Never mind. I solved this by myself. I had to add `auth_version=v3.0` in [keystone_authtoken] section of glance-api.conf and glance-registry.conf, and then restart these services.
Following bug report and commit log helped me to figure it out: - Documentation Configuring Glance API to use Keystone without auth_version https://bugs.launchpad.net/glance/+bug/1323646 - Glance auth_version needs to be in conf by default https://github.com/stackforge/cookbook-openstack-image/commit/31ba27ccd04250f046e9a4ec45e3433308977410 Thanks, On Fri, Nov 21, 2014 at 12:14 PM, Tatsuya Kawano <[email protected]> wrote: > Hi, > > I'm using Icehouse and enabled Keystone v3 multi-domain feature in > Horizon and Nova. I created a non-default Keystone domain and added > projects and users in it. However, if a user (in the non-default > domain) tries to list/create VM image or launch VM instance in > Horizon, it gets unauthorized error from Glance. > > /var/log/glance/api.log > ---------- > 2014-11-20 19:02:45.112 26969 DEBUG urllib3.connectionpool [-] "GET > /v2.0/tokens/e8dde073ce429da4ae5fc3c2d2506753 HTTP/1.1" 401 114 > _make_request /usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295 > > 2014-11-20 19:02:45.113 26969 INFO > keystoneclient.middleware.auth_token [-] Keystone rejected admin > token, resetting > > 2014-11-20 19:02:45.113 26969 WARNING > keystoneclient.middleware.auth_token [-] Invalid user token. Keystone > response: {u'error': {u'message': u'The request you have made requires > authentication.', u'code': 401, u'title': u'Unauthorized'}} > > 2014-11-20 19:02:45.113 26969 DEBUG > keystoneclient.middleware.auth_token [-] Token validation failure. > _validate_user_token > /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:943 > ---------- > > I checked Glance source codes (glance/common/auth.py), and it seems > Glance only supports Keystone v1 and v2 APIs. So if the user is using > Keystone v3 auth token, Glance can't validate the auth token with > Keystone. > > Am I correct? If so, does anybody has a patch to enable Keystone v3 > API support in Glance? > > Thanks, > Tatsuya Kawano (Mr.) _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
