3.8. Validate the Identity Service Installation
Verify that an Identity service installation is functioning correctly. All steps in this procedure must be performed on the Identity server or on another server in the environment. The logged-in user must have access to keystonerc_user files containing the environment variables required to authenticate as the administrative user and a regular user respectively. Also, the system must have the following already installed: httpd, mod_wsgi, and mod_ssl (for security purposes).
Procedure 3.12. Validating the Identity Service Installation
- Set up the shell to access keystone as the administrative user:
- List the users defined in the system:
  openstack user list
  +----------------------------------+-------+
  | ID                               | Name  |
  +----------------------------------+-------+
  | 23c56d02d3bc4b88b034e0b3720fcd1b | admin |
  | 246b1342a8684bf39d7cc5165ef835d4 | USER  |
  +----------------------------------+-------+
  The list of users defined in the system is displayed. If the list is not displayed, there is an issue with the installation.
- If the message returned indicates a permissions or authorization issue, check that the administrative user account, tenant, and role were created properly. Also ensure that the three objects are linked correctly.
- If the message returned indicates a connectivity issue (Connection refused), verify that the openstack-keystone service is running and that the firewall service is configured to allow connections on ports
- Set up the shell to access keystone as the regular Identity service user:
- Attempt to list the users defined in the system:
  openstack user list
  You are not authorized to perform the requested action: admin_required (HTTP 403) (Request-ID: req-1cfd3869-ac97-424d-bd00-f835a6ab9be6)
  An error message is displayed indicating that the user is not an administrator. If the error message is not displayed, but the user list appears instead, then the regular user account was incorrectly attached to the
3.8.1. Troubleshoot Identity Client (keystone) Connectivity Problems
When the Identity client (keystone) is unable to contact the Identity service, it returns an error:
Unable to communicate with identity service: [Errno 113] No route to host. (HTTP 400)
To debug the issue, check for these common causes:
- Identity service is down
- On the system hosting the Identity service, check the service status:
  systemctl status openstack-keystone
  ● openstack-keystone.service - OpenStack Identity Service (code-named Keystone)
     Loaded: loaded (/usr/lib/systemd/system/openstack-keystone.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2016-06-07 02:31:14 EDT; 5h 29min ago
   Main PID: 23236 (keystone-all)
     CGroup: /system.slice/openstack-keystone.service
             ├─23236 /usr/bin/python2 /usr/bin/keystone-all
             ├─23247 /usr/bin/python2 /usr/bin/keystone-all
             ├─23248 /usr/bin/python2 /usr/bin/keystone-all
             ├─23249 /usr/bin/python2 /usr/bin/keystone-all
             └─23250 /usr/bin/python2 /usr/bin/keystone-all

  Jun 07 02:31:13 mitaka.localdomain systemd: Starting OpenStack Identity Service (code-named Keystone)...
  Jun 07 02:31:14 mitaka.localdomain systemd: Started OpenStack Identity Service (code-named Keystone).
  If the service is not running (the output reads Active: inactive (dead)), log in as the root user and start it:
  systemctl start openstack-keystone
- Firewall is not configured properly
- The firewall might not be configured to allow TCP traffic on ports 35357. See Section 3.3.3, “Configure the Firewall to Allow Identity Service Traffic” for instructions on how to correct this.
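
The pass/fail rules of Procedure 3.12 and the connectivity errors in Section 3.8.1 can be combined into one check that also catches the case where a regular user is able to list users. The following is an added example, not part of the original documentation; the function name classify_user_list and its verdict words are assumptions, and the sample outputs are copied from the messages shown on this page.

```shell
#!/bin/sh
# Added example: classify captured output of `openstack user list`.
# classify_user_list ROLE OUTPUT
#   ROLE   - "admin" or "regular" (which keystonerc file was sourced)
#   OUTPUT - combined stdout/stderr of `openstack user list`
# Prints one verdict word; returns 0 only for the expected outcome.
classify_user_list() {
    role=$1
    output=$2
    case $output in
        *"Connection refused"*|*"No route to host"*)
            # Service is down or the firewall blocks the Identity ports.
            echo CONNECTIVITY; return 2 ;;
        *"admin_required"*"HTTP 403"*)
            if [ "$role" = regular ]; then
                echo PASS_DENIED; return 0   # expected for a regular user
            fi
            # Admin account, tenant and role are not linked correctly.
            echo FAIL_ADMIN_DENIED; return 1 ;;
        *"| ID"*"| Name"*)
            if [ "$role" = admin ]; then
                echo PASS_LISTED; return 0
            fi
            # A regular user could list users: the account is over-privileged.
            echo FAIL_PRIVILEGED; return 1 ;;
        *)
            echo UNKNOWN; return 3 ;;
    esac
}

# Sample outputs, copied from the messages shown on this page.
DENIED='You are not authorized to perform the requested action: admin_required (HTTP 403)'
NOROUTE='Unable to communicate with identity service: [Errno 113] No route to host. (HTTP 400)'
TABLE='| ID                               | Name  |
| 23c56d02d3bc4b88b034e0b3720fcd1b | admin |'

# Live use (assumes the keystonerc file for ROLE is already sourced):
#   classify_user_list regular "$(openstack user list 2>&1)"
```

A non-zero return for the regular user is the result to alert on, since FAIL_PRIVILEGED means the negative test in the procedure did not hold.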