Revision history [back]

click to hide/show revision 1
initial version

Keystone / Swift authentication challenges

I had a working Swift deployment (one proxy, 10 storage nodes) using tempauth/swauth and with that config everything works fine. Add/remove objects, list etc. I am now in the process of trying to integrate Keystone and getting confused with number of possible problems the more I research so I figured I'd post it here.

I built a new Keystone server using the following documents: Configuring keystone I also updated Swift to use Keystone using the following document: Configure Swift to Use Keystone

Problem: Unable to authenticate using service:swift + "password". I'm mostly getting 401 Connection Refused errors and service catalog errors, depending which method I try. What am I missing?

User-list in Keystone:

$ keystone user-list`<br>
+----------------------------------+---------+-------+-------+
|                id                | enabled | email |  name |
+----------------------------------+---------+-------+-------+
| 3b26d681b7b5448b94c563b1d8bb55fd | True    | None  | admin |
| e186d19ab0ab4cc681b24196e76b9032 | True    | None  | swift |
+----------------------------------+---------+-------+-------+

User-get in Keystone:

$ keystone user-get e186d19ab0ab4cc681b24196e76b9032
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | e186d19ab0ab4cc681b24196e76b9032 |
| name     | swift                            |
| tenantId | 7e9b8a64252340c2ba4dd292acf18e80 |
+----------+----------------------------------+

Tenant-list in Keystone:

$ keystone tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 539749c631044f64be5f29066ae486c4 | demo    | True    |
| 6140b18239284cce8b51305649dbb792 | admin   | True    |
| 7e9b8a64252340c2ba4dd292acf18e80 | service | True    |
+----------------------------------+---------+---------+

Role-list in Keystone:

$ keystone role-list
+----------------------------------+-------+
|                id                |  name |
+----------------------------------+-------+
| 6d64ff8265d6404983d774e34159dcd5 | admin |
+----------------------------------+-------+

Service-list in keystone

$ keystone service-list
+----------------------------------+----------+--------------+------------------+
|                id                |   name   |     type     |   description    |
+----------------------------------+----------+--------------+------------------+
| 0b2248b31e37499192d4e3cdf4288223 | keystone | identity     | Identity Service |
| 5ef2c32abd274473ab8b42f480feeb72 | swift    | object-store | Swift Service    |
+----------------------------------+----------+--------------+------------------+

Endpoint-list in Keystone:

$ keystone endpoint-list
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
|                id                |   region  |                   publicurl                    |                  internalurl                   |            adminurl            |
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
| 46600a4c54a94eee881e9a4a2c648b8b | RegionOne | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1    |
| 660c5babbe7746d485d31d85353ab1b8 | RegionOne | http://10.173.0.165.:5000/v2.0                 | http://10.173.0.165:5000/v2.0                  | http://10.173.0.165:35357/v2.0 |
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+

/etc/swift/proxy-server.conf on Swift proxy:

[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
bind_port = 8080
workers = 8
user = swift

[pipeline:main]
pipeline = healthcheck proxy-logging cache authtoken keystoneauth proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:proxy-logging]
use = egg:swift#proxy_logging

[filter:tempauth]
use = egg:swift#tempauth
user_system_root = testpass .admin

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = 10.173.0.66:11211

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 10.173.0.165
auth_port = 35357
auth_protocol = http
auth_uri = http://10.173.0.165:5000/
admin_tenant_name = service
admin_user = swift
admin_password = password
cache = swift.cache
include_service_catalog = True

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator

Test command:

export OS_AUTH_URL=http://10.173.0.165:5000/v2.0
export OS_USERNAME=swift
export OS_PASSWORD=password
swift -V 2 stat

Command output:

    raise exceptions.EmptyCatalog('The service catalog is empty.')
keystoneclient.exceptions.EmptyCatalog: The service catalog is empty.

Other commands I've tried include:

 swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v2 -U service:swift -K password stat

...which also fail for other reasons...

Auth GET failed: https://10.173.0.66:8080/auth/v2 401 Unauthorized

Thoughts? I'm stumped.