Red Hat Training

A Red Hat training course is available for Red Hat OpenStack Platform

3.8. Validate the Identity Service Installation

Verify that an Identity service installation is functioning correctly. All steps in this procedure must be performed on the Identity server or on another server in the environment. The logged-in user must have access to keystonerc_admin and keystonerc_user files containing the environment variables required to authenticate as the administrative user and a regular user respectively. Also, the system must have the following already installed: httpd, mod_wsgi, and mod_ssl (for security purposes).

Procedure 3.12. Validating the Identity Service Installation

  1. Set up the shell to access keystone as the adminstrative user:
    # source ~/keystonerc_admin
  2. List the users defined in the system:
    [(keystone_admin)]# openstack user list
    | ID                               | Name  |
    | 23c56d02d3bc4b88b034e0b3720fcd1b | admin |
    | 246b1342a8684bf39d7cc5165ef835d4 | USER  |
    The list of users defined in the system is displayed. If the list is not displayed, there is an issue with the installation.
    1. If the message returned indicates a permissions or authorization issue, check that the administrative user account, tenant, and role were created properly. Also ensure that the three objects are linked correctly.
    2. If the message returned indicates a connectivity issue (Connection refused), verify that the openstack-keystone service is running and that the firewall service is configured to allow connections on ports 5000 and 35357.
  3. Set up the shell to access keystone as the regular Identity service user:
    # source ~/keystonerc_user
  4. Attempt to list the users defined in the system:
    [(keystone_user)]# openstack user list
    You are not authorized to perform the requested action: admin_required (HTTP 403) (Request-ID: req-1cfd3869-ac97-424d-bd00-f835a6ab9be6)
    An error message is displayed indicating that the user is not an administrator. If the error message is not displayed, but the user list appears instead, then the regular user account was incorrectly attached to the admin role.

3.8.1. Troubleshoot Identity Client (keystone) Connectivity Problems

When the Identity client (keystone) is unable to contact the Identity service, it returns an error:
Unable to communicate with identity service: [Errno 113] No route to host. (HTTP 400)
To debug the issue, check for these common causes:
Identity service is down
On the system hosting the Identity service, check the service status:
# systemctl status openstack-keystone
● openstack-keystone.service - OpenStack Identity Service (code-named Keystone)
   Loaded: loaded (/usr/lib/systemd/system/openstack-keystone.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2016-06-07 02:31:14 EDT; 5h 29min ago
 Main PID: 23236 (keystone-all)
   CGroup: /system.slice/openstack-keystone.service
           ├─23236 /usr/bin/python2 /usr/bin/keystone-all
           ├─23247 /usr/bin/python2 /usr/bin/keystone-all
           ├─23248 /usr/bin/python2 /usr/bin/keystone-all
           ├─23249 /usr/bin/python2 /usr/bin/keystone-all
           └─23250 /usr/bin/python2 /usr/bin/keystone-all

Jun 07 02:31:13 mitaka.localdomain systemd[1]: Starting OpenStack Identity Service (code-named Keystone)...
Jun 07 02:31:14 mitaka.localdomain systemd[1]: Started OpenStack Identity Service (code-named Keystone).
If the service is not running (the output reads Active: inactive (dead)), log in as the root user and start it:
# systemctl start openstack-keystone
Firewall is not configured properly
The firewall might not be configured to allow TCP traffic on ports 5000 and 35357. See Section 3.3.3, “Configure the Firewall to Allow Identity Service Traffic” for instructions on how to correct this.