OpenStack Identity (keystone)

keystone catalog command line fails with "'NoneType' object has no attribute 'has_service_catalog'"

Bug #1362630 reported by Igor Milovanović
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Invalid
Undecided
David J Hu

Bug Description

I am running keystone on icehouse, and client version 0.7.1
I source admin rc file
with OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT
and run:

$ keystone catalog

This fails with:

"'NoneType' object has no attribute 'has_service_catalog'"

If I unset OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT, keystone catalog succeeds, but...
running:

$ keystone tenant-list

hangs & timeouts... as my installation (Fuel 5.0.1 based) has adminURL on internal non-accessible network (I am running from public network, remote host)

Revision history for this message
Igor Milovanović (igormilovanovic) wrote :

Workaround is to use different credentials (token and non-token) for different calls.

Revision history for this message
David J Hu (david-j-hu) wrote :

I see the issue for catalog, but not tenant-list.

keystone --os-token azertytoken --os-endpoint http://localhost:35357/v2.0 catalog
'NoneType' object has no attribute 'has_service_catalog'

Changed in keystone:
assignee: nobody → David J Hu (david-j-hu)
Revision history for this message
Igor Milovanović (igormilovanovic) wrote :

In the particular deployment publicUrl and adminUrl are different, the adminURL is on internal network not reachable from client's box (the one issuing keystone tenant-list)...

Revision history for this message
David J Hu (david-j-hu) wrote :

A quick question to help me understand the tenant-list scenario. Is this client box also on the same internal network or the client box is actual on an external network? If the client box is on the external network, I assume that you want to keep your internal network private. In that case, you might want to consider accessing the adminURL from the internal network instead.

Revision history for this message
Igor Milovanović (igormilovanovic) wrote :

The client box is on external network. I was under impression that i don't have to expose adminUrl in order to run admin privileged calls/commands. Otherwise, i am wondering how would external client (app) invoke ( with admin privileges) admin calls?

I'm fairly new to keystone so I probably have skewed assumptions towards behavior, but distribution I have installed (Mirantis Fuel) came with this kind of setup...

Revision history for this message
David J Hu (david-j-hu) wrote :

- For catalog, from keystone client perspective, the service catalog is basically not present with only --os-token and --os-endpoint. Instead, use --os-username, --os-password, --os-tenant-name(or id) and --os-auth-url. Once authenticated, the user specified in os-username will have visibility to service catalog. I have a patch coming which will spew a friendlier error message when service is not present.

- For tenant-list, it sounds like networking configuration related. Do you have a route from your client box on the external network to the internal network? or on the server with keystone running, do you have 1 nic listening on the internal network and a different nic listening on the external networking?

David J Hu (david-j-hu)
Changed in keystone:
status: New → In Progress
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → juno-3
status: Fix Committed → Fix Released
Revision history for this message
Dolph Mathews (dolph) wrote :

There's no fix associated with this - was this supposed to be tracked against python-keystoneclient?

Changed in keystone:
milestone: juno-3 → none
status: Fix Released → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.