Bug 876763
Summary: | Update authtoken configuration for Nova, Glance and Cinder | | |
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Alan Pevec <apevec> |
Component: | doc-Getting_Started_Guide | Assignee: | Bruce Reeler <breeler> |
Status: | CLOSED NOTABUG | Severity: | medium |
Priority: | high | Version: | 2.0 (Folsom) |
CC: | breeler, eharney, pbrady, rlandman, sclewis, sgordon, sthaha | Keywords: | Documentation |
Target Milestone: | beta | Target Release: | 2.1 |
Hardware: | Unspecified | OS: | Unspecified |
Fixed In Version: | Red_Hat_OpenStack_Preview-Getting_Started_Guide-2-web-en-US-1.0-13.el6eng | Doc Type: | Bug Fix |
Last Closed: | 2013-07-24 00:35:40 UTC | Type: | Bug |
Description
Alan Pevec
2012-11-14 22:01:54 UTC
1.) Item one is (I think) fixed in Chapter 2 "Upgrading from Essex to Folsom Preview",

1.1) step 6: in /etc/glance: Copy admin_* from glance*paste.ini [filter:authtoken] to glance*.conf [keystone_authtoken]

1.2) step 7: in /etc/nova: Copy admin_* from api-paste.ini [filter:authtoken] to nova.conf [keystone_authtoken]

1.3) I am not sure about Cinder. The 2nd command in the following, from Chap 5 "Cinder", uses api-paste.ini. Does this mean it is still (incorrectly) using paste.ini, or is it using the correct new method?

$ sudo openstack-config --set /etc/cinder/cinder.conf DEFAULT auth_strategy keystone
$ sudo openstack-config --set /etc/cinder/api-paste.ini \
filter:authtoken admin_token $(cat /tmp/ks_admin_token)

2. Item two, admin_token replaced by admin_*.
It is not clear where, or if, this is still applicable. E.g. in Chap 4 Glance, it says: "Run the following commands to update the Glance configuration files for Keystone use:" followed by

$ sudo openstack-config --set /etc/glance/glance-api.conf paste_deploy flavor keystone
$ sudo openstack-config --set /etc/glance/glance-api-paste.ini \
filter:authtoken admin_token $(cat /tmp/ks_admin_token)
$ sudo openstack-config --set /etc/glance/glance-registry.conf \
paste_deploy flavor keystone
$ sudo openstack-config --set /etc/glance/glance-registry-paste.ini \
filter:authtoken admin_token $(cat /tmp/ks_admin_token)

Does this fix the issue?

(In reply to comment #2)
> 1.3) I am not sure about Cinder. The 2nd command in the following, from Chap
> 5 "Cinder", uses api-paste.ini. Does this mean it is still (incorrectly)
> using paste.ini, or is it using the correct new method?
> $ sudo openstack-config --set /etc/cinder/cinder.conf DEFAULT auth_strategy
> keystone
> $ sudo openstack-config --set /etc/cinder/api-paste.ini \
> filter:authtoken admin_token $(cat /tmp/ks_admin_token)

That's doubly incorrect:
- it should use [keystone_authtoken] section in cinder.conf NOT api-paste.ini
- it should set admin_tenant_name, admin_user and admin_password in [keystone_authtoken] NOT admin_token

> 2. Item two, admin_token replaced by admin_*.
> It is not clear where, or if, this is still applicable. E.g. in Chap 4
> Glance, it says: "Run the following commands to update the Glance
> configuration files for Keystone use:" followed by
> $ sudo openstack-config --set /etc/glance/glance-api.conf paste_deploy
> flavor keystone
> $ sudo openstack-config --set /etc/glance/glance-api-paste.ini \
> filter:authtoken admin_token $(cat /tmp/ks_admin_token)
> $ sudo openstack-config --set /etc/glance/glance-registry.conf \
> paste_deploy flavor keystone
> $ sudo openstack-config --set /etc/glance/glance-registry-paste.ini \
> filter:authtoken admin_token $(cat /tmp/ks_admin_token)
>
> Does this fix the issue?

That's again doubly incorrect:
- it should use [keystone_authtoken] section in glance-{api|registry}.conf NOT glance-{api|registry}-paste.ini
- it should set admin_tenant_name, admin_user and admin_password in [keystone_authtoken] NOT admin_token

Comment 3 part 1: Fixed in Chapter 9. Cinder (Volume): replaced

$ sudo openstack-config --set /etc/cinder/api-paste.ini \
filter:authtoken admin_token $(cat /tmp/ks_admin_token)

with

$ sudo openstack-config --set /etc/cinder/cinder.conf \
keystone_authtoken admin_tenant_name admin_user admin_password $(cat /tmp/ks_admin_token)

Comment 3 part 2: Fixed in Chapter 8 Glance (Images): replaced

$ sudo openstack-config --set /etc/glance/glance-api-paste.ini \
filter:authtoken admin_token $(cat /tmp/ks_admin_token)
...
$ sudo openstack-config --set /etc/glance/glance-registry-paste.ini \
filter:authtoken admin_token $(cat /tmp/ks_admin_token)

with

$ sudo openstack-config --set /etc/glance/glance-api.conf \
keystone_authtoken admin_tenant_name admin_user admin_password $(cat /tmp/ks_admin_token)
...
$ sudo openstack-config --set /etc/glance/glance-registry.conf \
keystone_authtoken admin_tenant_name admin_user admin_password $(cat /tmp/ks_admin_token)

Looking at these it also looks like we're very reliant on the fact that:

a) The user read and followed the directions for configuring Keystone first (reasonable).
b) The file in /tmp they created in that procedure is still around (not so reasonable).

I think it would be preferable to in each procedure where it is required add a step advising the user to retrieve the token from /etc/keystone/keystone.conf. Unfortunately openstack-config doesn't provide a --get option so it looks like the only way to do this at the moment is manually.

$ grep "admin_token = " /etc/keystone/keystone.conf
# admin_token = ADMIN
admin_token = 06c09b8b1f874cb88ffa3194ef40adec

> $ sudo openstack-config --set /etc/glance/glance-api.conf \
> keystone_authtoken admin_tenant_name admin_user admin_password $(cat
> /tmp/ks_admin_token)
This wouldn't work, as openstack-config is unable to handle more than 1 key-value pair, so you would have to split that into 2 commands, the first one setting the admin_tenant_name and the second one setting the password:
1. $ sudo openstack-config --set /etc/glance/glance-api.conf \
keystone_authtoken admin_tenant_name admin_user
2. $ sudo openstack-config --set /etc/glance/glance-api.conf \
keystone_authtoken admin_password $(cat /tmp/ks_admin_token)
NOTE: this applies to all usage of openstack-config
SIDE-NOTE: Maybe this could be fixed in the openstack-config utility itself, by enabling it to handle multiple key-value pairs in the same section of the ini-file.
These instructions didn't work for me, so I looked at how devstack sets up glance and compared the conf files; this is what I figured out and which works for me. I need someone to test it and correct me if I am going the wrong way.

So, to configure glance-keystone authentication for glance-api, you would have to

1. set flavor in paste_deploy section of /etc/glance/glance-api.conf to keystone

sudo openstack-config --set /etc/glance/glance-api.conf \
paste_deploy flavor keystone

2. set the admin details in keystone_authtoken section of glance-api.conf by

sudo openstack-config --set /etc/glance/glance-api.conf \
keystone_authtoken admin_user admin
sudo openstack-config --set /etc/glance/glance-api.conf \
keystone_authtoken admin_tenant admin
sudo openstack-config --set /etc/glance/glance-api.conf \
keystone_authtoken admin_password secret

3. Repeat the same for glance-registry.conf

#NOTE: admin, the tenant name and password are the same as that in the documentation, so if you change any of the details, say - tenant name or password, you need to update it accordingly.

Once again, it would be great if someone can confirm that this is the right way to configure before these end up in the documentation.

Hi Bruce, this change has been modified for ~ 2 weeks, what is its status?

Comment 5 extracted to another bug: BZ911459. Setting this one to ON_QA as Sunil's changes as per comment 7 are in built doc already.

These instructions were removed from Getting Started Guide and incorporated in Installation and Configuration Guide. Hence setting this bug to CLOSED : NOT A BUG
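
An added example (not part of the bug thread or of the Red Hat guides): a Python check for the two mistakes called out in the thread, `admin_token` left in an authtoken section and a service `.conf` whose `[keystone_authtoken]` section lacks `admin_tenant_name`, `admin_user` or `admin_password`. The function names, file contents and credential values are constructed for illustration.

```python
import configparser

# Keys the thread says belong in [keystone_authtoken] of each service .conf file.
REQUIRED = ("admin_tenant_name", "admin_user", "admin_password")

def audit_authtoken(name, text):
    """Return findings for one INI file; name is used for reporting and file type."""
    # Rename the default section so [DEFAULT] keys do not leak into other sections.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(text)
    findings = []
    # admin_token must not appear in either authtoken section.
    for section in ("filter:authtoken", "keystone_authtoken"):
        if cp.has_option(section, "admin_token"):
            findings.append(f"{name}: [{section}] sets admin_token")
    # Service .conf files (not *-paste.ini) need all three admin_* credentials.
    if not name.endswith("paste.ini"):
        for key in REQUIRED:
            if not cp.get("keystone_authtoken", key, fallback="").strip():
                findings.append(f"{name}: [keystone_authtoken] lacks {key}")
    return findings

# Constructed file contents, not taken from a real system.
SAMPLES = {
    "glance-api-paste.ini":
        "[filter:authtoken]\nadmin_token = CONSTRUCTED_TOKEN\n",
    "glance-api.conf":
        "[paste_deploy]\nflavor = keystone\n"
        "[keystone_authtoken]\nadmin_user = glance\n",
    "cinder.conf":
        "[DEFAULT]\nauth_strategy = keystone\n"
        "[keystone_authtoken]\nadmin_tenant_name = service\n"
        "admin_user = cinder\nadmin_password = CONSTRUCTED_PASSWORD\n",
}

def audit_all(files):
    """Audit a mapping of file name to file text, in name order."""
    return [f for name in sorted(files) for f in audit_authtoken(name, files[name])]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(finding)
```

To run it against a live host, read each file under /etc/glance, /etc/nova and /etc/cinder and pass its name and text to `audit_authtoken`.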