OpenStack Image Registry and Delivery Service (Glance)

Glance return "401 Unauthorized" when I want listing or uploading image

Asked by Nicolas de BONFILS on 2011-09-13

Hi,

I got the lastest version (from trunk) of nova, glance, swift, keystone and dashboard running.
Keystone is integrated into all the other part, and I can authenticate correctly with keystone CLI, swift CLI and dashboard web page form.
But with glance, it doesn't work.
When I want to upload an image :
glance-upload --host 192.168.23.5 --ramdisk uec-tar/ttylinux-uec-amd64-12.1_2.6.35-22_1/ttylinux-uec-amd64-12.1_2.6.35-22_1-initrd --kernel uec-tar/ttylinux-uec-amd64-12.1_2.6.35-22_1/ttylinux-uec-amd64-12.1_2.6.35-22_1-vmlinuz --type=machine uec-tar/ttylinux-uec-amd64-12.1_2.6.35-22_1/ttylinux-uec-amd64-12.1_2.6.35-22_1.img ttylinux

It return :
----
Failed to add new image. Got error: 401 Unauthorized

This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.

 Authentication required
----

All details, logs and conf here : http://paste.openstack.org/show/2430/

I don't know where to look to fix that. Any hints appreciated :) Thanks

Question information

Language:
English Edit question
Status:
Answered
For:
Glance Edit question
Assignee:
No assignee Edit question
Last query:
2011-09-13
Last reply:
2011-09-26
Kevin L. Mitchell (klmitch) said : #1

You need to pass an authentication token to the glance client with the --auth_token option. You can use keystone-manage to list existing tokens for your users and pick one of those. Pay attention to the expiration time on the tokens. (You can also use keystone-manage to create a long-lived token if you need to.)

(Yes, it would be better to have glance get the authentication token from keystone using the username and password, and there is in fact a project working on getting glance to do just that; the --auth_token was a quick hack to get the client to the point where the keystone integration could be tested.)

Dan Prince (dan-prince) said : #2

Hi Nicolas,

You won't have to worry about tokens expiring if you setup the following in your environment:

root@glance1:~# cat openstackrc
export OS_AUTH_USER=admin
export OS_AUTH_KEY=AABBCC112233
export OS_AUTH_TENANT=admin
export OS_AUTH_URL=http://login:5000/v2.0
export OS_AUTH_STRATEGY=keystone

root@glance1:~# source openstackrc

Once you have those variables set you should be all set when using glance client with keystone. In order for this to work you'll need the latest glance master source (from github) commit revision 9337103675b502b18dc3f75e67e14a489e1ebcce or later.

Hi Kevin,

I add the param you indicate and got :
Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...)

I found a script in tools/ that set those env, and set them by hand with my values :
> echo $OS_AUTH_KEY
999888777666
> echo $OS_AUTH_STRATEGY
keystone
> echo $OS_AUTH_TENANT
test
> echo $OS_AUTH_URL
http://192.168.23.5:5000/v1.1/
> echo $OS_AUTH_USER
admin

but got :
[16:58:10] ~/openstack
> glance -v --host 192.168.23.5 --auth_token 999888777666 index -d
/usr/local/bin/glance:4: UserWarning: Module paste was already imported from None, but /usr/lib/python2.6/dist-packages is being added to sys.path
  import pkg_resources
Traceback (most recent call last):
  File "/usr/local/bin/glance", line 5, in <module>
    pkg_resources.run_script('glance==2012.1', 'glance')
  File "/usr/lib/python2.6/dist-packages/pkg_resources.py", line 467, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.6/dist-packages/pkg_resources.py", line 1200, in run_script
    execfile(script_filename, namespace, namespace)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/EGG-INFO/scripts/glance", line 1204, in <module>
    result = command(options, args)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/EGG-INFO/scripts/glance", line 60, in wrapper
    ret = func(*args, **kwargs)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/EGG-INFO/scripts/glance", line 495, in images_index
    print_header=True)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/EGG-INFO/scripts/glance", line 441, in _images_index
    images = client.get_images(**parameters)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/glance/client.py", line 53, in get_images
    res = self.do_request("GET", "/images", params=params)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/glance/common/client.py", line 145, in do_request
    method, action, body=body, headers=headers, params=params)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/glance/common/client.py", line 232, in _do_request
    raise Exception("Internal Server error: %s" % res.read())
Exception: Internal Server error: {"cloudServersFault": {"message": "local variable '_' referenced before assignment", "code": 500}}

I you think that is another problem, I will open a new one.

