Ask Your Question
0

Swift3/S3 API errors when authenticating with EC2 keys

asked 2017-05-11 15:42:14 -0500

jep gravatar image

I have a working Swift in CentOS 7, version Ocata, installed following the installation guides. I'm trying to add the S3 API (swift3). There's a lot of old/outdated information online, but I think I managed to get the correct configuration options in proxy-server.conf (pipeline, filters) and keystone-paste.ini (ec2_extension, s3_extension)

My setup is almost exactly like harshalx in this thread:

https://ask.openstack.org/en/question...

When testing a connection with s3curl, I get:

<?xml version='1.0' encoding='UTF-8'?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><RequestId>tx98c3a8c4e75d43489ba9e-005914c402</RequestId></Error>

In keystone.log, I get:

2017-05-11 16:05:22.453 6081 INFO keystone.common.wsgi [req-ddd8c06b-d4a2-46ba-9c0e-34aa597d6734 - - - - -] POST http://controller:35357/v2.0/s3tokens
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi [req-ddd8c06b-d4a2-46ba-9c0e-34aa597d6734 - - - - -] need more than 4 values to unpack
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi Traceback (most recent call last):
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi     result = method(req, **params)
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/oslo_log/versionutils.py", line 178, in wrapped
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi     return func_or_cls(*args, **kwargs)
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/contrib/ec2/controllers.py", line 264, in authenticate
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi     ec2credentials=ec2Credentials)
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi ValueError: need more than 4 values to unpack
2017-05-11 16:05:22.721 6081 ERROR keystone.common.wsgi

I only get this error when the keys are correct, so I guess it's authenticating before collapsing. I have tried deleting and recreating ec2 credentials multiple times (openstack ec2 credentials create), with the same result.

When testing using signatures v4 instead of v2, I get a different error:

2017-05-11 16:08:19.077 6080 INFO keystone.common.wsgi [req-b924084a-d48c-4c34-a561-33913787d994 - - - - -] POST http://controller:35357/v2.0/s3tokens
2017-05-11 16:08:19.087 6080 WARNING keystone.common.wsgi [req-b924084a-d48c-4c34-a561-33913787d994 - - - - -] Authorization failed. The request you have made requires authentication.

Any suggestions are welcome. If someone has a working S3 API in Ocata, I'd love to see the configuration files.

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
1

answered 2017-07-05 12:26:35 -0500

tburke gravatar image

Unfortunately, Ocata Keystone doesn't support the s3tokens endpoint. This was broken with the removal of issue_v2_token in https://review.openstack.org/#/c/386762/ (openstack/keystone@dd1e705), but we hadn't noticed until after Ocata was cut. This was fixed in https://review.openstack.org/#/c/437012/ (openstack/keystone@3ec1aa4) (so, will be fixed in Pike) by switching to support Keystone v3 tokens. Given how rarely those modules are touched, it should be fairly easy to backport (either in your own fork or as a stable patch upstream). Note that swift3 will need to be able to make sense of the different response format -- that work was done in https://review.openstack.org/#/c/419721/ (openstack/swift3@807ed38); I should work with Kota to tag a release.

That all has to do with the traceback for v2 signatures -- the v4 failure likely has to do with a difference in how the canonical request (which gets signed using the secret) was constructed on the client and server. I'd be interested in seeing debugging output from the client to look for bugs in what swift3's doing, but even if we got that sorted out, we'd hit a similar traceback when keystone tries to send back a 200 OK.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-05-11 15:42:14 -0500

Seen: 758 times

Last updated: Jul 05 '17

Related questions

Keystone rejecting swift service token auth request

swift keystone authentication : This server could not verify that you are authorized to access the document you requested [closed]

How to authorize keystone users to access their swift objects

Do we really need these many swift auths S3, TempAuth, SwiftAuth, cacheAuth.....?

what is use of ec2-credentials table in keystone database?

How many objects per container?

how to Migrate mysql user data to LDAP

Rocky keystone: admin role on project is too permissive

Swift connection time out

Snapshot of Instances is Queued forever