Ask Your Question

ayoung's profile - activity

2019-01-25 23:49:18 -0500 answered a question Horizon unable to login while keystone endpoint number over 60

" keystone service's endpoint number over 60" What does this mean? That there are over 60 Keystone Endpoints? Why so many?

2018-11-09 10:58:25 -0500 answered a question keystone api project problem need your help

The PHPOpenCloud API is not part of the Keystone project, so I can't say what it is doing, buit it looks like it wants an project prior to any operation, and you are getting an unscoped token instead. You might need to make a direct call to the Keystone API to create the initial project, or the PHP library might have a different API you use to create the initial project.

Probably what is happening is that the unscoped token does not provide a service catalog, and the createProject API is using the catalog to try and find the identity service. That is one of the reasons for this feature:

2018-04-29 20:54:00 -0500 answered a question Authentication gnocchi api is not working

It is an oslo-conf object. For example, see

2016-10-30 06:55:19 -0500 received badge  Nice Answer (source)
2016-10-30 04:24:15 -0500 received badge  Necromancer (source)
2016-10-29 11:26:35 -0500 answered a question How to retrieve a list of tenants/projects for user from keystone API

This one is not obvious or published, but this is what Horizon does:

curl -H "X-Auth-Token: $AUTH_TOKEN" -H "Content-type: application/json" $OS_AUTH_URL/v3/auth/projects

{"links": {"self": "", "previous": null, "next": null}, "projects": [{"is_domain": false, "description": "Auto created account", "links": {"self": ""}, "enabled": true, "id": "38db4610673545e58a99d7c0ea708174", "parent_id": null, "domain_id": "default", "name": "facebook665086733"}]}

In general, without a scoped token, keystone operations can only be performed against the AUTH_URL. Thus, the enumeration of user specific information must be under OS_AUTH_URL/v3/auth

2016-08-29 09:37:31 -0500 answered a question Keystone authentication: Failed to contact the endpoint.

Note that sometimes you have IP address and sometimes you have Hostnames specified.
The initial AUTH URL uses the IP address: Which seems to succeed. It then should get the identity endpoint out of the service catalog, and that seems to be using the hostname:


Apache or HA Proxy is not responding to this, probably as it needs to be in the vhost section of the Keystone Config file. Either change the endpoint to use the IP address, or, even better, make Apache respond to requests for the Hostname.

2016-07-01 00:06:08 -0500 answered a question Unable to start keystone

Keystone is not in HTTPD, not Eventlet. The systemd way to star\t keystone is systemctl start httpd.service.

2016-07-01 00:05:18 -0500 received badge  Supporter (source)
2016-07-01 00:04:42 -0500 answered a question Is it acceptable to PATCH Keystone JSON documents with custom attributes?

Is not possible. While most Keystone objects have a n"extra' field, they do not get added to the Token. You would need to write a custom token provider to do that.

2016-07-01 00:03:00 -0500 answered a question how user's metadata are stored in keystone?

Keystone should use HTTPS. It was not easy to do in the past due to Eventlet, but with HTTPD, it should be no problem.

Metadata is stored as a serialized JSON blob in clear text.

2016-07-01 00:01:45 -0500 answered a question keystone - unable to establish connection

Network problem or Keystone server is down.

2016-06-30 23:56:26 -0500 answered a question How to create an instance for a tenant via admin?

You don't create instances for users. You create proejcts (not tenants anymore) and assign users the role in that that project, and let them create the instances themseleves

2016-06-29 06:08:50 -0500 received badge  Necromancer (source)
2016-06-28 16:45:46 -0500 answered a question Why is tenant name immutable when using LDAP identity provider in Keystone?

LDAP is expected to be read only. In general, the projects (neeTenants) should be stored in SQL, not LDAP

2016-06-28 16:37:17 -0500 answered a question Realm Value need to be passed from horizon to get the complete list of available Idp's in Keystone ?

Realm should not be necessary for listing IdPs.

2016-06-28 16:36:10 -0500 answered a question keystone version 3
  1. V3 has a lot that is not in V2. Domains and Groups, Federation some of the big items.
  2. cannot parse the question.
  3. All services should be able to use V3, but it is still a configuration option to set it up.
  4. Middleware is in its own repo now keystonemiddleware is complete V3 Aware.
2016-06-28 16:34:18 -0500 answered a question How to use horizon with keystone using external authentication?

This has been solved upstream.

2016-06-28 16:33:32 -0500 answered a question configuring Keystone for both http & https

Yes, especially now. Keystone runs in Apache, so you could put https on one or both of the virtual hosts. Recommend using HTTPS everywhere.

2016-06-28 16:32:33 -0500 answered a question keystone on CentOS 6.3

Obsolete. This was under Keystone Eventlet, so even if we did answer it, it would not be current.

2016-06-28 16:29:40 -0500 answered a question Keystone LDAP default structural class for users

That is just the default. The classes used are specified in the config:

user_objectclass = cfg.StrOpt( 'user_objectclass', default='inetOrgPerson', help=utils.fmt("""
LDAP objectclass for users. """))

2016-06-28 14:14:24 -0500 answered a question What kind of policies can be created in keystone?

