On 11/07/2015 01:08 PM, Reza Bakhshayeshi wrote:
Thanks all, especially Rahul,
I solved the problem temporarily by disabling SELinux.

What did you have for an AVC? It sounds like the issue was the Keystone WSGI process reading the keys file? Can you post the relevant sections from the audit log?


On 3 November 2015 at 07:43, 张家龙 <zhan...@awcloud.com> wrote:

    Maybe you should do as follows:

        chown -R keystone:keystone /etc/keystone

    Then, restart the keystone service:

        systemctl restart openstack-keystone





    ------------------
    Best Regards
    ZhangJialong
    ------------------ Original ------------------
    *From: * "Adam Young" <ayo...@redhat.com>;
    *Date: * Tue, Nov 3, 2015 11:01 AM
    *To: * "openstack" <openstack@lists.openstack.org>;
    *Subject: * Re: [Openstack] Keystone Fernet Token
    On 10/28/2015 02:23 PM, Reza Bakhshayeshi wrote:
    Hi all,

    I'm going to use Fernet tokens on OpenStack Kilo (only the Keystone
    service is installed).
    I've configured keystone.conf like:

    [token]
    provider = keystone.token.providers.fernet.Provider

    When I run:
    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

    the keys are created successfully in the /etc/keystone/fernet-keys directory.
    But when I try to create a token I receive the following
    error; here is the complete log:

    2015-10-28 21:22:14.680 65218 INFO keystone.common.wsgi [-] GET /?
    2015-10-28 23:50:25.343 9377 INFO keystone.token.providers.fernet.utils [-] [fernet_tokens] key_repository does not appear to exist; attempting to create it
    2015-10-28 23:50:25.344 9377 INFO keystone.token.providers.fernet.utils [-] Created a new key: /etc/keystone/fernet-keys/0
    2015-10-28 23:50:25.344 9377 INFO keystone.token.providers.fernet.utils [-] Starting key rotation with 1 key files: ['/etc/keystone/fernet-keys/0']
    2015-10-28 23:50:25.344 9377 INFO keystone.token.providers.fernet.utils [-] Current primary key is: 0
    2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils [-] Next primary key will be: 1
    2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils [-] Promoted key 0 to be the primary: 1
    2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils [-] Created a new key: /etc/keystone/fernet-keys/0
    2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils [-] Excess keys to purge: []
    2015-10-28 23:50:52.632 8059 INFO keystone.common.wsgi [-] POST /tokens?
    2015-10-28 23:50:52.889 8059 ERROR keystone.token.providers.fernet.utils [-] Either [fernet_tokens] key_repository does not exist or Keystone does not have sufficient permission to access it: /etc/keystone/fernet-keys/
    2015-10-28 23:50:52.890 8059 WARNING keystone.common.wsgi [-] No encryption keys found; run keystone-manage fernet_setup to bootstrap one.

    while the permissions seem to be correct:

    # ls -lah /etc/keystone/
    total 104K
    drwxr-x---.   3 root     keystone 4.0K Oct 28 23:50 .
    drwxr-xr-x. 143 root     root      12K Oct 28 12:56 ..
    -rw-r-----.   1 root     keystone 1.5K Jul 29 00:21 default_catalog.templates
    drwx------.   2 keystone keystone 4.0K Oct 28 23:50 fernet-keys
    -rw-r-----.   1 root     keystone  57K Oct 28 23:48 keystone.conf
    -rw-r-----.   1 root     keystone 1.1K Jul 29 00:21 logging.conf
    -rw-r-----.   1 keystone keystone 8.6K Jul 29 00:21 policy.json
    -rw-r-----.   1 keystone keystone  665 Jul 29 00:21 sso_callback_template.html

    What am I missing?

    No idea. When I get into these situations, I use rpdb:

    http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/


    Is there anything in /etc/keystone/fernet-keys ?





    _______________________________________________
    Mailing list:http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
    Post to     :openstack@lists.openstack.org 
<mailto:openstack@lists.openstack.org>
    Unsubscribe :http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


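The AVC records asked for at the top of this message can be pulled out of the audit log by filtering denials that target the Fernet key repository. The following is an added example, not part of the thread and not Keystone code; the sample audit lines are constructed, and the process name and SELinux types in them are assumptions.

```python
import re
# Constructed audit.log lines, not taken from the thread. PIDs, inodes and the
# SELinux types (keystone_t, etc_t, httpd_t) are illustrative assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1446076252.889:412): avc:  denied  { read } for  pid=8059 comm="keystone-all" name="fernet-keys" dev="dm-0" ino=1443 scontext=system_u:system_r:keystone_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1446076252.889:412): arch=c000003e syscall=257 success=no exit=-13 comm="keystone-all"
type=AVC msg=audit(1446076300.120:420): avc:  denied  { name_connect } for  pid=2211 comm="nginx" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1446076310.004:431): avc:  denied  { read open } for  pid=8059 comm="keystone-all" path="/etc/keystone/fernet-keys/0" dev="dm-0" ino=1444 scontext=system_u:system_r:keystone_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict, or return None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec.update(result=m["result"], perms=m["perms"].split(), event=f'{m["ts"]}:{m["serial"]}')
    return rec

def key_repo_denials(log_text, key_dir="/etc/keystone/fernet-keys"):
    """Return denied AVC records that target the key repository or a file in it."""
    key_dir = key_dir.rstrip("/")
    leaf = key_dir.rsplit("/", 1)[-1]
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        # AVC records carry either a full path= or only the last component in name=.
        path, name = rec.get("path", ""), rec.get("name", "")
        if path == key_dir or path.startswith(key_dir + "/") or name == leaf:
            hits.append(rec)
    return hits

def summarize(rec):
    """One line per denial: which source type was refused what on which target type."""
    src, tgt = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))  # user:role:type:level
    target = rec.get("path") or rec.get("name")
    return (f'{rec["event"]} comm={rec["comm"]} {src} denied '
            f'{",".join(rec["perms"])} on {rec["tclass"]} {target} ({tgt})')

if __name__ == "__main__":
    for r in key_repo_denials(SAMPLE_AUDIT_LOG):
        print(summarize(r))
```

A denial that names only a key file (for example `name="0"`) is not matched by this filter, so the inode or the neighbouring records of the same audit event need to be checked as well.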