Ask Your Question

AMusingFool's profile - activity

2014-04-23 11:57:31 -0600 received badge  Famous Question (source)
2013-11-22 18:46:38 -0600 received badge  Self-Learner (source)
2013-11-22 18:46:38 -0600 received badge  Teacher (source)
2013-11-21 15:18:53 -0600 answered a question Setting up users for swift

dheeru helped me work through some things here. I wonder if the authentication example I was working from (shown above; came from http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-examples-curl.html ) is out of date.

Running both keystone and swift with --debug helped a bunch.

Anyway, once I set OS_USERNAME, OS_PASSWORD, and (!) OS_TENANT_NAME, I was able to run swift to do commands. And I could use 'keystone token-get' with

curl -H 'X-Auth-Token: 41c94c75b21f44baae3688bb7f270b44'

to run commands I wanted.

2013-11-21 12:29:05 -0600 received badge  Notable Question (source)
2013-11-21 11:07:59 -0600 commented answer Setting up users for swift

If I can't authenticate using swift, how would I upload or list? I can fake a taken, I think, using 'keystone token-get', but not the storage URL. Is there a way to email you without posting address here? I don't see an address (or button/link for PM) on your page.

2013-11-21 09:45:18 -0600 commented answer Setting up users for swift

And matching what you wrote above exactly didn't help; still same result.

2013-11-21 09:31:29 -0600 commented answer Setting up users for swift

I guess one subquestion would be, "which tenant SHOULD I be using for the SwiftOperator role"? How do I figure that out?

2013-11-21 09:26:41 -0600 commented answer Setting up users for swift

Ok, have found that 'keystone user-role-list' seems to only list roles defined for the user in $OS_USERNAME. That's one side-question answered.

2013-11-21 09:26:41 -0600 received badge  Commentator
2013-11-21 09:13:08 -0600 commented answer Setting up users for swift

Yes, I created a user (tester), gave it the role SwiftOperator (matching what's in proxy-server.conf, above), with tenant of demo (to match AUTH line of swift stat output), service, or swift-user (tried all three).

2013-11-21 08:42:45 -0600 commented answer Setting up users for swift

I thought (wrongly, it would appear) that all I needed to do was create a user and give it the swift-user role to allow that user to access swift. Apparently, there's another step I'm missing. Or something's wrong with what I have done.

2013-11-21 08:41:41 -0600 commented answer Setting up users for swift

The issue hasn't changed. 'keystone user-role-list' does return a value, but it's only one value (admin); none of the ones I created for swift. Yes, I can authenticate keystone with a user, but still can't access swift with that user.

2013-11-21 08:36:34 -0600 received badge  Popular Question (source)
2013-11-21 08:21:49 -0600 commented answer Setting up users for swift

Does the endpoint having that tenant id indicate that the SwiftOperator role should have tenant id of swift-user as well?

2013-11-21 08:20:59 -0600 commented answer Setting up users for swift

And to get back to the output of your curl admin command, the endpoint info listed for the swift endpoint was http://localhost:8080/v1 (adminurl; the public and internal urls listed added on AUTH_ and the tenant id for swift-user)

2013-11-21 08:17:25 -0600 commented answer Setting up users for swift

Trying to do the swift curl command against v2 or v2.0 gives the same result as going against v1 or v1.0.

2013-11-21 08:16:39 -0600 commented answer Setting up users for swift

Well, if what I listed is what the output should be, then yes, it worked. But that was a command against the auth server (port 5000), not against the swift server (port 8080), so I'm not sure what your point is. Maybe I missed it. running out of space...

2013-11-21 07:53:08 -0600 commented answer Setting up users for swift

That seems to've worked. It listed access metadata, then known endpoints, then token and user info. The swift endpoint publicurl was v1, not v1.0, but changing that in the above curl command didn't change the result.

2013-11-21 07:24:30 -0600 received badge  Editor (source)
2013-11-21 07:22:14 -0600 commented answer Setting up users for swift

Yes, I can do both of those (and I tested the former with the user I'm using to try to use to connect to swift) curl -i -H "X-Auth-Key: xxxx" -H "X-Auth-User: xxxx" http://localhost:8080/v1.0 Like I said, nothing complex there. And yes, I am sure the user & pw are correct.

2013-11-20 14:46:59 -0600 answered a question Setting up users for swift

Didn't pay enough attention to block below typing. Here's the proxy-server.conf contents mentioned (hopefully more legible):

[pipeline:main]
pipeline = healthcheck cache authtoken keystone proxy-server

and

[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
admin_tenant_name = service 
admin_user = swift 
admin_password = swift
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
signing_dir = /tmp/keystone-signing-swift
2013-11-20 14:44:46 -0600 asked a question Setting up users for swift

I hope I've just missed something that seems obvious (I'm just a developer trying to set this up for testing; not complex needs); I have swift set up to use keystone for authorization (via proxy-server.conf). But every time I try to run a curl command to do anything (even just a GET on /v1.0), I get a 401 Unauthorized response.

The proxy-server.conf has

[pipeline:main]
pipeline = healthcheck cache authtoken keystone proxy-server

and

[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
admin_tenant_name = service 
admin_user = swift 
admin_password = swift
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
signing_dir = /tmp/keystone-signing-swift

(And, if it matters, yes, this is pulled straight out of the instructions at http://tiewei.github.io/openstack/Install-Openstack-Folsom-@-centos_6.3_x86_64/ )

I have a role created for SwiftOperator, to match the line in the above. I have three tenants: demo, service, and swift-user (I think I created the latter).

The 'swift stat' output is:

   Account: AUTH_5dc5e5f200d942348ec5f82b5d63c887
Containers: 0
   Objects: 0
     Bytes: 0
Accept-Ranges: bytes
X-Timestamp: 1384810304.10104

The 5dc... bit matches the tenant id of the 'demo' group.

Now, I've tried creating users that have the user role of SwiftOperator (with any of the three tenants). Two things about that. One is that none of them show up in 'keystone user-role-list' output (though I'll get a duplication error if I try to create the same one a second time). Two is that I still can't login as that user after creating (and using, presumably) the role.

So, first question: does that AUTH_... bit from 'swift stat' indicate that demo is the tenant I need to use for any users I create?

Second question: is there some other step in creating a user, to allow that user to do things via swift?

Thanks in advance,

Dave

edit: fixed formatting (sorry, still learning how to use this site).