Ask Your Question

Setting up users for swift

asked 2013-11-20 14:44:46 -0500

AMusingFool gravatar image

updated 2013-11-21 07:24:30 -0500

I hope I've just missed something that seems obvious (I'm just a developer trying to set this up for testing; not complex needs); I have swift set up to use keystone for authorization (via proxy-server.conf). But every time I try to run a curl command to do anything (even just a GET on /v1.0), I get a 401 Unauthorized response.

The proxy-server.conf has

pipeline = healthcheck cache authtoken keystone proxy-server


paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache

paste.filter_factory = keystone.middleware.auth_token:filter_factory
admin_tenant_name = service 
admin_user = swift 
admin_password = swift
auth_host =
auth_port = 35357
auth_protocol = http
signing_dir = /tmp/keystone-signing-swift

(And, if it matters, yes, this is pulled straight out of the instructions at )

I have a role created for SwiftOperator, to match the line in the above. I have three tenants: demo, service, and swift-user (I think I created the latter).

The 'swift stat' output is:

   Account: AUTH_5dc5e5f200d942348ec5f82b5d63c887
Containers: 0
   Objects: 0
     Bytes: 0
Accept-Ranges: bytes
X-Timestamp: 1384810304.10104

The 5dc... bit matches the tenant id of the 'demo' group.

Now, I've tried creating users that have the user role of SwiftOperator (with any of the three tenants). Two things about that. One is that none of them show up in 'keystone user-role-list' output (though I'll get a duplication error if I try to create the same one a second time). Two is that I still can't login as that user after creating (and using, presumably) the role.

So, first question: does that AUTH_... bit from 'swift stat' indicate that demo is the tenant I need to use for any users I create?

Second question: is there some other step in creating a user, to allow that user to do things via swift?

Thanks in advance,


edit: fixed formatting (sorry, still learning how to use this site).

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2013-11-20 23:03:32 -0500

dheeru gravatar image

Unauthorized definitely means that you are sending wrong credentials to

  1. Did you verify that keystone is working properly ? like running the command like 'keystone token-get', 'keystone user-list' etc ?
  2. What is the curl command you are executing ? Can you paste that ?
edit flag offensive delete link more


Yes, I can do both of those (and I tested the former with the user I'm using to try to use to connect to swift) curl -i -H "X-Auth-Key: xxxx" -H "X-Auth-User: xxxx" http://localhost:8080/v1.0 Like I said, nothing complex there. And yes, I am sure the user & pw are correct.

AMusingFool gravatar imageAMusingFool ( 2013-11-21 07:22:14 -0500 )edit

Problem with version of the command you are putting. Place the following command. Fill the appropriate values for user, password and tenant. See what happens. curl -d '{"auth":{"passwordCredentials":{"username": "putyouruser", "password": "password"},"tenantName":"SS"}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens | python -mjson.tool

dheeru gravatar imagedheeru ( 2013-11-21 07:36:29 -0500 )edit

That seems to've worked. It listed access metadata, then known endpoints, then token and user info. The swift endpoint publicurl was v1, not v1.0, but changing that in the above curl command didn't change the result.

AMusingFool gravatar imageAMusingFool ( 2013-11-21 07:53:08 -0500 )edit

I'm assuming that command what I sent you worked. So you have use different curl command versions. Command what you used is old command and did not work. So it is not a issue with your setup. Hope that clarifies and solved your issue.

dheeru gravatar imagedheeru ( 2013-11-21 08:02:57 -0500 )edit

Well, if what I listed is what the output should be, then yes, it worked. But that was a command against the auth server (port 5000), not against the swift server (port 8080), so I'm not sure what your point is. Maybe I missed it. running out of space...

AMusingFool gravatar imageAMusingFool ( 2013-11-21 08:16:39 -0500 )edit

answered 2013-11-21 15:18:53 -0500

AMusingFool gravatar image

dheeru helped me work through some things here. I wonder if the authentication example I was working from (shown above; came from ) is out of date.

Running both keystone and swift with --debug helped a bunch.

Anyway, once I set OS_USERNAME, OS_PASSWORD, and (!) OS_TENANT_NAME, I was able to run swift to do commands. And I could use 'keystone token-get' with

curl -H 'X-Auth-Token: 41c94c75b21f44baae3688bb7f270b44'

to run commands I wanted.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2013-11-20 14:44:46 -0500

Seen: 906 times

Last updated: Nov 21 '13