Swift Keystone Authentication Fails

asked 2013-06-24 13:13:23 -0600

vmtrooper

Hello Team,

I am unable to login to Swift using the Keystone integration. Here is sample output when I try to get swift status:

vagrant@swift:~$ swift -A http://172.16.0.201:5000/v2.0 -U service:swift -K swift stat
Auth GET failed: http://172.16.0.201:5000/v2.0 200 OK

I tried adding TempAuth entries to the Proxy config as well, but that is not working for me either. Please see my Proxy Config file contents below:

172.16.0.203 is my Swift Server.
172.16.0.201 is my Controller Node, which runs Keystone.

[DEFAULT]
bind_port = 443
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
user = swift
log_facility = LOG_LOCAL1

[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystoneauth proxy-server

[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true
allow_account_management = true

[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin .rseller_admin

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache

[filter:keystone]
paste.filter_factory = keystoneclient.middleware.swift_auth:filter_factory
operator_roles = Member,admin

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
service_port = 5000
service_host = 172.16.0.201
auth_port = 35357
auth_host = 172.16.0.201
auth_protocol = http
auth_token = ADMIN
admin_token = ADMIN
admin_tenant_name = service
admin_user = swift
admin_password = swift
cache = swift.cache

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:swift3]
use = egg:swift#swift3

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator

[filter:swiftauth]
use = egg:keystone#swiftauth
keystone_url = http://172.16.0.201:5000/v2.0
keystone_admin_token = 999888777666
keystone_swift_operator_roles = Admin, SwiftOperator
keystone_tenant_user_admin = true

[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_protocol = http
auth_host = 172.16.0.201
auth_port = 35357
auth_uri = http://172.16.0.201:5000/
admin_token = 999888777666
delay_auth_decision = 0
memecache_host = 172.16.0.203:11211

The keystone endpoint was successfully created:

+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+-------------------------------------------+----------------------------------+
| id                               | region    | publicurl                                      | internalurl                                    | adminurl                                  | service_id                       |
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+-------------------------------------------+----------------------------------+
| 3bb430404e1f4da0a8f22fdfa8b906a2 | RegionOne | http://172.16.0.201:8773/services/Cloud        | http://172.16.0.201:8773/services/Cloud        | http://172.16.0.201:8773/services/Admin   | fcfddafdc36b4708a3bfddd39cd5bd57 |
| 6cc1aedc3e154344922b34100a0a5c95 | RegionOne | https://172.16.0.203:443/v1/AUTH_$(tenant_id)s | https://172.16.0.203:443/v1/AUTH_$(tenant_id)s | https://172.16.0.203:443/v1               | 0c342438b82a461f98494ef7f7d3abb7 |
| 78fda6ce75034e8b821aadaef72b3a8b | RegionOne | http://172.16.0.201:8776/v1/%(tenant_id)s      | http://172.16.0.201:8776/v1/%(tenant_id)s      | http://172.16.0.201:8776/v1/%(tenant_id)s | 2410a1924e764513805b9d6f62639226 |
| 9bf69ed68d404a959521f1099e0aae5b | RegionOne | http://172.16.0.201:5000/v2.0                  | http://172.16.0.201:5000/v2.0                  | http://172.16.0.201:35357/v2.0            | 839a2b67a6f1450fa8666507e49476d3 |
| b4d2945af5d24e50aae51c935452f36d | RegionOne | http://172.16.0.201:9292/v1                    | http://172.16.0.201:9292/v1                    | http://172.16.0.201:9292/v1               | 3a172fa1190a40ddb8bedafdffc26e08 |
| e5e3664088be4295942bce38e611f420 | RegionOne | http://172.16.0.201:8774/v2/$(tenant_id)s      | http://172 ... (more)


12 answers

0

answered 2013-06-24 17:01:49 -0600

Could you show your keystone log here? Your current config seems correct. Watching keystone's log could be more helpful.

0

answered 2013-06-24 17:52:52 -0600

vmtrooper

Thanks Ken! I will upload the log file as soon as I am back in front of the server.

Just to confirm, I should forward the contents of /var/log/keystone? Are there any other logs that would be beneficial?

Also, how should I enable detailed debugging? I tried looking at the log file, and I didn't see much detail there.

0

answered 2013-06-25 02:35:05 -0600

Just setting log level to DEBUG is ok for watching details.

If you're not familiar with keystone log, you could just post a link here.

0

answered 2013-06-25 05:39:38 -0600

vmtrooper

Here is the output with debug and verbose enabled in keystone.conf:

2013-06-24 22:32:27 DEBUG [keystone-all] *************************
2013-06-24 22:32:27 DEBUG [keystone-all] Configuration options gathered from:
2013-06-24 22:32:27 DEBUG [keystone-all] command line args: []
2013-06-24 22:32:27 DEBUG [keystone-all] config files: ['/etc/keystone/keystone.conf']
2013-06-24 22:32:27 DEBUG [keystone-all] ================================================================================
2013-06-24 22:32:27 DEBUG [keystone-all] admin_endpoint = http://localhost:%(admin_port)d/
2013-06-24 22:32:27 DEBUG [keystone-all] admin_port = 35357
2013-06-24 22:32:27 DEBUG [keystone-all] admin_token =
2013-06-24 22:32:27 DEBUG [keystone-all] auth_admin_prefix =
2013-06-24 22:32:27 DEBUG [keystone-all] bind_host = 0.0.0.0
2013-06-24 22:32:27 DEBUG [keystone-all] compute_port = 8774
2013-06-24 22:32:27 DEBUG [keystone-all] config_dir = None
2013-06-24 22:32:27 DEBUG [keystone-all] config_file = ['/etc/keystone/keystone.conf']
2013-06-24 22:32:27 DEBUG [keystone-all] crypt_strength = 40000
2013-06-24 22:32:27 DEBUG [keystone-all] debug = True
2013-06-24 22:32:27 DEBUG [keystone-all] log_config = None
2013-06-24 22:32:27 DEBUG [keystone-all] log_date_format = %Y-%m-%d %H:%M:%S
2013-06-24 22:32:27 DEBUG [keystone-all] log_dir = /var/log/keystone
2013-06-24 22:32:27 DEBUG [keystone-all] log_file = keystone.log
2013-06-24 22:32:27 DEBUG [keystone-all] log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
2013-06-24 22:32:27 DEBUG [keystone-all] max_param_size = 64
2013-06-24 22:32:27 DEBUG [keystone-all] max_request_body_size = 114688
2013-06-24 22:32:27 DEBUG [keystone-all] max_token_size = 8192
2013-06-24 22:32:27 DEBUG [keystone-all] member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
2013-06-24 22:32:27 DEBUG [keystone-all] member_role_name = _member_
2013-06-24 22:32:27 DEBUG [keystone-all] onready = None
2013-06-24 22:32:27 DEBUG [keystone-all] policy_default_rule = None
2013-06-24 22:32:27 DEBUG [keystone-all] policy_file = policy.json
2013-06-24 22:32:27 DEBUG [keystone-all] public_endpoint = http://localhost:%(public_port)d/
2013-06-24 22:32:27 DEBUG [keystone-all] public_port = 5000
2013-06-24 22:32:27 DEBUG [keystone-all] pydev_debug_host = None
2013-06-24 22:32:27 DEBUG [keystone-all] pydev_debug_port = None
2013-06-24 22:32:27 DEBUG [keystone-all] standard_threads = False
2013-06-24 22:32:27 DEBUG [keystone-all] syslog_log_facility = LOG_USER
2013-06-24 22:32:27 DEBUG [keystone-all] use_syslog = False
2013-06-24 22:32:27 DEBUG [keystone-all] verbose = True
2013-06-24 22:32:27 DEBUG [keystone-all] signing.ca_certs = /etc/keystone/ssl/certs/ca.pem
2013-06-24 22:32:27 DEBUG [keystone-all] signing.ca_password = None
2013-06-24 22:32:27 DEBUG [keystone-all] signing.certfile = /etc/keystone/ssl/certs/signing_cert.pem
2013-06-24 22:32:27 DEBUG [keystone-all] signing.key_size = 1024
2013-06-24 22:32:27 DEBUG [keystone-all] signing.keyfile = /etc/keystone/ssl/private/signing_key.pem
2013-06-24 22:32:27 DEBUG [keystone-all] signing.token_format = PKI
2013-06-24 22:32:27 DEBUG [keystone-all] signing.valid_days = 3650
2013-06-24 22:32:27 DEBUG [keystone-all] stats.driver = keystone.contrib.stats.backends.kvs.Stats
2013-06-24 22:32:27 DEBUG [keystone-all] ldap.alias_dereferencing = default
2013-06-24 22:32:27 DEBUG [keystone-all] ldap.allow_subtree_delete = False
2013-06-24 22:32:27 DEBUG [keystone-all] ldap.domain_allow_create = True
2013-06-24 22:32:27 DEBUG [keystone-all] ldap.domain_allow_delete = True
2013-06-24 22:32:27 DEBUG [keystone-all] ldap.domain_allow_update = True
2013-06-24 22:32:27 DEBUG [keystone-all] ldap.domain_attribute_ignore =
2013-06-24 22:32:27 DEBUG [keystone-all] ldap.domain_desc_attribute = description
2013-06-24 22:32:27 DEBUG [keystone-all] ldap ... (more)

0

answered 2013-06-25 06:02:15 -0600

vmtrooper

By the way, the output above is generated when executing the following command:

vagrant@swift:/etc/swift$ swift -A http://172.16.0.201:5000/v2.0 -U service:swift -K swift stat
Auth GET failed: http://172.16.0.201:5000/v2.0 200 OK

I tried https instead of http at the command line URL, and got the following error below:

vagrant@swift:/etc/swift$ swift -A https://172.16.0.201:5000/v2.0 -U service:swift -K swift stat
[Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Also the output in keystone.log from that command was

2013-06-24 22:41:21 DEBUG [eventlet.wsgi.server] (1939) accepted ('172.16.0.203', 45859)
2013-06-24 22:41:27 DEBUG [eventlet.wsgi.server] (1939) accepted ('172.16.0.203', 45860)
2013-06-24 22:41:29 DEBUG [eventlet.wsgi.server] (1939) accepted ('172.16.0.203', 45861)
2013-06-24 22:41:33 DEBUG [eventlet.wsgi.server] (1939) accepted ('172.16.0.203', 45862)
2013-06-24 22:41:46 DEBUG [eventlet.wsgi.server] (1939) accepted ('172.16.0.203', 45863)
2013-06-24 22:42:07 DEBUG [eventlet.wsgi.server] (1939) accepted ('172.16.0.203', 45864)

0

answered 2013-06-25 09:14:36 -0600

I'm trying this, and found some similar problems. What's your swift log of that command? And are you using the current code on the master branch?

0

answered 2013-06-25 09:53:47 -0600

Some errors on your ports? You use 443 at 172.16.0.201 for swift, so you should have an endpoint like 172.16.0.201:443, but in your post, 172.16.0.203:443 is used. Have a check on this.

0

answered 2013-06-25 12:34:00 -0600

vmtrooper

On the Swift node, here I was getting continuous output like the following in /var/log/syslog:

Jun 25 05:23:15 swift proxy-server Started child 27544
Jun 25 05:23:15 swift proxy-server Starting keystone auth_token middleware
Jun 25 05:23:15 swift proxy-server Using /tmp/keystone-signing as cache directory for signing certificate
Jun 25 05:23:15 swift proxy-server UNCAUGHT EXCEPTION#012Traceback (most recent call last):#012 File "/usr/bin/swift-proxy-server", line 22, in <module>#012 run_wsgi(conf_file, 'proxy-server', default_port=8080, *options)#012 File "/usr/lib/python2.7/dist-packages/swift/common/wsgi.py", line 187, in run_wsgi#012 run_server()#012 File "/usr/lib/python2.7/dist-packages/swift/common/wsgi.py", line 149, in run_server#012 global_conf={'log_name': log_name})#012 File "/usr/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 247, in loadapp#012 return loadobj(APP, uri, name=name, *kw)#012 File "/usr/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 272, in loadobj#012 return context.create()#012 File "/usr/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 710, in create#012 return self.object_type.invoke(self)#012 File "/usr/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 207, in invoke#012 app = filter(app)#012 File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 1153, in auth_filter#012 return AuthProtocol(app, conf)#012 File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 301, in __init__#012 self.signing_dirname)#012ConfigurationError: unable to access signing dir /tmp/keystone-signing
Jun 25 05:23:15 swift proxy-server Removing dead child 27544

I updated proxy-server.conf to use a directory owned by swift user and updated the permissions accordingly. I am no longer getting dir access error. However, it still did not solve my swift command error.

I obtained my Swift installation by performing the following commands

  1. echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-proposed/grizzly main" | sudo tee /etc/apt/sources.list.d/folsom.list

  2. sudo apt-get -y install ubuntu-cloud-keyring

  3. sudo apt-get install -y swift swift-proxy swift-account swift-container swift-object memcached xfsprogs curl python-webob python-keystoneclient python-keystone

Is that the correct method to obtain the released versions of Grizzly binaries?

Regarding port errors, do you mean in the endpoint-list? I have all of my swift components including the swift proxy installed on 172.16.0.203. Shouldn't I specify the proxy IP when I create my endpoint? keystone is 172.16.0.201

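A pre-flight check for the signing directory problem described in the post above, as an added example (not code from the thread or from the keystoneclient middleware). It assumes the directory named by `signing_dir` should be a real directory, owned by the user the proxy runs as, and mode 0700 so other local users cannot touch the cached signing certificates; the function name and the sample path are hypothetical.

```python
import os
import stat


def check_signing_dir(path, uid=None):
    """Return a list of problems with a token-signing cache directory.

    An empty list means: a real directory (not a symlink), owned by `uid`
    (default: the current user), rwx for the owner, closed to everyone else.
    """
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat so a symlink at the final component is seen
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if stat.S_ISLNK(st.st_mode):
        return ["%s is a symlink, not a directory" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]

    problems = []
    if st.st_uid != uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o is open to group/others, expected 0700" % mode)
    if (mode & stat.S_IRWXU) != stat.S_IRWXU:
        problems.append("mode %04o lacks rwx for the owner" % mode)
    return problems


if __name__ == "__main__":
    # Hypothetical path: substitute the signing_dir value from proxy-server.conf
    # and run this as the account the proxy runs under.
    for line in check_signing_dir("/var/cache/swift/keystone-signing") or ["ok"]:
        print(line)
```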
0

answered 2013-06-25 12:34:51 -0600

vmtrooper

I'm using Ubuntu 12.04, by the way

0

answered 2013-06-26 02:04:43 -0600

Let's fix things one by one.

  1. using apt-get is ok

  2. use this: swift -V 2 -A http://172.16.0.201:5000/v2.0 -U service:swift -K swift stat (add the '-V 2')

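What `-V 2` changes on the wire, as an added example that is not part of the answer above or of python-swiftclient: it builds the v1-style request and the Keystone v2.0 request for the same `-A`/`-U`/`-K` values and shows what each needs back. A 200 response without token headers, like the "Auth GET failed ... 200 OK" output quoted in the question, is still a failed login for a v1 client. Function names and the sample responses are constructed for illustration.

```python
import json


def v1_request(auth_url, user, key):
    """v1-style auth (used when -V 2 is absent): GET with credential headers."""
    return {"method": "GET", "url": auth_url, "body": None,
            "headers": {"X-Auth-User": user, "X-Auth-Key": key}}


def v2_request(auth_url, user, key):
    """Keystone v2.0 auth: POST <auth_url>/tokens; -U is read as tenant:user."""
    tenant, sep, name = user.partition(":")
    if not sep:
        tenant, name = None, user
    auth = {"passwordCredentials": {"username": name, "password": key}}
    if tenant:
        auth["tenantName"] = tenant
    return {"method": "POST", "url": auth_url.rstrip("/") + "/tokens",
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps({"auth": auth})}


def v1_outcome(status, headers):
    """A v1 client needs a token and a storage URL in the response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if 200 <= status < 300 and "x-auth-token" in h and "x-storage-url" in h:
        return h["x-storage-url"], h["x-auth-token"]
    return None  # a 2xx without those headers is still a failed login


def v2_outcome(status, body):
    """Return (object-store publicURL, token id) from a v2.0 token response."""
    if status != 200:
        return None
    access = json.loads(body)["access"]
    for svc in access.get("serviceCatalog", []):
        if svc.get("type") == "object-store" and svc.get("endpoints"):
            return svc["endpoints"][0]["publicURL"], access["token"]["id"]
    return None


# Constructed responses: headers of the version document Keystone serves for
# GET /v2.0, and a trimmed token response with placeholder token/tenant ids.
VERSION_DOC_HEADERS = {"Content-Type": "application/json"}
TOKEN_BODY = json.dumps({"access": {
    "token": {"id": "TOKEN-PLACEHOLDER"},
    "serviceCatalog": [{"type": "object-store", "endpoints": [
        {"publicURL": "https://172.16.0.203:443/v1/AUTH_TENANT-PLACEHOLDER"}]}]}})

if __name__ == "__main__":
    print(v1_outcome(200, VERSION_DOC_HEADERS))  # v1 client against Keystone
    print(v2_request("http://172.16.0.201:5000/v2.0", "service:swift", "swift"))
    print(v2_outcome(200, TOKEN_BODY))
```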

Question Tools

2 followers

Stats

Asked: 2013-06-24 13:13:23 -0600

Seen: 440 times

Last updated: Jun 26 '13