Ask Your Question

Swift Unable re-verifiy keystone v3 token from keystone v3 It self

asked 2015-09-03 06:50:45 -0500

latest_release gravatar image

I made a migration from keystone v2 to keystone v3. that is a setup a new server running keystone v3, and re-configured the storage proxy-server to handle v3 authenticated.

The user is authenticated very well from keystone v3 and the token is returned nicely and can even see it. But the proxy-server raises the following debugging info.

Sep  3 14:40:44 jet-client-1 proxy-server: Invalid user token - rejecting request
Sep  3 14:40:44 jet-client-1 proxy-server: Authorization failed for token
Sep  3 14:40:44 jet-client-1 proxy-server: Invalid user token - rejecting request

when I do connection.get_auth() a lengthy token is returned to me. from keystone v3

On the client side where I inititiate the connection here is what is going on

swiftclient.exceptions.ClientException: Account GET failed: 401 Unauthorized   Authentication required

The keystone v3 returns even the project url but proxy-server can't do it's job.

Here are my proxy-server.conf authtoken configurations.

paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri =
auth_url =
auth_plugin = password
project_domain_name= swift
project_name =swift
username = swift
password = swift
auth_version = 3
#delay_auth_decision = true
#cache = swift.cache
#include_service_catalog = True

Is there something am doing wrong.

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2015-09-03 12:48:16 -0500

latest_release gravatar image

After Six hours of dedicated migration from keystone v2 to keystone v3 I got it working very well. and I will create blog post how to to perform clear migrations from keystone v2 to keystone v3, using openstack services. I my case it was swift. but should apply to all others.

I was using keystone client that I entirely wrong in python, looks like it is the one is much simpler when you are making your migrations.

This are the steps that I did in order get keystone v3 working with swift 1) Create the identify keystone service with the following names . name: keystone service type identity 2) Create the object-store service with the following names name: ObjectStore (any name should work) service type: object-store

3) Define the endpoint for identity service AKA keystone both admin, internal and public follow steps below i) Get the identity service id you created above ii) Then create the endpint passing the Id of the service, and the service type

endpoint = client.Client(endpoint="", token="S8@Wangolo")
        s = S8EndpointManager(client=endpoint)
        s.new_endpoint(service_id="db5f0c178ecd428abdd40e4bb563e978", url="", region="object-store", interface="admin")

 NOTE: `the interace="admin". Run the same command this time interface="public" and after interface="internal"
 But for the public and internal interface the url changes to  "" only the port.

4) Create the endpoint for the object-store service just the you did with the keystone identity service.

i) Use the object store ID, ii) Create url for both interface "public", "admin", "internal" iii) URL should be pointing to the proxy-server of the storage nodes.

Hope this helps

NOTE: even the users who you create matters alot there project, domain, roles work. For me it failed to work when swift user has the swiftoperator role when I re-created with the admin role it worked.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-09-03 06:50:45 -0500

Seen: 197 times

Last updated: Sep 03 '15