Keystone rejecting swift service token auth request

asked 2017-02-14 16:44:43 -0500

abqkawi1000

I am running a swift stat command, and it returns 503 Service Unavailable. However, the swift proxy logs and keystone logs seem to reveal that keystone is refusing the swift request. Can anyone point me in the right direction?

I have a swift user set up with the admin role:

root@controller01:~# openstack role list --project service --user swift
+----------------------------------+-------+---------+-------+
| ID                               | Name  | Project | User  |
+----------------------------------+-------+---------+-------+
| 4e1a2fa0b4f94b279a8e37bcf810341f | admin | service | swift |
+----------------------------------+-------+---------+-------+

My endpoints:

root@controller01:~# openstack endpoint list --service swift
+----------------------------------+--------+--------------+--------------+---------+-----------+------------------------------------------------+
| ID                               | Region | Service Name | Service Type | Enabled | Interface | URL                                            |
+----------------------------------+--------+--------------+--------------+---------+-----------+------------------------------------------------+
| 219c7df55c5e43cb93f2065960f3f240 | nova   | swift        | object-store | True    | internal  | http://10.203.0.101:8080/v1/AUTH_%(tenant_id)s |
| 8f22d72c626d4d86a6cca79d003666ac | nova   | swift        | object-store | True    | public    | http://10.203.0.101:8080/v1/AUTH_%(tenant_id)s |
| b2694d19e2f342819d7555d81aef21b2 | nova   | swift        | object-store | True    | admin     | http://10.203.0.101:8080/v1/AUTH_%(tenant_id)s |
+----------------------------------+--------+--------------+--------------+---------+-----------+------------------------------------------------+

My proxy-server.conf

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = http://10.203.2.1:5000
auth_url = http://10.203.2.1:35357
memcached_servers = 127.0.0.1:11211
#auth_type = password
#project_domain_name = default
#user_domain_name = default
project_domain_id = default
user_domain_id = default
project_name = service
auth_plugin = password
username = swift
password = swiftSekretPassword
log_level = debug
cache = swift.cache
include_service_catalog = False
delay_auth_decision = True
#
# delay_auth_decision defaults to False, but leaving it as false will
# prevent other auth systems, staticweb, tempurl, formpost, and ACLs from
# working. This value must be explicitly set to True.
# delay_auth_decision = False
#
# cache = swift.cache
# include_service_catalog = False
#
[filter:keystoneauth]
use = egg:swift#keystoneauth
reseller_prefix = AUTH, SERVICE
operator_roles = admin, swiftoperator
SERVICE_service_roles = service

FROM CLIENT:

swift -V 2 -A http://10.203.2.1:5000/v2.0 -U admin:myadminname -K myadminpass stat --debug
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to http://10.203.2.1:5000/v2.0/tokens
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 10.203.2.1
DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 3689
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 10.203.0.101
DEBUG:requests.packages.urllib3.connectionpool:"HEAD /v1/AUTH_175ea570020a4fe8a8bd1ed2f7070d84 HTTP/1.1" 503 0
INFO:swiftclient:REQ: curl -i http://10.203.0.101:8080/v1/AUTH_175ea570020a4fe8a8bd1ed2f7070d84 -I -H "X-Auth-Token: gAAAAABYo2quDtDS8GTAIKoziw5--ujlbdSXFs_sFVmSKwSPzsy1ixSARZ2HV4QZ0lMVg6UG1z8ZjlIt2_ac1GDrq3an4H7cY_NLbBuwlCi86wxs9u0qhrtY9Kf_JAYcZP6_k7iNzAV276TzYGA0BnuSPL1a3h4vfA"

From Proxy-Server

Feb 14 13:35:44 cee-cldswift proxy-server: Rejecting request
Feb 14 13:35:44 cee-cldswift proxy-server: Identity server rejected authorization
Feb 14 13:35:44 cee-cldswift proxy-server: Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
Feb 14 13:35:44 cee-cldswift proxy-server: Retrying validation
Feb 14 13:35:44 cee-cldswift proxy-server: Identity server rejected authorization
Feb 14 13:35:44 cee-cldswift proxy-server: Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
Feb 14 13:35:44 cee-cldswift proxy-server: Unable to validate token: Identity server rejected authorization necessary to fetch token data
Feb 14 13:35:44 cee-cldswift proxy-server: 10.203.2.7 10.203.2.7 14/Feb/2017/20/35/44 PUT /v1/AUTH_862fd19d772f42159cb0066592feb50e/test HTTP/1.0 503 - python-swiftclient-3.0.0 gAAAAABYo2AhMz_g... - 100 - txbcf8614c0d6746019e35c-0058a36a20 - 0.0516 - - 1487104544.378717899 1487104544.430274963

From Controller (keystone.log)

2017-02-14 ...

2 answers


answered 2017-02-16 09:07:43 -0500

abqkawi1000

I understand now why Keystone is telling my swift service to go piss up a rope. For me to run a successful "openstack catalog show object-store", I need to pass --os-identity-api-version, --os-auth-url, --os-project-name, --os-project-domain-name, --os-username, --os-user-domain-name to keystone. If I am missing any of these, I get an AUTH error.

Hopefully, swift-proxy can use all of these variables in authtoken middleware. So far I am unable to find an example of proxy-server.conf that contains identity_api_version, so I will just have to experiment on configs.


answered 2017-02-16 10:11:59 -0500

You set the parameters project_domain_id and user_domain_id to default. But default is NOT an id. Uncomment project_domain_name=default, user_domain_name=default and comment project_domain_id and user_domain_id out in your proxy-server.conf. Restart your proxy-server and retry :-)

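Added example (not part of the original thread, and not keystonemiddleware's own code): a Python sketch that maps the [filter:authtoken] options from the question onto the Identity v3 password token request body, showing where the user and project domain options discussed in both answers end up and which ones are missing. The helper names, the redacted password and the id-before-name preference are assumptions made for the illustration.

```python
import configparser

# Constructed sample: the credential options of [filter:authtoken] as posted
# in the question, with the password replaced by a placeholder.
CONF_AS_POSTED = """
[filter:authtoken]
auth_url = http://10.203.2.1:35357
project_domain_id = default
user_domain_id = default
project_name = service
auth_plugin = password
username = swift
password = REDACTED
"""
# Variant suggested in the second answer: domain names instead of domain ids.
CONF_AS_ANSWERED = CONF_AS_POSTED.replace("_domain_id", "_domain_name")


def domain_ref(opts, prefix):
    """Return the v3 domain reference for 'user' or 'project', or None."""
    # Assumption of this sketch: prefer the id form when both are present.
    if f"{prefix}_domain_id" in opts:
        return {"id": opts[f"{prefix}_domain_id"]}
    if f"{prefix}_domain_name" in opts:
        return {"name": opts[f"{prefix}_domain_name"]}
    return None


def v3_token_request(conf_text, section="filter:authtoken"):
    """Build the POST /v3/auth/tokens body implied by the section.

    Returns (body, missing), where missing lists the domain options that
    are absent; a user or project given by name needs a domain in v3.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    opts = parser[section]
    user = {"name": opts["username"], "password": opts["password"]}
    project = {"name": opts["project_name"]}
    missing = []
    for prefix, target in (("user", user), ("project", project)):
        ref = domain_ref(opts, prefix)
        if ref is None:
            missing.append(f"{prefix}_domain_id or {prefix}_domain_name")
        else:
            target["domain"] = ref
    body = {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user}},
                     "scope": {"project": project}}}
    return body, missing
```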

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2017-02-14 16:44:43 -0500

Seen: 754 times

Last updated: Feb 16 '17