
Invalid user token - rejecting request [closed]

asked 2014-07-15 04:30:58 -0500

messah

updated 2014-08-19 12:50:01 -0500

briancline

I have Ubuntu 12.04 on a virtual machine and I use Swift, Keystone, and Python-swiftclient on this machine.

I created a user, role, account, and endpoint for keystone. And I created an endpoint for the keystone - swift connection like this:

$ SERVICEID=$(keystone  service-create --name=swift --type=object-store --description="Swift Service" | grep "id " | cut -d "|" -f 3)
$ echo $SERVICEID # just making sure we got a SERVICEID
$ keystone endpoint-create --service_id $SERVICEID --publicurl "http://127.0.0.1:8080/v1/AUTH_\$(tenant_id)s" --adminurl "http://127.0.0.1:8080/v1/AUTH_\$(tenant_id)s" --internalurl "http://127.0.0.1:8080/v1/AUTH_\$(tenant_id)s"

I use commands with python-swiftclient. There is no problem. All the commands in this link (https://support.rc.nectar.org.au/docs/python-swiftclient) are working. But when I check the URL in a browser, there is a problem.

swift stat deneme1 :

Account: AUTH_918112e49f2a4530a146efcb46d4af80
Container: deneme1
Objects: 11
Bytes: 4077682
Read ACL: .r:*,.rlistings
Write ACL:
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: gold
X-Timestamp: 1405411686.78453
X-Trans-Id: txe6afced19aa441499586f-0053c4f75e
Content-Type: text/plain; charset=utf-8

swift list deneme1 :

50cuteanimpic6.jpg
Weird-pictures-art-pictures-Igor-Morski.jpg
Wolf Pictures 033.jpg
images.jpeg
pictures_1400077785.jpg
powerful-pictures-of-earth-being-destroyed.jpg

Browser :

http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80/deneme1/images.jpeg

--> When I click the address I see: Authentication required

How can I see my object in the browser? If you look at the given link there is an example, but it didn't work on my Swift. I have added the proxy logs and my configuration.

==> proxy.log <==

Jul 15 12:21:36 openstack proxy-server: Authenticating user token
Jul 15 12:21:36 openstack proxy-server: Removing headers from request environment: X-Identity-Status,X-Domain-Id,X-Domain-Name,X-Project-  Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-User-Id,X-User-Name,X-User-Domain-Id,X-User-Domain-Name,X-Roles,X-Service- Catalog,X-User,X-Tenant-Id,X-Tenant-Name,X-Tenant,X-Role
Jul 15 12:21:36 openstack proxy-server: Headers: {'wsgi.multithread': False, 'SCRIPT_NAME': '', 'wsgi.input': <StringIO.StringIO instance at  0x2f57830>, 'REQUEST_METHOD': 'HEAD', 'HTTP_HOST': '127.0.0.1:8080', 'PATH_INFO': '/v1/AUTH_918112e49f2a4530a146efcb46d4af80',  'SERVER_PROTOCOL': 'HTTP/1.0', 'QUERY_STRING': '', 'swift.authorize': <function <lambda> at 0x2ec87d0>, 'swift.source': 'GET_INFO',  'HTTP_USER_AGENT': 'Swift', 'wsgi.version': (1, 0), 'eventlet.posthooks': [], 'SERVER_NAME': '127.0.0.1', 'wsgi.errors': <cStringIO.StringI object at  0x2f52300>, 'wsgi.multiprocess': False, 'swift.trans_id': 'tx7009f6436df34f378774f-0053c4f2a0', 'wsgi.url_scheme': 'http', 'REMOTE_USER':  '.wsgi.pre_authed', 'SERVER_PORT': '8080', 'swift.cache': <swift.common.memcached.MemcacheRing object at 0x2ecfd50>,  'swift.authorize_override': True}
Jul 15 12:21:36 openstack proxy-server: Invalid user token - rejecting request
Jul 15 12:21:36 openstack proxy-server: Authenticating user token
Jul 15 12:21:36 openstack proxy-server: Removing headers from request environment: X-Identity-Status,X-Domain-Id,X-Domain-Name,X-Project-   Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-User-Id,X-User-Name,X-User-Domain-Id,X-User-Domain-Name,X-Roles,X-Service-Catalog,X-User,X-Tenant-Id,X-Tenant-Name,X-Tenant,X-Role
Jul 15 12:21:36 openstack proxy-server: Headers: {'SCRIPT_NAME': '', 'swift.proxy_access_log_made': True, 'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/AUTH_918112e49f2a4530a146efcb46d4af80/public', 'staticweb.start_time': 1405416096.257779, 'SERVER_PROTOCOL': 'HTTP/1.0', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0', 'HTTP_CONNECTION': 'keep-alive', 'REMOTE_PORT': '39502', 'SERVER_NAME': '127.0.0.1', 'REMOTE_ADDR': '127.0.0.1', 'eventlet.input': <eventlet.wsgi.Input object at 0x2f510d0>, 'wsgi.url_scheme': 'http', 'SERVER_PORT': '8080', 'wsgi.input': <swift.common.utils.InputProxy object at 0x2f4eb90>, 'HTTP_HOST': '127.0.0.1:8080 ...

Closed for the following reason the question is answered, right answer was accepted by messah
close date 2014-07-18 08:10:39.836291

2 answers

2

answered 2014-07-18 08:07:27 -0500

messah

updated 2014-07-18 08:12:57 -0500

I solved my problem by discussing it in the #openstack-swift IRC channel. IRC channel discussion log link: http://eavesdrop.openstack.org/irclogs/%23openstack-swift/%23openstack-swift.2014-07-16.log

The changes made:

1) You first need to make sure you have a service endpoint of type object-store in keystone pointing to your Swift proxy. For example, having this in your /etc/keystone/default_catalog.templates:

catalog.RegionOne.object_store.name = Swift Service
catalog.RegionOne.object_store.publicURL = http://swiftproxy:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.adminURL = http://swiftproxy:8080/
catalog.RegionOne.object_store.internalURL = http://swiftproxy:8080/v1/AUTH_$(tenant_id)s

I added these lines to /etc/keystone/default_catalog.templates

2) You need to set "delay_auth_decision = true" in [filter:authtoken] in proxy-server.conf

swift-init proxy-server restart

And then:

3) It returns JSON which has the token id, tenant id, etc. You must get the token id and tenant id from here.

curl -s -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}' -H 'Content-type: application/json' http://127.0.0.1:5000/v2.0/tokens

4)

curl -v -H 'X-Auth-Token: b7e31a6a8b0448908ff09319fe8fd118 ...longtokenid' http://127.0.0.1:8080/v1.0/AUTH_<tenantid>

5)

swift post --read-acl ".r:*,.rlistings" container
swift post -m 'X-Container-Read: .r:*,.rlistings' container

And now you can access your object with a link like this: http://127.0.0.1:8080/v1/AUTH_tenant-id/container/images.jpeg

Optional:

6) I saw that I don't use endpoint-list in proxy-server.conf. I removed that.

7) You can make your link better with tempurl:

swift post -m "Temp-URL-Key:testkeyhere"
echo http://127.0.0.1:8080`swift-temp-url GET 3600 /v1/AUTH_<tenant-id>/container/50cuteanimpic6.jpg testkeyhere`

The command returns a link which you can access for 3600 seconds (1 hour).

We can access our link at the end:

http://127.0.0.1:8080/v1/AUTH_tenant-id/container/50cuteanimpic6.jpg?temp_url_sig=c98dd137c01e1726260563f9b45c7e25e9ed79b3&temp_url_expires=1405696637

I hope this answer can help someone like me.

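How the `temp_url_sig` and `temp_url_expires` parameters from step 7 fit together, as an added example that is not part of the original answer or of Swift's own code. It assumes Swift's documented TempURL scheme (hex HMAC-SHA1 over method, expiry and path, keyed with the Temp-URL-Key); `make_temp_url`, `check_temp_url`, the `AUTH_example` account and the clock value are constructed for illustration.

```python
import hmac
import time
from hashlib import sha1
from urllib.parse import parse_qs, urlsplit

KEY = "testkeyhere"  # the Temp-URL-Key set in step 7
PATH = "/v1/AUTH_example/container/50cuteanimpic6.jpg"  # AUTH_example is a placeholder account
NOW = 1405693037  # constructed clock value, used so the run is reproducible


def _sign(method, expires, path, key):
    # Signed string is "<METHOD>\n<expires>\n<path>"; the digest is hex HMAC-SHA1.
    msg = "%s\n%d\n%s" % (method.upper(), expires, path)
    return hmac.new(key.encode(), msg.encode(), sha1).hexdigest()


def make_temp_url(method, path, key, ttl, now=None):
    """Return path plus temp_url_sig / temp_url_expires, valid for ttl seconds."""
    expires = int(time.time() if now is None else now) + ttl
    sig = _sign(method, expires, path, key)
    return "%s?temp_url_sig=%s&temp_url_expires=%d" % (path, sig, expires)


def check_temp_url(method, url, key, now=None):
    """Simplified model of the server-side check: signature first, then expiry."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    expected = _sign(method, expires, parts.path, key)
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    return int(time.time() if now is None else now) < expires


if __name__ == "__main__":
    url = make_temp_url("GET", PATH, KEY, 3600, now=NOW)
    print("http://127.0.0.1:8080" + url)
    print("valid now:      ", check_temp_url("GET", url, KEY, now=NOW + 60))
    print("after expiry:   ", check_temp_url("GET", url, KEY, now=NOW + 3600))
    print("other method:   ", check_temp_url("PUT", url, KEY, now=NOW + 60))
    print("other object:   ", check_temp_url(
        "GET", url.replace("50cuteanimpic6.jpg", "images.jpeg"), KEY, now=NOW + 60))
```

The signature binds the link to one method, one object path and one expiry time, so it grants far less than the `.r:*,.rlistings` read ACL from step 5. Anyone holding the Temp-URL-Key can mint links for the account, so it should be a long random value handled like a credential.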
1

answered 2014-07-15 04:48:47 -0500

Kashyap Kopparam

You can run the command using the client tools with the --debug option. This will output the URL that the command uses to query the object storage. I believe that it has some parameters like the keystone token that it adds to the POST request. Just entering that URL on the browser is expected to give an auth error.


Comments

I added the log from when the URL is entered on the command line:

swift --debug --os-auth-token ADMIN  --os-storage-url http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg list

Result :

INFO:urllib3.connectionpool:Starting new HTTP connection (1): 127.0.0.1
DEBUG:urllib3.connectionpool:"GET /v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json HTTP/1.1" 401 23
INFO:swiftclient:REQ: curl -i   http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json -X    GET -H "X-Auth-Token: ADMIN"
INFO:swiftclient:RESP STATUS: 401 Unauthorized
INFO:swiftclient:RESP HEADERS: [('date', 'Tue, 15 Jul 2014 09:57:49 GMT'), ('content-length', '23'),   ('content-type', 'text/plain'), ('www-authenticate', "Keystone uri='http://127.0.0.1:5000/'"), ('x-trans-id',   'txd970ef4f98754c0e9e2cc-0053c4fb1d')]
INFO:swiftclient:RESP BODY: Authentication required
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 127.0.0.1
DEBUG:urllib3.connectionpool:"GET  /v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json HTTP/1.1" 401 23
INFO:swiftclient:REQ ...
messah ( 2014-07-15 05:02:23 -0500 )
  • I thought you said client tool would work, but I see a failure on the last line.
  • As you can see in this line

    INFO:swiftclient:REQ: curl -i http://127.0.0.1:8080/v1/AUTH_918112e... -X GET -H "X-Auth-Token: ADMIN"

the curl request has a header which contains the thing after -H. This will not be present if you simply paste the url on browser.

Kashyap Kopparam ( 2014-07-15 07:25:13 -0500 )

I want to say that I tested the commands in this link: https://support.rc.nectar.org.au/docs/python-swiftclient. I use upload, download, list, stat, read permission, etc., but I can't access my object in the browser, which is the last part of the page in that link. So what can I do to remove the -H option?

messah ( 2014-07-15 13:44:19 -0500 )

You cannot escape that. Swift was designed to serve objects with authentication only.

Kashyap Kopparam ( 2014-07-16 05:50:23 -0500 )

I don't escape that. But the document in this link https://support.rc.nectar.org.au/docs/python-swiftclient#example_public_URL says a container can be public. And there is an example like: https://swift.rc.nectar.org.au:8888/v1/AUTH_26/new_container/Dexter_the_snooty_dog.jpg

but I couldn't implement that. How can I do that? I get an authentication failure.

messah ( 2014-07-16 05:57:59 -0500 )

Stats

Asked: 2014-07-15 04:30:58 -0500

Seen: 3,582 times

Last updated: Jul 18 '14