<div dir="ltr">Yes, I have faced totally same problem a few days before.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Mar 1, 2013 at 7:37 PM, Heiko Krämer <span dir="ltr"><<a href="mailto:info@honeybutcher.de" target="_blank">info@honeybutcher.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Hi Adam,<br>
      <br>
      thx for your repli. The problem was the new PKI authentification.<br>
      <br>
      I've change from PKI to<br>
      <br>
      [signing]<br>
      token_format = UUID<br>
      <br>
      <br>
      and it works now :)<br>
      <br>
      <br>
      Thx and Greetings<span class="HOEnZb"><font color="#888888"><br>
      Heiko</font></span><div><div class="h5"><br>
      On 17.02.2013 03:23, Adam Young wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      
      <div>On 02/14/2013 09:38 AM, Heiko Krämer
        wrote:<br>
      </div>
      <blockquote type="cite">
        <pre>Heyho Guys,

i'm testing Swift and Keystone (Grizzly).

!NOTE!
I'm posting only the importent stuff (output, responses, configs)

I've upgraded and migrate the database, the migration are working not
correct (kyestone-manage db_sync) because in the role table will create
a new column but with NULL values and this will break the auth (first
issue).

The next command of keystone they you will need is
keystone-manage pki_setup => done without errors but you will need to
change the rights of the generated files.



#############
## Output / Log ###

My request to keystone are correct if i try to get a token with curl. I
get a token with all endpoints and other stuff.

        "token": {
            "expires": "2013-02-15T14:29:59Z",
            "id":
"MIIL-wYJKoZIhvcNAQcCoIIL8DCCC+wCAQExCTAHBgUrDgMCGjCCCtgGCSqGSIb3DQEHAaCCCskEggrFeyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0wMi0xNFQxNDoyOTo1OS44NDI0MjQiLCAiZXhwaXJlcyI6ICIyMDEzLTAyLTE1VDE0OjI5OjU5WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImVuYWJsZWQiOiB0cnVlLCAiaWQiOiAiNTY5NzdiYjVhMDU1NDc2MWJmMGViOWQ2Y2E3NzBkNzUiLCAibmFtZSI6ICJ0ZXN0aW5nIn19LCAic2VydmljZUNhdGFsb2ciOiBbeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODc3NC92Mi81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSIsICJyZWdpb24iOiAidGVzdGluZyIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODc3NC92Mi81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSIsICJpZCI6ICJiOGQ3YTQzMWZjY2M0MWY2YTYzMzFjZTY3NjBlYjI1ZSIsICJwdWJsaWNVUkwiOiAiaHR0cDovLzg4LjE5OC42LjE1Mjo4Nzc0L3YyLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImNvbXB1dGUiLCAibmFtZSI6ICJub3ZhIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjk2OTYiLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwi!
 OiAiaHR0cD
ovLzEwLjAuMC4xOjk2OTYiLCAiaWQiOiAiM2ZjNTcxNzUyMDA3NDY3OWI3MTlkM2VmNTlmZGViYzMiLCAicHVibGljVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo5Njk2In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogIm5ldHdvcmsiLCAibmFtZSI6ICJxdWFudHVtIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjkyOTIvdjIiLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjAuMC4xOjkyOTIvdjIiLCAiaWQiOiAiMWZlZTllNDQ1NjNjNDcwYzhkNjFmNjE5NDNjYmIxM2YiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6OTI5Mi92MiJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJpbWFnZSIsICJuYW1lIjogImdsYW5jZSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo4Nzc2L3YxLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgInJlZ2lvbiI6ICJ0ZXN0aW5nIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo4Nzc2L3YxLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgImlkIjogIjFmMjVlMDUwMjdmMTRmNGI5MDFmMWFmNjJiZTZhMzAwIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vODguMTk4LjYuMTUyOjg3NzYvdjEvNTY5NzdiYjVhMDU1NDc2MWJmMGViOWQ2Y2E3NzBkNzUifV0sICJlbmRwb2ludHN!
 fbGlua3MiO
iBbXSwgInR5cGUiOiAidm9sdW1lIiwgIm5hbWUiOiAiY2luZGVyIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjg3NzMvc2VydmljZXMvQWRtaW4iLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjAuMC4xOjg3NzMvc2VydmljZXMvQ2xvdWQiLCAiaWQiOiAiMWIyZTViZjkzNTI2NGI2ODljZmZkZWViMTk1ZDRjMWQiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6ODc3My9zZXJ2aWNlcy9DbG91ZCJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJlYzIiLCAibmFtZSI6ICJlYzIifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODA4MC92MSIsICJyZWdpb24iOiAidGVzdGluZyIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODA4MC92MS9BVVRIXzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgImlkIjogIjI3YTEyYTBkMGI2ODQ2YjJhMDQzNjMwZmJlYzUwNmJhIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vODguMTk4LjYuMTUyOjgwODAvdjEvQVVUSF81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJvYmplY3Qtc3RvcmUiLCAibmFtZSI6ICJzd2lmdCJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC4wLjAuMTozNTM1Ny92Mi4wIi!
 wgInJlZ2lv
biI6ICJ0ZXN0aW5nIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo1MDAwL3YyLjAiLCAiaWQiOiAiMDI2NWNmOTUyZDRmNGZhYWEyZjdlZGIzNGZlMGQxYTUiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6NTAwMC92Mi4wIn1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImlkZW50aXR5IiwgIm5hbWUiOiAia2V5c3RvbmUifV0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJkbGVpZGlzY2giLCAicm9sZXNfbGlua3MiOiBbXSwgImlkIjogIjRjZDRhNzRlMTVlMTQ4MmY5ZmExNmY1MjRhZmQ4ZWJlIiwgInJvbGVzIjogW3sibmFtZSI6ICJhZG1pbiJ9LCB7Im5hbWUiOiAiS2V5c3RvbmVTZXJ2aWNlQWRtaW4ifSwgeyJuYW1lIjogIktleXN0b25lQWRtaW4ifV0sICJuYW1lIjogImRsZWlkaXNjaCJ9LCAibWV0YWRhdGEiOiB7ImlzX2FkbWluIjogMCwgInJvbGVzIjogWyI0NzA3YzJmNDg3ODg0MmM1ODUzMWJkN2U4MGU0ZDkzMCIsICI4ZjRmNGNhNmJmZGM0NWUwOTdjMTc1YmViNzUwNjU0ZCIsICI0Y2Y5OWU0ZGQ1YTg0NjZiOTlmZTRmZTIyNTAxYjg5NyJdfX19MYH-MIH8AgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChMFVW5zZXQxGDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0BAQEFAASBgD0cne0M65sCpOWFFSBqmA9rm14ecxkLtI9+fYJapMFIY3URuFxp8dWD2!
 YPNeR7Jxw0
lBcGLX418nG15G559pAqtk7-vKVV+X4tvJYRuHOt33fw37-b4hsX3ZEbdeif24j4eQEJKqDe2r7cLy8Iox2rCMjC2yKfZwjhIZdmNf7ZS",

