[rhos-list] unable to get a token

Vogel Nicolas nicolas.vogel at heig-vd.ch
Wed Dec 12 13:04:17 UTC 2012


Thanks so much for your answer, it works!
I was totally confused with those different variables and didn't understand how they work exactly.
But now it's all right :). I can continue my install.

Thanks,

Nicolas.

-----Original Message-----
From: Derek Higgins [mailto:derekh at redhat.com] 
Sent: Wednesday, 12 December 2012 13:53
To: Vogel Nicolas
Cc: rhos-list at redhat.com; cloud at lists.fedoraproject.org
Subject: Re: [rhos-list] unable to get a token


On 12/12/2012 07:54 AM, Vogel Nicolas wrote:
> Hi,
> 
>  
> 
> Sorry for coming back with the same problem, but I really don't 
> understand what is getting wrong on my install. I have CentOS 6.3 and 
> I'm following the "Redhat Openstack Preview - Getting started guide rev.
> 1.0-4".
> 
> I really follow the guide step by step and at the end from the 
> Keystone chapter, I'm unable to get a token. I created both 
> keystonerc_admin and keystonerc_username file and can source it successfully.
> 
> After sourcing the keystonerc_username, I'm unable to display the 
> user-list without giving the --os-endpoint and I'm completely unable 
> to get a token.
> 
> I also created a special tenant named "Service" and assigned to it 
> four new users (nova, glance, ec2 and swift), like described in the 
> official Openstack Install and Deploy Manual (from nov. 2012)
> 
> My keystonerc_username file is exactly the same as in the 
> install-guide; I just replaced the loopback addresses with my server 
> IP address in all the commands.
> 
> Here is the output from my terminal:
> 
>  
> 
> [admin at IICT-SV001 ~(keystone_username)]$ keystone user-list
> Expecting an endpoint provided via either --endpoint or env[SERVICE_ENDPOINT]
> 
> [admin at IICT-SV001 ~(keystone_username)]$ keystone --os-endpoint http://10.192.75.242:35357/v2.0 user-list
> +----------------------------------+----------+---------+-------+
> |                id                |   name   | enabled | email |
> +----------------------------------+----------+---------+-------+
> | 0264bdc687d348a8b830b16be0c62629 |   ec2    |   True  |       |
> | 25f3b67a98b145ad9e8f1ec2c602f400 | username |   True  |       |
> | 2a6f404d17864052a14963d2fefa4ae0 |   nova   |   True  |       |
> | 5ff5d5ec35a34499a5caf21d94aed8d7 |  glance  |   True  |       |
> | b7b26d9a43c7496abec2fcbd1cd5d1e4 |  swift   |   True  |       |
> | f7bfd7ba488f4df2b9feececa4a5f173 |  admin   |   True  |       |
> +----------------------------------+----------+---------+-------+
> 
> [admin at IICT-SV001 ~(keystone_username)]$ keystone token-get
> Expecting an endpoint provided via either --endpoint or env[SERVICE_ENDPOINT]
> 
> [admin at IICT-SV001 ~(keystone_username)]$ keystone --os-endpoint http://10.192.75.242:35357/v2.0 token-get
> Configuration error: Client configured to run without a service catalog.
> Run the client using --os-auth-url or OS_AUTH_URL, instead of --os-endpoint or OS_SERVICE_ENDPOINT, for example.
> 
> [admin at IICT-SV001 ~(keystone_username)]$ echo $OS_AUTH_URL
> http://10.192.75.242:5000/v2.0/
> 
>  
> 
> So as you can see the OS_AUTH_URL is well defined and I don't 
> understand why I couldn't get a token. I already searched in different 
> logs but couldn't find any answer.


Hi Vogel,
I suspect you still have SERVICE_TOKEN defined in your shell. See below for a log of commands I ran to get working results and, at the end, how I set the variable to reproduce your error.

# Make sure you have no OpenStack authentication variables set
[derekh at qt ~]$ env | grep -i -e service -e os_

# the contents of my admin and user rc files
[derekh at qt ~]$ cat keystonerc_admin
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
export PS1="[\u@\h \W(keystone_admin)]\$ "

[derekh at qt ~]$ cat keystonerc_username
export OS_USERNAME=username
export OS_TENANT_NAME=rhsummit
export OS_PASSWORD=secret
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
export PS1="[\u@\h \W(keystone_username)]\$ "

# Source keystonerc_admin to use keystone as the admin user
[derekh at qt ~]$ . keystonerc_admin
[derekh at qt ~(keystone_admin)]$ keystone user-list
+----------------------------------+----------+---------+-------+
|                id                |   name   | enabled | email |
+----------------------------------+----------+---------+-------+
| 03b614eb5e024257be8f5cbd00837834 | username |   True  |       |
| da2df2e2b1b1462ebedce84e236e1918 |  admin   |   True  |       |
+----------------------------------+----------+---------+-------+

# Source keystonerc_username to use keystone as an unprivileged user
[derekh at qt ~(keystone_admin)]$ . keystonerc_username

# user-list doesn't work because we are no longer admin
[derekh at qt ~(keystone_username)]$ keystone user-list
You are not authorized to perform the requested action: admin_required (HTTP 403)

# but I can get a token
[derekh at qt ~(keystone_username)]$ keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2012-12-13T12:32:20Z       |
|     id    | f99e071ad81d48b9841c4d1c2f4e24c1 |
| tenant_id | 21ca6367afbf4851a47e78ccc074eab4 |
|  user_id  | 03b614eb5e024257be8f5cbd00837834 |
+-----------+----------------------------------+

# Now set a SERVICE_TOKEN but no SERVICE_ENDPOINT, to reproduce the error you are seeing
[derekh at qt ~(keystone_username)]$ export SERVICE_TOKEN=050ed8afbc072bab2098
[derekh at qt ~(keystone_username)]$ . keystonerc_admin
[derekh at qt ~(keystone_admin)]$ keystone user-list
Expecting an endpoint provided via either --endpoint or env[SERVICE_ENDPOINT]

# specifying the endpoint on the command line is ok (it's effectively the same as setting the SERVICE_ENDPOINT env variable)
[derekh at qt ~(keystone_admin)]$ keystone --os-endpoint http://127.0.0.1:35357/v2.0 user-list
+----------------------------------+----------+---------+-------+
|                id                |   name   | enabled | email |
+----------------------------------+----------+---------+-------+
| 03b614eb5e024257be8f5cbd00837834 | username |   True  |       |
| da2df2e2b1b1462ebedce84e236e1918 |  admin   |   True  |       |
+----------------------------------+----------+---------+-------+

# but we still can't get a token, this is because you have authenticated against keystone with the ADMIN token and not as a user, because you are not a user you can't create a token
[derekh at qt ~(keystone_admin)]$ keystone --os-endpoint http://127.0.0.1:35357/v2.0 token-get
Configuration error: Client configured to run without a service catalog.
Run the client using --os-auth-url or OS_AUTH_URL, instead of --os-endpoint or OS_SERVICE_ENDPOINT, for example.


In short, once you have created a keystone SERVICE_TOKEN and created an admin user with it, you should unset both SERVICE_TOKEN and SERVICE_ENDPOINT, forget about them and never use them again.

Hope this helps,
Derek.


> 
>  
> 
> Thanks a lot for your help,
> 
>  
> 
> Regards,
> 
> Nicolas.
> 
> 
> 
> 
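The environment check from the start of the log in the reply above, written as shell functions. This is an added example, not part of the original thread: the function names are hypothetical, the sample values are constructed, and OS_SERVICE_TOKEN is assumed as the OS_-prefixed counterpart of SERVICE_TOKEN (only OS_SERVICE_ENDPOINT is named in the error text). The mode names map to the three outcomes shown in the log.

```shell
#!/bin/sh
# Added example: function names are hypothetical; sample values are constructed.

# Print the NAMES (never the values) of admin-token variables still set.
leftover_bootstrap_vars() {
    _found=""
    for _name in SERVICE_TOKEN SERVICE_ENDPOINT OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT; do
        eval "_value=\${$_name:-}"
        if [ -n "$_value" ]; then
            _found="${_found:+$_found }$_name"
        fi
    done
    echo "$_found"
}

# Classify how the keystone CLI will authenticate, per the log above.
keystone_auth_mode() {
    _token="${SERVICE_TOKEN:-${OS_SERVICE_TOKEN:-}}"
    _endpoint="${SERVICE_ENDPOINT:-${OS_SERVICE_ENDPOINT:-}}"
    if [ -n "$_token" ] && [ -z "$_endpoint" ]; then
        echo "admin-token-without-endpoint"  # "Expecting an endpoint ..." error
    elif [ -n "$_token" ]; then
        echo "admin-token"                    # no service catalog, token-get fails
    elif [ -n "${OS_USERNAME:-}" ] && [ -n "${OS_PASSWORD:-}" ] && [ -n "${OS_AUTH_URL:-}" ]; then
        echo "password"                       # normal user auth via OS_AUTH_URL
    else
        echo "unconfigured"
    fi
}

# Remove the bootstrap credentials from the current shell.
drop_bootstrap_credentials() {
    unset SERVICE_TOKEN SERVICE_ENDPOINT OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
}

# Demo in a subshell so the caller's environment is untouched.
(
    export OS_USERNAME=username OS_PASSWORD=secret OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
    export SERVICE_TOKEN=constructed-token-value
    unset SERVICE_ENDPOINT OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
    echo "before: $(keystone_auth_mode) (set: $(leftover_bootstrap_vars))"
    drop_bootstrap_credentials
    echo "after:  $(keystone_auth_mode) (set: $(leftover_bootstrap_vars))"
)
```

Source the file and call drop_bootstrap_credentials in the login shell itself; running it as a separate script cannot change the parent shell's environment.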




