Openstack Kilo glance-registry.conf fails keystone auth users cant see there snapshots

asked 2015-10-27 04:21:59 -0500

jgalvin2015 gravatar image


Im having an issue with glance-registry.conf I can create snapshots from admin login where only admin can see the instance snapshots,

But when other users in different tenants try to create a snapshot they cant see there own snapshots

I found a mis configuration where in glance-registry.conf flavor = keystone was not set but when i uncomment flavor = keystone and restart glance-registry.conf i get the following:

2015-10-27 09:16:39.265 25047 INFO eventlet.wsgi.server [-] (25047) wsgi starting up on 2015-10-27 09:16:39.273 25048 INFO eventlet.wsgi.server [-] (25048) wsgi starting up on 2015-10-27 09:16:39.273 25039 INFO glance.common.wsgi [-] Started child 25048 2015-10-27 09:16:40.882 25047 WARNING keystonemiddleware.auth_token [-] Unable to find authentication token in headers 2015-10-27 09:16:40.885 25047 INFO eventlet.wsgi.server [-] - - [27/Oct/2015 09:16:40] "OPTIONS / HTTP/1.0" 401 213 0.004707

My glance-api.conf: [DEFAULT] default_store = rbd notification_driver = messagingv2 rpc_backend = rabbit rabbit_hosts = kloud-rabbit1,kloud-rabbit2,kloud-rabbit3 rabbit_userid = openstack rabbit_password = openstack show_image_direct_url = True verbose = True auth_strategy = keystone

Address to bind the API server

bind_host =

Port the bind the API server to

bind_port = 9292

Log to this file. Make sure you do not set the same log file for both the API

and registry servers!


If log_file is omitted and use_syslog is false, then log messages are

sent to stdout as a fallback.

log_file = /var/log/glance/api.log

Backlog requests when creating socket

backlog = 4096

TCP_KEEPIDLE value in seconds when creating socket.

Not supported on OS X.

tcp_keepidle = 600

API to use for accessing data. Default value points to sqlalchemy

package, it is also possible to use: glance.db.registry.api

data_api = glance.db.sqlalchemy.api

The number of child process workers that will be

created to service API requests. The default will be

equal to the number of CPUs available. (integer value)

workers = 4

Maximum line size of message headers to be accepted.

max_header_line may need to be increased when using large tokens

(typically those generated by the Keystone v3 API with big service


max_header_line = 16384

Role used to identify an authenticated user as administrator

admin_role = admin

Allow unauthenticated users to access the API with read-only

privileges. This only applies when using ContextMiddleware.

allow_anonymous_access = False

Allow access to version 1 of glance api

enable_v1_api = True

Allow access to version 2 of glance api

enable_v2_api = True

Return the URL that references where the data is stored on

the backend storage system. For example, if using the

file system store a URL of 'file:///path/to/image' will

be returned to the user in the 'direct_url' meta-data field.

The default value is false.

show_image_direct_url = False

Send headers containing user and tenant information when making requests to

the v1 glance registry. This allows the registry to function as if a user is

authenticated without the need to authenticate a user itself using ...

edit retag flag offensive close merge delete