[rhos-list] unable to get a token
Vogel Nicolas
nicolas.vogel at heig-vd.ch
Wed Dec 12 13:04:17 UTC 2012
Thanks so much for your answer, it works!
I was totally confused with those different variables and didn't understand how they work exactly.
But now it's all right :). I can continue my install.
Thanks,
Nicolas.
-----Original Message-----
From: Derek Higgins [mailto:derekh at redhat.com]
Sent: Wednesday, 12 December 2012 13:53
To: Vogel Nicolas
Cc: rhos-list at redhat.com; cloud at lists.fedoraproject.org
Subject: Re: [rhos-list] unable to get a token
On 12/12/2012 07:54 AM, Vogel Nicolas wrote:
> Hi,
>
>
>
> Sorry for coming back with the same problem, but I really don't
> understand what is getting wrong on my install. I have CentOS 6.3 and
> I'm following the "Redhat Openstack Preview - Getting started guide rev.
> 1.0-4".
>
> I really follow the guide step by step and at the end from the
> Keystone chapter, I'm unable to get a token. I created both
> keystonerc_admin and keystonerc_username file and can source it successfully.
>
> After sourcing the keystonerc_username, I'm unable to display the
> user-list without giving the --os-endpoint and I'm completely unable
> to get a token.
>
> I also created a special tenant named "Service" and assigned to it
> four new users (nova, glance, ec2 and swift), as described in the
> official Openstack Install and Deploy Manual (from nov. 2012)
>
> My keystonerc_username file is exactly the same as in the
> install-guide; I just replaced the loopback addresses with my server
> IP address in all the commands.
>
> Here is the output from my terminal:
>
> [admin at IICT-SV001 ~(keystone_username)]$ keystone user-list
> Expecting an endpoint provided via either --endpoint or env[SERVICE_ENDPOINT]
>
> [admin at IICT-SV001 ~(keystone_username)]$ keystone --os-endpoint http://10.192.75.242:35357/v2.0 user-list
> +----------------------------------+----------+---------+-------+
> | id | name | enabled | email |
> +----------------------------------+----------+---------+-------+
> | 0264bdc687d348a8b830b16be0c62629 | ec2 | True | |
> | 25f3b67a98b145ad9e8f1ec2c602f400 | username | True | |
> | 2a6f404d17864052a14963d2fefa4ae0 | nova | True | |
> | 5ff5d5ec35a34499a5caf21d94aed8d7 | glance | True | |
> | b7b26d9a43c7496abec2fcbd1cd5d1e4 | swift | True | |
> | f7bfd7ba488f4df2b9feececa4a5f173 | admin | True | |
> +----------------------------------+----------+---------+-------+
>
> [admin at IICT-SV001 ~(keystone_username)]$ keystone token-get
> Expecting an endpoint provided via either --endpoint or env[SERVICE_ENDPOINT]
>
> [admin at IICT-SV001 ~(keystone_username)]$ keystone --os-endpoint http://10.192.75.242:35357/v2.0 token-get
> Configuration error: Client configured to run without a service catalog.
> Run the client using --os-auth-url or OS_AUTH_URL, instead of
> --os-endpoint or OS_SERVICE_ENDPOINT, for example.
>
> [admin at IICT-SV001 ~(keystone_username)]$ echo $OS_AUTH_URL
> http://10.192.75.242:5000/v2.0/
>
> So as you can see the OS_AUTH_URL is well defined and I don't
> understand why I couldn't get a token. I already searched in different
> logs but couldn't find any answer.
Hi Vogel,
I suspect you still have SERVICE_TOKEN defined in your shell. See below for a log of commands I ran to get working results and, at the end, how I set the variable to reproduce your error.
# Make sure you have no OpenStack authentication variables set
[derekh at qt ~]$ env | grep -i -e service -e os_
# the contents of my admin and user rc files
[derekh at qt ~]$ cat keystonerc_admin
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
export PS1="[\u@\h \W(keystone_admin)]\$ "
[derekh at qt ~]$ cat keystonerc_username
export OS_USERNAME=username
export OS_TENANT_NAME=rhsummit
export OS_PASSWORD=secret
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
export PS1="[\u@\h \W(keystone_username)]\$ "
# Source keystonerc_admin to use keystone as the admin user
[derekh at qt ~]$ . keystonerc_admin
[derekh at qt ~(keystone_admin)]$ keystone user-list
+----------------------------------+----------+---------+-------+
| id | name | enabled | email |
+----------------------------------+----------+---------+-------+
| 03b614eb5e024257be8f5cbd00837834 | username | True | |
| da2df2e2b1b1462ebedce84e236e1918 | admin | True | |
+----------------------------------+----------+---------+-------+
# Source keystonerc_username to use keystone as an unprivileged user
[derekh at qt ~(keystone_admin)]$ . keystonerc_username
# user-list doesn't work because we are no longer admin
[derekh at qt ~(keystone_username)]$ keystone user-list
You are not authorized to perform the requested action: admin_required (HTTP 403)
# but I can get a token
[derekh at qt ~(keystone_username)]$ keystone token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2012-12-13T12:32:20Z |
| id | f99e071ad81d48b9841c4d1c2f4e24c1 |
| tenant_id | 21ca6367afbf4851a47e78ccc074eab4 |
| user_id | 03b614eb5e024257be8f5cbd00837834 |
+-----------+----------------------------------+
# Now set a SERVICE_TOKEN but no SERVICE_ENDPOINT, to reproduce the error you are seeing
[derekh at qt ~(keystone_username)]$ export SERVICE_TOKEN=050ed8afbc072bab2098
[derekh at qt ~(keystone_username)]$ . keystonerc_admin
[derekh at qt ~(keystone_admin)]$ keystone user-list
Expecting an endpoint provided via either --endpoint or env[SERVICE_ENDPOINT]
# specifying the endpoint on the command line is ok (it's effectively the same as setting the SERVICE_ENDPOINT env variable)
[derekh at qt ~(keystone_admin)]$ keystone --os-endpoint http://127.0.0.1:35357/v2.0 user-list
+----------------------------------+----------+---------+-------+
| id | name | enabled | email |
+----------------------------------+----------+---------+-------+
| 03b614eb5e024257be8f5cbd00837834 | username | True | |
| da2df2e2b1b1462ebedce84e236e1918 | admin | True | |
+----------------------------------+----------+---------+-------+
# but we still can't get a token, this is because you have authenticated against keystone with the ADMIN token and not as a user, because you are not a user you can't create a token
[derekh at qt ~(keystone_admin)]$ keystone --os-endpoint http://127.0.0.1:35357/v2.0 token-get
Configuration error: Client configured to run without a service catalog.
Run the client using --os-auth-url or OS_AUTH_URL, instead of --os-endpoint or OS_SERVICE_ENDPOINT, for example.
In short, once you have created a keystone SERVICE_TOKEN and created an admin user with it, you should unset both SERVICE_TOKEN and SERVICE_ENDPOINT, forget about them and never use them again.
Hope this helps,
Derek.
>
>
>
> Thanks a lot for your help,
>
>
>
> Regards,
>
> Nicolas.
>
>
>
>
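Added example, not part of either message above: a pair of shell functions that report whether a leftover bootstrap token will take precedence over the OS_* user credentials, as in the behaviour reproduced in the thread, and that remove it. The function names are hypothetical; SERVICE_TOKEN, SERVICE_ENDPOINT and OS_SERVICE_ENDPOINT are the names seen in the thread, and OS_SERVICE_TOKEN is included on the assumption that it is the OS_-prefixed counterpart.

```shell
#!/bin/sh
# Added example: classify how the keystone CLI will authenticate in this shell.
# Function names are hypothetical; OS_SERVICE_TOKEN is an assumed counterpart
# of the SERVICE_TOKEN variable named in the thread.

# Print one word describing the authentication mode implied by the environment.
keystone_auth_mode() {
    _ks_token="${OS_SERVICE_TOKEN:-${SERVICE_TOKEN:-}}"
    _ks_endpoint="${OS_SERVICE_ENDPOINT:-${SERVICE_ENDPOINT:-}}"
    if [ -n "$_ks_token" ] && [ -z "$_ks_endpoint" ]; then
        # Matches: "Expecting an endpoint provided via either --endpoint
        # or env[SERVICE_ENDPOINT]", even when OS_* credentials are set.
        echo token-without-endpoint
    elif [ -n "$_ks_token" ]; then
        # Admin calls such as user-list work, but token-get fails with
        # "Client configured to run without a service catalog".
        echo admin-token
    elif [ -n "${OS_USERNAME:-}" ] && [ -n "${OS_PASSWORD:-}" ] &&
         [ -n "${OS_TENANT_NAME:-}" ] && [ -n "${OS_AUTH_URL:-}" ]; then
        # Normal case after sourcing keystonerc_admin or keystonerc_username.
        echo user-credentials
    else
        echo incomplete
    fi
}

# Drop the bootstrap token and endpoint from the current shell, as the reply
# recommends once an admin user exists.
keystone_drop_bootstrap() {
    unset SERVICE_TOKEN SERVICE_ENDPOINT OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
}
```

Source the file in the shell where keystone fails and run keystone_auth_mode; anything other than user-credentials means the rc file alone is not deciding how the client authenticates.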