0

swift-keystone

asked 2014-08-18 14:52:49 -0500


updated 2014-08-19 00:29:51 -0500


I have been working on connecting spark and swiftstack, but the driver only supports keystone authentication. So here comes my problem.

I already set up the identity service as describe in http://docs.openstack.org/havana/inst... and I am trying to follow these steps https://www.swiftstack.com/docs/integ... to set up the swift side.

I created the endpoint, but I am not sure whether it is right or not because I am not sure about the adminurl, internalurl, and publicurl. Which of them should be localhost and which of them should be the address of my swiftstack?

When I tried to check the connection using curl:

root@ubuntu:~# curl -v -H "X-Auth-Token: 65b5b5d4c95942969663f18c2401d803" http://10.205.1.20/v1/AUTH_9c6ca702ab2347778bfe6cf7d7713a68
* About to connect() to 10.205.1.20 port 80 (#0)
*   Trying 10.205.1.20... connected
> GET /v1/AUTH_9c6ca702ab2347778bfe6cf7d7713a68 HTTP/1.1
> User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: 10.205.1.20
> Accept: */*
> X-Auth-Token: 65b5b5d4c95942969663f18c2401d803
> 
< HTTP/1.1 401 Unauthorized
< Content-Length: 131
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: txbc3d855c7b78481f9d419-0053f258bd
< Date: Mon, 18 Aug 2014 19:49:17 GMT
< 
* Connection #0 to host 10.205.1.20 left intact
* Closing connection #0
<html><h1>Unauthorized</h1><p>This server could not verify that you are authorized to access the document you requested.</p></html>
root@ubuntu:~#

Any help would be really appreciated.

proxy-server.conf :

[DEFAULT]
bind_port = 80
user = spark

[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystone proxy-server

[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true

[filter:keystone]
paste.filter_factory = keystoneclient.middleware.swift_auth:filter_factory
operator_roles = admin, swiftoperator

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
# Delaying the auth decision is required to support token-less
# usage for anonymous referrers ('.r:*').
delay_auth_decision = 10
auth_protocol = http
auth_port = 5000
auth_host = 127.0.0.1
auth_uri = http://127.0.0.1:5000/
service_host = 10.205.1.20
service_port = 80
admin_tenant_name = service
admin_user = swift
admin_password = swiftpass
cache = swift.cache
include_service_catalog = False

[filter:cache]
use = egg:swift#memcache
set log_name = cache

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator

root@ubuntu:~# keystone user-list
+----------------------------------+---------+------------------------------+-------+
|                id                | enabled |            email             |  name |
+----------------------------------+---------+------------------------------+-------+
| 4fed7bed36f44ebbbc6ba69c4c8e7a70 | True    | None                         | swift |
| 9c6ca702ab2347778bfe6cf7d7713a68 | True    | m*********i@company.com | spark |
| d045891fdfdf46069efa7a727cf85708 | True    | None                         | admin |
+----------------------------------+---------+------------------------------+-------+

root@ubuntu:~# keystone tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 09beb54b84a243a1a0c87b7e1c7de27a | service | True    |
| eab7ad18e730417084c9dc90cb90a663 | admin   | True    |
| f0f42a4002cc4a72a7ff7e325d510454 | spark   | True    |
+----------------------------------+---------+---------+
root@ubuntu:~# keystone endpoint-list
+----------------------------------+-----------+-------------------------------------------------------------+-------------------------------------------------------------+-----------------------------+
|                id                |   region  |                          publicurl                          |                         internalurl                         |           adminurl          |
+----------------------------------+-----------+-------------------------------------------------------------+-------------------------------------------------------------+-----------------------------+
| 386c3c7c409843bd8034e4c211bb47fd | regionOne | http://127.0.0.1:5000/v2.0                                  | http://127.0.0.1:5000/v2.0                                  | http://127.0.0.1:35357/v2.0 |
| 3a84626c80254c909651614869464752 | regionOne | http://10.205.1.20/v1/AUTH_9c6ca702ab2347778bfe6cf7d7713a68 | http://10.205.1.20/v1/AUTH_9c6ca702ab2347778bfe6cf7d7713a68 | http://10.205.1.20/v1       |
+----------------------------------+-----------+-------------------------------------------------------------+-------------------------------------------------------------+-----------------------------+

I am not able to do command user-role-list. How do you restart proxy server?

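The proxy-server.conf posted above can be checked mechanically before touching the service. The following Python script is an added example, not part of the question or of Swift or Keystone themselves; it embeds the posted configuration as its sample input and reports what a reviewer looks at first: every pipeline entry has a section, filter sections that are never used (here the second Keystone filter, [filter:keystoneauth], beside the [filter:keystone] that is actually in the pipeline), authtoken placed ahead of the Keystone authorization filter, a boolean value for delay_auth_decision, and the process user. The list of spellings accepted as booleans is an assumption about the middleware; the point is only that "10" is not one of them.

```python
import configparser

# Constructed sample: the proxy-server.conf posted in the question above,
# embedded here so the checker runs offline.
SAMPLE_CONF = """\
[DEFAULT]
bind_port = 80
user = spark

[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystone proxy-server

[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true

[filter:keystone]
paste.filter_factory = keystoneclient.middleware.swift_auth:filter_factory
operator_roles = admin, swiftoperator

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
delay_auth_decision = 10
auth_protocol = http
auth_port = 5000
auth_host = 127.0.0.1
auth_uri = http://127.0.0.1:5000/
service_host = 10.205.1.20
service_port = 80
admin_tenant_name = service
admin_user = swift
admin_password = swiftpass
cache = swift.cache
include_service_catalog = False

[filter:cache]
use = egg:swift#memcache
set log_name = cache

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator
"""

# Spellings treated as booleans (assumption about the middleware; the point is
# that a value such as "10" is not a boolean at all).
BOOL_TRUE = {"1", "true", "t", "on", "yes", "y"}
BOOL_FALSE = {"0", "false", "f", "off", "no", "n"}

# Names under which the Keystone authorization filter appears in Swift pipelines.
KEYSTONE_AUTHZ_FILTERS = ("keystone", "keystoneauth")


def check_proxy_conf(text):
    """Return a list of findings (strings) for a Swift proxy-server.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    pipeline = cp.get("pipeline:main", "pipeline").split()
    app = pipeline[-1]

    # 1. Every filter named in the pipeline needs a [filter:name] section and
    #    the pipeline must end in an [app:name] section.
    for name in pipeline[:-1]:
        if not cp.has_section(f"filter:{name}"):
            findings.append(f"pipeline names '{name}' but there is no [filter:{name}] section")
    if not cp.has_section(f"app:{app}"):
        findings.append(f"pipeline ends in '{app}' but there is no [app:{app}] section")

    # 2. Filter sections that never appear in the pipeline are dead config.
    for section in cp.sections():
        if section.startswith("filter:") and section.split(":", 1)[1] not in pipeline:
            findings.append(f"[{section}] is defined but not in the pipeline")

    # 3. authtoken validates the token; the Keystone authorization filter
    #    consumes its result, so authtoken must come earlier in the pipeline.
    authz = [n for n in pipeline if n in KEYSTONE_AUTHZ_FILTERS]
    if authz and "authtoken" not in pipeline:
        findings.append(f"{authz[0]} is in the pipeline without authtoken in front of it")
    elif authz and pipeline.index("authtoken") > pipeline.index(authz[0]):
        findings.append(f"authtoken must precede {authz[0]} in the pipeline")

    # 4. delay_auth_decision is a boolean; "10" is not one.
    if cp.has_section("filter:authtoken"):
        raw = cp.get("filter:authtoken", "delay_auth_decision", fallback="false")
        if raw.strip().lower() not in BOOL_TRUE | BOOL_FALSE:
            findings.append(f"delay_auth_decision = {raw!r} is not a boolean value")

    # 5. The proxy normally runs as the 'swift' user; any other user needs
    #    matching ownership on /etc/swift and the cache and log directories.
    user = cp.defaults().get("user")
    if user != "swift":
        findings.append(f"proxy runs as user {user!r} rather than the default 'swift'")

    return findings


if __name__ == "__main__":
    for finding in check_proxy_conf(SAMPLE_CONF):
        print("-", finding)
```

Run against the posted configuration it reports three findings: the unused [filter:keystoneauth] section, the non-boolean delay_auth_decision, and the non-default process user.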

Comments

Please post proxy-server.conf and the output of keystone user-list, keystone user-role-list, keystone tenant-list and keystone endpoint-list.

Also remember, you need to restart the proxy server after making any changes to the auth pipeline if you haven't already.

SamYaple ( 2014-08-18 15:30:55 -0500 )

Edit your answer, add there the details as you debug the issue. Comments are too hard to read.

smaffulli ( 2014-08-19 00:30:27 -0500 )

2 answers

0

answered 2014-08-19 09:43:01 -0500


updated 2014-08-19 09:43:17 -0500

Thank you for the confs. A couple of things for you to check on in the order I feel are most likely to cause the problem.

  • Endpoints:

First, you have some IP addresses in your endpoints, but you also have 127.0.0.1. If there is more than one node, your endpoints will no longer work. I suggest you use your 10.x.x.x addresses for your endpoints and recreate the keystone one.

Second, you have your swift endpoint wrong. It should be literally http://10.205.1.20/v1/AUTH_%(tenant_id)s. In this case it isn't a place holder for your values and the endpoint becomes different for each tenant. This alone may be the entire cause of your issue (it definitely needs to be fixed either way).

  • Swift Proxy Config:

You have the line operator_roles = admin, swiftoperator in your conf. This is good, but you need to know what it does. This allows _only_ users with the role admin/swiftoperator to create and delete accounts through Swift. With the appropriate swift ACLs, he would be able to add and delete objects from a container, but not create. If your user "spark" does not have one of these roles, he will be unable to create accounts (but that is a different error than 401, it is 403 I think). You did not list the output of keystone user-role-list but that is how you would check his roles. Just keep that in mind.

Also you have user = spark, that is weird. It should be user swift. Please check that you have configured all the correct perms on the appropriate folders (and consider reverting back to the default user).


Make these changes and let me know if you still have an issue.

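The two endpoint points in the answer above (no 127.0.0.1 in endpoints, and a templated AUTH_%(tenant_id)s suffix instead of a fixed id) can be checked against the keystone listings posted in the question. The Python script below is an added example, not part of the answer or of Keystone; it embeds the posted user, tenant and endpoint values as constructed sample data, renders the template the way the Keystone catalog does (Python %-formatting, which is what the %(tenant_id)s syntax is), and flags loopback hosts and hard-coded suffixes. One detail the listings make visible: the suffix in the posted endpoint and in the curl request, AUTH_9c6ca702ab2347778bfe6cf7d7713a68, is the id of the spark user, while the spark tenant has a different id, so the checker reports whose id a fixed suffix actually is.

```python
import re
from urllib.parse import urlparse

# Keystone expands this token per tenant when it builds the service catalog.
TENANT_TEMPLATE = "%(tenant_id)s"

# Constructed sample: ids copied from the keystone listings in the question.
USERS = {
    "swift": "4fed7bed36f44ebbbc6ba69c4c8e7a70",
    "spark": "9c6ca702ab2347778bfe6cf7d7713a68",
    "admin": "d045891fdfdf46069efa7a727cf85708",
}
TENANTS = {
    "service": "09beb54b84a243a1a0c87b7e1c7de27a",
    "admin": "eab7ad18e730417084c9dc90cb90a663",
    "spark": "f0f42a4002cc4a72a7ff7e325d510454",
}

# The object-store endpoint as registered in the question, the form the
# answer recommends, and the identity endpoint from the same listing.
POSTED_SWIFT_ENDPOINT = {
    "publicurl": "http://10.205.1.20/v1/AUTH_9c6ca702ab2347778bfe6cf7d7713a68",
    "internalurl": "http://10.205.1.20/v1/AUTH_9c6ca702ab2347778bfe6cf7d7713a68",
    "adminurl": "http://10.205.1.20/v1",
}
FIXED_SWIFT_ENDPOINT = {
    "publicurl": "http://10.205.1.20/v1/AUTH_%(tenant_id)s",
    "internalurl": "http://10.205.1.20/v1/AUTH_%(tenant_id)s",
    "adminurl": "http://10.205.1.20/v1",
}
POSTED_KEYSTONE_ENDPOINT = {
    "publicurl": "http://127.0.0.1:5000/v2.0",
    "internalurl": "http://127.0.0.1:5000/v2.0",
    "adminurl": "http://127.0.0.1:35357/v2.0",
}

AUTH_SUFFIX = re.compile(r"/v1/AUTH_([0-9a-f]{32})/?$")


def render_storage_url(template, tenant_id):
    """Expand the endpoint template for one tenant, as the Keystone catalog does."""
    return template % {"tenant_id": tenant_id}


def _describe_id(hex_id, users, tenants):
    """Say which object a 32-hex id belongs to, so a wrong id is named, not just flagged."""
    for name, tid in tenants.items():
        if tid == hex_id:
            return f"tenant '{name}'"
    for name, uid in users.items():
        if uid == hex_id:
            return f"user '{name}' (a user id, not a tenant id)"
    return "an id that matches neither a known user nor a known tenant"


def check_endpoint(endpoint, service, users=USERS, tenants=TENANTS):
    """Return findings for one keystone endpoint row; service is 'object-store' or 'identity'."""
    findings = []
    # Loopback endpoints are only usable from the Keystone host itself.
    for key in ("publicurl", "internalurl", "adminurl"):
        host = urlparse(endpoint[key]).hostname
        if host in ("127.0.0.1", "localhost"):
            findings.append(f"{key} {endpoint[key]} is only reachable from the Keystone host")
    if service != "object-store":
        return findings
    # Swift's public and internal URLs must carry the per-tenant template.
    for key in ("publicurl", "internalurl"):
        url = endpoint[key]
        if TENANT_TEMPLATE in url:
            continue
        match = AUTH_SUFFIX.search(url)
        if match is None:
            findings.append(f"{key} lacks the AUTH_{TENANT_TEMPLATE} suffix")
        else:
            who = _describe_id(match.group(1), users, tenants)
            findings.append(f"{key} is hard-coded to {who}; use AUTH_{TENANT_TEMPLATE} "
                            f"so every tenant gets its own storage URL")
    return findings


if __name__ == "__main__":
    for label, ep, svc in (("posted swift", POSTED_SWIFT_ENDPOINT, "object-store"),
                           ("fixed swift", FIXED_SWIFT_ENDPOINT, "object-store"),
                           ("posted keystone", POSTED_KEYSTONE_ENDPOINT, "identity")):
        print(label, check_endpoint(ep, svc) or "ok")
    print(render_storage_url(FIXED_SWIFT_ENDPOINT["publicurl"], TENANTS["spark"]))
```

The rendered URL for the spark tenant ends in the tenant id f0f42a4002cc4a72a7ff7e325d510454, which is the path a token scoped to that tenant is authorized for; a request against a path built from some other id gets the 401 shown in the question regardless of the token's validity.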
0

answered 2014-10-15 00:31:27 -0500


Hi,

I have a similar issue, but I'm able to upload/download files to/from a container using the CLI. What I'm looking for is HTTP access to the container, which I'm not getting. swift stat works fine.

My swift endpoint is: public/internal url: http://10.100.1.156:8080/v1/AUTH_e4a3... ; controller: http://10.100.1.156:8080

When I try to access this URL over HTTP, it gives "This server could not verify that you are authorized to access the document you requested."

root@block1:/# swift stat -v
StorageURL: http://10.100.1.156:8080/v1/AUTH_e4a3...
Auth Token: MII...
Account: AUTH_e4a3267186b84ba6b2b1233ee15b5a76
Containers: 3
Objects: 42
Bytes: 13183123
Accept-Ranges: bytes
...

Please help me. URLs tried: 10.100.1.156:8080/v1/AUTH_e4a3267186b84ba6b2b1233ee15b5a76/account - no luck. 10.100.1.156:8080/v1/account/container/objects - no luck.


Comments

It sounds like you want to list the content like a regular webserver. You'll need to set a few options to get that to work. Check this page: http://docs.openstack.org/api/opensta...

SamYaple ( 2014-10-15 09:27:00 -0500 )

Stats

Asked: 2014-08-18 14:52:49 -0500

Seen: 1,416 times

Last updated: Oct 15 '14