Bug 876763 - Update authtoken configuration for Nova, Glance and Cinder
Summary: Update authtoken configuration for Nova, Glance and Cinder
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: doc-Getting_Started_Guide
Version: 2.0 (Folsom)
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: beta
: 2.1
Assignee: Bruce Reeler
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-11-14 22:01 UTC by Alan Pevec
Modified: 2016-04-26 23:25 UTC

Fixed In Version: Red_Hat_OpenStack_Preview-Getting_Started_Guide-2-web-en-US-1.0-13.el6eng
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-24 00:35:40 UTC
Target Upstream Version:
Embargoed:



Description Alan Pevec 2012-11-14 22:01:54 UTC
* authtoken configuration in paste.ini files has been deprecated in Folsom; [keystone_authtoken] in the application's .conf (nova.conf, cinder.conf, glance*.conf) should be used instead

* using admin_token is deprecated since Essex; admin_tenant_name, admin_user and admin_password should be used instead
This requires adding creation of service users for each service in the Keystone chapter; there is an example in 7.2.3. Creating a Quantum service user - which BTW could be improved with some more scripting, see Keystone sample data script https://github.com/openstack/keystone/blob/master/tools/sample_data.sh#L135

Comment 1 Bruce Reeler 2012-12-18 07:18:00 UTC
1.) Item one is (I think) fixed in Chapter 2 "Upgrading from Essex to Folsom Preview", 
1.1) step 6: in /etc/glance:
Copy admin_* from glance*paste.ini [filter:authtoken] to glance*.conf [keystone_authtoken]

1.2) step 7: in /etc/nova:
Copy admin_* from api-paste.ini [filter:authtoken] to nova.conf [keystone_authtoken]

Comment 2 Bruce Reeler 2012-12-19 06:37:08 UTC
1.3) I am not sure about Cinder. The 2nd command in the following, from Chap 5 "Cinder", uses api-paste.ini.  Does this mean it is still (incorrectly) using paste.ini, or is it using the correct new method?
$ sudo openstack-config --set /etc/cinder/cinder.conf DEFAULT auth_strategy keystone
$ sudo openstack-config --set /etc/cinder/api-paste.ini \
  filter:authtoken admin_token $(cat /tmp/ks_admin_token)


2. Item two, admin_token replaced by admin_*.
It is not clear where, or if, this is still applicable. e.g. in Chap 4 Glance, it says: "Run the following commands to update the Glance configuration files for Keystone use:" followed by
$ sudo openstack-config --set /etc/glance/glance-api.conf paste_deploy flavor keystone
$ sudo openstack-config --set /etc/glance/glance-api-paste.ini \
  filter:authtoken admin_token $(cat /tmp/ks_admin_token)
$ sudo openstack-config --set /etc/glance/glance-registry.conf \
  paste_deploy flavor keystone
$ sudo openstack-config --set /etc/glance/glance-registry-paste.ini \
  filter:authtoken admin_token $(cat /tmp/ks_admin_token)

Does this fix the issue?

Comment 3 Alan Pevec 2012-12-19 10:32:45 UTC
(In reply to comment #2)
> 1.3) I am not sure about Cinder. The 2nd command in the following, from Chap
> 5 "Cinder", uses api-paste.ini.  Does this mean it is still (incorrectly)
> using paste.ini, or is it using the correct new method?
> $ sudo openstack-config --set /etc/cinder/cinder.conf DEFAULT auth_strategy
> keystone
> $ sudo openstack-config --set /etc/cinder/api-paste.ini \
>   filter:authtoken admin_token $(cat /tmp/ks_admin_token)

That's doubly incorrect:
- it should use [keystone_authtoken] section in cinder.conf NOT api-paste.ini
- it should set admin_tenant_name, admin_user and admin_password in [keystone_authtoken] NOT admin_token

> 2. Item two, admin_token replaced by admin_*.
> It is not clear where, or if, this is still applicable. e.g. in Chap 4
> Glance, it says: "Run the following commands to update the Glance
> configuration files for Keystone use:" followed by
> $ sudo openstack-config --set /etc/glance/glance-api.conf paste_deploy
> flavor keystone
> $ sudo openstack-config --set /etc/glance/glance-api-paste.ini \
>   filter:authtoken admin_token $(cat /tmp/ks_admin_token)
> $ sudo openstack-config --set /etc/glance/glance-registry.conf \
>   paste_deploy flavor keystone
> $ sudo openstack-config --set /etc/glance/glance-registry-paste.ini \
>   filter:authtoken admin_token $(cat /tmp/ks_admin_token)
> 
> Does this fix the issue?

That's again doubly incorrect:
- it should use [keystone_authtoken] section in glance-{api|registry}.conf NOT glance-{api|registry}-paste.ini
- it should set admin_tenant_name, admin_user and admin_password in [keystone_authtoken] NOT admin_token
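
Added example, not part of the original bug thread or of the guide: a POSIX shell audit for the two problems comment 3 names (auth settings left in the paste.ini [filter:authtoken] section, and admin_token used instead of admin_tenant_name, admin_user and admin_password in [keystone_authtoken]). The function names, finding labels and sample files are assumptions constructed for illustration; the key and section names are the ones quoted in the comments above.

```shell
#!/bin/sh
# ini_keys FILE SECTION: print the key names set in [SECTION], skipping comments.
ini_keys() {
    [ -r "$1" ] || return 0          # a missing file sets no keys
    awk -v want="[$2]" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); insec = ($0 == want); next }
        insec && /=/  { sub(/[ \t]*=.*/, ""); sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# authtoken_audit PASTE_INI CONF: one finding per line; exit status 1 if any finding.
authtoken_audit() {
    rc=0
    # Auth settings still living in the paste.ini [filter:authtoken] section.
    for key in $(ini_keys "$1" filter:authtoken); do
        case $key in admin_token|admin_tenant_name|admin_user|admin_password)
            echo "WRONG_FILE $1 [filter:authtoken] $key"; rc=1 ;;
        esac
    done
    set_keys=" $(ini_keys "$2" keystone_authtoken | tr '\n' ' ')"
    # admin_token carried over into the new section.
    case $set_keys in *" admin_token "*)
        echo "DEPRECATED $2 [keystone_authtoken] admin_token"; rc=1 ;;
    esac
    # Service-user credentials that comment 3 says must be set.
    for key in admin_tenant_name admin_user admin_password; do
        case $set_keys in *" $key "*) ;; *)
            echo "MISSING $2 [keystone_authtoken] $key"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (placeholder values, not taken from the guide):
# first the layout quoted in comment 2, then the layout comment 3 asks for.
demo_dir=$(mktemp -d)
printf '%s\n' '[filter:authtoken]' '# admin_token = ADMIN' \
    'admin_token = PLACEHOLDER_TOKEN' > "$demo_dir/api-paste.ini"
printf '%s\n' '[DEFAULT]' 'auth_strategy = keystone' > "$demo_dir/cinder.conf"
printf '%s\n' '[filter:authtoken]' \
    'paste.filter_factory = keystone.middleware.auth_token:filter_factory' \
    > "$demo_dir/fixed-paste.ini"
printf '%s\n' '[keystone_authtoken]' 'admin_tenant_name = service' \
    'admin_user = cinder' 'admin_password = PLACEHOLDER_PASSWORD' > "$demo_dir/fixed.conf"

authtoken_audit "$demo_dir/api-paste.ini" "$demo_dir/cinder.conf" || echo "old layout: findings above"
authtoken_audit "$demo_dir/fixed-paste.ini" "$demo_dir/fixed.conf" && echo "new layout: clean"
```

Run it once per service against the real pair of files, for example /etc/cinder/api-paste.ini and /etc/cinder/cinder.conf.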

Comment 4 Bruce Reeler 2013-01-25 07:17:43 UTC
Comment 3 part 1:  Fixed in Chapter 9. Cinder (Volume):

replaced
$ sudo openstack-config --set /etc/cinder/api-paste.ini \
  filter:authtoken admin_token $(cat /tmp/ks_admin_token)

with

$ sudo openstack-config --set /etc/cinder/cinder.conf \
  keystone_authtoken admin_tenant_name admin_user admin_password $(cat /tmp/ks_admin_token)


Comment 3 part 2:  Fixed in Chapter 8 Glance (Images):

replaced
$ sudo openstack-config --set /etc/glance/glance-api-paste.ini \
  filter:authtoken admin_token $(cat /tmp/ks_admin_token)
...
$ sudo openstack-config --set /etc/glance/glance-registry-paste.ini \
  filter:authtoken admin_token $(cat /tmp/ks_admin_token)

with

$ sudo openstack-config --set /etc/glance/glance-api.conf \
  keystone_authtoken admin_tenant_name admin_user admin_password $(cat /tmp/ks_admin_token)
...
$ sudo openstack-config --set /etc/glance/glance-registry.conf \
  keystone_authtoken admin_tenant_name admin_user admin_password $(cat /tmp/ks_admin_token)

Comment 5 Stephen Gordon 2013-01-29 22:04:16 UTC
Looking at these it also looks like we're very reliant on the fact that:

a) The user read and followed the directions for configuring Keystone first (reasonable).

b) The file in /tmp they created in that procedure is still around (not so reasonable).

I think it would be preferable to in each procedure where it is required add a step advising the user to retrieve the token from /etc/keystone/keystone.conf.

Unfortunately openstack-config doesn't provide a --get option so it looks like the only way to do this at the moment is manually.

$ grep "admin_token = " /etc/keystone/keystone.conf 
# admin_token = ADMIN
admin_token = 06c09b8b1f874cb88ffa3194ef40adec

Comment 6 Sunil Thaha 2013-02-06 05:11:52 UTC
> $ sudo openstack-config --set /etc/glance/glance-api.conf \
>   keystone_authtoken admin_tenant_name admin_user admin_password $(cat
> /tmp/ks_admin_token)

This wouldn't work as the openstack-config is unable to handle more than one key-value pair, so you would have to split that into two commands, the first one setting the admin_tenant_name and the second one setting the password.

1. $ sudo openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken admin_tenant_name admin_user 

2. $ sudo openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken admin_password $(cat /tmp/ks_admin_token)


NOTE: this applies to all usage of openstack-config

SIDE-NOTE: Maybe this could be fixed in the openstack-config utility itself, by enabling it to handle multiple key-value pairs in the same section of the ini-file

Comment 7 Sunil Thaha 2013-02-07 00:49:15 UTC
These instructions didn't work for me, so I looked at how devstack sets up glance and compared the conf files; this is what I figured out and what works for me. I need someone to test it and correct me if I am going the wrong way.

So, to configure glance-keystone authentication for glance-api, you would have to 

1. set flavor in paste_deploy section of /etc/glance/glance-api.conf to keystone

 sudo openstack-config --set /etc/glance/glance-api.conf \
   paste_deploy flavor keystone

2. set the admin details in keystone_authtoken section of glance-api.conf by

 sudo openstack-config --set /etc/glance/glance-api.conf \
   keystone_authtoken admin_user admin

 sudo openstack-config --set /etc/glance/glance-api.conf \
   keystone_authtoken admin_tenant admin

 sudo openstack-config --set /etc/glance/glance-api.conf \
   keystone_authtoken admin_password secret

3. Repeat the same for glance-registry.conf

#NOTE: admin, the tenant name and the password are the same as those in the documentation, so if you change any of the details, say the tenant name or password, you need to update it accordingly.

Once again, it would be great if someone can confirm that this is the right way to configure before these end up in the documentation.

Comment 8 Bruce Reeler 2013-02-08 05:24:41 UTC
Changed as per comment 7 for both Glance and Cinder.
Clarifying comment 5.

Comment 9 Stephen Gordon 2013-02-20 18:43:02 UTC
Hi Bruce, this change has been modified for ~ 2 weeks, what is its status?

Comment 10 Bruce Reeler 2013-02-21 21:18:49 UTC
Comment 5 extracted to another bug: BZ911459. Setting this one to ON_QA as Sunil's changes as per comment 7 are in built doc already.

Comment 14 Bruce Reeler 2013-07-24 00:35:40 UTC
These instructions were removed from Getting Started Guide and incorporated in Installation and Configuration Guide.

Hence setting this bug to CLOSED : NOT A BUG

