Keystone integration in glance

Asked by Tamas Kapolnasi on 2011-09-24

I've used these links to configure glance and keystone:
http://glance.openstack.org/authentication.html
http://docs.openstack.org/diablo/openstack-identity/admin/content/creating-tenants-users-roles-tokens-and-endpoints.html

I would like to upload an image that other users cannot see (other users can't have permission).
I've uploaded an image with 'glance add', but the owner attribute didn't get a value (in the database the owner value is NULL).

The keystone gives the following message in debug mode:
AttributeError: 'NoneType' object has no attribute 'enabled'

Why doesn't the owner get a value while uploading an image?

If I upload with the following commands, I won't see anything in the keystone log file and the owner value will be NULL too.

euca-bundle-image -u 999888777666 -i natty-server-cloudimg-amd64.img
euca-upload-bundle -b test -m /tmp/natty-server-cloudimg-amd64.img.manifest.xml
euca-register -a x86_64 -n natty-server-test-keystone-amd64.img test/natty-server-cloudimg-amd64.img.manifest.xml

Thanks for your help,
Thomas

- keystone from git (1.0)
- glance 2011.3~d4

# dpkg -l |grep glance
ii glance 2011.3~d4-0ubuntu0~ppa1~natty1 OpenStack Image Registry and Delivery Service - Daemons
ii python-glance 2011.3~d4-0ubuntu0~ppa1~natty1 OpenStack Image Registry and Delivery Service - Python library

keystone.conf:

[DEFAULT]
# Show more verbose log output (sets INFO log level output)
verbose = False

# Show debugging output in logs (sets DEBUG log level output)
debug = True

# Which backend store should Keystone use by default.
# Default: 'sqlite'
# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
default_store = sqlite

# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
log_file = keystone.log

# List of backends to be configured
backends = keystone.backends.sqlalchemy
#For LDAP support, add: ,keystone.backends.ldap

# Dictionary Maps every service to a header.Missing services would get header
# X_(SERVICE_NAME) Key => Service Name, Value => Header Name
service-header-mappings = {
        'nova' : 'X-Server-Management-Url',
        'swift' : 'X-Storage-Url',
        'cdn' : 'X-CDN-Management-Url'}

# Address to bind the API server
# TODO Properties defined within app not available via pipeline.
service_host = 0.0.0.0

# Port the bind the API server to
service_port = 5000

# Address to bind the Admin API server
admin_host = 0.0.0.0

# Port the bind the Admin API server to
admin_port = 5001

#Role that allows to perform admin operations.
keystone-admin-role = Admin

#Role that allows to perform service admin operations.
keystone-service-admin-role = KeystoneServiceAdmin

[keystone.backends.sqlalchemy]
# SQLAlchemy connection string for the reference implementation registry
# server. Any valid SQLAlchemy connection string is fine.
# See: http://bit.ly/ideIpI
sql_connection = sqlite:///keystone.db
backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
                    'User', 'Credentials', 'EndpointTemplates', 'Token',
                    'Service']

# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
sql_idle_timeout = 30

[pipeline:admin]
pipeline =
        urlrewritefilter
        admin_api

[pipeline:keystone-legacy-auth]
pipeline =
        urlrewritefilter
        legacy_auth
        RS-KEY-extension
        service_api

[app:service_api]
paste.app_factory = keystone.server:service_app_factory

[app:admin_api]
paste.app_factory = keystone.server:admin_app_factory

[filter:urlrewritefilter]
paste.filter_factory = keystone.middleware.url:filter_factory

[filter:legacy_auth]
paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory

[filter:RS-KEY-extension]
paste.filter_factory = keystone.contrib.extensions.rskey.frontend:filter_factory

glance-api.conf:

...
pipeline = versionnegotiation tokenauth context apiv1app

# To enable Image Cache Management API replace pipeline with below:
# pipeline = versionnegotiation context imagecache apiv1app
# NOTE: use the following pipeline for keystone auth (with caching)
#pipeline = versionnegotiation authtoken context imagecache apiv1app

[pipeline:versions]
pipeline = versionsapp

[app:versionsapp]
paste.app_factory = glance.api.versions:app_factory

[app:apiv1app]
paste.app_factory = glance.api.v1:app_factory

[filter:versionnegotiation]
paste.filter_factory = glance.api.middleware.version_negotiation:filter_factory

[filter:imagecache]
paste.filter_factory = glance.api.middleware.image_cache:filter_factory

[filter:context]
paste.filter_factory = glance.common.context:filter_factory

[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 5001
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = 999888777666

# Allows anonymous access
delay_auth_decision = 1

[filter:keystone_shim]
paste.filter_factory = keystone.middleware.glance_auth_token:filter_factory

glance-registry.conf:

...
[pipeline:glance-registry]
#pipeline = context registryapp
# NOTE: use the following pipeline for keystone
pipeline = tokenauth keystone_shim context registryapp

[app:registryapp]
paste.app_factory = glance.registry.server:app_factory

[filter:context]
context_class = glance.registry.context.RequestContext
paste.filter_factory = glance.common.context:filter_factory

[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 5001
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = 999888777666

# Allows anonymous access
delay_auth_decision = 1

[filter:keystone_shim]
paste.filter_factory = keystone.middleware.glance_auth_token:filter_factory

api-paste.ini:

...
[pipeline:openstackapi10]
#pipeline = faultwrap noauth ratelimit osapiapp10
# NOTE(vish): use the following pipeline for deprecated auth
# pipeline = faultwrap auth ratelimit osapiapp10
# NOTE(vish): use the following pipeline for keystone
pipeline = faultwrap tokenauth keystonecontext ratelimit osapiapp10

[pipeline:openstackapi11]
#pipeline = faultwrap noauth ratelimit extensions osapiapp11
# NOTE(vish): use the following pipeline for deprecated auth
# pipeline = faultwrap auth ratelimit extensions osapiapp11
# NOTE(vish): use the following pipeline for keystone
pipeline = faultwrap tokenauth keystonecontext ratelimit extensions osapiapp11

[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory

[filter:auth]
paste.filter_factory = nova.api.openstack.auth:AuthMiddleware.factory

[filter:noauth]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory

[filter:ratelimit]
paste.filter_factory = nova.api.openstack.limits:RateLimitingMiddleware.factory

[filter:extensions]
paste.filter_factory = nova.api.openstack.extensions:ExtensionMiddleware.factory

[app:osapiapp10]
paste.app_factory = nova.api.openstack:APIRouterV10.factory

[app:osapiapp11]
paste.app_factory = nova.api.openstack:APIRouterV11.factory

[pipeline:osversions]
pipeline = faultwrap osversionapp

[app:osversionapp]
paste.app_factory = nova.api.openstack.versions:Versions.factory

##########
# Shared #
##########

[filter:keystonecontext]
paste.filter_factory = nova.api.auth:KeystoneContext.factory

[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 5001
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = 999888777666

[filter:auth_shim]
paste.filter_factory = keystone.middleware.nova_auth_token:KeystoneAuthShim.factory

keystone start:

Starting the RS-KEY extension
Starting the Legacy Authentication component
admin : INFO **************************************************
admin : INFO Configuration options gathered from config file:
admin : INFO /root/keystone/etc/keystone.conf
admin : INFO ================================================
admin : INFO admin_host 0.0.0.0
admin : INFO admin_port 5001
admin : INFO backends keystone.backends.sqlalchemy
admin : INFO debug True
admin : INFO default_store sqlite
admin : INFO keystone-admin-role Admin
admin : INFO keystone-service-admin-role KeystoneServiceAdmin
admin : INFO log_file keystone.log
admin : INFO service-header-mappings {
'nova' : 'X-Server-Management-Url',
'swift' : 'X-Storage-Url',
'cdn' : 'X-CDN-Management-Url'}
admin : INFO service_host 0.0.0.0
admin : INFO service_port 5000
admin : INFO verbose False
admin : INFO **************************************************
Using config file: /root/keystone/etc/keystone.conf
Service API listening on 0.0.0.0:5000
Admin API listening on 0.0.0.0:5001
eventlet.wsgi.server: DEBUG (11492) wsgi starting up on http://0.0.0.0:5000/
eventlet.wsgi.server: DEBUG (11492) wsgi starting up on http://0.0.0.0:5001/

./keystone-manage tenant add admin
./keystone-manage tenant add demo

./keystone-manage user add admin secrete 1
./keystone-manage user add demo secrete 2

./keystone-manage role add Admin
./keystone-manage role add Member
./keystone-manage role grant Admin admin

./keystone-manage endpointTemplates add RegionOne swift http://%HOST_IP%:8080/v1/AUTH_%tenant_id% http://%HOST_IP%:8080/ http://%HOST_IP%:8080/v1/AUTH_%tenant_id% 1 1
./keystone-manage endpointTemplates add RegionOne nova_compat http://%HOST_IP%:8774/v1.0/ http://%HOST_IP%:8774/v1.0 http://%HOST_IP%:8774/v1.0 1 1
./keystone-manage endpointTemplates add RegionOne nova http://%HOST_IP%:8774/v1.1/%tenant_id% http://%HOST_IP%:8774/v1.1/%tenant_id% http://%HOST_IP%:8774/v1.1/%tenant_id% 1 1
./keystone-manage endpointTemplates add RegionOne glance http://%HOST_IP%:9292/v1.1/%tenant_id% http://%HOST_IP%:9292/v1.1/%tenant_id% http://%HOST_IP%:9292/v1.1/%tenant_id% 1 1
./keystone-manage endpointTemplates add RegionOne identity http://%HOST_IP%:5000/v2.0 http://%HOST_IP%:5001/v2.0 http://%HOST_IP%:5000/v2.0 1 1

./keystone-manage token add 999888777666 1 1 2015-02-05T00:00

./keystone-manage endpoint add 1 1
./keystone-manage endpoint add 1 2
./keystone-manage endpoint add 1 3
./keystone-manage endpoint add 1 4
./keystone-manage endpoint add 1 5
./keystone-manage endpoint add 1 6

./keystone-manage endpoint add 2 1
./keystone-manage endpoint add 2 2
./keystone-manage endpoint add 2 3
./keystone-manage endpoint add 2 4
./keystone-manage endpoint add 2 5
./keystone-manage endpoint add 2 6

result:

SUCCESS: Tenant admin created.
SUCCESS: Tenant demo created.
SUCCESS: User admin created.
SUCCESS: User demo created.
SUCCESS: Role Admin created successfully.
SUCCESS: Role Member created successfully.
SUCCESS: Granted admin the Admin role on None.
SUCCESS: Created EndpointTemplates for swift pointing to http://%HOST_IP%:8080/v1/AUTH_%tenant_id%.
SUCCESS: Created EndpointTemplates for nova_compat pointing to http://%HOST_IP%:8774/v1.0/.
SUCCESS: Created EndpointTemplates for nova pointing to http://%HOST_IP%:8774/v1.1/%tenant_id%.
SUCCESS: Created EndpointTemplates for glance pointing to http://%HOST_IP%:9292/v1.1/%tenant_id%.
SUCCESS: Created EndpointTemplates for identity pointing to http://%HOST_IP%:5000/v2.0.
SUCCESS: Token 999888777666 created.
SUCCESS: Endpoint 1 added to tenant 1.
SUCCESS: Endpoint 2 added to tenant 1.
SUCCESS: Endpoint 3 added to tenant 1.
SUCCESS: Endpoint 4 added to tenant 1.
SUCCESS: Endpoint 5 added to tenant 1.
SUCCESS: Endpoint 6 added to tenant 1.
SUCCESS: Endpoint 1 added to tenant 2.
SUCCESS: Endpoint 2 added to tenant 2.
SUCCESS: Endpoint 3 added to tenant 2.
SUCCESS: Endpoint 4 added to tenant 2.
SUCCESS: Endpoint 5 added to tenant 2.
SUCCESS: Endpoint 6 added to tenant 2.

# ./keystone-manage user list
id enabled tenant
--------------------
admin 1 1
demo 1 2

# ./keystone-manage tenant list
tenant enabled
--------------------
admin 1
demo 1

# ./keystone-manage token list
token user expiration tenant
--------------------
999888777666 1 2015-02-05 00:00:00 1

# export|grep NOVA_
declare -x NOVA_API_KEY="bd87d2bb-3006-4153-88ff-078398b2e4df"
declare -x NOVA_AUTH_STRATEGY="keystone"
declare -x NOVA_CERT="/root/creds/cacert.pem"
declare -x NOVA_PROJECT_ID="2"
declare -x NOVA_URL="http://192.168.0.75:5000/v2.0"
declare -x NOVA_USERNAME="demo"
declare -x NOVA_VERSION="1.1"

# export|grep OS_
declare -x OS_AUTH_KEY="secrete"
declare -x OS_AUTH_STRATEGY="keystone"
declare -x OS_AUTH_TENANT="2"
declare -x OS_AUTH_URL="http://localhost:5000/v2.0"
declare -x OS_AUTH_USER="demo"

# glance -v --host 127.0.0.1 -A 999888777666 add name="natty-server-amd64" is_public=true < natty-server-cloudimg-amd64.img
Added new image with ID: 6
Returned the following metadata for the new image:
                       checksum => bae737367f42c0590b972e572ade4288
               container_format => ovf
                     created_at => 2011-09-24T10:19:47
                        deleted => False
                     deleted_at => None
                    disk_format => raw
                             id => 6
                      is_public => True
                       location => file:///var/lib/glance/images/6
                           name => natty-server-amd64
                          owner => None
                     properties => {}
                           size => 1476395008
                         status => active
                     updated_at => 2011-09-24T10:20:15
Completed in 27.8087 sec.

mysql> select owner from images where id=6 ;
+-------+
| owner |
+-------+
| NULL |
+-------+
1 row in set (0.00 sec)

keystone.log:

eventlet.wsgi.server: DEBUG (11784) wsgi starting up on http://0.0.0.0:5000/
eventlet.wsgi.server: DEBUG (11784) wsgi starting up on http://0.0.0.0:5001/
sqlalchemy.engine.base.Engine.0x...d850: INFO SELECT token.id AS token_id, token.user_id AS token_user_id, token.tenant_id AS token_tenant_id, token.expires AS token_expires
FROM token
WHERE token.id = ?
 LIMIT 1 OFFSET 0
sqlalchemy.engine.base.Engine.0x...d850: INFO ('999888777666',)
sqlalchemy.engine.base.Engine.0x...d850: INFO SELECT users.id AS users_id, users.password AS users_password, users.email AS users_email, users.enabled AS users_enabled, users.tenant_id AS users_tenant_id
FROM users
WHERE users.id = ?
 LIMIT 1 OFFSET 0
sqlalchemy.engine.base.Engine.0x...d850: INFO (u'1',)
root : ERROR 'NoneType' object has no attribute 'enabled'
Traceback (most recent call last):
  File "/root/keystone/keystone/utils.py", line 57, in check_error
    return func(*args, **kwargs)
  File "/root/keystone/keystone/controllers/auth.py", line 36, in validate_token
    utils.get_auth_token(req), token_id, belongs_to)
  File "/root/keystone/keystone/logic/service.py", line 116, in validate_token
    self.__validate_admin_token(admin_token)
  File "/root/keystone/keystone/logic/service.py", line 500, in __validate_admin_token
    (token, user) = self.__validate_token(token_id)
  File "/root/keystone/keystone/logic/service.py", line 484, in __validate_token
    if not user.enabled:
AttributeError: 'NoneType' object has no attribute 'enabled'
eventlet.wsgi.server: DEBUG 127.0.0.1 - - [24/Sep/2011 12:19:47] "GET /v2.0/tokens/999888777666 HTTP/1.1" 500 266 0.028431

Question information

Language: English
Status: Answered
For: Glance
Assignee: No assignee
Last query: 2011-10-10
Last reply: 2012-03-20
Launchpad Janitor (janitor) said : #1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Does anyone have an idea about this question?

Jay Pipes (jaypipes) said : #3

Hi!

Sorry, somehow your question must have gotten lost in my inbox! My apologies.

It looks like you are using the tokenauth AND keystone_shim authentication middleware on the Registry, but using the tokenauth only on the API server.

Note your registry's application pipeline:

pipeline = tokenauth keystone_shim context registryapp

I believe that should just be:

pipeline = tokenauth context registryapp

Finally, I believe you should update to the final Diablo release to get some bug fixes that were included in the last milestone. You will also need to make additional changes to your glance-api.conf and glance-registry.conf if you do that update, as "tokenauth" was changed to be "authtoken", in order to match the rest of the codebase.

I'm going to ask Kevin Mitchell to also have a look at this question and provide some feedback, as Kevin understands the authentication middleware better than I do.

Cheers,
jay

Ok, thank you Jay, I'm waiting for his answer!

Kevin L. Mitchell (klmitch) said : #5

Looking at your glance-api.conf and glance-registry.conf, I see errors which could be the source of at least some of your problem.

In glance-api.conf, you have:

    pipeline = versionnegotiation tokenauth context apiv1app

The problem here is that the "context" filter is not keystone-aware. The "tokenauth" filter communicates with keystone and puts some appropriate data in the environment, but "context" doesn't look for them. You need to replace "context" with "keystone_shim", which does the same thing as "context" but is aware of keystone. What you should have here is:

    pipeline = versionnegotiation tokenauth keystone_shim apiv1app

In glance-registry.conf, you have:

    pipeline = tokenauth keystone_shim context registryapp

Here you have both "tokenauth" and "keystone_shim", but you follow them with "context"; since "context" is not keystone-aware, it overwrites the request context that "keystone_shim" generated. What you should have here is:

    pipeline = tokenauth keystone_shim registryapp

There is also one more error in your glance-registry.conf. You'll notice that your "[filter:context]" section has a "context_class" line which is not present in "[filter:keystone_shim]"; you need to copy that "context_class" line into the "[filter:keystone_shim]" section, like so:

    [filter:keystone_shim]
    context_class = glance.registry.context.RequestContext
    paste.filter_factory = keystone.middleware.glance_auth_token:filter_factory

Note that you do *not* need this same change in glance-api.conf. Basically, what's happening here is that the registry requires a version of the context with a few more features that are not used (and cannot be used) by the API, and "context_class" is a way of overriding that.

I hope this helps! Please let me know if you still need help. (Also note that I have not looked over your keystone or nova configuration...)
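To make the ordering point concrete, here is an added simulation written for this page (it is not code from Glance or Keystone) of the paste pipelines quoted above: each filter is reduced to the one effect that matters for the image owner, and the `glance.context` key, the tenant value `2` and the filter bodies are constructed stand-ins for what auth_token, glance_auth_token and the plain context filter do.

```python
"""Constructed model of Glance paste pipeline ordering (not project code).

Paste applies filters left to right; the last name is the application.
Whichever context filter runs last decides what the app sees as 'owner'.
"""


class RequestContext:
    """Stand-in for Glance's request context, reduced to the fields the
    question is about: the tenant that becomes the image owner."""

    def __init__(self, owner=None, is_admin=False):
        self.owner = owner
        self.is_admin = is_admin


def tokenauth(environ):
    """Stand-in for keystone.middleware.auth_token: after validating the
    caller's token it leaves identity headers in the WSGI environ.
    The tenant id and role are constructed sample values."""
    environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
    environ["HTTP_X_TENANT"] = "2"
    environ["HTTP_X_ROLE"] = "Member"


def keystone_shim(environ):
    """Keystone-aware context filter: builds the context from the headers
    tokenauth left, so owner becomes the caller's tenant."""
    if environ.get("HTTP_X_IDENTITY_STATUS") != "Confirmed":
        environ["glance.context"] = RequestContext()  # anonymous request
        return
    roles = environ.get("HTTP_X_ROLE", "").split(",")
    environ["glance.context"] = RequestContext(
        owner=environ["HTTP_X_TENANT"], is_admin="Admin" in roles)


def context(environ):
    """Non-keystone-aware context filter: never looks at the X-* headers and
    unconditionally installs a fresh context, overwriting any earlier one."""
    environ["glance.context"] = RequestContext(owner=None)


def noop(environ):
    """Filters that do not touch the context (versionnegotiation, imagecache)."""


def app(environ):
    """Stand-in for apiv1app / registryapp: stamps the new image's owner
    from whatever context reached it."""
    ctx = environ.get("glance.context")
    environ["image.owner"] = None if ctx is None else ctx.owner


FILTERS = {"tokenauth": tokenauth, "keystone_shim": keystone_shim,
           "context": context, "versionnegotiation": noop,
           "imagecache": noop, "apiv1app": app, "registryapp": app}


def run_pipeline(pipeline):
    """Run a pipeline string exactly as written in a paste config and return
    the owner the application would record for a newly added image."""
    environ = {}
    for name in pipeline.split():
        FILTERS[name](environ)
    return environ.get("image.owner")
```

Running the question's API pipeline (`versionnegotiation tokenauth context apiv1app`) yields an owner of None, which matches the NULL seen in the database, while the corrected orderings yield the caller's tenant.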

sanjaya dahal (sdtranquility) said : #6

I mistakenly added a wrong IP while creating API endpoints for keystone. How can I delete that and assign the right endpoints?
Whenever I try to run the delete command, the output is:
sudo keystone-manage endpointTemplates disable RegionOne nova http://wrong_IP:8774/v1.1/%tenant_id% http://wrong_IP:8774/v1.1/%tenant_id% http://wrong_IP:8774/v1.1/%tenant_id% 1 1
Action not supported for endpointTemplates

Jay Pipes (jaypipes) said : #7

Sanjaya, please ask your question on the Keystone forum:

https://answers.launchpad.net/keystone/+addquestion

Thanks!
jay
