Keystone and Nova Users

Asked by Andrew Weiss

Hey guys,

I have an OpenStack environment implemented in a lab setting for the purposes of research. I am a bit confused as to the difference between creating users/projects via nova-manage and users/projects in keystone using keystone-manage. I can't seem to find anything in the documentation that distinguishes between them.

When I deploy the "Horizon" component, I am required to use keystone to create users, tenants, and so forth. Should these overlap with those created in Nova?

As a result, I am also experiencing an issue with euca2ools where I receive the following error:

"Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error
None: None"

This is probably related to the environment variables in openrc. I'm not sure which users/projects to use in the openrc file.

Thanks,

Andrew

Question information

Language: English
Status: Solved
For: OpenStack Identity (keystone)
Assignee: No assignee
Solved by: Andrew Weiss

Andrew Weiss (weissa) said :
#1

Also receiving this error in the nova-api.log file:

"10.129.1.2 POST /services/Cloud/ None:None 400 [Boto/2.0 (linux2)] application/x-www-form-urlencoded text/plain"

Andrew Weiss (weissa) said :
#2

Hey guys,

So I wanted to follow up on my own issue and give others out there a solution to my problem.

I was able to get some more information regarding the differences between nova-manage users and keystone users from some community members in the chat room. I think user management should be documented further when distinguishing between Keystone users and Nova users.

Regarding the EC2 credentials and euca-tools, it turns out the problem goes back to my "openrc" file (go figure, after hours and hours of diagnostics). The EC2_ACCESS_KEY environment variable was initially set as follows:

EC2_ACCESS_KEY="$KEYSTONE_USERNAME:$KEYSTONE_TENANT"

After listing the stored EC2 tokens via keystone-manage token list, I noticed that one of the tokens was NOT assigned to a keystone tenant. Turns out that when I initially created EC2 credentials for the user, I failed to include a tenant. By removing the $KEYSTONE_TENANT variable from the EC2_ACCESS_KEY I was able to get it to work. For future reference, ensure that your access key matches the keystone username AND/OR tenant exactly how it was entered in the EC2 credential command.

Yaguang Tang (heut2008) said :
#3

Nova users/projects were used before Keystone as the default auth service. Now, Nova uses Keystone to perform the auth. But if you want to use euca2ools with Keystone, you should create the same users/projects (tenants) in both Keystone and the Nova user and project tables using nova-manage.

Yaguang Tang (heut2008) said :
#4

In Keystone, credentials are used for EC2 auth, so you should create credentials and also add the same credential to Nova using nova-manage.

Qiu Yu (unicell) said :
#5

It also took me some time to troubleshoot this euca2ools and Keystone issue, with the following error message:

>>"Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error
None: None"

Just as Yaguang mentioned above, one should use the same credentials in nova-manage as those in keystone-manage. And let me be more specific.

>>nova-manage user admin admin
>>nova-manage project create openstackDemo admin
>>keystone-manage credentials add admin EC2 'secretword' openstackDemo

Then, you should export "EC2_ACCESS_KEY=admin:openstackDemo" and "EC2_SECRET_KEY=secretword" in order to use euca2ools together with Keystone and Nova.
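
The mismatch described in #2 and the matching setup in #5, as an added example that is not part of the thread: a shell check that sources an openrc file and compares EC2_ACCESS_KEY with the user and tenant the EC2 credential was created with. The function names are hypothetical, and user and tenant are supplied by hand as an assumption; the script does not query Keystone.

```shell
#!/bin/sh
# Added example: pre-flight check for the EC2 variables in an openrc file.
# Assumption: user and tenant are passed in by hand, exactly as entered in
# "keystone-manage credentials add"; pass "" when no tenant was given.

# expected_access_key USER TENANT -> prints the access key euca2ools must send
expected_access_key() {
    if [ -n "$2" ]; then
        printf '%s:%s\n' "$1" "$2"
    else
        printf '%s\n' "$1"
    fi
}

# check_openrc FILE USER TENANT -> returns 0 when EC2_ACCESS_KEY matches
check_openrc() {
    rc_file=$1
    case $rc_file in */*) ;; *) rc_file=./$rc_file ;; esac  # keep "." off PATH lookup
    want=$(expected_access_key "$2" "$3")
    # Source in a subshell: the caller's environment stays untouched and
    # references such as $KEYSTONE_TENANT expand the way openrc defines them.
    have=$(unset EC2_ACCESS_KEY; . "$rc_file" >/dev/null 2>&1
           printf '%s' "${EC2_ACCESS_KEY-}")
    if [ "$have" = "$want" ]; then
        echo "OK: EC2_ACCESS_KEY=$have"
        return 0
    fi
    echo "MISMATCH: openrc sends '$have', credential is stored as '$want'" >&2
    return 1
}

# Constructed sample reproducing the thread: openrc appends a tenant, while
# the credential in the first call was created without one.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
KEYSTONE_USERNAME=admin
KEYSTONE_TENANT=openstackDemo
export EC2_ACCESS_KEY="$KEYSTONE_USERNAME:$KEYSTONE_TENANT"
EOF
    check_openrc "$tmp" admin "" || echo "fix openrc or re-create the credential"
    check_openrc "$tmp" admin openstackDemo
    rm -f "$tmp"
}
demo
```

The check sources the file, so point it only at the openrc you already load into your own shell.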