

openstack-glance-2014.2.2-1.el7.noarch python-glance-2014.2.2-1.el7.noarch python-glanceclient-0.15.0-1.el7.centos.noarch python-glance-store-0.1.10-2.el7.centos.noarch

Virtual IP is:  nimbus.ncg.ingrid.pt

client env variables
OS_AUTH_URL=https://nimbus.ncg.ingrid.pt:5000/v3
OS_CACERT=lipca.pem
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=XXXX
OS_PROJECT_DOMAIN_NAME=default
OS_PROJECT_NAME=admin
OS_TENANT_NAME=admin
OS_URL=https://nimbus.ncg.ingrid.pt:35357/v3
OS_USER_DOMAIN_NAME=default
OS_USERNAME=admin

keystone.conf contains
...
admin_endpoint = https://nimbus.ncg.ingrid.pt:35357
public_endpoint = https://nimbus.ncg.ingrid.pt:5000
...

glance-api.conf contains
...
[keystone_authtoken]
auth_uri=https://nimbus.ncg.ingrid.pt:5000/v3
identity_uri=https://nimbus.ncg.ingrid.pt:35357
auth_version=v3
admin_tenant_name=service
admin_user=glance
admin_password=XXX
...

openstack user list ( or service, project, endpoint ... work as expected) Relevant endpoints Service Name | Service Type | Enabled | Interface | URL | glance | image | True | admin | https://nimbus.ncg.ingrid.pt:9292 glance | image | True | public | https://nimbus.ncg.ingrid.pt:9292 keystone | identity | True | public | https://nimbus.ncg.ingrid.pt:5000/v3 keystone | identity | True | admin | https://nimbus.ncg.ingrid.pt:35357/v3

openstack --debug image list gives .... DEBUG: keystoneclient.auth.identity.v3 Making authentication request to https://nimbus.ncg.ingrid.pt:5000/v3/... DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 4293 DEBUG: requests.packages.urllib3.connectionpool "GET /v1/AUTH_2317a44519e04f2d9d898282f8b4ee96?format=json HTTP/1.1" 401 131 DEBUG: keystoneclient.session RESP: DEBUG: keystoneclient.session Request returned failure status: 401 ERROR: openstack Unauthorized (HTTP 401) ..... So the first 2 lines give the correct result, but after that

relevant entries in /var/log/glance/api.log

...
2015-03-26 10:00:58.968 29541 DEBUG glance.api.middleware.version_negotiation [-] new path /v1/images/detail process_request /usr/lib/python2.7/site-packages/glance/api/middleware/version_negotiation.py:70
2015-03-26 10:00:58.969 29541 DEBUG keystonemiddleware.auth_token [-] Removing headers from request environment: X-Service-Catalog .... X-Tenant _remove_auth_headers /usr/lib/python2.7/site-packages/keystonemiddleware/auth_token.py:780
2015-03-26 10:00:58.969 29541 DEBUG keystonemiddleware.auth_token [-] Authenticating user token __call__ /usr/lib/python2.7/site-packages/keystonemiddleware/auth_token.py:708
2015-03-26 10:00:58.970 29541 INFO keystonemiddleware.auth_token [-] Auth Token proceeding with requested v3 apis
2015-03-26 10:00:58.971 29541 DEBUG keystoneclient.auth.identity.v2 [-] Making authentication request to https://nimbus.ncg.ingrid.pt:35357/v2.0/tokens get_auth_ref /usr/lib/python2.7/site-packages/keystoneclient/auth/identity/v2.py:77
2015-03-26 10:00:58.982 29541 INFO urllib3.connectionpool [-] Starting new HTTPS connection (1): nimbus.ncg.ingrid.pt
2015-03-26 10:00:59.011 29541 WARNING keystonemiddleware.auth_token [-] Retrying on HTTP connection exception: SSL exception connecting to https://nimbus.ncg.ingrid.pt:35357/v2.0/tokens
2015-03-26 10:00:59.511 29541 DEBUG keystoneclient.auth.identity.v2 [-] Making authentication request to https://nimbus.ncg.ingrid ...
(more)
edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
0

answered 2015-03-26 11:24:30 -0600

updated 2015-03-26 11:31:07 -0600

The glance service tokens you have configured is is still v2. auth_version = v3 amd using v3 uri is not going to help.

Also I'm not sure whether glance(keystoneclient used by glance in juno) had support for v3 service token ( I think it had it, but not sure). But kilo defintely supports it. In order to use v3 for service token, use the following config in glance.conf

[keystone_authtoken]
identity_uri = https://nimbus.ncg.ingrid.pt:35357
auth_section = generic_password

[generic_password]
auth_plugin = password
#user_name = nova
username = glance
user_domain_id = default
project_name = service
project_domain_id = default
password = <your password="">
auth_url = https://nimbus.ncg.ingrid.pt:35357

Couple of things. This plugin will work for both v2.0 and v3. Also note, I don't sepcify version information, and it will be dynamically determined based on the settings. (i.e) If you remove domain settings, it will use v2 otherwise it will use v3

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2015-03-26 07:24:29 -0600

Seen: 957 times

Last updated: Mar 26 '15