Ask Your Question
0

Unable to authentiate through keystone [closed]

asked 2015-12-22 08:06:24 -0500

Pradip gravatar image

Hello,

I am trying to setup a cinder volume service to be authenticated using keystone running on another vm. I am facing the issue of non-authentication as follows:

stack@openstack4:~/devstack$ cinder --os-username cinder --os-password password --os-tenant-name service list
ERROR: Unauthorized (HTTP 401)

This is the steps followed:

A. In the vm where Keystone is running:

1. keystone user-create --name=cinder --pass=password  --tenant service
2. keystone user-role-add --user=cinder --tenant=service --role=admin
3. keystone service-create --name=cinder --type=volume --description="OpenStack Block Storage"
4. keystone endpoint-create --service cinder --publicurl http://192.168.10.14:8776/v1/%\(tenant_id\)s  --internalurl http://192.168.10.14:8776/v1/%\(tenant_id\)s --adminurl http://192.168.10.14:8776/v1/%\(tenant_id\)s
5. keystone service-create --name=cinderv2 --type=volumev2 --description="OpenStack Block Storage v2"
6. keystone endpoint-create --service cinderv2 --publicurl http://192.168.10.14:8776/v2/%\(tenant_id\)s  --internalurl http://192.168.10.14:8776/v2/%\(tenant_id\)s --adminurl http://192.168.10.14:8776/v2/%\(tenant_id\)s

B. In the vm where Cinder is running:

  1. Changes in the cinder.conf
[keystone_authtoken]
signing_dir = /var/cache/cinder
cafile = /opt/stack/data/ca-bundle.pem
auth_uri = http://192.168.10.12:5000
project_domain_id = default
project_name = service
user_domain_id = default
password = password
username = cinder
auth_url = http://192.168.10.12:35357
auth_plugin = password
  1. Restart all the cinder services.

Can anyone please point me what thing I am missing here?

Thanks, Pradip

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by Pradip
close date 2015-12-23 01:07:59.982669

add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2015-12-22 09:19:24 -0500

Lili Zhang gravatar image

I guess you missed the parameter --os-auth-url when calling cinder API. As shown in this documentation, auth_url needs to be passed along with username, password, and tenant name, when calling cinder API, which is the same for calling other APIs in OpenStack. To see how to set --os-auth-url, check its command line reference.

Hope this is helpful.

edit flag offensive delete link more

Comments

I tried this, however seeing an error:

cinder --os-username cinder --os-password password --os-tenant-name service --os-auth-url http://192.168.10.12:5000/v2.0 list
ERROR: publicURL endpoint for volumev2 service in RegionOne region not found
Pradip gravatar imagePradip ( 2015-12-22 10:28:42 -0500 )edit
  1. Check wether service_id of the endpoint really matches the id of the service it serves, and also the region.
  2. Delete current cinder services and endpoints, and recreate following step 7 and 8 here.
Lili Zhang gravatar imageLili Zhang ( 2015-12-22 20:50:39 -0500 )edit

Thanks a lot! It worked!. I think the "regionOne" was the problem. I deleted all the endpoints and created with "--region RegionOne" - it works well.

Pradip gravatar imagePradip ( 2015-12-23 00:59:18 -0500 )edit
add a comment
0

answered 2015-12-23 01:04:34 -0500

Pradip gravatar image

What Lili Zhang replied is perfect. Here's the steps I followed and it worked (documenting for future reference):

1. Check if a tenant of name 'service' is there by keystone tenant-list
2. keystone user-create --name=cinder --pass=password --tenant service
3. keystone user-role-add --user=cinder --tenant=service --role=admin
4. keystone service-create --name=cinder --type=volume --description="OpenStack Block Storage"
5. keystone endpoint-create --service cinder --publicurl http://192.168.10.14:8776/v1/%\(tenant_id\)s  --internalurl http://192.168.10.14:8776/v1/%\(tenant_id\)s --adminurl  http://192.168.10.14:8776/v1/%\(tenant_id\)s --region RegionOne
6. keystone service-create --name=cinderv2 --type=volumev2 --description="OpenStack Block Storage v2"
7. keystone endpoint-create --service cinderv2 --publicurl http://192.168.10.14:8776/v2/%\(tenant_id\)s  --internalurl http://192.168.10.14:8776/v2/%\(tenant_id\)s --adminurl  http://192.168.10.14:8776/v2/%\(tenant_id\)s --region RegionOne
8. Now change in the /etc/cinder/cinder.conf in the VM where cinder is running:
     a. Change the keystone_authtoken section the following two: auth_uri and auth_url to point to keystone
     b. Change the oslo_messaging_rabbit section with the rabbit_userid, rabbit_password and rabbit_hosts. 
        [The rabbit_userid, rabbit_password can be retrieved from Keystone VM's local.conf and inspecting vi /var/log/rabbitmq/startup_log]
9. Stop the keystone services in the VM where cinder is installed
10. Restart all the cinder services (c-api, c-sch, c-vol)
11. cinder --os-username cinder --os-password password --os-tenant-name service --os-auth-url http://192.168.10.12:5000/v2.0 list
(0r) 10. export OS_USERNAME=cinder ; export OS_PASSWORD=password ; export OS_AUTH_URL=http://192.168.10.12:5000/v2.0 ; export OS_TENANT_NAME=service ; <cinder cli="">
[refer to: http://docs.openstack.org/developer/python-cinderclient/ ;
 refer to : https://linuxacademy.com/blog/linux/understanding-keystone-endpoints/]
edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2015-12-22 08:06:24 -0500

Seen: 568 times

Last updated: Dec 23 '15

Related questions

Keystone Kerberos configuration

Invalid user token - rejecting request [closed]

lvm.conf on storage/compute nodes

How to find the credentials to be used ?

keystone user-list too slow

Attach volume to instance running on different compute node

Cinder fo SOHO?

sso concept in openstack

options for user_enabled_attribute in keystone configuration

devstack keystone authentication