主页
产品
Red Hat OpenStack Platform
8
Installation Reference
3.9. Validate the Identity Service Installation

此内容没有您所选择的语言版本。

3.9. Validate the Identity Service Installation

Verify that an Identity service installation is functioning correctly. All steps in this procedure must be performed on the Identity server or on another server in the environment. The logged-in user must have access to keystonerc_admin and keystonerc_user files containing the environment variables required to authenticate as the administrative user and a regular user respectively. Also, the system must have the following already installed: httpd, mod_wsgi, and mod_ssl (for security purposes).

Procedure 3.13. Validating the Identity Service Installation

Set up the shell to access keystone as the adminstrative user:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
source ~/keystonerc_admin
```
```
# source ~/keystonerc_admin
```

List the users defined in the system:

Copy to Clipboard Toggle word wrap

[(keystone_admin)]# keystone user-list
+----------------------------------+--------+---------+------------------+
|                id                |  name  | enabled |      email       |
+----------------------------------+--------+---------+------------------+
| 94d659c3c9534095aba5f8475c87091a | admin  |   True  |                  |
| b8275d7494dd4c9cb3f69967a11f9765 |  USER  |   True  |                  |
+----------------------------------+--------+---------+------------------+

[(keystone_admin)]# keystone user-list
+----------------------------------+--------+---------+------------------+
|                id                |  name  | enabled |      email       |
+----------------------------------+--------+---------+------------------+
| 94d659c3c9534095aba5f8475c87091a | admin  |   True  |                  |
| b8275d7494dd4c9cb3f69967a11f9765 |  USER  |   True  |                  |
+----------------------------------+--------+---------+------------------+

The list of users defined in the system is displayed. If the list is not displayed, there is an issue with the installation.

If the message returned indicates a permissions or authorization issue, check that the administrative user account, tenant, and role were created properly. Also ensure that the three objects are linked correctly.

Copy to Clipboard Toggle word wrap

Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)

Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)

If the message returned indicates a connectivity issue, verify that the openstack-keystone service is running and that the firewall service is configured to allow connections on ports 5000 and 35357.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
Authorization Failed: [Errno 111] Connection refused
```
```
Authorization Failed: [Errno 111] Connection refused
```

Set up the shell to access keystone as the regular Identity service user:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
source ~/keystonerc_user
```
```
# source ~/keystonerc_user
```

Attempt to list the users defined in the system:

Copy to Clipboard Toggle word wrap

[(keystone_user)]# keystone user-list
Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)

[(keystone_user)]# keystone user-list
Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)

An error message is displayed indicating that the user is Not Authorized to run the command. If the error message is not displayed, but the user list appears instead, then the regular user account was incorrectly attached to the admin role.

Verify that the regular user account is able to run commands that it is authorized to access:

Copy to Clipboard Toggle word wrap

[(keystone_user)]# keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2013-05-07T13:00:24Z       |
|     id    | 5f6e089b24d94b198c877c58229f2067 |
| tenant_id | f7e8628768f2437587651ab959fbe239 |
|  user_id  | 8109f0e3deaf46d5990674443dcf7db7 |
+-----------+----------------------------------+

[(keystone_user)]# keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2013-05-07T13:00:24Z       |
|     id    | 5f6e089b24d94b198c877c58229f2067 |
| tenant_id | f7e8628768f2437587651ab959fbe239 |
|  user_id  | 8109f0e3deaf46d5990674443dcf7db7 |
+-----------+----------------------------------+

3.9.1. Troubleshoot Identity Client (keystone) Connectivity Problems

When the Identity client (keystone) is unable to contact the Identity service, it returns an error:

Copy to Clipboard Toggle word wrap

Unable to communicate with identity service: [Errno 113] No route to host. (HTTP 400)

Unable to communicate with identity service: [Errno 113] No route to host. (HTTP 400)

To debug the issue, check for these common causes:

Identity service is down

On the system hosting the Identity service, check the service status:

Copy to Clipboard Toggle word wrap

openstack-status | grep keystone

# openstack-status | grep keystone
openstack-keystone:                     active

If the service is not running, log in as the root user and start it.

Copy to Clipboard Toggle word wrap

service openstack-keystone start

# service openstack-keystone start

Firewall is not configured properly

The firewall might not be configured to allow TCP traffic on ports 5000 and 35357. See Section 3.3.4, “Configure the Firewall to Allow Identity Service Traffic” for instructions on how to correct this.

Service Endpoints not defined correctly

On the server hosting the Identity service, check that the endpoints are defined correctly.

Procedure 3.14. Verifying Identity Service Endpoints

Obtain the administration token:

Copy to Clipboard Toggle word wrap

grep admin_token /etc/keystone/keystone.conf

# grep admin_token /etc/keystone/keystone.conf
admin_token = 0292d404a88c4f269383ff28a3839ab4

Unset any pre-defined Identity service-related environment variables:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
unset OS_USERNAME OS_TENANT_NAME OS_PASSWORD OS_AUTH_URL
```
```
# unset OS_USERNAME OS_TENANT_NAME OS_PASSWORD OS_AUTH_URL
```
Use the administration token and endpoint to authenticate with the Identity service. Confirm that the Identity service endpoint is correct:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
keystone --os-token TOKEN \
   --os-endpoint ENDPOINT \
   endpoint-list
```
```
# keystone --os-token TOKEN \
   --os-endpoint ENDPOINT \
   endpoint-list
```
Replace TOKEN with the ID of the administration token. Replace ENDPOINT with the endpoint for the administration endpoint: http://IP:35357/v2.0.
Verify that the listed publicurl, internalurl, and adminurl for the Identity service are correct. In particular, ensure that the IP addresses and port numbers listed within each endpoint are correct and reachable over the network.
If these values are incorrect, see Section 3.6, “Create the Identity Service Endpoint” for information on adding the correct endpoint. Once the correct endpoints have been added, remove any incorrect endpoints:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
keystone --os-token=TOKEN \
   --os-endpoint=ENDPOINT \
   endpoint-delete ID
```
```
# keystone --os-token=TOKEN \
   --os-endpoint=ENDPOINT \
   endpoint-delete ID
```
Replace TOKEN and ENDPOINT with the values identified previously. Replace ID with the identity of the endpoint to remove as listed by the endpoint-list action.

返回顶部

此内容没有您所选择的语言版本。

3.9. Validate the Identity Service Installation

3.9.1. Troubleshoot Identity Client (keystone) Connectivity Problems

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links