glance and keystone configuration

Asked by Tamas Kapolnasi on 2011-09-19

I've tried configuring glance with keystone, but glance index command says that it's not authorized.

Where is the error in my configuration?

Thanks for your help.
Thomas

# glance -v --host 127.0.0.1 --auth_token 999888777666 index
Failed to show index. Got error:
Internal Server error: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 113, in __call__
    response = req.get_response(self.application)
  File "/usr/lib/pymodules/python2.7/webob/request.py", line 1053, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/pymodules/python2.7/webob/request.py", line 1022, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/keystone/middleware/auth_token.py", line 186, in __call__
    return self._forward_request(env, start_response, proxy_headers)
  File "/usr/lib/python2.7/dist-packages/keystone/middleware/auth_token.py", line 310, in _forward_request
    return self.app(env, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 113, in __call__
    response = req.get_response(self.application)
  File "/usr/lib/pymodules/python2.7/webob/request.py", line 1053, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/pymodules/python2.7/webob/request.py", line 1022, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 159, in __call__
    return resp(environ, start_response)
  File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in __call__
    response = self.app(environ, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 159, in __call__
    return resp(environ, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 311, in __call__
    request, **action_args)
  File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 328, in dispatch
    return method(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/glance/api/v1/images.py", line 112, in index
    **params)
  File "/usr/lib/python2.7/dist-packages/glance/registry/__init__.py", line 37, in get_images_list
    return c.get_images(**kwargs)
  File "/usr/lib/python2.7/dist-packages/glance/registry/client.py", line 59, in get_images
    res = self.do_request("GET", "/images", params=params)
  File "/usr/lib/python2.7/dist-packages/glance/common/client.py", line 148, in do_request
    raise exception.NotAuthorized(res.read())
NotAuthorized: 401 Unauthorized

This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.

 Authentication required

Completed in 0.0539 sec.

# dpkg -l |grep glance
ii glance 2011.3~d4-0ubuntu0~ppa1~natty1 OpenStack Image Registry and Delivery Service - Daemons
ii python-glance 2011.3~d4-0ubuntu0~ppa1~natty1 OpenStack Image Registry and Delivery Service - Python library

# dpkg -l |grep keystone
ii keystone 1.0~d4~20110823.1078-0ubuntu0ppa1~natty1 Proposed OpenStack identity service - Daemons
ii keystone-doc 1.0~d4~20110823.1078-0ubuntu0ppa1~natty1 Proposed OpenStack identity service - Documentation
ii python-keystone 1.0~d4~20110823.1078-0ubuntu0ppa1~natty1 Proposed OpenStack identity service - Python library

# keystone-manage user list
id enabled tenant
-------------------------------------------------------------------------------
joeuser 1 1234
joeadmin 1 1234
admin 1 1234
serviceadmin 1 1234
disabled 0 1234

# keystone-manage token list
token user expiration tenant
-------------------------------------------------------------------------------
887665443383838 joeuser 2012-02-05 00:00:00 1234
999888777666 admin 2015-02-05 00:00:00 1234
111222333444 serviceadmin 2015-02-05 00:00:00 1234
000999 admin 2010-02-05 00:00:00 1234
999888777 disabled 2015-02-05 00:00:00 1234

# keystone-manage tenant list
tenant enabled
-------------------------------------------------------------------------------
1234 1
ANOTHER:TENANT 1
0000 0

# export |grep OS_
declare -x OS_AUTH_KEY="secrete"
declare -x OS_AUTH_STRATEGY="keystone"
declare -x OS_AUTH_TENANT="1234"
declare -x OS_AUTH_URL="http://localhost:5000/v2.0"
declare -x OS_AUTH_USER="admin"

glance-api.conf:

...
[pipeline:glance-api]
#pipeline = versionnegotiation context apiv1app
# NOTE: use the following pipeline for keystone
pipeline = versionnegotiation authtoken context apiv1app

# To enable Image Cache Management API replace pipeline with below:
# pipeline = versionnegotiation context imagecache apiv1app
# NOTE: use the following pipeline for keystone auth (with caching)
#pipeline = versionnegotiation authtoken context imagecache apiv1app

[pipeline:versions]
pipeline = versionsapp

[app:versionsapp]
paste.app_factory = glance.api.versions:app_factory

[app:apiv1app]
paste.app_factory = glance.api.v1:app_factory

[filter:versionnegotiation]
paste.filter_factory = glance.api.middleware.version_negotiation:filter_factory

[filter:imagecache]
paste.filter_factory = glance.api.middleware.image_cache:filter_factory

[filter:context]
paste.filter_factory = glance.common.context:filter_factory

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 5001
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = 999888777666

glance api.log:

