0

Setting up users for swift

asked 2013-11-20 14:44:46 -0600

AMusingFool

updated 2013-11-21 07:24:30 -0600

I hope I've just missed something that seems obvious (I'm just a developer trying to set this up for testing; not complex needs); I have swift set up to use keystone for authorization (via proxy-server.conf). But every time I try to run a curl command to do anything (even just a GET on /v1.0), I get a 401 Unauthorized response.

The proxy-server.conf has

[pipeline:main]
pipeline = healthcheck cache authtoken keystone proxy-server

and

[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
admin_tenant_name = service 
admin_user = swift 
admin_password = swift
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
signing_dir = /tmp/keystone-signing-swift

(And, if it matters, yes, this is pulled straight out of the instructions at http://tiewei.github.io/openstack/Install-Openstack-Folsom-@-centos_6.3_x86_64/ )

I have a role created for SwiftOperator, to match the line in the above. I have three tenants: demo, service, and swift-user (I think I created the latter).

The 'swift stat' output is:

   Account: AUTH_5dc5e5f200d942348ec5f82b5d63c887
Containers: 0
   Objects: 0
     Bytes: 0
Accept-Ranges: bytes
X-Timestamp: 1384810304.10104

The 5dc... bit matches the tenant id of the 'demo' group.

Now, I've tried creating users that have the user role of SwiftOperator (with any of the three tenants). Two things about that. One is that none of them show up in 'keystone user-role-list' output (though I'll get a duplication error if I try to create the same one a second time). Two is that I still can't log in as that user after creating (and using, presumably) the role.

So, first question: does that AUTH_... bit from 'swift stat' indicate that demo is the tenant I need to use for any users I create?

Second question: is there some other step in creating a user, to allow that user to do things via swift?

Thanks in advance,

Dave

edit: fixed formatting (sorry, still learning how to use this site).


2 answers

1

answered 2013-11-20 23:03:32 -0600

dheeru

Unauthorized definitely means that you are sending wrong credentials to

  1. Did you verify that keystone is working properly, e.g. by running commands like 'keystone token-get', 'keystone user-list', etc.?
  2. What is the curl command you are executing? Can you paste that?

Comments

Yes, I can do both of those (and I tested the former with the user I'm trying to use to connect to swift).

curl -i -H "X-Auth-Key: xxxx" -H "X-Auth-User: xxxx" http://localhost:8080/v1.0

Like I said, nothing complex there. And yes, I am sure the user & pw are correct.

AMusingFool ( 2013-11-21 07:22:14 -0600 )

The problem is with the version of the command you are using. Run the following command, filling in the appropriate values for user, password and tenant, and see what happens.

curl -d '{"auth":{"passwordCredentials":{"username": "putyouruser", "password": "password"},"tenantName":"SS"}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens | python -mjson.tool

dheeru ( 2013-11-21 07:36:29 -0600 )

That seems to've worked. It listed access metadata, then known endpoints, then token and user info. The swift endpoint publicurl was v1, not v1.0, but changing that in the above curl command didn't change the result.

AMusingFool ( 2013-11-21 07:53:08 -0600 )

I'm assuming that the command I sent you worked. So you have to use different curl command versions. The command you used is an old command and did not work. So it is not an issue with your setup. Hope that clarifies and solves your issue.

dheeru ( 2013-11-21 08:02:57 -0600 )

Well, if what I listed is what the output should be, then yes, it worked. But that was a command against the auth server (port 5000), not against the swift server (port 8080), so I'm not sure what your point is. Maybe I missed it. Running out of space...

AMusingFool ( 2013-11-21 08:16:39 -0600 )

Trying to do the swift curl command against v2 or v2.0 gives the same result as going against v1 or v1.0.

AMusingFool ( 2013-11-21 08:17:25 -0600 )

And to get back to the output of your curl admin command, the endpoint info listed for the swift endpoint was http://localhost:8080/v1 (adminurl; the public and internal urls listed added on AUTH_ and the tenant id for swift-user)

AMusingFool ( 2013-11-21 08:20:59 -0600 )

Does the endpoint having that tenant id indicate that the SwiftOperator role should have tenant id of swift-user as well?

AMusingFool ( 2013-11-21 08:21:49 -0600 )

OK. Since you said that you are getting an "authorization failed" message, I suggested you use the command I sent to verify that it is not an issue with authentication and authorization. I see that you don't have an issue with authentication/authorization. Now, as you said, "keystone user-role-list" returns nothing. I have observed it. I did not care much about this. Are you facing a problem in getting the stats for different users? Is this the problem? I need to understand the issue you are facing now.

dheeru ( 2013-11-21 08:31:32 -0600 )

The issue hasn't changed. 'keystone user-role-list' does return a value, but it's only one value (admin); none of the ones I created for swift. Yes, I can authenticate keystone with a user, but still can't access swift with that user.

AMusingFool ( 2013-11-21 08:41:41 -0600 )

I thought (wrongly, it would appear) that all I needed to do was create a user and give it the swift-user role to allow that user to access swift. Apparently, there's another step I'm missing. Or something's wrong with what I have done.

AMusingFool ( 2013-11-21 08:42:45 -0600 )

Create the user, tenant and role, e.g. as pasted below. Hope you have done the same thing.

$ keystone role-create --name swiftoperator
$ keystone user-create --name 'swiftuser' --pass testing123
$ keystone tenant-create --name 'swifttenant'
$ keystone user-role-add --user <id> --role <id> --tenant-id <id>

dheeru ( 2013-11-21 09:01:57 -0600 )

Yes, I created a user (tester), gave it the role SwiftOperator (matching what's in proxy-server.conf, above), with tenant of demo (to match AUTH line of swift stat output), service, or swift-user (tried all three).

AMusingFool ( 2013-11-21 09:13:08 -0600 )

Ok, have found that 'keystone user-role-list' seems to only list roles defined for the user in $OS_USERNAME. That's one side-question answered.

AMusingFool ( 2013-11-21 09:26:41 -0600 )
1

answered 2013-11-21 15:18:53 -0600

AMusingFool

dheeru helped me work through some things here. I wonder if the authentication example I was working from (shown above; came from http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-examples-curl.html ) is out of date.

Running both keystone and swift with --debug helped a bunch.

Anyway, once I set OS_USERNAME, OS_PASSWORD, and (!) OS_TENANT_NAME, I was able to run swift to do commands. And I could use 'keystone token-get' with

curl -H 'X-Auth-Token: 41c94c75b21f44baae3688bb7f270b44'

to run commands I wanted.
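
Added example (not part of the original thread, and not OpenStack project code): the two-step flow the thread converges on. A tenant-scoped token is requested from the Keystone v2.0 /tokens call shown in the comments, then the object-store publicURL and an X-Auth-Token header are taken from the reply for use against Swift. Function names are hypothetical, and the sample reply is constructed with placeholder token and tenant ids.

```python
import json
import urllib.request

def token_request_body(username, password, tenant_name):
    """Body for POST <keystone>:5000/v2.0/tokens; tenantName scopes the token."""
    return {"auth": {"passwordCredentials": {"username": username,
                                             "password": password},
                     "tenantName": tenant_name}}

def fetch_token(keystone_url, username, password, tenant_name):
    """Send the token request to Keystone and return the decoded JSON reply."""
    body = token_request_body(username, password, tenant_name)
    req = urllib.request.Request(
        keystone_url.rstrip("/") + "/v2.0/tokens",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def swift_target(token_response):
    """Return (storage_url, headers) for Swift from a v2.0 token reply."""
    access = token_response["access"]
    token = access["token"]
    if "tenant" not in token:
        # The request named no tenant, so the reply names no account to use.
        raise ValueError("unscoped token: pass tenantName (OS_TENANT_NAME)")
    for service in access.get("serviceCatalog", []):
        if service.get("type") == "object-store":
            # publicURL already ends in /v1/AUTH_<tenant id>.
            url = service["endpoints"][0]["publicURL"]
            return url, {"X-Auth-Token": token["id"]}
    raise ValueError("no object-store endpoint in the service catalog")

# Constructed sample reply; token id and tenant id are placeholders.
SAMPLE_REPLY = {"access": {
    "token": {"id": "EXAMPLE_TOKEN_ID",
              "tenant": {"id": "EXAMPLE_TENANT_ID", "name": "demo"}},
    "serviceCatalog": [
        {"type": "identity",
         "endpoints": [{"publicURL": "http://localhost:5000/v2.0"}]},
        {"type": "object-store", "endpoints": [
            {"adminURL": "http://localhost:8080/v1",
             "publicURL": "http://localhost:8080/v1/AUTH_EXAMPLE_TENANT_ID"}]}]}}

if __name__ == "__main__":
    url, headers = swift_target(SAMPLE_REPLY)
    print("GET", url, headers)
```

Against a live setup, pass the result of fetch_token("http://localhost:5000", user, password, tenant) to swift_target instead of SAMPLE_REPLY.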
