3.11. Validate the Identity Service Installation

Follow the steps outlined in this procedure to verify that an Identity service installation is functioning correctly. These steps must be performed while logged in to either the Identity server or another system.
The logged-in user must have access to the keystonerc_admin and keystonerc_user files, which contain the environment variables required to authenticate as the administrator user and a regular user, respectively.

Procedure 3.13. Validating the Identity Service installation

  1. Run the source command on the file containing the environment variables used to identify the Identity service administrator.
    # source ~/keystonerc_admin
  2. Run the keystone user-list command to authenticate with the Identity service and list the users defined in the system.
    # keystone user-list
    +----------------------------------+--------+---------+------------------+
    |                id                |  name  | enabled |      email       |
    +----------------------------------+--------+---------+------------------+
    | 94d659c3c9534095aba5f8475c87091a | admin  |   True  |                  |
    | b8275d7494dd4c9cb3f69967a11f9765 |  USER  |   True  |                  |
    +----------------------------------+--------+---------+------------------+
    The list of users defined in the system is displayed. If the list is not displayed then there is an issue with the installation.
    1. If the message returned indicates a permissions or authorization issue then check that the administrator user account, tenant, and role were created properly. Also ensure that the three objects are linked correctly.
      Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)
    2. If the message returned indicates a connectivity issue then verify that the openstack-keystone service is running and that the firewall service is configured to allow connections on ports 5000 and 35357.
      Authorization Failed: [Errno 111] Connection refused
  3. Run the source command on the file containing the environment variables used to identify the regular Identity service user.
    # source ~/keystonerc_user
  4. Run the keystone user-list command again, this time authenticating with the Identity service as the regular user, to attempt to list the users defined in the system.
    # keystone user-list
    Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)
    An error message is displayed indicating that the user is Not Authorized to run the command. If the error message is not displayed but instead the user list appears then the regular user account was incorrectly attached to the admin role.
  5. Run the keystone token-get command to verify that the regular user account is able to run commands that it is authorized to access.
    # keystone token-get
    +-----------+----------------------------------+
    |  Property |              Value               |
    +-----------+----------------------------------+
    |  expires  |       2013-05-07T13:00:24Z       |
    |     id    | 5f6e089b24d94b198c877c58229f2067 |
    | tenant_id | f7e8628768f2437587651ab959fbe239 |
    |  user_id  | 8109f0e3deaf46d5990674443dcf7db7 |
    +-----------+----------------------------------+
The Identity service is installed and functioning correctly.
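
The following script is an added example, not part of the original guide. It interprets captured keystone user-list output the way steps 2 and 4 describe, including the case where a regular user unexpectedly receives the user list. The function names are hypothetical and the sample strings are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original guide): interpret keystone client
# output for the checks in Procedure 3.13. Function names are hypothetical.

# classify_output TEXT -> user_list | not_authorized | connectivity | unknown
classify_output() {
    case "$1" in
        *admin_required*|*"(HTTP 403)"*)
            echo not_authorized; return ;;
        *"Connection refused"*|*"No route to host"*)
            echo connectivity; return ;;
    esac
    # A user table row carries a 32-character hexadecimal id in column one.
    if printf '%s\n' "$1" | grep -Eq '^ *\| [0-9a-f]{32} \|'; then
        echo user_list
    else
        echo unknown
    fi
}

# evaluate ROLE TEXT, where ROLE is "admin" or "user".
evaluate() {
    case "$1:$(classify_output "$2")" in
        admin:user_list)      echo "PASS: administrator can list users" ;;
        user:not_authorized)  echo "PASS: regular user is denied user-list" ;;
        user:user_list)       echo "FAIL: regular user is attached to the admin role" ;;
        admin:not_authorized) echo "FAIL: check admin user, tenant and role linkage" ;;
        *:connectivity)       echo "FAIL: check openstack-keystone and ports 5000/35357" ;;
        *)                    echo "FAIL: unrecognized output" ;;
    esac
}

# Constructed sample inputs, modelled on the output shown in the procedure.
SAMPLE_LIST='| 94d659c3c9534095aba5f8475c87091a | admin  |   True  |                  |'
SAMPLE_403='Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)'
SAMPLE_REFUSED='Authorization Failed: [Errno 111] Connection refused'

evaluate admin "$SAMPLE_LIST"
evaluate user  "$SAMPLE_403"
evaluate user  "$SAMPLE_LIST"
evaluate admin "$SAMPLE_REFUSED"
```

To apply it to a live deployment, source the relevant keystonerc file and pass the captured client output, for example evaluate user "$(keystone user-list 2>&1)".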

3.11.1. Troubleshoot Identity Client (keystone) Connectivity Problems

When the Identity client (keystone) is unable to contact the Identity service it returns an error:
    Unable to communicate with identity service: [Errno 113] No route to host. (HTTP 400)
To debug the issue check for these common causes:

Identity service is down
    On the system hosting the Identity service check the service status:
      # openstack-status | grep keystone
      openstack-keystone:                     active
    If the service is not running then log in as the root user and start it.
      # service openstack-keystone start
Firewall is not configured properly
    The firewall might not be configured to allow TCP traffic on ports 5000 and 35357. If so, refer to Section 3.5.4, “Configure the Firewall to Allow Identity Service Traffic” for instructions on how to correct this.
Service Endpoints not defined correctly
    On the system hosting the Identity service check that the endpoints are defined correctly.

Procedure 3.14. Verifying Identity Service endpoints

  1. Obtain the administration token:
    $ grep admin_token /etc/keystone/keystone.conf
    admin_token = 0292d404a88c4f269383ff28a3839ab4
  2. Determine the correct administration endpoint for the Identity service:
    http://IP:35357/VERSION
    Replace IP with the IP address or host name of the system hosting the Identity service. Replace VERSION with the API version (v2.0 or v3) that is in use.
  3. Unset any pre-defined Identity service related environment variables:
    $ unset OS_USERNAME OS_TENANT_NAME OS_PASSWORD OS_AUTH_URL
  4. Use the administration token and endpoint to authenticate with the Identity service. Confirm that the Identity service endpoint is correct:
    $ keystone --os-token=TOKEN \
                --os-endpoint=ENDPOINT \
                endpoint-list
    Verify that the listed publicurl, internalurl, and adminurl for the Identity service are correct. In particular ensure that the IP addresses and port numbers listed within each endpoint are correct and reachable over the network.
    If these values are incorrect then refer to Section 3.7, “Create the Identity Service Endpoint” for information on adding the correct endpoint. Once the correct endpoints have been added, remove any incorrect endpoints using the endpoint-delete action of the keystone command.
    $ keystone --os-token=TOKEN \
                --os-endpoint=ENDPOINT \
                endpoint-delete ID
    Replace TOKEN and ENDPOINT with the values identified previously. Replace ID with the identity of the endpoint to remove as listed by the endpoint-list action.