Re: [rhos-list] unable to get a token

On 12/12/2012 07:54 AM, Vogel Nicolas wrote:
> Hi,
>
> Sorry for coming back with the same problem, but I really don’t
> understand what is going wrong on my install. I have CentOS 6.3 and
> I’m following the “Redhat Openstack Preview - Getting started guide rev.
> 1.0-4”.
>
> I really followed the guide step by step and at the end of the Keystone
> chapter, I’m unable to get a token. I created both keystonerc_admin and
> keystonerc_username files and can source them successfully.
>
> After sourcing the keystonerc_username, I’m unable to display the
> user-list without giving the --os-endpoint and I’m completely unable to
> get a token.
>
> I also created a special tenant named “Service” and assigned to it four
> new users (nova, glance, ec2 and swift), as described in the official
> Openstack Install and Deploy Manual (from Nov. 2012).
>
> My keystonerc_username file is exactly the same as in the install guide;
> I just replaced the loopback addresses with my server IP address in all
> the commands.
> 
> Here is the output from my terminal:
>
> [admin@IICT-SV001 ~(keystone_username)]$ keystone user-list
> Expecting an endpoint provided via either --endpoint or
> env[SERVICE_ENDPOINT]
>
> [admin@IICT-SV001 ~(keystone_username)]$ keystone --os-endpoint http://10.192.75.242:35357/v2.0 user-list
> +----------------------------------+----------+---------+-------+
> |                id                |   name   | enabled | email |
> +----------------------------------+----------+---------+-------+
> | 0264bdc687d348a8b830b16be0c62629 |   ec2    |   True  |       |
> | 25f3b67a98b145ad9e8f1ec2c602f400 | username |   True  |       |
> | 2a6f404d17864052a14963d2fefa4ae0 |   nova   |   True  |       |
> | 5ff5d5ec35a34499a5caf21d94aed8d7 |  glance  |   True  |       |
> | b7b26d9a43c7496abec2fcbd1cd5d1e4 |  swift   |   True  |       |
> | f7bfd7ba488f4df2b9feececa4a5f173 |  admin   |   True  |       |
> +----------------------------------+----------+---------+-------+
>
> [admin@IICT-SV001 ~(keystone_username)]$ keystone token-get
> Expecting an endpoint provided via either --endpoint or
> env[SERVICE_ENDPOINT]
>
> [admin@IICT-SV001 ~(keystone_username)]$ keystone --os-endpoint http://10.192.75.242:35357/v2.0 token-get
> Configuration error: Client configured to run without a service catalog.
> Run the client using --os-auth-url or OS_AUTH_URL, instead of
> --os-endpoint or OS_SERVICE_ENDPOINT, for example.
>
> [admin@IICT-SV001 ~(keystone_username)]$ echo $OS_AUTH_URL
> http://10.192.75.242:5000/v2.0/
>
> So as you can see the OS_AUTH_URL is well defined and I don’t understand
> why I couldn’t get a token. I already searched in different logs but
> couldn’t find any answer.


Hi Vogel,
   I suspect you still have SERVICE_TOKEN defined in your shell. See
below for a log of commands I ran to get working results and, at the end,
how I set the variable to reproduce your error.

# Make sure you have no OpenStack authentication variables set
[derekh@qt ~]$ env | grep -i -e service -e os_

# the contents of my admin and user rc files
[derekh@qt ~]$ cat keystonerc_admin
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
export PS1="[\u@\h \W(keystone_admin)]\$ "

[derekh@qt ~]$ cat keystonerc_username
export OS_USERNAME=username
export OS_TENANT_NAME=rhsummit
export OS_PASSWORD=secret
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
export PS1="[\u@\h \W(keystone_username)]\$ "

# Source keystonerc_admin to use keystone as the admin user
[derekh@qt ~]$ . keystonerc_admin
[derekh@qt ~(keystone_admin)]$ keystone user-list
+----------------------------------+----------+---------+-------+
|                id                |   name   | enabled | email |
+----------------------------------+----------+---------+-------+
| 03b614eb5e024257be8f5cbd00837834 | username |   True  |       |
| da2df2e2b1b1462ebedce84e236e1918 |  admin   |   True  |       |
+----------------------------------+----------+---------+-------+

# Source keystonerc_username to use keystone as an unprivileged user
[derekh@qt ~(keystone_admin)]$ . keystonerc_username

# user-list doesn't work because we are no longer admin
[derekh@qt ~(keystone_username)]$ keystone user-list
You are not authorized to perform the requested action: admin_required
(HTTP 403)

# but I can get a token
[derekh@qt ~(keystone_username)]$ keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2012-12-13T12:32:20Z       |
|     id    | f99e071ad81d48b9841c4d1c2f4e24c1 |
| tenant_id | 21ca6367afbf4851a47e78ccc074eab4 |
|  user_id  | 03b614eb5e024257be8f5cbd00837834 |
+-----------+----------------------------------+

# Now set a SERVICE_TOKEN but no SERVICE_ENDPOINT, to reproduce the
# error you are seeing
[derekh@qt ~(keystone_username)]$ export SERVICE_TOKEN=050ed8afbc072bab2098
[derekh@qt ~(keystone_username)]$ . keystonerc_admin
[derekh@qt ~(keystone_admin)]$ keystone user-list
Expecting an endpoint provided via either --endpoint or
env[SERVICE_ENDPOINT]

# specifying the endpoint on the command line is ok (it's effectively the
# same as setting the SERVICE_ENDPOINT env variable)
[derekh@qt ~(keystone_admin)]$ keystone --os-endpoint http://127.0.0.1:35357/v2.0 user-list
+----------------------------------+----------+---------+-------+
|                id                |   name   | enabled | email |
+----------------------------------+----------+---------+-------+
| 03b614eb5e024257be8f5cbd00837834 | username |   True  |       |
| da2df2e2b1b1462ebedce84e236e1918 |  admin   |   True  |       |
+----------------------------------+----------+---------+-------+

# but we still can't get a token; this is because you have authenticated
# against keystone with the ADMIN token and not as a user. Because you are
# not a user, you can't create a token
[derekh@qt ~(keystone_admin)]$ keystone --os-endpoint http://127.0.0.1:35357/v2.0 token-get
Configuration error: Client configured to run without a service catalog.
Run the client using --os-auth-url or OS_AUTH_URL, instead of
--os-endpoint or OS_SERVICE_ENDPOINT, for example.


In short, once you have created a keystone SERVICE_TOKEN and created an
admin user with it, you should unset both SERVICE_TOKEN and
SERVICE_ENDPOINT, forget about them and never use them again.

Hope this helps,
Derek.


> Thanks a lot for your help,
>
> Regards,
> Nicolas.
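
The cleanup Derek describes, as an added example that is not part of the original thread: a POSIX shell snippet that reports, by name only, whether bootstrap admin-token variables are still exported next to the user credentials, and unsets them. The function names are made up for this example, and treating OS_SERVICE_TOKEN, SERVICE_ENDPOINT and OS_SERVICE_ENDPOINT like the SERVICE_TOKEN case shown in the log is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Source this file into the shell you
# run keystone from, so that clear_bootstrap affects that shell.

# Bootstrap admin-token variables: SERVICE_* as used in the thread, plus the
# OS_-prefixed forms (OS_SERVICE_ENDPOINT appears in the client's error text).
BOOTSTRAP_VARS="SERVICE_TOKEN SERVICE_ENDPOINT OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT"
# Per-user credentials, as exported by the keystonerc_* files in the thread.
USER_VARS="OS_USERNAME OS_PASSWORD OS_TENANT_NAME OS_AUTH_URL"

# Print the names (never the values) of the listed variables that are set.
set_vars() {
    out=""
    for name in $1; do
        eval "val=\${$name:-}"      # names come from the fixed lists above
        if [ -n "$val" ]; then out="$out $name"; fi
    done
    echo "${out# }"
}

# Classify the environment. The log above shows SERVICE_TOKEN overriding
# sourced OS_* credentials; flagging the other three bootstrap variables the
# same way is an assumption of this example.
keystone_auth_mode() {
    if [ -n "$(set_vars "$BOOTSTRAP_VARS")" ]; then
        echo "admin-token"
    elif [ "$(set_vars "$USER_VARS")" = "$USER_VARS" ]; then
        echo "password"
    else
        echo "incomplete"
    fi
}

# Remove the bootstrap variables from the current shell.
clear_bootstrap() {
    for name in $BOOTSTRAP_VARS; do
        unset "$name"
    done
}

# Report the current state, listing which bootstrap variables are to blame.
echo "mode: $(keystone_auth_mode)  bootstrap vars set: $(set_vars "$BOOTSTRAP_VARS")"
```

When the mode reads admin-token, run clear_bootstrap and source the keystonerc file again before retrying keystone token-get.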