Regards

Tries several time to got the last error, but now I'm stuck with the 'not authorized. check credentials' even if I set the env var

Jay Pipes (jaypipes) said : #5

Hi Nicolas,

I think you just have mixed up your token and key values. I believe $OS_AUTH_KEY should be secrete, not 999888777666.

Also, in your glance-api.conf, I saw this:

admin_token = secrete
#999888777666

That should probably be:

admin_token = 999888777666

Cheers!
jay

Dan Prince (dan-prince) said : #6

Hi Nicolas,

My openstackrc (listed above) was just an example. You'll have to supply your own valid credentials in that format and then source the file if you take this route.

Hope this helps.

Dan

Hi,

@Dan : yes, I put the correct info, but thanks for the update
@Jay : it's easy to mix up with the terms (difficulty to have another native language)

So, I update the script and env vars, and got :
> glance -d -v index
/usr/local/bin/glance:4: UserWarning: Module paste was already imported from None, but /usr/lib/python2.6/dist-packages is being added to sys.path
  import pkg_resources
Traceback (most recent call last):
  File "/usr/local/bin/glance", line 5, in <module>
    pkg_resources.run_script('glance==2012.1', 'glance')
  File "/usr/lib/python2.6/dist-packages/pkg_resources.py", line 467, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.6/dist-packages/pkg_resources.py", line 1200, in run_script
    execfile(script_filename, namespace, namespace)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/EGG-INFO/scripts/glance", line 1204, in <module>
    result = command(options, args)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/EGG-INFO/scripts/glance", line 60, in wrapper
    ret = func(*args, **kwargs)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/EGG-INFO/scripts/glance", line 495, in images_index
    print_header=True)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/EGG-INFO/scripts/glance", line 441, in _images_index
    images = client.get_images(**parameters)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/glance/client.py", line 53, in get_images
    res = self.do_request("GET", "/images", params=params)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/glance/common/client.py", line 140, in do_request
    method, action, body=body, headers=headers, params=params)
  File "/usr/local/lib/python2.6/dist-packages/glance-2012.1-py2.6.egg/glance/common/client.py", line 234, in _do_request
    raise Exception("Unknown error occurred! %s" % res.read())
Exception: Unknown error occurred! {"versions": [{"status": "CURRENT", "id": "v1.1", "links": [{"href": "http://192.168.23.5:9292/v1/", "rel": "self"}]}, {"status": "SUPPORTED", "id": "v1.0", "links": [{"href": "http://192.168.23.5:9292/v1/", "rel": "self"}]}]}

It seems that the keystone url is not supported. Here the sampledata.py, I used for keystone : http://paste.openstack.org/show/2433/
And the vars fill with :
OS_AUTH_USER=admin
OS_AUTH_KEY=999888777666
OS_AUTH_TENANT=test
OS_AUTH_URL=http://192.168.23.5:5000/v2.0
OS_AUTH_STRATEGY=keystone

And I try with other suffix than v2.0 : v1, v1.0, v1.1, also with and without ending slash

Jay Pipes (jaypipes) said : #9

OS_AUTH_KEY needs to be "secrete", not "9999888777666".

In addition, it looks like there may be an unrelated bug in the Glance client that is not properly catching the HTTP 300 Multiple Choices that is returned with the versions JSON output you see. I will check into that.

Cheers,
jay

Hi all,

Thanks for the help. I open a bug report (see Jay message) so we can track it : https://bugs.launchpad.net/glance/+bug/850685

---Nicolas

Jesse Andrews (anotherjesse) said : #11

looks like you can do:

glance add -A (token) as well now

Jay Pipes (jaypipes) said : #12

Please don't use the --auth-token -A options to the glance client. Those were a temporary fix to allow testing and are being removed in a near future release of Glance:

https://bugs.launchpad.net/glance/+bug/853933

Thanks!
-jay

Can you help with this problem?

Provide an answer of your own, or ask Nicolas de BONFILS for more information if necessary.

To post a message you must log in.