That script needs to be modified. The concept of a service token has
been deprecated in the new Keystone code. More below...
> Essentially I create an admin user and another user (say demo). Both users are members of Admin.
> I set my service token to be 999888777666
OK, so this is admittedly very confusing. I was hit by this myself and
logged bugs in Keystone about it. Turns out that the concept of a
long-lived "service token" has been deprecated and the auth_token
middleware in Glance/Nova does not support this anymore.
What you need to do instead is use a regular user/password when using
the glance CLI command (either using options or using env vars). More
below...
> On running glance I used to be able to do this:
>
> glance -A 999888777666 index and this used to work before redux. It now
> says not authorized.
Yes, this no longer works as you expect. If you supply the -A option, it
needs to be a newly-created token that you retreived from keystone
directly with, for example, a call to curl -X POST -H "X-Auth-User:
<USER>" -H "X-Auth-Key: <PASSWORD>" -H "X-Auth-Tenant: <TENANT>" http://mykeystoneurl:5000/v2/tokens.
However, instead of making a separate call to get a token from Keystone,
you can just let the auth token middleware in Glance/Nova do this. More
below...
> On using username/password auth it says I'm not authorized
>
> root@openstack1:~# glance -I admin -K openstack -T admin index
> Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).
Now, the above SHOULD work. Can you try adding the "-S keystone" and
--auth_url=<YOUR_KEYSTONE_ENDPOINT>" options to your command and letting
us know if that works properly? If it does, that means this bug can be
changed to something like "Defaults for auth_url and strategy are not
being used"
On 03/13/2012 08:36 AM, Kevin Jackson wrote: /github. com/uksysadmin/ OpenStackInstal ler/blob/ essex/keystone- services. sh
> I set up keystone using the following script:
> https:/
That script needs to be modified. The concept of a service token has
been deprecated in the new Keystone code. More below...
> Essentially I create an admin user and another user (say demo). Both users are members of Admin.
> I set my service token to be 999888777666
OK, so this is admittedly very confusing. I was hit by this myself and
logged bugs in Keystone about it. Turns out that the concept of a
long-lived "service token" has been deprecated and the auth_token
middleware in Glance/Nova does not support this anymore.
What you need to do instead is use a regular user/password when using
the glance CLI command (either using options or using env vars). More
below...
> On running glance I used to be able to do this:
>
> glance -A 999888777666 index and this used to work before redux. It now
> says not authorized.
Yes, this no longer works as you expect. If you supply the -A option, it mykeystoneurl: 5000/v2/ tokens.
needs to be a newly-created token that you retreived from keystone
directly with, for example, a call to curl -X POST -H "X-Auth-User:
<USER>" -H "X-Auth-Key: <PASSWORD>" -H "X-Auth-Tenant: <TENANT>"
http://
However, instead of making a separate call to get a token from Keystone,
you can just let the auth token middleware in Glance/Nova do this. More
below...
> On using username/password auth it says I'm not authorized
>
> root@openstack1:~# glance -I admin -K openstack -T admin index
> Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).
Now, the above SHOULD work. Can you try adding the "-S keystone" and url=<YOUR_ KEYSTONE_ ENDPOINT> " options to your command and letting
--auth_
us know if that works properly? If it does, that means this bug can be
changed to something like "Defaults for auth_url and strategy are not
being used"
> but running keystone-all in debug shows: ******* ****** REQUEST BODY ******* ******* ****** tials": {"username": "admin", "password": "openstack"}}} python2. 7/dist- packages/ webob/dec. py:142: DeprecationWarning: Response.request and Response.environ are deprecated request = req python2. 7/dist- packages/ webob/dec. py:142: DeprecationWarning: Response.request and Response.environ are deprecated request = req python2. 7/dist- packages/ webob/dec. py:142: DeprecationWarning: Response.request and Response.environ are deprecated request = req python2. 7/dist- packages/ webob/dec. py:142: DeprecationWarning: Response.request and Response.environ are deprecated request = req python2. 7/dist- packages/ webob/dec. py:142: DeprecationWarning: Response.request and Response.environ are deprecated request = req 21b6730705b3a75 ac0', 'expires': datetime. datetime( 2012, 3, 14, 12, 26, 37, 955756), 'user': {u'tenantId': u'a73a0e51375f4 10bb3ef0967f33b dd54', u'enabled': u'true', u'email': u'root@localhost', 'name': u'admin', 'id': u'c4f6e60091664 c7db7c3840cce6a 1dcd'}, 'tenant': None, 'metadata': {}} ******* ****** RESPONSE HEADERS ******* ******* ****** ******* ****** RESPONSE BODY ******* ******* ****** 14T12:26: 37Z", "id": "610fc0209e604c 21b6730705b3a75 ac0"}, "serviceCatalog": {}, "user": {"username": "admin", "roles_links": [], "id": "c4f6e60091664c 7db7c3840cce6a1 dcd", "roles": [], "name": "admin"}}} 1b6730705b3a75a c0 index
>
> (root): 2012-03-13 12:26:37,900 DEBUG wsgi __call__ *******
> (root): 2012-03-13 12:26:37,900 DEBUG wsgi __call__ {"auth": {"tenantName": "admin", "passwordCreden
> (root): 2012-03-13 12:26:37,900 DEBUG wsgi __call__
> /usr/lib/
> req.response.
> /usr/lib/
> req.response.
> /usr/lib/
> req.response.
> /usr/lib/
> req.response.
> /usr/lib/
> req.response.
> (root): 2012-03-13 12:26:37,902 DEBUG wsgi __call__ arg_dict: {}
> (root): 2012-03-13 12:26:38,031 DEBUG service authenticate TOKEN_REF {'id': '610fc0209e604c
> (root): 2012-03-13 12:26:38,031 DEBUG wsgi __call__ *******
> (root): 2012-03-13 12:26:38,031 DEBUG wsgi __call__ Content-Type = application/json
> (root): 2012-03-13 12:26:38,031 DEBUG wsgi __call__ Vary = X-Auth-Token
> (root): 2012-03-13 12:26:38,031 DEBUG wsgi __call__ Content-Length = 244
> (root): 2012-03-13 12:26:38,031 DEBUG wsgi __call__
> (root): 2012-03-13 12:26:38,032 DEBUG wsgi print_generator *******
> (root): 2012-03-13 12:26:38,032 DEBUG wsgi print_generator {"access": {"token": {"expires": "2012-03-
>
> I then use that token and then glance appears to work.
>
> root@openstack1:~# glance -A 610fc0209e604c2
Right, since it is a regular token (see explanation above).
Thanks!
-jay