# Setting up users for swift

I hope I've just missed something that seems obvious (I'm just a developer trying to set this up for testing; not complex needs); I have swift set up to use keystone for authorization (via proxy-server.conf). But every time I try to run a curl command to do anything (even just a GET on /v1.0), I get a 401 Unauthorized response.

The proxy-server.conf has

[pipeline:main]
pipeline = healthcheck cache authtoken keystone proxy-server


and

[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory
cache = swift.cache

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
signing_dir = /tmp/keystone-signing-swift


(And, if it matters, yes, this is pulled straight out of the instructions at http://tiewei.github.io/openstack/Install-Openstack-Folsom-@-centos_6.3_x86_64/ )

I have a role created for SwiftOperator, to match the line in the above. I have three tenants: demo, service, and swift-user (I think I created the latter).

The 'swift stat' output is:

   Account: AUTH_5dc5e5f200d942348ec5f82b5d63c887
Containers: 0
Objects: 0
Bytes: 0
Accept-Ranges: bytes
X-Timestamp: 1384810304.10104


The 5dc... bit matches the tenant id of the 'demo' group.

Now, I've tried creating users that have the user role of SwiftOperator (with any of the three tenants). Two things about that. One is that none of them show up in 'keystone user-role-list' output (though I'll get a duplication error if I try to create the same one a second time). Two is that I still can't login as that user after creating (and using, presumably) the role.

So, first question: does that AUTH_... bit from 'swift stat' indicate that demo is the tenant I need to use for any users I create?

Second question: is there some other step in creating a user, to allow that user to do things via swift?

Dave

edit: fixed formatting (sorry, still learning how to use this site).

edit retag close merge delete

Sort by » oldest newest most voted

dheeru helped me work through some things here. I wonder if the authentication example I was working from (shown above; came from http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-examples-curl.html ) is out of date.

Running both keystone and swift with --debug helped a bunch.

Anyway, once I set OS_USERNAME, OS_PASSWORD, and (!) OS_TENANT_NAME, I was able to run swift to do commands. And I could use 'keystone token-get' with

curl -H 'X-Auth-Token: 41c94c75b21f44baae3688bb7f270b44'


to run commands I wanted.

more

Unauthorized definitely means that you are sending wrong credentials to

1. Did you verify that keystone is working properly ? like running the command like 'keystone token-get', 'keystone user-list' etc ?
2. What is the curl command you are executing ? Can you paste that ?
more

Yes, I can do both of those (and I tested the former with the user I'm using to try to use to connect to swift) curl -i -H "X-Auth-Key: xxxx" -H "X-Auth-User: xxxx" http://localhost:8080/v1.0 Like I said, nothing complex there. And yes, I am sure the user & pw are correct.

( 2013-11-21 07:22:14 -0500 )edit

Problem with version of the command you are putting. Place the following command. Fill the appropriate values for user, password and tenant. See what happens. curl -d '{"auth":{"passwordCredentials":{"username": "putyouruser", "password": "password"},"tenantName":"SS"}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens | python -mjson.tool

( 2013-11-21 07:36:29 -0500 )edit

That seems to've worked. It listed access metadata, then known endpoints, then token and user info. The swift endpoint publicurl was v1, not v1.0, but changing that in the above curl command didn't change the result.

( 2013-11-21 07:53:08 -0500 )edit

I'm assuming that command what I sent you worked. So you have use different curl command versions. Command what you used is old command and did not work. So it is not a issue with your setup. Hope that clarifies and solved your issue.

( 2013-11-21 08:02:57 -0500 )edit

Well, if what I listed is what the output should be, then yes, it worked. But that was a command against the auth server (port 5000), not against the swift server (port 8080), so I'm not sure what your point is. Maybe I missed it. running out of space...

( 2013-11-21 08:16:39 -0500 )edit