How to fix 401 error when I ran swift command to get authorization through keystone?

asked 2013-05-20 14:43:43 -0500

robert young

updated 2013-05-21 12:18:13 -0500

I'm trying to use keystone with MySql to work with proxy server authorization.

I have set up keystone with MySql. I can run commands like "keystone user-list" and "keystone tenant-list". I can run a curl command and it returns correct information.

But, I got 401 error when I ran swift command. I ran:

 # swift -v -A http://localhost:9199/auth/v2.0 -U exampleTenant:exampleUser -K example stat

where exampleTenant is the tenant name, exampleUser is the user name, and example is the password.

and got:

# Auth GET failed: http://localhost:9199/auth/v1.0/ 401 Unauthorized

I saw the following message in /var/log/syslog:

May 17 15:04:52 staging-proxy01-infra staging-proxy01-infra STDOUT: No handlers could be found for logger "keystone.middleware.auth_token" (txn: txe4126a2a5d7c45ed901554b23f80be01)
May 17 15:04:53 staging-proxy01-infra staging-proxy01-infra STDOUT: No handlers could be found for logger "keystone.middleware.auth_token" (txn: tx837b389d9ec94e598007d01870171d2f)

Looks like it could not find authtoken. But I can see it in my keystone installation.

I have googled for similar situations, but got nowhere.

Our system information:

Our company is Snapfish under HP. We want to use keystone with openstack so we can easily manage users.

Right now, keystone and swift-proxy are on the same box. And, I'm testing on the same box.

OS system: Ubuntu 12.04

Architecture: Linux 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Package Info:

swift : Version: 1.4.8-0ubuntu2
swift-proxy: Version: 1.4.8-0ubuntu2
python-swift: Version: 1.4.8-0ubuntu2
keystone: Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.3
python-keystone: Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.3

Content of /etc/swift/prosy-server.conf:

bind_port = 9199
workers = 20
user = swift
log_facility = LOG_LOCAL1
log_level = INFO
log_name = staging-proxy01-infra
log_requests = true

pipeline = informant healthcheck catch_errors cache authtoken swiftauth proxy-server

use = egg:swift#catch_errors

use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

use = egg:swift#healthcheck

use = egg:swift#memcache

paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = admin, SwiftOperator
is_admin = false

paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host =
service_port = 5000
auth_protocol = http
auth_host =
auth_port = 35357
#admin_tenant_name = service
#admin_user = keystone
#admin_password = storage
delay_auth_decision = 0

memcache_servers =,,

use = egg:informant#informant
statsd_host =
metric_name_prepend = storage.

Content of /etc/keystone/keystone.conf:

#bind_host =
public_port = 5000
admin_port = 35357
admin_token = ADMIN
compute_port = 8774
verbose = True
debug = True
log_config = /etc/keystone/logging.conf

# ================= Syslog Options ============================
# Send logs to syslog (/dev/log) instead of to file specified
# by `log-file`
use_syslog = False

# Facility to use. If unset defaults to LOG_USER.
# syslog_log_facility = LOG_LOCAL0

#connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql://keystone:storage@staging-mysqlapi01-infra/keystone
idle_timeout = 200

#url = ldap://localhost
#tree_dn = dc=example,dc=com
#user_tree_dn = ou=Users,dc=example,dc=com
#role_tree_dn = ou=Roles,dc=example ...

3 answers


answered 2013-05-21 17:01:13 -0500

annegentle

I think your swift proxy-server.conf has these lines commented out:

#admin_tenant_name = service
#admin_user = keystone
#admin_password = storage

Which means that swift proxy itself can't pass through the commands from the swift CLI to keystone. You're able to get a token directly from keystone, but your proxy-server.conf is misconfigured (prosy-server.conf above).



This was not my issue, but ultimately pointed me in the right direction. My auth host was off: "auth_host = cloud-ctrlr". The "/etc/swift/proxy-server.conf" file is the problem.

shawnz ( 2014-02-01 20:38:02 -0500 )
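A quick check for the two proxy-server.conf problems named in the answer and comment above: `admin_*` credentials commented out, and an `auth_host` that is not set. This is an added example, not part of the original thread; the `[filter:authtoken]` section name and the sample text are assumptions (the config in the question is shown without section headers), and a non-empty but wrong `auth_host` still has to be verified by hand.

```python
import configparser

# Constructed sample modelled on the authtoken settings quoted in the question.
# The section header is an assumption; the question shows none.
SAMPLE = """
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host =
service_port = 5000
auth_protocol = http
auth_host =
auth_port = 35357
#admin_tenant_name = service
#admin_user = keystone
#admin_password = storage
delay_auth_decision = 0
"""

# Settings the answer and comment above point at, not an exhaustive list.
CHECKED = ("auth_host", "auth_port", "auth_protocol",
           "admin_tenant_name", "admin_user", "admin_password")


def check_authtoken(text, section="filter:authtoken"):
    """Return findings for the auth_token section; never echoes values."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    if not cp.has_section(section):
        return ["section [%s] not found" % section]
    findings = []
    for key in CHECKED:
        if not cp.has_option(section, key):
            # '#'-prefixed lines are comments, so the option does not exist
            findings.append("%s: missing or commented out" % key)
        elif not cp.get(section, key).strip():
            findings.append("%s: set but empty" % key)
    return findings


if __name__ == "__main__":
    for finding in check_authtoken(SAMPLE):
        print(finding)
```
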

answered 2013-08-20 11:10:24 -0500

rbrady

Do you have the "SwiftOperator" role in the database that your proxy-server.conf file is looking for? I had a similar issue with "Unauthorized" responses from keystone when non-admin users tried to execute swift commands from both the api and the UI.


answered 2013-05-21 17:41:07 -0500

robert young

Thanks for taking time to look at my problem.

I have tried that without success by uncommenting those lines. It still failed with the same error messages.



Asked: 2013-05-20 14:43:43 -0500

Seen: 2,293 times

Last updated: May 21 '13