python-keystoneclient

Keystone redux Ubuntu 12.04 B1 'Client' object has no attribute 'service_catalog'

Bug #949904 reported by Kevin Jackson
32
This bug affects 6 people
Affects Status Importance Assigned to Milestone
python-keystoneclient
Fix Released
Low
Dolph Mathews

Bug Description

Installation of OpenStack Essex4 on Ubuntu 12.04 Beta 1
Version: 2012.1~e4-0ubuntu2

export SERVICE_ENDPOINT=http://localhost:35357/v2.0/
export SERVICE_TOKEN=999888777666

keystone user-list
+----------------------------------+---------+----------------+-------+
| id | enabled | email | name |
+----------------------------------+---------+----------------+-------+
| 1cdbc4e96dcf41748ef239fa287395b8 | true | root@localhost | admin |
| 629e3fcd4e944d43ba5becb1bce9609f | true | demo@localhost | demo |
+----------------------------------+---------+----------------+-------+

user-list, service-list, endpoint-list all work fine.

But when doing other commands such as token-get and catalog I get the following

'Client' object has no attribute 'service_catalog'

Related(?): when I then use glance I get not authorized when using the token (e.g. glance -A 999888777666 index) which worked before this keystone change.

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
milestone: none → essex-rc1
status: New → Confirmed
Revision history for this message
Alan Pevec (apevec) wrote :

WRT last question: is glance configured to use keystone auth i.e.have in /etc/glance/glance*.conf
[paste_deploy]
flavor = keystone

and in /etc/glance/glance*paste.ini
[filter:authtoken]
...
admin_token = 999888777666

Revision history for this message
Kevin Jackson (kevin-linuxservices) wrote :

glance*.conf has paste_deploy in and the paste file has the correct token and service references.

I've just done the api as a paste, but registry is similarly setup: http://paste.openstack.org/show/7802/

Revision history for this message
Kevin Jackson (kevin-linuxservices) wrote :

Other snippets:
I've stopped keystone (stop keystone) then ran keystone-all to get a non-daemon debug view.

The details are here http://paste.openstack.org/show/7804/

Revision history for this message
Kevin Jackson (kevin-linuxservices) wrote :

As a comparison I've done a call that works (keystone user-list) to see what that looks like. This is in http://paste.openstack.org/show/7823/

What I've seen is a subtle difference:

In 7804 note arg_dict: with the token (and this fails)

(root): 2012-03-09 14:20:44,806 DEBUG wsgi __call__ arg_dict: {'token_id': u'999888777666'}
(root): 2012-03-09 14:20:44,808 WARNING wsgi __call__ Could not find token: 999888777666
(root): 2012-03-09 14:20:44,808 DEBUG wsgi __call__ ******************** RESPONSE HEADERS ********************
(root): 2012-03-09 14:20:44,808 DEBUG wsgi __call__ Content-Type = application/json
(root): 2012-03-09 14:20:44,808 DEBUG wsgi __call__ Vary = X-Auth-Token
(root): 2012-03-09 14:20:44,808 DEBUG wsgi __call__ Content-Length = 95
(root): 2012-03-09 14:20:44,808 DEBUG wsgi __call__
(root): 2012-03-09 14:20:44,809 DEBUG wsgi print_generator ******************** RESPONSE BODY ********************
(root): 2012-03-09 14:20:44,809 DEBUG wsgi print_generator {"error": {"message": "Could not find token: 999888777666", "code": 404, "title": "Not Found"}}

(eventlet.wsgi.server): 2012-03-09 14:20:44,809 DEBUG wsgi write 172.15.0.2 - - [09/Mar/2012 14:20:44] "GET /v2.0/tokens/999888777666 HTTP/1.1" 404 249 0.006314

where as 7823 which works doesn't pass the token to arg_dict

(root): 2012-03-09 15:01:00,606 DEBUG wsgi __call__ arg_dict: {}
(root): 2012-03-09 15:01:00,624 DEBUG wsgi __call__ ******************** RESPONSE HEADERS ********************
(root): 2012-03-09 15:01:00,624 DEBUG wsgi __call__ Content-Type = application/json
(root): 2012-03-09 15:01:00,624 DEBUG wsgi __call__ Vary = X-Auth-Token
(root): 2012-03-09 15:01:00,624 DEBUG wsgi __call__ Content-Length = 478
(root): 2012-03-09 15:01:00,624 DEBUG wsgi __call__
(root): 2012-03-09 15:01:00,625 DEBUG wsgi print_generator ******************** RESPONSE BODY ********************
... snip ...

(eventlet.wsgi.server): 2012-03-09 15:01:00,625 DEBUG wsgi write 172.15.0.2 - - [09/Mar/2012 15:01:00] "GET /v2.0//users?fresh=1331305260.58 HTTP/1.1" 200 626 0.035609

Revision history for this message
Adam Gandelman (gandelman-a) wrote :

Kevin-

As I mentioned on the mailing list, it still looks like you're mixing your keystone admin environment with the client environment. Any OS_* user credentials or credentials passed as arguments to keystone client are disregarded with SERVICE_ENDPOINT and SERVICE_TOKEN set in the environment. See: http://paste.ubuntu.com/876375/

Regarding glance, you now need to configure a service tenant and credentials for glance in keystone and in glance's paste configs (same is true for nova and swift). Please see the devstack keystone_data.sh script

Revision history for this message
Kevin Jackson (kevin-linuxservices) wrote :

Hi Adam,
I had 2 issues - but mainly that I didn't realise that I had SERVICE_ENDPOINT and SERVICE_TOKEN set when trying the auth method - user error. Bit misleading though that - its not mentioned anywhere that this is overriding, but in hindsight it has to make sense.

The other was that I had my endpoints in my database for swift and nova with URLS like AUTH_%tenant_id%... it broke on the %t parsing.

I have a "more working" set up now (just need to clarify a few things). It probably explains Glance couldn't be found too.

I reckon this might be user misunderstanding (and that's me being kind to myself!).
Let me check this again on Monday and I'll update any scripts, docs I've done and then look at closing this off.

Cheers! I will be keeping a tally of people I owe a beer to.

Kev

Revision history for this message
Joseph Heck (heckj) wrote :

Marking this bug as invalid since it seems that Kevin has found a configuration solution

Changed in keystone:
status: Confirmed → Invalid
milestone: essex-rc1 → none
Revision history for this message
Kevin Jackson (kevin-linuxservices) wrote :

I'd argue that this is a bug still - admittedly not one that requires a fix in time for Essex.

"Any OS_* user credentials or credentials passed as arguments to keystone client are disregarded with SERVICE_ENDPOINT and SERVICE_TOKEN set in the environment. See: http://paste.ubuntu.com/876375/"

Environment variables shouldn't override the command line when the command line options are in context with what the user wants to achieve. This is a user interface issue.

Thierry Carrez (ttx)
Changed in keystone:
importance: Medium → Low
status: Invalid → Confirmed
Dolph Mathews (dolph)
Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
Alan Pevec (apevec)
Changed in keystone:
status: Confirmed → Fix Committed
affects: keystone → python-keystoneclient
Revision history for this message
Alan Pevec (apevec) wrote :

https://github.com/openstack/python-keystoneclient/commit/b94c6c063ef802abd42678b7a1725102762a5acb

Revision history for this message
Dolph Mathews (dolph) wrote :

Thanks Alan (I'm not sure why this bug wasn't automatically updated?)

Revision history for this message
Dolph Mathews (dolph) wrote :

Ah, wrong project -- disregard! Thanks again.

Dolph Mathews (dolph)
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.