            "issued_at": "2013-02-14T14:29:59.842424",
            "tenant": {
                "enabled": true,
                "id": "56977bb5a0554761bf0eb9d6ca770d75",
                "name": "testing"
            }
        },
        "user": {
            "id": "4cd4a74e15e1482f9fa16f524afd8ebe",
            "name": "user",
            "roles": [
                {
                    "name": "admin"
                },
                {
                    "name": "KeystoneServiceAdmin"
                },
                {
                    "name": "KeystoneAdmin"
                }
            ],
            "roles_links": [],
            "username": "user"
        }
    }
}


Next try with swift client:

swift -V 2.0 -A <a href="http://localhost:5000/v2.0" target="_blank">http://localhost:5000/v2.0</a> -U testing:user -K
user_testing2013 stat
~> Account HEAD failed:
<a href="http://xx.xx.xx.xx:8080/v1/AUTH_56977bb5a0554761bf0eb9d6ca770d75" target="_blank">http://xx.xx.xx.xx:8080/v1/AUTH_56977bb5a0554761bf0eb9d6ca770d75</a> 401
Unauthorized



In Swift Log:

<a href="http://paste.ubuntu.com/1650988/" target="_blank">http://paste.ubuntu.com/1650988/</a>



############
## Swift config ##
#
# The importent parts of config



[pipeline:main]
pipeline = catch_errors healthcheck proxy-logging cache ratelimit
authtoken keystoneauth container-quotas proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
recheck_account_existence = 60
recheck_container_existence = 60
set log_level = DEBUG
allow_account_management = true
account_autocreate = true

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = localhost
auth_port = 35357
auth_protocol = http
auth_uri = <a href="http://localhost:5000/" target="_blank">http://localhost:5000/</a></pre>
      </blockquote>
      <br>
      Is this corrrect?  Are they running on the same server?<br>
      <br>
      <blockquote type="cite">
        <pre>admin_tenant_name = service
admin_user = swift
admin_password = swift_testing2012</pre>
      </blockquote>
      set these as the envvars and make sure you can talk to Keystone
      using them.<br>
      <br>
      OS_USERNAME<br>
      OS_PASSWORD<br>
      <br>
      Or with curl as above.<br>
      <br>
      If it is ssl, make sure the certs are set up correctly on both
      sides of the connection.  Again, curl should allow you to debug. 
      Keystone certs are in /etc/keystone/ssl/certs<br>
      <br>
      <br>
      <br>
      <blockquote type="cite">
        <pre>admin_token = xx
auth_token = xx
service_port = 5000
service_host = 127.0.0.1
delay_auth_decision = 1
signing_dir=/etc/swift


[filter:keystoneauth]
use = egg:swift#keystoneauth
# Operator roles is the role which user would be allowed to manage a
# tenant and be able to create container or give ACL to others.
operator_roles = admin, Member



I think the problem is the openssl validation or parsing, i don't know.
You see exit status of openssl in swift log and i think thats the problem.
Is it a bug or i've configured some thinks wrong ? Do anyone runs in a
similar problem ?


If anyone have questions or need detailled informations, please let me know.

Greetings
Heiko

</pre>
        <br>
        <fieldset></fieldset>
        <br>
        <pre>_______________________________________________
Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a>
Post to     : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a>
More help   : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a>
</pre>
      </blockquote>
      <br>
      <br>
      <fieldset></fieldset>
      <br>
      <pre>_______________________________________________
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a>
Post to     : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a>
More help   : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a>
</pre>
    </blockquote>
    <br>
  </div></div></div>

<br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to     : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help   : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><font color="#444444">Gareth</font><div><i><font color="#444444">Cloud Computing, Openstack, Fitness, Basketball<br></font></i></div><div><i><font color="#666666">Novice Openstack contributer</font></i></div>
<div><i><font color="#999999">My promise: if you find any spelling or grammar mistake in my email from Mar 1 2013, notice me </font></i></div><div><i><font color="#999999">and I'll donate 1$ or 1￥ to open organization specified by you.</font></i></div>
</div>
</div>