Keystone policies are for RBAC only. The policy backend was an attempt to provide a place to store and fetch them, but its use is not required.

2016-06-28 14:12:22 -0500 answered a question If policy.json is accidently deleted , is there anyway for admin to login to openstack?

Technically yes, but I htink, theway youare asking it, realistically no.

If there is no policy.json file, I think Keystone denies all.

you can do ADMIN_TOKEN, but in a sane deployment, that should be disabled. You wouldneed the same degree of acces to the machine to enable ADMIN_TOKEN as to replace the policy file.

you could just as easily add a new policy.json file. The policy.json file is protected by operatin system file permissions; make it world readable, but writable only by root is it best approach.

If it could be modified once, it can be modified again.

2016-06-27 10:08:57 -0500 answered a question Cannot create scoped token from openid unscoped token - authenticate_for_token() got an unexpected keyword argument 'scope'

This is a known issue with keystoneclient, and looks like it carried over to middleware.

I wrote a simple alternative using the client (Newtown) that shows the general approach to the solution:

For now, you can use the Federated approach to get an unscoped token, then use a token auth plugin manually (this is a really bad solution I know)

2016-04-11 11:28:13 -0500 answered a question Individual instances?

Duplicate of But the answer is still the same: there is not. The Project is the abstraction for Info hiding. If you want two users to have distinct set of VMs, put them in separate projects.

2016-04-11 11:26:55 -0500 answered a question Hiding a user's instances from other users

No, there is not. The Project is the abstraction for Info hiding. If you want two users to have distinct set of VMs, put them in separate projects.

2016-03-28 13:34:26 -0500 answered a question Why is /usr/bin/openstack domain list ... hanging?

It does not sound like the hang is the call to the Keystone server. This sounds like it might be an issue with the Keystone puppet module, and it is insisting on using a V2 API:

"Warning: The tenant parameter is deprecated and will be removed in the future. Please use keystone_user_role to assign a user to a project."

IS, I think, trying to do "add-user-to-project"

Please file an upstream bug against the puppet-keystone: if this is still a problem.

2016-03-28 13:29:42 -0500 answered a question auth_token in keystone v3

Try using the rc file produced from the script here.

2016-02-24 13:16:03 -0500 answered a question No handlers could be found for logger "oslo_config.cfg"

Please file this as a bug

2015-06-23 22:26:02 -0500 commented answer OpenStack Policy Enforcement for Custom Role Project_Admin

If everything works from the Command line, but not the web ui, I thjink you need to update the policy files cached in Horizon.

2015-06-19 12:33:49 -0500 answered a question OpenStack Policy Enforcement for Custom Role Project_Admin

"rule:admin_required or rule:Tenant_Admin and project_id:%( might be ambiguous. I'd certainly group using parenthesis to make sure it does what you want.

I wrote a simple CLI tool you can use to test a policy file. Might help/

2015-03-18 22:39:12 -0500 answered a question EndpointNotFound errors with Keystone v3 Python API

I was unable to reproduce on my machine. Turns out it was due to an out of date client. Updated client seems to work correctly.

2014-12-11 11:46:57 -0500 received badge  Good Answer (source)
2014-06-14 09:12:28 -0500 answered a question "An error occurred authenticating. Please try again later." on authentication with ldap configuration.

Authentication will fail if the user does not have a role in any project, and you request a token scoped to a project.

2013-12-12 08:52:46 -0500 received badge  Nice Answer (source)
2013-09-11 15:50:30 -0500 answered a question When I use swift to perform a HEAD, I am getting 401 Unauthorized.

I am the Keystone core dev that wrote the PKI token code. I wrote up a troubleshooting guide here:

2013-06-28 03:39:25 -0500 answered a question Keystone didn't support worker children processes

Look into the development process on the Openstack Web Site. You would submit your change via Git Review to Gerrit. That is what is meant by "subit it as a patch." That is how it would get merged to master.

2013-06-14 02:28:25 -0500 answered a question Keystone didn't support worker children processes

Submit it as a patch. No reason we can't support it for Eventlet based deployments.

2013-05-29 17:38:20 -0500 received badge  Teacher (source)
2013-05-20 14:58:02 -0500 received badge  Editor (source)
2013-05-20 08:05:08 -0500 answered a question How to configure Keystone with open LDAP + horizon on grizzly

The short answer is it is broken and being fixed:

You can work around it by creating a domain subtree.

The Fix to the above has been merged into master.

In the past, users were directly "members" of projects. Now, users have roles in projects. This is done (usually) using organzationalRoles as a collection under the project. For Microsoft AD, You need to change the object type, as it will not allow you to nest objects under groupOfNames: make the project an OrganizationalUnit instead.

If you have additional questions, please open them separately.

2012-03-07 16:55:12 -0500 answered a question Tenant addition giving problems over OpenLDAP

The fact that there is SQL Alchemy lines in your stack trace indicate that you are not talking to LDAP.

In order to add a user to LDAP, you need to use the HTTP API, and cannot do it via Keystone Manage.