
Invalid user token - deferring reject downstream (swift proxy)

asked 2014-06-18 23:00:48 -0600

kevin.purcell

My test environment looks like:

 - controller (keystone) - 10.10.1.111
 - swift (proxy) - 10.10.1.112
 - storage(cluster1) - 10.10.1.113
 - storage(cluster2) - 10.10.1.115

I finally got everything working (or so I thought). From my proxy server I was able to run the "test" commands and get a result back from keystone (using http://10.10.1.111:35357/v2.0):

[root@openstack_swift ~(swift)]# swift --debug list
DEBUG:keystoneclient.session:REQ: curl -i -X POST http://controller:35357/v2.0/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "service", "passwordCredentials": {"username": "swift", "password": "swift"}}}'
INFO:urllib3.connectionpool:Starting new HTTP connection (1): controller
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 1136
DEBUG:keystoneclient.session:RESP: [200] {'date': 'Thu, 19 Jun 2014 03:51:03 GMT', 'content-type': 'application/json', 'content-length': '1136', 'vary': 'X-Auth-Token'}
RESP BODY: {"access": {"token": {"issued_at": "2014-06-19T03:51:03.586599", "expires": "2014-06-19T04:51:03Z", "id": "8a53f47c41e54eb3b807b6dbd806903e", "tenant": {"description": "Service Tenant", "enabled": true, "id": "f1458b9e3c8c4d1388671a322d145799", "name": "service"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.10.1.112:8080/v1", "region": "regionOne", "internalURL": "http://10.10.1.112:8080/v1/AUTH_f1458b9e3c8c4d1388671a322d145799", "id": "72ebd90eb8fb4b629445acd1cbca2152", "publicURL": "http://10.10.1.112:8080/v1/AUTH_f1458b9e3c8c4d1388671a322d145799"}], "endpoints_links": [], "type": "object-store", "name": "swift"}, {"endpoints": [{"adminURL": "http://controller:35357/v2.0", "region": "regionOne", "internalURL": "http://controller:5000/v2.0", "id": "aae73a88b50a4886990521677f494890", "publicURL": "http://controller:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "swift", "roles_links": [], "id": "184c513932514611a0b0d6175a6a9167", "roles": [{"name": "admin"}], "name": "swift"}, "metadata": {"is_admin": 0, "roles": ["d6fef3ca810c485ca1dadc675d102442"]}}}

DEBUG:iso8601.iso8601:Parsed 2014-06-19T04:51:03Z into {'tz_sign': None, 'second_fraction': None, 'hour': u'04', 'daydash': u'19', 'tz_hour': None, 'month': None, 'timezone': u'Z', 'second': u'03', 'tz_minute': None, 'year': u'2014', 'separator': u'T', 'monthdash': u'06', 'day': None, 'minute': u'51'} with default timezone <iso8601.iso8601.Utc object at 0x134da10>
DEBUG:iso8601.iso8601:Got u'2014' for 'year' with default None
DEBUG:iso8601.iso8601:Got u'06' for 'monthdash' with default 1
DEBUG:iso8601.iso8601:Got 6 for 'month' with default 6
DEBUG:iso8601.iso8601:Got u'19' for 'daydash' with default 1
DEBUG:iso8601.iso8601:Got 19 for 'day' with default 19
DEBUG:iso8601.iso8601:Got u'04' for 'hour' with default None
DEBUG:iso8601.iso8601:Got u'51' for 'minute' with default None
DEBUG:iso8601.iso8601:Got u'03' for 'second' with default None
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 10.10.1.112
DEBUG:urllib3.connectionpool:"GET /v1/AUTH_f1458b9e3c8c4d1388671a322d145799?format=json HTTP/1.1" 200 51
DEBUG:swiftclient:REQ: curl -i http://10.10.1.112:8080/v1/AUTH_f1458b9e3c8c4d1388671a322d145799?format=json -X GET -H "X-Auth-Token: 8a53f47c41e54eb3b807b6dbd806903e"
DEBUG:swiftclient:RESP STATUS: 200 OK
DEBUG:swiftclient:RESP HEADERS: [('content-length', '51'), ('accept-ranges', 'bytes'), ('x-timestamp', '1402916327.54569'), ('x-trans-id', 'txc7649b843c8a481cb7d71-0053a25df7'), ('date', 'Thu, 19 Jun 2014 03:50:17 GMT'), ('x-account-bytes-used', '24996082'), ('x-account-container-count', '1'), ('content-type', 'application/json; charset=utf-8'), ('x-account-object-count', '5')]
DEBUG:swiftclient:RESP BODY: [{"count": 5, "bytes": 24996082, "name": "backup"}]
backup
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 10.10.1.112
DEBUG:urllib3.connectionpool:"GET ...

2 answers

0

answered 2014-06-19 00:50:48 -0600

  • The user will first connect to the keystone server and get the token.
  • The Swift server's url is in the service catalog, which is part of the token. They will get the swift server url from the catalog and call swift with that token. (If you look at the swiftclient code, it will do all these steps.)
  • Swift will once again call keystone to verify the token.
  • If the verification is successful, then swift will allow listing.

You can verify this from the logs that you have posted. In this case, instead of the user calling keystone directly, the swift client calls keystone and gets the token and then passes the token to swift. So the url the client needs to know is that of keystone and not swift.

Authentication (get token) is a keystone api. If you point cloudberry to keystone, it will work since keystone understands the authentication request. If you point cloudberry to the swift url then it won't work since it doesn't understand that api.


Comments

If you look at the diagram here:

http://docs.openstack.org/icehouse/install-guide/install/yum/content/example-object-storage-installation-architecture.html

It shows the proxy as the client connection method. This doesn't show the authentication server and doesn't imply that keystone and proxy are on the same server.

I guess I am a bit concerned that you would present your accounts database to the internet and then the auth server does its own hand off to the proxy servers once you are authenticated. I assumed the user connected to the proxy and that the proxy would authenticate in the background and not the other way around where the user connects to keystone and keystone hands off the connection once you are authenticated.

kevin.purcell ( 2014-06-19 01:27:08 -0600 )

Yes, proxy is the client connection method provided you have a valid authentication token from keystone. Keystone is the identity management server. It is responsible for your credentials and authentication. Also, keystone doesn't do the hand off (redirect). It gives the url of the services that the credentials can access. The user decides which service to access. If he wants to access swift, then he calls the swift proxy with the token, or the nova api server if he wants to create a vm.

  • Assuming it is designed as you have explained, then you pass the credential to swift and it passes it to keystone. In this case swift knows your credentials besides keystone. OpenStack has around 10+ services. All you need to do is hack one service to get access to all the credentials.

Haneef Ali ( 2014-06-19 01:55:35 -0600 )
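
The flow described in the first answer and its comments, as an added example that is not part of the original thread and not swiftclient's own code: credentials are posted to Keystone only, and the Swift proxy receives nothing but the token and the URL taken from the service catalog. The sample response is constructed to match the shape of the one in the question's log; the function names, the `demo` user, its password and the placeholder ids are assumptions.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request

KEYSTONE_URL = "http://controller:35357/v2.0"  # auth URL seen in the question's log

# Constructed sample shaped like the v2.0 /tokens response in the question's
# log; the token and tenant ids are placeholders, not values from the page.
SAMPLE_RESPONSE = json.dumps({"access": {
    "token": {"id": "TOKEN_PLACEHOLDER", "expires": "2014-06-19T04:51:03Z"},
    "serviceCatalog": [
        {"type": "object-store", "name": "swift", "endpoints": [
            {"publicURL": "http://10.10.1.112:8080/v1/AUTH_TENANT_PLACEHOLDER"}]},
        {"type": "identity", "name": "keystone", "endpoints": [
            {"publicURL": "http://controller:5000/v2.0"}]},
    ]}})


def build_auth_request(username, password, tenant):
    """Step 1: the credentials are sent to Keystone and nowhere else."""
    body = json.dumps({"auth": {"tenantName": tenant, "passwordCredentials": {
        "username": username, "password": password}}}).encode()
    return Request(KEYSTONE_URL + "/tokens", data=body, method="POST",
                   headers={"Content-Type": "application/json"})


def parse_access(response_body):
    """Step 2: read the token id and each service's public URL from the catalog."""
    access = json.loads(response_body)["access"]
    catalog = {svc["type"]: svc["endpoints"][0]["publicURL"]
               for svc in access.get("serviceCatalog", []) if svc.get("endpoints")}
    return access["token"]["id"], catalog


def build_swift_request(response_body):
    """Step 3: call the Swift proxy with the token alone, never the password."""
    token, catalog = parse_access(response_body)
    if "object-store" not in catalog:
        raise LookupError("service catalog has no object-store endpoint")
    # Step 4 happens server-side: the proxy asks Keystone to validate the token.
    return Request(catalog["object-store"] + "?format=json", method="GET",
                   headers={"X-Auth-Token": token})


if __name__ == "__main__":
    auth = build_auth_request("demo", "constructed-password", "service")
    swift = build_swift_request(SAMPLE_RESPONSE)
    print("credentials go to:", urlsplit(auth.full_url).netloc)
    print("token goes to:    ", urlsplit(swift.full_url).netloc)
```
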
-1

answered 2014-12-25 22:59:31 -0600

Sorry to join in asking here, but I experienced the same problem and I have tried to search but have not found a solution. Here is the link to the tutorial that I followed, and I have tried all the stages: http://docs.openstack.org/juno/install-guide/install/yum/content/

There are 5 nodes that I use:

 - controller node: 10.10.10.4
 - compute nodes: 10.10.10.5
 - blokstorage node: 10.10.10.6
 - objectstorage1 node: 10.10.10.7
 - objectstorage2 node: 10.10.10.8

All OS are CentOS 7 64 bit. All of the installation went smoothly without encountering an error, except that the package python-keystone-auth-token could not be installed, with the error: No package python-keystone-auth-token available.

The problem that I experienced is that when trying to log in using a Windows application to mount the data from the storage object, the applications "ExpanDrive and Cyberduck" always failed to log in, and the error log is:

Dec 26 09:43:52 controller-node proxy-server: Invalid user token - deferring reject downstream
Dec 26 09:43:52 controller-node proxy-server: Invalid user token - deferring reject downstream
Dec 26 09:43:52 controller-node proxy-server: Invalid user token - deferring reject downstream

I need help. What should I do? I have tried to find a solution but have not found one.

Regards, Andre


Comments

You may check the comment given for my query on "python-keystone-auth-token available"

https://ask.openstack.org/en/question...

Could you please paste Proxy-Server.conf / Pipeline configuration?

bala2014 ( 2015-01-05 03:39:39 -0600 )


Stats

Asked: 2014-06-18 23:00:48 -0600

Seen: 3,671 times

Last updated: Dec 25 '14