3.9. Validate the Identity Service Installation
Verify that an Identity service installation is functioning correctly. All steps in this procedure must be performed on the Identity server or on another server in the environment. The logged-in user must have access to
keystonerc_admin
and keystonerc_user
files containing the environment variables required to authenticate as the administrative user and a regular user respectively. Also, the system must have the following already installed: httpd, mod_wsgi, and mod_ssl (for security purposes).
Procedure 3.13. Validating the Identity Service Installation
- Set up the shell to access keystone as the adminstrative user:
#
source ~/keystonerc_admin
- List the users defined in the system:
[(keystone_admin)]#
keystone user-list
+----------------------------------+--------+---------+------------------+ | id | name | enabled | email | +----------------------------------+--------+---------+------------------+ | 94d659c3c9534095aba5f8475c87091a | admin | True | | | b8275d7494dd4c9cb3f69967a11f9765 | USER | True | | +----------------------------------+--------+---------+------------------+The list of users defined in the system is displayed. If the list is not displayed, there is an issue with the installation.- If the message returned indicates a permissions or authorization issue, check that the administrative user account, tenant, and role were created properly. Also ensure that the three objects are linked correctly.
Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)
- If the message returned indicates a connectivity issue, verify that the
openstack-keystone
service is running and that the firewall service is configured to allow connections on ports5000
and35357
.Authorization Failed: [Errno 111] Connection refused
- Set up the shell to access keystone as the regular Identity service user:
#
source ~/keystonerc_user
- Attempt to list the users defined in the system:
[(keystone_user)]#
keystone user-list
Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)An error message is displayed indicating that the user isNot Authorized
to run the command. If the error message is not displayed, but the user list appears instead, then the regular user account was incorrectly attached to theadmin
role. - Verify that the regular user account is able to run commands that it is authorized to access:
[(keystone_user)]#
keystone token-get
+-----------+----------------------------------+ | Property | Value | +-----------+----------------------------------+ | expires | 2013-05-07T13:00:24Z | | id | 5f6e089b24d94b198c877c58229f2067 | | tenant_id | f7e8628768f2437587651ab959fbe239 | | user_id | 8109f0e3deaf46d5990674443dcf7db7 | +-----------+----------------------------------+
3.9.1. Troubleshoot Identity Client (keystone) Connectivity Problems
When the Identity client (
keystone
) is unable to contact the Identity service, it returns an error:
Unable to communicate with identity service: [Errno 113] No route to host. (HTTP 400)
To debug the issue, check for these common causes:
- Identity service is down
- On the system hosting the Identity service, check the service status:
#
openstack-status | grep keystone
openstack-keystone: activeIf the service is not running, log in as theroot
user and start it.#
service openstack-keystone start
- Firewall is not configured properly
- The firewall might not be configured to allow TCP traffic on ports
5000
and35357
. See Section 3.3.4, “Configure the Firewall to Allow Identity Service Traffic” for instructions on how to correct this. - Service Endpoints not defined correctly
- On the server hosting the Identity service, check that the endpoints are defined correctly.
Procedure 3.14. Verifying Identity Service Endpoints
- Obtain the administration token:
#
grep admin_token /etc/keystone/keystone.conf
admin_token = 0292d404a88c4f269383ff28a3839ab4 - Unset any pre-defined Identity service-related environment variables:
#
unset OS_USERNAME OS_TENANT_NAME OS_PASSWORD OS_AUTH_URL
- Use the administration token and endpoint to authenticate with the Identity service. Confirm that the Identity service endpoint is correct:
#
keystone --os-token TOKEN \
--os-endpoint ENDPOINT \
endpoint-list
Replace TOKEN with the ID of the administration token. Replace ENDPOINT with the endpoint for the administration endpoint: http://IP:35357/v2.0.Verify that the listedpublicurl
,internalurl
, andadminurl
for the Identity service are correct. In particular, ensure that the IP addresses and port numbers listed within each endpoint are correct and reachable over the network. - If these values are incorrect, see Section 3.6, “Create the Identity Service Endpoint” for information on adding the correct endpoint. Once the correct endpoints have been added, remove any incorrect endpoints:
#
keystone --os-token=TOKEN \
--os-endpoint=ENDPOINT \
endpoint-delete ID
Replace TOKEN and ENDPOINT with the values identified previously. Replace ID with the identity of the endpoint to remove as listed by theendpoint-list
action.