Comment 2 for bug 953989

Jay Pipes (jaypipes) wrote : Re: [Bug 953989] [NEW] Glance saying not authorized, Keystone produces token. Using -A token then works.

On 03/13/2012 08:36 AM, Kevin Jackson wrote:
> I set up keystone using the following script:
> https://github.com/uksysadmin/OpenStackInstaller/blob/essex/keystone-services.sh

That script needs to be modified. The concept of a service token has
been deprecated in the new Keystone code. More below...

> Essentially I create an admin user and another user (say demo). Both users are members of Admin.
> I set my service token to be 999888777666

OK, so this is admittedly very confusing. I was hit by this myself and
logged bugs in Keystone about it. Turns out that the concept of a
long-lived "service token" has been deprecated and the auth_token
middleware in Glance/Nova does not support this anymore.

What you need to do instead is use a regular user/password when using
the glance CLI command (either using options or using env vars). More
below...

> On running glance I used to be able to do this:
>
> glance -A 999888777666 index and this used to work before redux. It now
> says not authorized.

Yes, this no longer works as you expect. If you supply the -A option, it
needs to be a newly-created token that you retrieved from keystone
directly with, for example, a call to curl -X POST -H "X-Auth-User:
<USER>" -H "X-Auth-Key: <PASSWORD>" -H "X-Auth-Tenant: <TENANT>"
http://mykeystoneurl:5000/v2/tokens.

However, instead of making a separate call to get a token from Keystone,
you can just let the auth token middleware in Glance/Nova do this. More
below...

> On using username/password auth it says I'm not authorized
>
> root@openstack1:~# glance -I admin -K openstack -T admin index
> Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).

Now, the above SHOULD work. Can you try adding the "-S keystone" and
"--auth_url=<YOUR_KEYSTONE_ENDPOINT>" options to your command and letting
us know if that works properly? If it does, that means this bug can be
changed to something like "Defaults for auth_url and strategy are not
being used"

> but running keystone-all in debug shows:
>
> (root): 2012-03-13 12:26:37,900 DEBUG wsgi __call__ ******************** REQUEST BODY ********************
> (root): 2012-03-13 12:26:37,900 DEBUG wsgi __call__ {"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "openstack"}}}
> (root): 2012-03-13 12:26:37,900 DEBUG wsgi __call__
> /usr/lib/python2.7/dist-packages/webob/dec.py:142: DeprecationWarning: Response.request and Response.environ are deprecated
> req.response.request = req
> /usr/lib/python2.7/dist-packages/webob/dec.py:142: DeprecationWarning: Response.request and Response.environ are deprecated
> req.response.request = req
> /usr/lib/python2.7/dist-packages/webob/dec.py:142: DeprecationWarning: Response.request and Response.environ are deprecated
> req.response.request = req
> /usr/lib/python2.7/dist-packages/webob/dec.py:142: DeprecationWarning: Response.request and Response.environ are deprecated
> req.response.request = req
> /usr/lib/python2.7/dist-packages/webob/dec.py:142: DeprecationWarning: Response.request and Response.environ are deprecated
> req.response.request = req
> (root): 2012-03-13 12:26:37,902 DEBUG wsgi __call__ arg_dict: {}
> (root): 2012-03-13 12:26:38,031 DEBUG service authenticate TOKEN_REF {'id': '610fc0209e604c21b6730705b3a75ac0', 'expires': datetime.datetime(2012, 3, 14, 12, 26, 37, 955756), 'user': {u'tenantId': u'a73a0e51375f410bb3ef0967f33bdd54', u'enabled': u'true', u'email': u'root@localhost', 'name': u'admin', 'id': u'c4f6e60091664c7db7c3840cce6a1dcd'}, 'tenant': None, 'metadata': {}}
> (root): 2012-03-13 12:26:38,031 DEBUG wsgi __call__ ******************** RESPONSE HEADERS ********************
> (root): 2012-03-13 12:26:38,031 DEBUG wsgi __call__ Content-Type = application/json
> (root): 2012-03-13 12:26:38,031 DEBUG wsgi __call__ Vary = X-Auth-Token
> (root): 2012-03-13 12:26:38,031 DEBUG wsgi __call__ Content-Length = 244
> (root): 2012-03-13 12:26:38,031 DEBUG wsgi __call__
> (root): 2012-03-13 12:26:38,032 DEBUG wsgi print_generator ******************** RESPONSE BODY ********************
> (root): 2012-03-13 12:26:38,032 DEBUG wsgi print_generator {"access": {"token": {"expires": "2012-03-14T12:26:37Z", "id": "610fc0209e604c21b6730705b3a75ac0"}, "serviceCatalog": {}, "user": {"username": "admin", "roles_links": [], "id": "c4f6e60091664c7db7c3840cce6a1dcd", "roles": [], "name": "admin"}}}
>
> I then use that token and then glance appears to work.
>
> root@openstack1:~# glance -A 610fc0209e604c21b6730705b3a75ac0 index

Right, since it is a regular token (see explanation above).

Thanks!
-jay
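
The token exchange shown in the quoted debug log, as an added example that is not part of the original message or of the Glance/Keystone code: it rebuilds the request body from the log and reads the token id and expiry out of the response body, which is copied from the log. The function names are hypothetical.

```python
import json
from datetime import datetime, timezone

# Response body copied from the keystone-all debug log quoted in the message above.
SAMPLE_RESPONSE = (
    '{"access": {"token": {"expires": "2012-03-14T12:26:37Z", '
    '"id": "610fc0209e604c21b6730705b3a75ac0"}, "serviceCatalog": {}, '
    '"user": {"username": "admin", "roles_links": [], '
    '"id": "c4f6e60091664c7db7c3840cce6a1dcd", "roles": [], "name": "admin"}}}'
)


def build_auth_request(username, password, tenant_name):
    """Build the JSON body shown on the log's REQUEST BODY line (hypothetical helper)."""
    return json.dumps({
        "auth": {
            "tenantName": tenant_name,
            "passwordCredentials": {"username": username, "password": password},
        }
    })


def summarize_token(response_body, now):
    """Pull out what a caller needs before handing the token to `glance -A`."""
    access = json.loads(response_body)["access"]
    token = access["token"]
    # The log shows expiry as an ISO 8601 UTC timestamp with a trailing "Z".
    expires = datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    return {
        "id": token["id"],
        "expires": expires,
        "usable": now < expires,  # unlike the old fixed service token, this one ages out
        "seconds_left": max(0, int((expires - now).total_seconds())),
        "catalog_empty": not access.get("serviceCatalog"),
        "roles": [r.get("name") for r in access.get("user", {}).get("roles", [])],
    }


if __name__ == "__main__":
    info = summarize_token(SAMPLE_RESPONSE, datetime.now(timezone.utc))
    print(info["id"], "usable" if info["usable"] else "expired", info["expires"])
```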