Auth server recovery

asked 2010-11-22 16:48:05 -0500

spiccolo

With Openstack we can have one auth-server: if it fails we'll have some problems... I tried to install another auth server and then to restore the auth.db file. It's all ok, I can log in with old accounts, but if I try to add a new user I get the "401 Unauthorized" error when I check that I can HEAD the account with the command:

```
curl -k -v -H 'X-Auth-Token: <token-from-x-auth-token-above>' <url-from-x-storage-url-above>
```

with the correct x-auth-token and x-storage-url.

And now my question: is there a procedure that I can follow to restore my auth-server configuration to the old state???

5 answers

answered 2010-11-23 15:47:36 -0500

spiccolo

Perfect, I tried and it solved my problem. Thanks.

answered 2010-11-22 16:53:33 -0500

spiccolo

It seems there is a problem with x-auth-token ... and the ssl exchange fails... Any ideas for the solution?

answered 2010-11-23 03:47:15 -0500

clay-gerrard

it sounds like the auth server was able to create the account on the cluster - but the proxy can verify the token with the auth server... so maybe the proxy can't get back to the new auth server?

I'm not sure about the cert/ssl exchange - do you have any errors in /var/log/syslog (or /var/log/swift/)?

can you post your proxy-server.conf and auth-server.conf?

answered 2010-11-23 09:08:50 -0500

spiccolo

I think you are right ... the proxy can't get back to the new auth server. The first auth-server is on the same proxy node ... the new auth-server is on a new machine but the proxy is the same (Openstack1).

This is my syslog on the proxy node:

```
Nov 22 17:58:48 Openstack1 auth-server validate_token('AUTH_tkd33746117d48421aaa19af8e5fdd90e6', _, _) = False [0.00]
Nov 22 17:58:48 Openstack1 auth-server - - [22/Nov/2010:16:58:48 +0000] "GET /token/AUTH_tkd33746117d48421aaa19af8e5fdd90e6 HTTP/1.0" 404 - "-" "-" - - - - - - - - - "-" "" "-" 0.0008
```


```
[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
bind_port = 8080
workers = 8
user = swift

[pipeline:main]
pipeline = healthcheck cache auth proxy-server

[app:proxy-server]
use = egg:swift#proxy

[filter:auth]
use = egg:swift#auth
ssl = true

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers =
```


```
[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
user = swift

[pipeline:main]
pipeline = auth-server

[app:auth-server]
use = egg:swift#auth
default_cluster_url = https://Openstack1:8080/v1
# Highly recommended to change this key to something else!
super_admin_key = devauth
```

answered 2010-11-23 14:47:13 -0500

cthier

If you move the auth server to another server, then you need to tell the proxy how to reach the auth server. Add the following under [filter:auth]:


then restart your proxy, and you should be able to add users again and users should be able to access their data.

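An added example, not part of any answer in this thread: a Python check an operator could run after relocating the auth server. It flags a proxy whose `[filter:auth]` still resolves to loopback, an unchanged sample `super_admin_key`, and token lookups answered with 404 in syslog. The `ip`/`port` option names and their defaults (127.0.0.1, 11000) are assumptions about the devauth filter to confirm against your Swift release; `auth2.example` and the sample data are constructed.

```python
import configparser
import re
# Assumption: devauth filter defaults when [filter:auth] sets no ip/port.
DEFAULT_IP, DEFAULT_PORT = "127.0.0.1", 11000
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
TRUE_VALUES = {"true", "1", "yes", "on", "t", "y"}
TOKEN_404 = re.compile(r'(\S+) auth-server .*"GET /token/(\S+) HTTP/1\.\d" 404 ')

# Constructed samples modelled on the configs and syslog posted in the thread.
PROXY_CONF = """
[filter:auth]
use = egg:swift#auth
ssl = true
"""
AUTH_CONF = """
[app:auth-server]
default_cluster_url = https://Openstack1:8080/v1
super_admin_key = devauth
"""
SYSLOG = [
    "Nov 22 17:58:48 Openstack1 auth-server validate_token('AUTH_tkEXAMPLE', _, _) = False [0.00]",
    'Nov 22 17:58:48 Openstack1 auth-server - - [22/Nov/2010:16:58:48 +0000] '
    '"GET /token/AUTH_tkEXAMPLE HTTP/1.0" 404 - "-" "-"',
]

def section(text, name):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp[name]) if cp.has_section(name) else {}

def audit(proxy_conf, auth_conf, auth_host):
    """Findings for a proxy/auth config pair; auth_host is where the auth server now runs."""
    flt = section(proxy_conf, "filter:auth")
    ip, port = flt.get("ip", DEFAULT_IP), int(flt.get("port", DEFAULT_PORT))
    findings = []
    if ip in LOOPBACK and auth_host not in LOOPBACK:
        findings.append(f"proxy validates tokens at {ip}:{port}, not at {auth_host}")
    if flt.get("ssl", "false").lower() not in TRUE_VALUES:
        findings.append("proxy-to-auth traffic is not using ssl")
    if section(auth_conf, "app:auth-server").get("super_admin_key") == "devauth":
        findings.append("super_admin_key is still the sample value 'devauth'")
    return findings

def rejected_tokens(lines):
    """(host, token) pairs for token lookups that an auth server answered with 404."""
    return [m.groups() for line in lines if (m := TOKEN_404.search(line))]

if __name__ == "__main__":
    print(audit(PROXY_CONF, AUTH_CONF, "auth2.example"), rejected_tokens(SYSLOG))
```

A 404 logged by the auth server on the proxy's own host, for a token issued elsewhere, is the same symptom shown in the syslog excerpt above.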


Last updated: Nov 23 '10