Ask Your Question
0

Swift3/S3 API errors when authenticating with EC2 keys

asked 2017-05-11 15:42:14 -0500

jep gravatar image

I have a working Swift in CentOS 7, version Ocata, installed following the installation guides. I'm trying to add the S3 API (swift3). There's a lot of old/outdated information online, but I think I managed to get the correct configuration options in proxy-server.conf (pipeline, filters) and keystone-paste.ini (ec2_extension, s3_extension)

My setup is almost exactly like harshalx in this thread:

https://ask.openstack.org/en/question...

When testing a connection with s3curl, I get:

<?xml version='1.0' encoding='UTF-8'?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><RequestId>tx98c3a8c4e75d43489ba9e-005914c402</RequestId></Error>

In keystone.log, I get:

2017-05-11 16:05:22.453 6081 INFO keystone.common.wsgi [req-ddd8c06b-d4a2-46ba-9c0e-34aa597d6734 - - - - -] POST http://controller:35357/v2.0/s3tokens
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi [req-ddd8c06b-d4a2-46ba-9c0e-34aa597d6734 - - - - -] need more than 4 values to unpack
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi Traceback (most recent call last):
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi     result = method(req, **params)
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/oslo_log/versionutils.py", line 178, in wrapped
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi     return func_or_cls(*args, **kwargs)
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/contrib/ec2/controllers.py", line 264, in authenticate
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi     ec2credentials=ec2Credentials)
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi ValueError: need more than 4 values to unpack
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi

I only get this error when the keys are correct, so I guess it's authenticating before collapsing. I have tried deleting and recreating ec2 credentials multiple times (openstack ec2 credentials create), with the same result.

When testing using signatures v4 instead of v2, I get a different error:

2017-05-11 16:08:19.077 6080 INFO keystone.common.wsgi [req-b924084a-d48c-4c34-a561-33913787d994 - - - - -] POST http://controller:35357/v2.0/s3tokens
2017-05-11 16:08:19.087 6080 WARNING keystone.common.wsgi [req-b924084a-d48c-4c34-a561-33913787d994 - - - - -] Authorization failed. The request you have made requires authentication.

Any suggestions are welcome. If someone has a working S3 API in Ocata, I'd love to see the configuration files.

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
1

answered 2017-07-05 12:26:35 -0500

tburke gravatar image

Unfortunately, Ocata Keystone doesn't support the s3tokens endpoint. This was broken with the removal of issue_v2_token in https://review.openstack.org/#/c/386762/ (openstack/keystone@dd1e705), but we hadn't noticed until after Ocata was cut. This was fixed in https://review.openstack.org/#/c/437012/ (openstack/keystone@3ec1aa4) (so, will be fixed in Pike) by switching to support Keystone v3 tokens. Given how rarely those modules are touched, it should be fairly easy to backport (either in your own fork or as a stable patch upstream). Note that swift3 will need to be able to make sense of the different response format -- that work was done in https://review.openstack.org/#/c/419721/ (openstack/swift3@807ed38); I should work with Kota to tag a release.

That all has to do with the traceback for v2 signatures -- the v4 failure likely has to do with a difference in how the canonical request (which gets signed using the secret) was constructed on the client and server. I'd be interested in seeing debugging output from the client to look for bugs in what swift3's doing, but even if we got that sorted out, we'd hit a similar traceback when keystone tries to send back a 200 OK.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-05-11 15:42:14 -0500

Seen: 1,056 times

Last updated: Jul 05 '17

Related questions

Dashboard cannot access identity tab

[SOLVED] How to solve InternalServerError: Internal Server Error (HTTP 500) on first project creation following Ocata rdo guide?

object-audit move a lot of files to quarantine

swift diy saio with external keystone 503 error problems [closed]

swift [Errno 111] Connection refused [closed]

swift 401 wget

Swift proxy-server returns 401 unauthorized after frist time usage of X-Auth-Token

What is the curl equivalent to keystone user-role-add

Multiple proxy server problem

Is it possible to add SSL to keystone API ?