using glance with token auth doesn't work

Bug #942838 reported by Jesse Andrews
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | |

Bug Description

Install devstack, then source openrc.

This sets:

    declare -x OS_AUTH_URL="http://example.com:5000/v2.0"
    declare -x OS_PASSWORD="secrete"
    declare -x OS_TENANT_NAME="admin"
    declare -x OS_USERNAME="admin"

From here you should be able to get a token and use it directly with services.

    $ keystone token-get

    +----------+----------------------------------+
    | Property | Value |
    +----------+----------------------------------+
    | expires | 2012-02-29T13:21:25Z |
    | id | 111f6974cfdb4a7ca79d790dd61b58ec |
    | tenant | 53d16bbf4f1e452a845182a61d313d00 |
    +----------+----------------------------------+

    $ glance -A 111f6974cfdb4a7ca79d790dd61b58ec index

Failed to show index. Got error:
Internal Server error: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/opt/stack/glance/glance/common/wsgi.py", line 279, in __call__
    response = req.get_response(self.application)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
    app_iter = application(self.environ, start_response)
  File "/opt/stack/keystone/keystone/middleware/auth_token.py", line 164, in __call__
    valid = self._validate_claims(claims)
  File "/opt/stack/keystone/keystone/middleware/auth_token.py", line 272, in _validate_claims
    self.admin_password)
  File "/opt/stack/keystone/keystone/middleware/auth_token.py", line 263, in _get_admin_auth_token
    return json.loads(data)["access"]["token"]["id"]
KeyError: 'access'

From the service side we see keystone attempting to validate the token:

2012-02-28 13:28:54 DEBUG [root] ******************** REQUEST ENVIRON ********************
2012-02-28 13:28:54 DEBUG [root] SCRIPT_NAME = /v2.0
2012-02-28 13:28:54 DEBUG [root] webob.adhoc_attrs = {'response': <Response at 0x429ef50 200 OK>}
2012-02-28 13:28:54 DEBUG [root] REQUEST_METHOD = POST
2012-02-28 13:28:54 DEBUG [root] PATH_INFO = /tokens
2012-02-28 13:28:54 DEBUG [root] SERVER_PROTOCOL = HTTP/1.0
2012-02-28 13:28:54 DEBUG [root] CONTENT_LENGTH = 94
2012-02-28 13:28:54 DEBUG [root] eventlet.posthooks = []
2012-02-28 13:28:54 DEBUG [root] SERVER_NAME = 50.56.12.206
2012-02-28 13:28:54 DEBUG [root] REMOTE_ADDR = 50.56.12.206
2012-02-28 13:28:54 DEBUG [root] eventlet.input = <eventlet.wsgi.Input object at 0x396c090>
2012-02-28 13:28:54 DEBUG [root] wsgi.url_scheme = http
2012-02-28 13:28:54 DEBUG [root] SERVER_PORT = 35357
2012-02-28 13:28:54 DEBUG [root] wsgi.input = <_io.BytesIO object at 0x4147ef0>
2012-02-28 13:28:54 DEBUG [root] HTTP_HOST = 50.56.12.206:35357
2012-02-28 13:28:54 DEBUG [root] wsgi.multithread = True
2012-02-28 13:28:54 DEBUG [root] openstack.params = {u'auth': {u'tenantName': u'admin', u'passwordCredentials': {u'username': None, u'password': None}}}
2012-02-28 13:28:54 DEBUG [root] HTTP_ACCEPT = application/json
2012-02-28 13:28:54 DEBUG [root] wsgi.version = (1, 0)
2012-02-28 13:28:54 DEBUG [root] openstack.context = {'token_id': None, 'is_admin': False}
2012-02-28 13:28:54 DEBUG [root] GATEWAY_INTERFACE = CGI/1.1
2012-02-28 13:28:54 DEBUG [root] wsgi.run_once = False
2012-02-28 13:28:54 DEBUG [root] wsgi.errors = <open file '<stderr>', mode 'w' at 0x7f94a19cd270>
2012-02-28 13:28:54 DEBUG [root] wsgi.multiprocess = False
2012-02-28 13:28:54 DEBUG [root] webob.is_body_seekable = True
2012-02-28 13:28:54 DEBUG [root] CONTENT_TYPE = application/json
2012-02-28 13:28:54 DEBUG [root] HTTP_ACCEPT_ENCODING = identity
2012-02-28 13:28:54 DEBUG [root]
2012-02-28 13:28:54 DEBUG [root] ******************** REQUEST BODY ********************
2012-02-28 13:28:54 DEBUG [root] {"auth": {"tenantName": "admin", "passwordCredentials": {"username": null, "password": null}}}
2012-02-28 13:28:54 DEBUG [root]
2012-02-28 13:28:54 DEBUG [routes.middleware] Matched POST /tokens
2012-02-28 13:28:54 DEBUG [routes.middleware] Route path: '{path_info:.*}', defaults: {'controller': <keystone.contrib.admin_crud.core.CrudExtension object at 0x38a7950>}
2012-02-28 13:28:54 DEBUG [routes.middleware] Match dict: {'controller': <keystone.contrib.admin_crud.core.CrudExtension object at 0x38a7950>, 'path_info': '/tokens'}
2012-02-28 13:28:54 DEBUG [routes.middleware] Matched POST /tokens
2012-02-28 13:28:54 DEBUG [routes.middleware] Route path: '{path_info:.*}', defaults: {'controller': <keystone.service.AdminRouter object at 0x2e35ad0>}
2012-02-28 13:28:54 DEBUG [routes.middleware] Match dict: {'controller': <keystone.service.AdminRouter object at 0x2e35ad0>, 'path_info': '/tokens'}
2012-02-28 13:28:54 DEBUG [routes.middleware] Matched POST /tokens
2012-02-28 13:28:54 DEBUG [routes.middleware] Route path: '/tokens', defaults: {'action': u'authenticate', 'controller': <keystone.service.TokenController object at 0x2fc6b50>}
2012-02-28 13:28:54 DEBUG [routes.middleware] Match dict: {'action': u'authenticate', 'controller': <keystone.service.TokenController object at 0x2fc6b50>}
2012-02-28 13:28:54 DEBUG [root] arg_dict: {}
/opt/stack/keystone/keystone/service.py:258: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
  raise exception.Unauthorized(e.message)
2012-02-28 13:28:54 WARNING [root] Invalid user / password
2012-02-28 13:28:54 DEBUG [root] ******************** RESPONSE HEADERS ********************
2012-02-28 13:28:54 DEBUG [root] Content-Type = application/json
2012-02-28 13:28:54 DEBUG [root] Vary = X-Auth-Token
2012-02-28 13:28:54 DEBUG [root] Content-Length = 89
2012-02-28 13:28:54 DEBUG [root]
2012-02-28 13:28:54 DEBUG [root] ******************** RESPONSE BODY ********************
2012-02-28 13:28:54 DEBUG [root] {"error": {"message": "Invalid user / password", "code": 401, "title": "Not Authorized"}}

2012-02-28 13:28:54 DEBUG [eventlet.wsgi.server] 50.56.12.206 - - [28/Feb/2012 13:28:54] "POST /v2.0/tokens HTTP/1.1" 401 229 0.010303
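
The traceback above ends in `KeyError: 'access'` where `_get_admin_auth_token` indexes the reply to its own `POST /tokens`, and the keystone log shows that reply was a 401 error body. As an added example (not part of the original report and not keystone's code), this is one way to parse that reply so a rejected admin login becomes a typed error instead of a traceback returned to the client. `parse_admin_token`, `AdminTokenError` and `client_response` are hypothetical names, and answering with 503 is an assumed choice.

```python
import json

# Error body copied from the keystone log in the report above.
ERROR_BODY = ('{"error": {"message": "Invalid user / password", '
              '"code": 401, "title": "Not Authorized"}}')
# Constructed success body in the shape the traceback indexes into.
OK_BODY = '{"access": {"token": {"id": "constructed-token-id"}}}'


class AdminTokenError(Exception):
    """The identity service did not hand back an admin token."""

    def __init__(self, status, reason):
        super().__init__("admin token request failed (%s): %s" % (status, reason))
        self.status, self.reason = status, reason


def parse_admin_token(status, body):
    """Return access.token.id from a POST /tokens reply, else raise AdminTokenError."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        raise AdminTokenError(status, "body is not JSON")
    if not isinstance(doc, dict):
        raise AdminTokenError(status, "unexpected JSON type")
    err = doc.get("error")
    if not 200 <= status < 300 or err is not None:
        reason = err.get("message") if isinstance(err, dict) else None
        raise AdminTokenError(status, reason or "no error message")
    try:
        token_id = doc["access"]["token"]["id"]
    except (KeyError, TypeError):
        raise AdminTokenError(status, "no access.token.id in body")
    if not isinstance(token_id, str) or not token_id:
        raise AdminTokenError(status, "empty token id")
    return token_id


def client_response(status, body):
    """Hypothetical helper: what the protected service returns to its caller."""
    try:
        parse_admin_token(status, body)
    except AdminTokenError:
        # Log the detail server-side; the caller gets no traceback or reason.
        return 503, "identity service unavailable"
    return 200, "ok"


if __name__ == "__main__":
    print(client_response(401, ERROR_BODY))
```
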

Jesse Andrews (anotherjesse) wrote :

For completeness:

    $ keystone tenant-list

    No handlers could be found for logger "keystoneclient.v2_0.client"
    +----------------------------------+-------+---------+
    | id | name | enabled |
    +----------------------------------+-------+---------+
    | 1febdaa3998b4249926e17431b3dbe96 | demo | True |
    | 53d16bbf4f1e452a845182a61d313d00 | admin | True |
    +----------------------------------+-------+---------+

Jesse Andrews (anotherjesse) wrote :

The issue is actually different:

    glance -A 111f6974cfdb4a7ca79d790dd61b58ec index

works, but if you do:

    glance -A INVALIDTOKEN index

it fails forever... opening a new bug

Changed in keystone:
status: New → Invalid