[Openstack] Verifying Swift - X-Auth problem

Adam Lawson alawson at aqorn.com
Sat Feb 8 00:55:32 UTC 2014


To help with troubleshooting, here is what I've executed thus far on my
proxy node...
Obvious problem/symptom = inability to verify a new Swift install from
scratch due to 401 Unauthorized.

   - 1x proxy node
   - 5x storage nodes

I'll continue working this but anyone have any thoughts? See email to
-operators list for further history.

Thanks!
Adam

Below is a bash history/output of what is happening right now:

> login as: c5201274
> c5201274 at 10.173.0.66's password:
> Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-55-generic x86_64)
>  * Documentation:  https://help.ubuntu.com/
> Last login: Thu Feb  6 21:05:32 2014 from 10.7.106.110
>  Powered by Monsoon (Version 2.2.465)          Platform: ubuntu 12.04
>  Hostname     : mo-ad1469a10.mo.sap.corp       Name    : node0p
>  Organization : c5201274                       Project : swift_poc
>  Url          : https://monsoon.mo.sap.corp/instances/mo-ad1469a10
> c5201274 at mo-ad1469a10:~$ sudo su
> root at mo-ad1469a10:/home/c5201274# . credrc.sh
> root at mo-ad1469a10:/home/c5201274# swift-init proxy start
> proxy-server running (5502 - /etc/swift/proxy-server.conf)
> proxy-server already started...
> root at mo-ad1469a10:/home/c5201274# curl -k -v -H 'X-Storage-User:
> test:tester' -H 'X-Storage-Pass: testing' https://
> $PROXY_LOCAL_NET_IP:8080/auth/v1.0
> * About to connect() to 10.173.0.66 port 8080 (#0)
> *   Trying 10.173.0.66... connected
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> *        subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
> *        start date: 2014-01-29 00:34:55 GMT
> *        expire date: 2014-02-28 00:34:55 GMT
> * SSL: unable to obtain common name from peer certificate
> > GET /auth/v1.0 HTTP/1.1
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4libidn/1.23 librtmp/2.3
> > Host: 10.173.0.66:8080
> > Accept: */*
> > X-Storage-User: test:tester
> > X-Storage-Pass: testing
> >
> < HTTP/1.1 401 Unauthorized
> < Content-Length: 131
> < Content-Type: text/html; charset=UTF-8
> < Date: Fri, 07 Feb 2014 18:20:13 GMT
> <
> * Connection #0 to host 10.173.0.66 left intact
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> <html><h1>Unauthorized</h1><p>This server could not verify that you are
> authorized to access the document you requested.</p></html>root at mo-ad1469a10
> :/home/c5201274#
> root at mo-ad1469a10:/home/c5201274# curl -k -v -H 'X-Auth-Token:
> AUTH_tkf85b7788c36143ac99e5a5b42d95d628' https://
> $PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
> * About to connect() to 10.173.0.66 port 8080 (#0)
> *   Trying 10.173.0.66... connected
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> *        subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
> *        start date: 2014-01-29 00:34:55 GMT
> *        expire date: 2014-02-28 00:34:55 GMT
> * SSL: unable to obtain common name from peer certificate
> > GET /v1/AUTH_system HTTP/1.1
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4libidn/1.23 librtmp/2.3
> > Host: 10.173.0.66:8080
> > Accept: */*
> > X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628
> >
> < HTTP/1.1 401 Unauthorized
> < Content-Length: 131
> < Content-Type: text/html; charset=UTF-8
> < Date: Fri, 07 Feb 2014 18:21:22 GMT
> <
> * Connection #0 to host 10.173.0.66 left intact
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> <html><h1>Unauthorized</h1><p>This server could not verify that you are
> authorized to access the document you requested.</p></html>root at mo-ad1469a10:/home/c5201274#
> ^C
> root at mo-ad1469a10:/home/c5201274# ^C
> root at mo-ad1469a10:/home/c5201274# curl -k -v -H 'X-Auth-Token:
> AUTH_tkf85b7788c36143ac99e5a5b42d95d628' https://
> $PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
> * About to connect() to 10.173.0.66 port 8080 (#0)
> *   Trying 10.173.0.66... connected
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> *        subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
> *        start date: 2014-01-29 00:34:55 GMT
> *        expire date: 2014-02-28 00:34:55 GMT
> * SSL: unable to obtain common name from peer certificate
> > GET /v1/AUTH_system HTTP/1.1
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4libidn/1.23 librtmp/2.3
> > Host: 10.173.0.66:8080
> > Accept: */*
> > X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628
> >
> < HTTP/1.1 401 Unauthorized
> < Content-Length: 131
> < Content-Type: text/html; charset=UTF-8
> < Date: Fri, 07 Feb 2014 18:22:52 GMT
> <
> * Connection #0 to host 10.173.0.66 left intact
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> <html><h1>Unauthorized</h1><p>This server could not verify that you are
> authorized to access the document you requ
> root at mo-ad1469a10:/home/c5201274# swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
> -U test:tester -K testing stat
> Auth GET failed: https://10.173.0.66:8080/auth/v1.0 401 Unauthorized
> root at mo-ad1469a10:/home/c5201274#



*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620



On Thu, Feb 6, 2014 at 1:57 PM, Adam Lawson <alawson at aqorn.com> wrote:

> Hey OpenStack peeps!
>
> I'm trying to verify a Swift manual installation with 1x proxy and 5x
> storage nodes. I turned on all services with no errors (well, no errors I
> didn't fix anyway).
> My problem is with trying to create an account and heading it. Below is
> what I'm scripting as I go along.
>
> I executed Step1 successfully using system:root as the user. But when I
> executed Step2, I received a 401 Unauthorized reply.
> Undaunted I executed Step3 which produced nothing. I then tried running
> Step1 again as shown below with test:tester as the user (thinking it was
> because I don't actually run as root but I run commands via sudo) and now
> it always gives me 401 unauthorized replies.
>
> Is this an obvious problem with an easy remedy?
>
>
> # 1 Aqcuire X-Storage-Url and X-Auth-Token
>> curl -k -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing'
>> https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
>
>
> # 2 Test HEAD account process
>> # SAMPLE: curl -k -v -H 'X-Auth-Token: <token-from-x-auth-token-above>'
>> <url-from-x-storage-url-above>
>> curl -k -v -H 'X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628'
>> https://$PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
>
>
> # Test Swift is actually working
>> swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0 -U system:testuser
>> -K testpass stat
>
>
> Thoughts?
>
> *Adam Lawson*
> AQORN, Inc.
> 427 North Tatnall Street
> Ste. 58461
> Wilmington, Delaware 19801-2230
> Toll-free: (888) 406-7620
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140207/fc8392e9/attachment.html>


More information about the Openstack mailing list