On 12/12/2012 07:54 AM, Vogel Nicolas wrote:
> Hi,
>
> Sorry for coming back with the same problem, but I really don’t
> understand what is going wrong on my install. I have CentOS 6.3 and
> I’m following the “Redhat Openstack Preview - Getting started guide rev.
> 1.0-4”.
>
> I really follow the guide step by step and at the end of the Keystone
> chapter, I’m unable to get a token. I created both keystonerc_admin and
> keystonerc_username files and can source them successfully.
>
> After sourcing the keystonerc_username, I’m unable to display the
> user-list without giving the --os-endpoint and I’m completely unable to
> get a token.
>
> I also created a special tenant named “Service” and assigned to it four
> new users (nova, glance, ec2 and swift), as described in the official
> Openstack Install and Deploy Manual (from Nov. 2012).
>
> My keystonerc_username file is exactly the same as in the install-guide;
> I just replaced the loopback addresses with my server IP address in all
> the commands.
>
> Here is the output from my terminal:
>
> [admin@IICT-SV001 ~(keystone_username)]$ keystone user-list
> Expecting an endpoint provided via either --endpoint or env[SERVICE_ENDPOINT]
>
> [admin@IICT-SV001 ~(keystone_username)]$ keystone --os-endpoint http://10.192.75.242:35357/v2.0 user-list
> +----------------------------------+----------+---------+-------+
> |                id                |   name   | enabled | email |
> +----------------------------------+----------+---------+-------+
> | 0264bdc687d348a8b830b16be0c62629 |   ec2    |   True  |       |
> | 25f3b67a98b145ad9e8f1ec2c602f400 | username |   True  |       |
> | 2a6f404d17864052a14963d2fefa4ae0 |   nova   |   True  |       |
> | 5ff5d5ec35a34499a5caf21d94aed8d7 |  glance  |   True  |       |
> | b7b26d9a43c7496abec2fcbd1cd5d1e4 |  swift   |   True  |       |
> | f7bfd7ba488f4df2b9feececa4a5f173 |  admin   |   True  |       |
> +----------------------------------+----------+---------+-------+
>
> [admin@IICT-SV001 ~(keystone_username)]$ keystone token-get
> Expecting an endpoint provided via either --endpoint or env[SERVICE_ENDPOINT]
>
> [admin@IICT-SV001 ~(keystone_username)]$ keystone --os-endpoint http://10.192.75.242:35357/v2.0 token-get
> Configuration error: Client configured to run without a service catalog.
> Run the client using --os-auth-url or OS_AUTH_URL, instead of
> --os-endpoint or OS_SERVICE_ENDPOINT, for example.
>
> [admin@IICT-SV001 ~(keystone_username)]$ echo $OS_AUTH_URL
> http://10.192.75.242:5000/v2.0/
>
> So as you can see the OS_AUTH_URL is well defined and I don’t understand
> why I couldn’t get a token. I already searched in different logs but
> couldn’t find any answer.

Hi Vogel,

I suspect you still have SERVICE_TOKEN defined in your shell, see below
for a log of commands I ran to get working results and at the end how I
set the variable to reproduce your error

# Make sure you have no OpenStack authentication variables set
[derekh@qt ~]$ env | grep -i -e service -e os_

# the contents of my admin and user rc files
[derekh@qt ~]$ cat keystonerc_admin
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
export PS1="[\u@\h \W(keystone_admin)]\$ "

[derekh@qt ~]$ cat keystonerc_username
export OS_USERNAME=username
export OS_TENANT_NAME=rhsummit
export OS_PASSWORD=secret
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
export PS1="[\u@\h \W(keystone_username)]\$ "

# Source keystonerc_admin to use keystone as the admin user
[derekh@qt ~]$ . keystonerc_admin
[derekh@qt ~(keystone_admin)]$ keystone user-list
+----------------------------------+----------+---------+-------+
|                id                |   name   | enabled | email |
+----------------------------------+----------+---------+-------+
| 03b614eb5e024257be8f5cbd00837834 | username |   True  |       |
| da2df2e2b1b1462ebedce84e236e1918 |  admin   |   True  |       |
+----------------------------------+----------+---------+-------+

# Source keystonerc_username to use keystone as an unprivileged user
[derekh@qt ~(keystone_admin)]$ . keystonerc_username

# user-list doesn't work because we are no longer admin
[derekh@qt ~(keystone_username)]$ keystone user-list
You are not authorized to perform the requested action: admin_required (HTTP 403)

# but I can get a token
[derekh@qt ~(keystone_username)]$ keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2012-12-13T12:32:20Z       |
|     id    | f99e071ad81d48b9841c4d1c2f4e24c1 |
| tenant_id | 21ca6367afbf4851a47e78ccc074eab4 |
|  user_id  | 03b614eb5e024257be8f5cbd00837834 |
+-----------+----------------------------------+

# Now set a SERVICE_TOKEN but no SERVICE_ENDPOINT, to reproduce the error
# you are seeing
[derekh@qt ~(keystone_username)]$ export SERVICE_TOKEN=050ed8afbc072bab2098
[derekh@qt ~(keystone_username)]$ . keystonerc_admin
[derekh@qt ~(keystone_admin)]$ keystone user-list
Expecting an endpoint provided via either --endpoint or env[SERVICE_ENDPOINT]

# specifying the endpoint on the command line is ok (it's effectively the
# same as setting the SERVICE_ENDPOINT env variable)
[derekh@qt ~(keystone_admin)]$ keystone --os-endpoint http://127.0.0.1:35357/v2.0 user-list
+----------------------------------+----------+---------+-------+
|                id                |   name   | enabled | email |
+----------------------------------+----------+---------+-------+
| 03b614eb5e024257be8f5cbd00837834 | username |   True  |       |
| da2df2e2b1b1462ebedce84e236e1918 |  admin   |   True  |       |
+----------------------------------+----------+---------+-------+

# but we still can't get a token, this is because you have authenticated
# against keystone with the ADMIN token and not as a user, because you are
# not a user you can't create a token
[derekh@qt ~(keystone_admin)]$ keystone --os-endpoint http://127.0.0.1:35357/v2.0 token-get
Configuration error: Client configured to run without a service catalog.
Run the client using --os-auth-url or OS_AUTH_URL, instead of
--os-endpoint or OS_SERVICE_ENDPOINT, for example.

In short, once you have created a keystone SERVICE_TOKEN and created an
admin user with it, you should unset both SERVICE_TOKEN and
SERVICE_ENDPOINT, forget about them and never use them again.

Hope this helps,
Derek.

> Thanks a lot for your help,
>
> Regards,
>
> Nicolas.
>
> _______________________________________________
> rhos-list mailing list
> rhos-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/rhos-list

_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
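
A check for the leftover bootstrap credentials discussed in the reply above, as an added example that is not part of the original thread. The function names are hypothetical, the classification is modelled only on the behaviour shown in the command log, and OS_SERVICE_TOKEN (the newer spelling of SERVICE_TOKEN) is included although the thread does not mention it.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# SERVICE_TOKEN, SERVICE_ENDPOINT and OS_SERVICE_ENDPOINT appear in the thread;
# OS_SERVICE_TOKEN is assumed here as the newer spelling of SERVICE_TOKEN.

# Print the auth mode implied by the current environment, modelled on the log
# above: a bootstrap token in the shell overrides the OS_* user credentials.
keystone_auth_mode() {
    token="${SERVICE_TOKEN:-${OS_SERVICE_TOKEN:-}}"
    endpoint="${SERVICE_ENDPOINT:-${OS_SERVICE_ENDPOINT:-}}"
    if [ -n "$token" ] && [ -z "$endpoint" ]; then
        echo "token-without-endpoint"   # the "Expecting an endpoint" error
    elif [ -n "$token" ]; then
        echo "admin-token"              # user-list works, token-get cannot
    elif [ -n "${OS_AUTH_URL:-}" ] && [ -n "${OS_USERNAME:-}" ] \
         && [ -n "${OS_PASSWORD:-}" ]; then
        echo "password"                 # normal user auth via OS_AUTH_URL
    else
        echo "incomplete"
    fi
}

# Remove the bootstrap credentials from this shell.
keystone_drop_bootstrap() {
    unset SERVICE_TOKEN SERVICE_ENDPOINT OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
}

# Report leftovers by name only (never their values), then remove them.
# Returns 1 if any bootstrap variable was set, 0 if the shell was clean.
keystone_env_check() {
    found=0
    for name in SERVICE_TOKEN SERVICE_ENDPOINT \
                OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            echo "leftover bootstrap variable: $name" >&2
            found=1
        fi
    done
    keystone_drop_bootstrap
    return "$found"
}
```

Define the functions in the interactive shell (for example from a sourced file) and call `keystone_env_check` before sourcing an rc file; running the script as a child process cannot unset variables in the parent shell.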