Ask Your Question

How to fix 401 error when I ran swift command to get authorizaition through keystone?

asked 2013-05-20 14:43:43 -0500

robert young gravatar image

updated 2013-05-21 12:18:13 -0500

I'm trying to use keystone with MySql to work with proxy server authorization.

I have setup keystone with MySql. I can run command like "keystone user-list" and "keystone tenant-list". I can run curl command and it return correct information.

But, I got 401 error when I ran swift command. I ran:

 # swift -v -A http://localhost:9199/auth/v2.0 -U exampleTenant:exampleUser -K example stat

where exampleTenant is the tenan name, exampleUser is the user name, and example is the password.

and got:

# Auth GET failed: http://localhost:9199/auth/v1.0/ 401 Unauthorized

I saw the following message in /var/log/syslog:

May 17 15:04:52 staging-proxy01-infra staging-proxy01-infra STDOUT: No handlers could be found for logger "keystone.middleware.auth_token" (txn: txe4126a2a5d7c45ed901554b23f80be01)
May 17 15:04:53 staging-proxy01-infra staging-proxy01-infra STDOUT: No handlers could be found for logger "keystone.middleware.auth_token" (txn: tx837b389d9ec94e598007d01870171d2f)

Looks like it could not find authtoken. But, I can see in my keystone installation.

I have googled for similar situation, but got no where.

Our system information:

Our company is Snapfish under HP. We want to use keystone with openstack so we can easily managing users.

Right now, keystone and swift-proxy are on the same box. And, I'm testing on the same box.

OS system: Ubuntu 12.04

Architecture: Linux 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x8664 x8664 x86_64 GNU/Linux

Package Info:

swift : Version: 1.4.8-0ubuntu2
swift-proxy: Version: 1.4.8-0ubuntu2
python-swift: Version: 1.4.8-0ubuntu2
keystone: Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.3
python-keystone: Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.3

Content of /etc/swift/prosy-server.conf:

bind_port = 9199
workers = 20
user = swift
log_facility = LOG_LOCAL1
log_level = INFO
log_name = staging-proxy01-infra
log_requests = true

pipeline = informant healthcheck catch_errors cache authtoken swiftauth proxy-server

use = egg:swift#catch_errors

use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

use = egg:swift#healthcheck

use = egg:swift#memcache

paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = admin, SwiftOperator
is_admin = false

paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host =
service_port = 5000
auth_protocol = http
auth_host =
auth_port = 35357
#admin_tenant_name = service
#admin_user = keystone
#admin_password = storage
delay_auth_decision = 0

memcache_servers =,,

use = egg:informant#informant
statsd_host =
metric_name_prepend = storage.

Content of /etc/keystone/keystone.conf:

#bind_host =
public_port = 5000
admin_port = 35357
admin_token = ADMIN
compute_port = 8774
verbose = True
debug = True
log_config = /etc/keystone/logging.conf

# ================= Syslog Options ============================
# Send logs to syslog (/dev/log) instead of to file specified
# by `log-file`
use_syslog = False

# Facility to use. If unset defaults to LOG_USER.
# syslog_log_facility = LOG_LOCAL0

#connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql://keystone:storage@staging-mysqlapi01-infra/keystone
idle_timeout = 200

#url = ldap://localhost
#tree_dn = dc=example,dc=com
#user_tree_dn = ou=Users,dc=example,dc=com
#role_tree_dn = ou=Roles,dc=example ...
edit retag flag offensive close merge delete

3 answers

Sort by ยป oldest newest most voted

answered 2013-05-21 17:01:13 -0500

annegentle gravatar image

I think your swift proxy-server.conf has these lines commented out:

#admintenantname = service #adminuser = keystone #adminpassword = storage

Which means that swift proxy itself can't passthrough the commands from the swift CLI to keystone. You're able to get a token directly from keystone, but your proxy-server.conf is misconfigured (prosy-server.conf above).

edit flag offensive delete link more


This was not my issue, but ultimatly pointed me in the right direction. My auth host was off: "auth_host = cloud-ctrlr". The "/etc/swift/proxy-server.conf" file is the problem.

shawnz gravatar imageshawnz ( 2014-02-01 20:38:02 -0500 )edit

answered 2013-08-20 11:10:24 -0500

rbrady gravatar image

Do you have the "SwiftOperator" role in the database that your proxy-server.conf file is looking for? I had a similar issue with "Unauthorized" responses from keystone when non-admin users tried to execute swift commands from both the api and the UI.

edit flag offensive delete link more

answered 2013-05-21 17:41:07 -0500

robert young gravatar image

Thanks for taking time to look at my problem.

I have tried that without success by uncommenting those lines. It still failed with the same error messages.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools


Asked: 2013-05-20 14:43:43 -0500

Seen: 2,217 times

Last updated: May 21 '13