3.9. Validate the Identity Service Installation

Verify that an Identity service installation is functioning correctly. All steps in this procedure must be performed on the Identity server or on another server in the environment. The logged-in user must have access to keystonerc_admin and keystonerc_user files containing the environment variables required to authenticate as the administrative user and a regular user respectively. Also, the system must have the following already installed: httpd, mod_wsgi, and mod_ssl (for security purposes).

Procedure 3.13. Validating the Identity Service Installation

  1. Set up the shell to access keystone as the adminstrative user: 
    # source ~/keystonerc_admin
  2. List the users defined in the system: 
    [(keystone_admin)]# keystone user-list
+----------------------------------+--------+---------+------------------+
|                id                |  name  | enabled |      email       |
+----------------------------------+--------+---------+------------------+
| 94d659c3c9534095aba5f8475c87091a | admin  |   True  |                  |
| b8275d7494dd4c9cb3f69967a11f9765 |  USER  |   True  |                  |
+----------------------------------+--------+---------+------------------+
    The list of users defined in the system is displayed. If the list is not displayed, there is an issue with the installation.
    1. If the message returned indicates a permissions or authorization issue, check that the administrative user account, tenant, and role were created properly. Also ensure that the three objects are linked correctly. 
      Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)
    2. If the message returned indicates a connectivity issue, verify that the openstack-keystone service is running and that the firewall service is configured to allow connections on ports 5000 and 35357. 
      Authorization Failed: [Errno 111] Connection refused
  3. Set up the shell to access keystone as the regular Identity service user: 
    # source ~/keystonerc_user
  4. Attempt to list the users defined in the system: 
    [(keystone_user)]# keystone user-list
Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)
    An error message is displayed indicating that the user is Not Authorized to run the command. If the error message is not displayed, but the user list appears instead, then the regular user account was incorrectly attached to the admin role.
  5. Verify that the regular user account is able to run commands that it is authorized to access: 
    [(keystone_user)]# keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2013-05-07T13:00:24Z       |
|     id    | 5f6e089b24d94b198c877c58229f2067 |
| tenant_id | f7e8628768f2437587651ab959fbe239 |
|  user_id  | 8109f0e3deaf46d5990674443dcf7db7 |
+-----------+----------------------------------+

3.9.1. Troubleshoot Identity Client (keystone) Connectivity Problems

When the Identity client (keystone) is unable to contact the Identity service, it returns an error: 
Unable to communicate with identity service: [Errno 113] No route to host. (HTTP 400)
To debug the issue, check for these common causes:
Identity service is down
On the system hosting the Identity service, check the service status: 
# openstack-status | grep keystone
openstack-keystone:                     active
If the service is not running, log in as the root user and start it. 
# service openstack-keystone start
Firewall is not configured properly
The firewall might not be configured to allow TCP traffic on ports 5000 and 35357. See Section 3.3.4, “Configure the Firewall to Allow Identity Service Traffic” for instructions on how to correct this.
Service Endpoints not defined correctly
On the server hosting the Identity service, check that the endpoints are defined correctly.

Procedure 3.14. Verifying Identity Service Endpoints

  1. Obtain the administration token: 
    # grep admin_token /etc/keystone/keystone.conf
admin_token = 0292d404a88c4f269383ff28a3839ab4
  2. Unset any pre-defined Identity service-related environment variables: 
    # unset OS_USERNAME OS_TENANT_NAME OS_PASSWORD OS_AUTH_URL
  3. Use the administration token and endpoint to authenticate with the Identity service. Confirm that the Identity service endpoint is correct: 
    # keystone --os-token TOKEN \
   --os-endpoint ENDPOINT \
   endpoint-list
    Replace TOKEN with the ID of the administration token. Replace ENDPOINT with the endpoint for the administration endpoint: http://IP:35357/v2.0.
    Verify that the listed publicurl, internalurl, and adminurl for the Identity service are correct. In particular, ensure that the IP addresses and port numbers listed within each endpoint are correct and reachable over the network.
  4. If these values are incorrect, see Section 3.6, “Create the Identity Service Endpoint” for information on adding the correct endpoint. Once the correct endpoints have been added, remove any incorrect endpoints: 
    # keystone --os-token=TOKEN \
   --os-endpoint=ENDPOINT \
   endpoint-delete ID
    Replace TOKEN and ENDPOINT with the values identified previously. Replace ID with the identity of the endpoint to remove as listed by the endpoint-list action.