Ask Your Question
0

Auth server recovery

asked 2010-11-22 16:48:05 -0500

spiccolo gravatar image

With Openstack we can have one auth-server: if it fails we'll have some problems... I try to install another auth server and then to restore the auth.db file. It's all ok, I can login with old accounts, but if I try to add a new user I have the "401 Unauthorized" error when I check that I can HEAD the account with the command curl -k -v -H 'X-Auth-Token: <token-from-x-auth-token-above>' <url-from-x-storage-url-above> with the correct x-auth-token and x-store-url.

And now my question: is there a procedure that I can follow to restore my auth-server configuration to the old state???

edit retag flag offensive close merge delete

5 answers

Sort by ยป oldest newest most voted
0

answered 2010-11-23 15:47:36 -0500

spiccolo gravatar image

Perfect, I tried and it solved my problem. Thanks.

edit flag offensive delete link more
0

answered 2010-11-23 14:47:13 -0500

cthier gravatar image

If you move the auth server to another server, then you need to tell the proxy how to reach the auth server. Add the following under [filter:auth]:

ip = AUTH_SERVER_IP

then restart your proxy, and you should be able to add users again and users should be able to access their data.

edit flag offensive delete link more
0

answered 2010-11-23 09:08:50 -0500

spiccolo gravatar image

I think you are right ... the proxy can't get back to the new auth server. The first auth-server is on the same proxy node ... the new auth-server is on a new machine but the proxy is the same (Openstack1 172.16.0.249).

This is my syslog on the proxy node Nov 22 17:58:48 Openstack1 auth-server validate_token('AUTH_tkd33746117d48421aaa19af8e5fdd90e6', _, _) = False [0.00] Nov 22 17:58:48 Openstack1 auth-server 127.0.0.1 - - [22/Nov/2010:16:58:48 +0000] "GET /token/AUTH_tkd33746117d48421aaa19af8e5fdd90e6 HTTP/1.0" 404 - "-" "-" - - - - - - - - - "-" "127.0.0.1" "-" 0.0008

proxy-server.conf

[DEFAULT] cert_file = /etc/swift/cert.crt key_file = /etc/swift/cert.key bind_port = 8080 workers = 8 user = swift

[pipeline:main] pipeline = healthcheck cache auth proxy-server

[app:proxy-server] use = egg:swift#proxy

[filter:auth] use = egg:swift#auth ssl = true

[filter:healthcheck] use = egg:swift#healthcheck

[filter:cache] use = egg:swift#memcache memcache_servers = 172.16.0.249:11211

auth-server.conf

[DEFAULT] cert_file = /etc/swift/cert.crt key_file = /etc/swift/cert.key user = swift

[pipeline:main] pipeline = auth-server

[app:auth-server] use = egg:swift#auth default_cluster_url = https://Openstack1:8080/v1

Highly recommended to change this key to something else!

super_admin_key = devauth

edit flag offensive delete link more
0

answered 2010-11-23 03:47:15 -0500

clay-gerrard gravatar image

it sounds like the auth server was able to create the account on the cluster - but the proxy can verify the token with the auth server... so maybe the proxy can't get back to the new auth server?

I'm not sure about the cert/ssl exchange - do you have any errors in /var/log/syslog (or /var/log/swift/)?

can you post your proxy-server.conf and auth-server.conf?

edit flag offensive delete link more
0

answered 2010-11-22 16:53:33 -0500

spiccolo gravatar image

It seems there are problem with x-auth-token ... and ssl exchange fails.... any ideas for the solution?

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2010-11-22 16:48:05 -0500

Seen: 53 times

Last updated: Nov 23 '10