
Keystone / Swift authentication challenges

asked 2014-03-03 13:17:08 -0600

aplawson

I had a working Swift deployment (one proxy, 10 storage nodes) using tempauth/swauth and with that config everything works fine. Add/remove objects, list etc. I am now in the process of trying to integrate Keystone and getting confused with number of possible problems the more I research so I figured I'd post it here.

I built a new Keystone server using the following document: Configuring keystone. I also updated Swift to use Keystone using the following document: Configure Swift to Use Keystone.

Problem: Unable to authenticate using service:swift + "password". I'm mostly getting 401 Connection Refused errors and service catalog errors, depending which method I try. What am I missing?

User-list in Keystone:

$ keystone user-list
+----------------------------------+---------+-------+-------+
|                id                | enabled | email |  name |
+----------------------------------+---------+-------+-------+
| 3b26d681b7b5448b94c563b1d8bb55fd | True    | None  | admin |
| e186d19ab0ab4cc681b24196e76b9032 | True    | None  | swift |
+----------------------------------+---------+-------+-------+

User-get in Keystone:

$ keystone user-get e186d19ab0ab4cc681b24196e76b9032
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | e186d19ab0ab4cc681b24196e76b9032 |
| name     | swift                            |
| tenantId | 7e9b8a64252340c2ba4dd292acf18e80 |
+----------+----------------------------------+

Tenant-list in Keystone:

$ keystone tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 539749c631044f64be5f29066ae486c4 | demo    | True    |
| 6140b18239284cce8b51305649dbb792 | admin   | True    |
| 7e9b8a64252340c2ba4dd292acf18e80 | service | True    |
+----------------------------------+---------+---------+

Role-list in Keystone:

$ keystone role-list
+----------------------------------+-------+
|                id                |  name |
+----------------------------------+-------+
| 6d64ff8265d6404983d774e34159dcd5 | admin |
+----------------------------------+-------+

Service-list in Keystone:

$ keystone service-list
+----------------------------------+----------+--------------+------------------+
|                id                |   name   |     type     |   description    |
+----------------------------------+----------+--------------+------------------+
| 0b2248b31e37499192d4e3cdf4288223 | keystone | identity     | Identity Service |
| 5ef2c32abd274473ab8b42f480feeb72 | swift    | object-store | Swift Service    |
+----------------------------------+----------+--------------+------------------+

Endpoint-list in Keystone:

$ keystone endpoint-list
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
|                id                |   region  |                   publicurl                    |                  internalurl                   |            adminurl            |
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
| 46600a4c54a94eee881e9a4a2c648b8b | RegionOne | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1    |
| 660c5babbe7746d485d31d85353ab1b8 | RegionOne | http://10.173.0.165.:5000/v2.0                 | http://10.173.0.165:5000/v2.0                  | http://10.173.0.165:35357/v2.0 |
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+

/etc/swift/proxy-server.conf on Swift proxy:

[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
bind_port = 8080
workers = 8
user = swift

[pipeline:main]
pipeline = healthcheck proxy-logging cache authtoken keystoneauth proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:proxy-logging]
use = egg:swift#proxy_logging

[filter:tempauth]
use = egg:swift#tempauth
user_system_root = testpass .admin

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = 10.173.0.66:11211

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 10.173.0.165
auth_port = 35357
auth_protocol = http
auth_uri = http://10.173.0.165:5000/
admin_tenant_name = service
admin_user = swift
admin_password = password
cache = swift.cache
include_service_catalog = True

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator

Test command:

export OS_AUTH_URL=http://10.173.0.165:5000/v2.0
export OS_USERNAME=swift
export OS_PASSWORD=password
swift -V 2 stat

Command output:

    raise exceptions.EmptyCatalog('The service catalog is empty.')
keystoneclient.exceptions.EmptyCatalog: The service catalog is empty.

Other commands I've tried include:

 swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v2 -U service:swift -K password stat

...which also fail for other reasons...

Auth GET failed: https://10.173.0.66:8080/auth/v2 401 Unauthorized

Thoughts? I'm stumped.


3 answers


answered 2014-11-05 11:43:48 -0600

James

You have bound swift port to 8080, but you specified 8888 in your endpoint creation.

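James's point (the proxy is bound to 8080 while the registered endpoint says 8888) can be checked mechanically, and the same pass catches two related mismatches in the question's configuration that go beyond his answer: the proxy has cert_file set, so it serves HTTPS, while the catalog URL is http://, and the cache/authtoken/keystoneauth ordering in the pipeline. The script below is an added example, not code from the thread or from Swift; it embeds the relevant parts of the question's proxy-server.conf and the object-store publicurl and runs the checks against them.

```python
"""Lint a Swift proxy-server.conf against the object-store endpoint registered in Keystone."""
import configparser
from urllib.parse import urlparse

# Copied from the question's /etc/swift/proxy-server.conf, trimmed to the sections the checks use.
PROXY_CONF = """
[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
bind_port = 8080

[pipeline:main]
pipeline = healthcheck proxy-logging cache authtoken keystoneauth proxy-logging proxy-server

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 10.173.0.165
auth_port = 35357
cache = swift.cache

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator
"""

# Copied from the object-store row of the question's `keystone endpoint-list` output.
OBJECT_STORE_PUBLICURL = "http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s"


def lint_proxy_conf(conf_text, publicurl):
    """Return a list of findings; an empty list means the conf and the endpoint agree."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(tenant_id)s literal
    cp.read_string(conf_text)
    findings = []

    pipeline = cp.get("pipeline:main", "pipeline").split()
    if "authtoken" not in pipeline or "keystoneauth" not in pipeline:
        findings.append("pipeline: authtoken and keystoneauth must both be present")
    else:
        # authtoken validates the token and sets the identity/role headers; keystoneauth
        # authorizes on those headers, so it has to come later in the pipeline.
        if pipeline.index("authtoken") > pipeline.index("keystoneauth"):
            findings.append("pipeline: authtoken must run before keystoneauth")
        # authtoken stores validated tokens in swift.cache, so cache must precede it.
        if "cache" in pipeline and pipeline.index("cache") > pipeline.index("authtoken"):
            findings.append("pipeline: cache must run before authtoken")

    url = urlparse(publicurl)
    bind_port = cp.getint("DEFAULT", "bind_port")
    endpoint_port = url.port or (443 if url.scheme == "https" else 80)
    if endpoint_port != bind_port:
        findings.append(
            f"port: proxy binds {bind_port} but the catalog sends clients to {endpoint_port}")

    # With cert_file set in [DEFAULT] the proxy serves HTTPS; the catalog URL must say so.
    if cp.has_option("DEFAULT", "cert_file") and url.scheme != "https":
        findings.append("scheme: proxy serves TLS (cert_file set) but the catalog URL is http://")

    return findings


if __name__ == "__main__":
    for finding in lint_proxy_conf(PROXY_CONF, OBJECT_STORE_PUBLICURL):
        print(finding)
```

Run against the question's values it reports the port mismatch and the http/https mismatch and nothing about the pipeline, which is ordered correctly; either mismatch alone is enough to make a client that did get a token fail on the next request.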

answered 2014-07-10 12:48:40 -0600

DeepVish

updated 2014-07-15 11:07:17 -0600

smaffulli

As Haneef said, it looks like you are missing the mapping between user, role and tenant. I am using Swift with Keystone, and I have the following mapping in Keystone:

$ keystone user-role-list --user swift
+-------+-------+---------+-----------+
|   id  |  name | user_id | tenant_id |
+-------+-------+---------+-----------+
| admin | admin |  swift  |  service  |
+-------+-------+---------+-----------+

If it is not there in your setup, you need to add it using the following command:

keystone user-role-add --user=swift --tenant=service --role=admin

Hope this is useful.


answered 2014-03-05 00:34:42 -0600

updated 2014-07-15 11:09:16 -0600

smaffulli

Looks like you are missing user tenant role association. You need to associate the role with tenant and the user.

Try keystone user-role-add.

It is easy to verify this. 1) Using curl, get the token directly from Keystone using username/password/tenant. If that returns roles, then it will work via swift. You need to use keystone user-role-add to add the tenant role association. After that the curl and swift commands work. In general, if you want to know the curl syntax, run the keystone command with the --debug option.

There are 2 types of token in Keystone: one is unscoped and the other is a scoped token. You are trying to get a scoped token, and it will fail unless you have a user tenant association with a role.

Try this link for example

curl -H "Content-Type: application/json" -X POST --data "@request.json" http://<keystone_host>:35357/v2.0/tokens

where the request.json file has the payload with the current username and password.


Comments

Can you give me an example of what the curl syntax should look like in this case? The curl commands I've tried from the documentation are failing with the same 401 unauth errors. I can curl and head the account with tempauth; it fails with keystone. This is only going to get more complex, but a base understanding will be of great usefulness in the near term. Thanks!

aplawson (2014-03-07 15:25:19 -0600)

You need to use keystone user-role-add to add the tenant role association. After that the curl and swift commands work. In general, if you want to know the curl syntax, run the keystone command with the --debug option. There are 2 types of token in Keystone: one is unscoped and the other is a scoped token. You are trying to get a scoped token, and it will fail unless you have a user tenant association with a role. Try this link for example:

http://docs.openstack.org/api/openstack-identity-service/2.0/content/POST_admin-authenticate_v2.0_tokens_Token_Operations.html#POST_admin-authenticate_v2.0_tokens_Token_Operations-Request
curl -H "Content-Type: application/json" -X POST --data "@request.json" http://<keystone_host>:35357/v2.0/tokens where the request.json file has the payload with the current username and password.

Haneef Ali (2014-03-07 21:46:40 -0600)
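Haneef's and DeepVish's answers come down to one check: request a token scoped to a tenant and look at whether it comes back with roles and a service catalog. The question's test command exports OS_USERNAME and OS_PASSWORD but no OS_TENANT_NAME, so the request the swift client sends is unscoped, and an unscoped v2.0 token carries an empty serviceCatalog, which is exactly the EmptyCatalog error shown. The script below is an added example, not code from the thread or from OpenStack: it builds the request.json payload the curl command posts, can post it with urllib against a live Keystone, and inspects the response the way the answers describe, including whether any returned role matches the proxy's operator_roles. The two sample responses are constructed in the shape Keystone v2.0 returns, reusing the user, tenant and endpoint values from the question; the token id is a placeholder.

```python
"""Request a Keystone v2.0 token and explain why Swift might see an empty catalog."""
import json
import urllib.request

# operator_roles from the question's [filter:keystoneauth] section.
OPERATOR_ROLES = ("admin", "swiftoperator")


def build_v2_token_request(username, password, tenant_name=None):
    """Payload for POST /v2.0/tokens. Without tenant_name the token comes back unscoped."""
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_name:
        auth["tenantName"] = tenant_name
    return {"auth": auth}


def fetch_token(auth_url, payload):
    """POST payload to <auth_url>/tokens and return the parsed body (needs a live Keystone)."""
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/tokens",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def diagnose_token_response(resp, operator_roles=OPERATOR_ROLES):
    """Return (findings, object_store_url, roles); empty findings means Swift should work."""
    access = resp["access"]
    findings = []
    if access["token"].get("tenant") is None:
        findings.append("unscoped token: no tenantName in the request, "
                        "or the user holds no role in that tenant")
    roles = [r["name"] for r in access["user"].get("roles", [])]
    if not roles:
        findings.append("no roles in token: keystoneauth cannot grant operator access")
    elif not set(roles) & set(operator_roles):
        findings.append(f"roles {roles} match none of operator_roles {list(operator_roles)}")
    catalog = access.get("serviceCatalog", [])
    if not catalog:
        findings.append("empty serviceCatalog: the swift client raises EmptyCatalog")
    store = [s for s in catalog if s.get("type") == "object-store"]
    url = None
    if catalog and not store:
        findings.append("no object-store service in catalog: check `keystone service-list`")
    elif store:
        url = store[0]["endpoints"][0]["publicURL"]
    return findings, url, roles


# Constructed responses in the shape Keystone v2.0 returns; IDs and URLs come from the question.
UNSCOPED_RESPONSE = {"access": {
    "token": {"id": "TOKEN-PLACEHOLDER", "expires": "2014-03-04T19:17:08Z"},
    "user": {"id": "e186d19ab0ab4cc681b24196e76b9032", "name": "swift",
             "roles": [], "roles_links": []},
    "serviceCatalog": [],
}}
SCOPED_RESPONSE = {"access": {
    "token": {"id": "TOKEN-PLACEHOLDER", "expires": "2014-03-04T19:17:08Z",
              "tenant": {"id": "7e9b8a64252340c2ba4dd292acf18e80", "name": "service"}},
    "user": {"id": "e186d19ab0ab4cc681b24196e76b9032", "name": "swift",
             "roles": [{"name": "admin"}], "roles_links": []},
    "serviceCatalog": [{"name": "swift", "type": "object-store", "endpoints": [{
        "region": "RegionOne",
        "publicURL": "http://10.173.0.165:8888/v1/AUTH_7e9b8a64252340c2ba4dd292acf18e80",
        "internalURL": "http://10.173.0.165:8888/v1/AUTH_7e9b8a64252340c2ba4dd292acf18e80",
        "adminURL": "http://10.173.0.165:8888/v1"}], "endpoints_links": []}],
}}

if __name__ == "__main__":
    print(json.dumps(build_v2_token_request("swift", "password", "service"), indent=2))
    for label, sample in (("unscoped", UNSCOPED_RESPONSE), ("scoped", SCOPED_RESPONSE)):
        findings, url, roles = diagnose_token_response(sample)
        print(label, roles, url, findings or "ok")
```

To use it against a real deployment, write the dict from build_v2_token_request to request.json for the curl command in the answer, or call fetch_token with the OS_AUTH_URL from the question and pass the result to diagnose_token_response; a scoped response whose roles list is empty is the state DeepVish's `keystone user-role-add` fixes.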


Stats

Asked: 2014-03-03 13:17:08 -0600

Seen: 1,663 times

Last updated: Jul 15 '14