2011-09-19 13:41:29 DEBUG [eventlet.wsgi.server] 127.0.0.1 - - [19/Sep/2011 13:41:29] "GET /v1/images?limit=10 HTTP/1.1" 500 3598 0.048640
2011-09-19 13:41:43 DEBUG [glance.api.middleware.version_negotiation] Processing request: GET /v1/images Accept:
2011-09-19 13:41:43 DEBUG [glance.api.middleware.version_negotiation] Matched versioned URI. Version: 1.0
2011-09-19 13:41:43 DEBUG [root] HTTP PERF: 0.02209 seconds to GET 127.0.0.1:5001 /v2.0/tokens/999888777666)
2011-09-19 13:41:43 DEBUG [root] HTTP PERF: 0.02110 seconds to GET 127.0.0.1:5001 /v2.0/tokens/999888777666)
2011-09-19 13:41:43 DEBUG [routes.middleware] Matched GET /images
2011-09-19 13:41:43 DEBUG [routes.middleware] Route path: '/images', defaults: {'action': u'index', 'controller': <glance.common.wsgi.Resource object at 0x31097d0>}
2011-09-19 13:41:43 DEBUG [routes.middleware] Match dict: {'action': u'index', 'controller': <glance.common.wsgi.Resource object at 0x31097d0>}
2011-09-19 13:41:43 DEBUG [eventlet.wsgi.server] Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 113, in __call__
    response = req.get_response(self.application)
  File "/usr/lib/pymodules/python2.7/webob/request.py", line 1053, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/pymodules/python2.7/webob/request.py", line 1022, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/keystone/middleware/auth_token.py", line 186, in __call__
    return self._forward_request(env, start_response, proxy_headers)
  File "/usr/lib/python2.7/dist-packages/keystone/middleware/auth_token.py", line 310, in _forward_request
    return self.app(env, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 113, in __call__
    response = req.get_response(self.application)
  File "/usr/lib/pymodules/python2.7/webob/request.py", line 1053, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/pymodules/python2.7/webob/request.py", line 1022, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 159, in __call__
    return resp(environ, start_response)
  File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in __call__
    response = self.app(environ, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 159, in __call__
    return resp(environ, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 311, in __call__
    request, **action_args)
  File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 328, in dispatch
    return method(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/glance/api/v1/images.py", line 112, in index
    **params)
  File "/usr/lib/python2.7/dist-packages/glance/registry/__init__.py", line 37, in get_images_list
    return c.get_images(**kwargs)
  File "/usr/lib/python2.7/dist-packages/glance/registry/client.py", line 59, in get_images
    res = self.do_request("GET", "/images", params=params)
  File "/usr/lib/python2.7/dist-packages/glance/common/client.py", line 148, in do_request
    raise exception.NotAuthorized(res.read())
NotAuthorized: 401 Unauthorized

This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.

 Authentication required

Question information

Language:
English Edit question
Status:
Solved
For:
Glance Edit question
Assignee:
No assignee Edit question
Solved by:
Tamas Kapolnasi
Solved:
2011-09-19
Last query:
2011-09-19
Last reply:

I've found the solution:

/etc/glance/glance-api.conf:
#pipeline = versionnegotiation authtoken context apiv1app
pipeline = versionnegotiation tokenauth context apiv1app
...
#[filter:authtoken]
[filter:tokenauth]

/etc/glance/glance-registry.conf:
#pipeline = authtoken keystone_shim context registryapp
pipeline = tokenauth keystone_shim context registryapp
...
#[filter:authtoken]
[filter:tokenauth]

# glance -v --host 127.0.0.1 --auth_token 999888777666 index
Completed in 0.0893 sec.

root@openstackdev:~/downloads# glance -v --host 127.0.0.1 -A 999888777666 --verbose add name="natty-server-amd64" is_public=true < natty-server-cloudimg-amd64.img
Added new image with ID: 1
Returned the following metadata for the new image:
                       checksum => bae737367f42c0590b972e572ade4288
               container_format => ovf
                     created_at => 2011-09-19T12:23:43
                        deleted => False
                     deleted_at => None
                    disk_format => raw
                             id => 1
                      is_public => True
                       location => file:///var/lib/glance/images/1
                           name => natty-server-amd64
                          owner => None
                     properties => {}
                           size => 1476395008
                         status => active
                     updated_at => 2011-09-19T12:24:00
Completed in 16.3209 sec.

Nicolas d (nicolas2b) said : #2

Hi,

Can you put on paste.openstack.org, the sampledata you used because, I got the same probleme, got the same conf, but got a problem with the id of user( instead of "joeuser,joeadmin, admin, serviceadmin, disabled", I have numbers : 1, 2, 3, 4, 5)

Thanks

--- Nicolas

I used this is default sampledata.sh (location ~keystone/bin/sampledata.sh):
http://paste.openstack.org/show/2479/

T.

duypd (warsaw20062000) said : #4

Hi Tamas Kapolnasi,

I fix files configuration of glance via your guide.
When I run command "glance -v --host 127.0.0.1 --auth_token e0e8ac207b614f8fb42cf1031baa7570 --verbose add", output of command is "Completed in 0.003s" but still error in output as:

'''
Failed to show index. Got error:
The request returned 500 Internal Server Error
...........................................................
ServiceUnavailable: The request returned 503 Service Unavilable. This generally occurs on service overload or other transient outage.
'''

Can you help me?

Manuel Muradás (dieresys) said : #5

Hi duypd,

I've found the same problem and a I've realized that the documentation is missing a change in the following file:
/etc/glance/glance-registry-paste.ini

At the end of the file you have you have to change the following lines:
{{{
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
}}}

with:
{{{
admin_tenant_name = service
admin_user = glance
admin_password = glance
}}}