Hi,

Additional info from the OpenStack Swift team:

#openstack-swift IRC:

<kevko> delay_auth_decision is this dangerous in swift ?
<kevko> or why it is default false ?
<kevko> i found that if it is false ..discoverability not working
<zaitcev> IIRC it defaults to false because tempauth does not need it, so SAIO works without. But basically all it does is letting 2 auths coexist, or have an auth that has 2 middlewares like authtoken (obtains the tokens) and keystone (makes the decision).
<zaitcev> So it's "delayed" in a sense that it invokes the auth hook after all the middlewares had a chance to execute.
<zaitcev> But of course it occurs before the request proceeds.
<kevko> hmm, so if I am using keystoneauth, i should set it to True, shouldn't I ?
<zaitcev> Yes.
<zaitcev> Well, strictly speaking, if middleware is in the correct order, you can get keystone itself to work. But not things like tempurl.
<zaitcev> So just set it.
<zaitcev> There's no security concern with it.

So, from my point of view, we should set this to True in kolla-ansible and add a release note to inform users that the default value has changed.

Kevko

Michal Arbet
Openstack Engineer

Ultimum Technologies a.s.
Na Poříčí 1047/26, 11000 Praha 1
Czech Republic

+420 604 228 897
michal.arbet@ultimum.io
https://ultimum.io

LinkedIn <https://www.linkedin.com/company/ultimum-technologies> | Twitter <https://twitter.com/ultimumtech> | Facebook <https://www.facebook.com/ultimumtechnologies/timeline>

On Tue, 14 Dec 2021 at 17:09, Michal Arbet <michal.arbet@ultimum.io> wrote:
Hi,
Sorry, I broke the diff because of a manual edit; below is the fix.
[filter:authtoken] -delay_auth_decision = False +delay_auth_decision = True
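Review bot: Switching delay_auth_decision from False to True under [filter:authtoken] changes behaviour for every deployment that picks up this template, so the change should ship with a release note, as proposed elsewhere in this thread. With True, authtoken leaves the accept or reject decision to a later filter, so it is worth confirming in the same change that keystoneauth follows authtoken in the pipeline. The hunk also carries no file header; name the template being edited.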
Thanks to Pierre Riteau (priteau), who caught my fault :)
Kevko
On Tue, 14 Dec 2021 at 16:25, Michal Arbet <michal.arbet@ultimum.io> wrote:
Hi,
[filter:authtoken] -delay_auth_decision = True +delay_auth_decision = True
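Review bot: The removed and added lines in this hunk are identical (both read delay_auth_decision = True), so as written it changes nothing. The removed line should carry the value that was in place before the change, and the hunk needs a file header so it is clear which config is being patched.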
The above does the trick and it is now working :)
Thank you
On Tue, 14 Dec 2021 at 0:52, Ghanshyam Mann <gmann@ghanshyammann.com> wrote:
---- On Mon, 13 Dec 2021 11:33:27 -0600 Michal Arbet <michal.arbet@ultimum.io> wrote ----

Hello to everyone,

Please, could someone help me with swift capabilities not working when I'm tempesting openstack test stack ?

Tempest :

rm -rf /tmp/tempest-lock/; refstack-client test -v -c /opt/tempest/tempest.conf -- --regex tempest.api.object_storage.test_account_quotas_negative.AccountQuotasNegativeTest

(.venv) root@ca6353106d83:/opt/refstack-client# rm -rf /tmp/tempest-lock/; refstack-client test -v -c /opt/tempest/tempest.conf -- --regex tempest.api.object_storage.test_account_quotas_negative.AccountQuotasNegativeTest
2021-12-13 17:44:33.001 4358 INFO tempest [-] Using tempest config file /etc/tempest/tempest.conf
2021-12-13 17:44:33,839 refstack_client:518 INFO Starting Tempest test...
2021-12-13 17:44:33.839 4358 INFO refstack_client [-] Starting Tempest test...
{0} setUpClass (tempest.api.object_storage.test_account_quotas_negative.AccountQuotasNegativeTest) [0.000000s] ... FAILED

Captured traceback:
~~~~~~~~~~~~~~~~~~~
Traceback (most recent call last):
  File "/opt/refstack-client/.tempest/tempest/test.py", line 181, in setUpClass
    raise value.with_traceback(trace)
  File "/opt/refstack-client/.tempest/tempest/test.py", line 174, in setUpClass
    cls.resource_setup()
  File "/opt/refstack-client/.tempest/tempest/api/object_storage/test_account_quotas_negative.py", line 36, in resource_setup
    super(AccountQuotasNegativeTest, cls).resource_setup()
  File "/opt/refstack-client/.tempest/tempest/api/object_storage/base.py", line 95, in resource_setup
    body = cls.capabilities_client.list_capabilities()
  File "/opt/refstack-client/.tempest/tempest/lib/services/object_storage/capabilities_client.py", line 32, in list_capabilities
    self._error_checker(resp, body)
  File "/opt/refstack-client/.tempest/tempest/lib/common/rest_client.py", line 799, in _error_checker
    raise exceptions.Unauthorized(resp_body, resp=resp)
tempest.lib.exceptions.Unauthorized: Unauthorized
Details: {'code': 401, 'title': 'Unauthorized', 'message': 'The request you have made requires authentication.'}
==============================
Failed 1 tests - output below:
==============================

setUpClass (tempest.api.object_storage.test_account_quotas_negative.AccountQuotasNegativeTest)
----------------------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
Traceback (most recent call last):
  File "/opt/refstack-client/.tempest/tempest/test.py", line 181, in setUpClass
    raise value.with_traceback(trace)
  File "/opt/refstack-client/.tempest/tempest/test.py", line 174, in setUpClass
    cls.resource_setup()
  File "/opt/refstack-client/.tempest/tempest/api/object_storage/test_account_quotas_negative.py", line 36, in resource_setup
    super(AccountQuotasNegativeTest, cls).resource_setup()
  File "/opt/refstack-client/.tempest/tempest/api/object_storage/base.py", line 95, in resource_setup
    body = cls.capabilities_client.list_capabilities()
  File "/opt/refstack-client/.tempest/tempest/lib/services/object_storage/capabilities_client.py", line 32, in list_capabilities
    self._error_checker(resp, body)
  File "/opt/refstack-client/.tempest/tempest/lib/common/rest_client.py", line 799, in _error_checker
    raise exceptions.Unauthorized(resp_body, resp=resp)
tempest.lib.exceptions.Unauthorized: Unauthorized
Details: {'code': 401, 'title': 'Unauthorized', 'message': 'The request you have made requires authentication.'}

======
Totals
======
Ran: 1 tests in 0.0000 sec.
 - Passed: 0
 - Skipped: 0
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 1
Sum of execute time for each test: 0.0000 sec.
TEMPEST LOG :

Response - Headers: {'content-type': 'application/json', 'content-length': '114', 'www-authenticate': 'Keystone uri="http://192.168.205.254:5000"', 'x-trans-id': 'tx815e181e33fb4854b2631-0061b7787a', 'x-openstack-request-id': 'tx815e181e33fb4854b2631-0061b7787a', 'date': 'Mon, 13 Dec 2021 16:44:42 GMT', 'connection': 'close', 'status': '401', 'content-location': 'https://api.refstack.ultimum.cloud:8080/info'}
Body: b'{"error": {"code": 401, "title": "Unauthorized", "message": "The request you have made requires authentication."}}' _log_request_full /opt/refstack-client/.tempest/tempest/lib/common/rest_client.py:450
Test from command line and from curl

. /etc/kolla/refstack.sh ; curl -H "X-Auth-Token: $(openstack token issue -f value -c id)" https://api.refstack.ultimum.cloud:8080/info
{"swift": {"version": "2.27.1.dev9", "strict_cors_mode": true, "policies": [{"name": "Policy-0", "aliases": "Policy-0", "default": true}], "allow_account_management": true, "account_autocreate": true, "max_file_size": 5368709122, "max_meta_name_length": 128, "max_meta_value_length": 256, "max_meta_count": 90, "max_meta_overall_size": 4096, "max_header_size": 8192, "max_object_name_length": 1024, "container_listing_limit": 10000, "account_listing_limit": 10000, "max_account_name_length": 256, "max_container_name_length": 256, "extra_header_count": 0}, "container_sync": {"realms": {}}, "bulk_upload": {"max_containers_per_extraction": 10000, "max_failed_extractions": 1000}, "bulk_delete": {"max_deletes_per_request": 10000, "max_failed_deletes": 1000}, "tempurl": {"methods": ["GET", "HEAD", "PUT", "POST", "DELETE"], "incoming_remove_headers": ["x-timestamp"], "incoming_allow_headers": [], "outgoing_remove_headers": ["x-object-meta-*"], "outgoing_allow_headers": ["x-object-meta-public-*"], "allowed_digests": ["sha1", "sha256", "sha512"]}, "ratelimit": {"account_ratelimit": 0.0, "max_sleep_time_seconds": 60.0, "container_ratelimits": [], "container_listing_ratelimits": []}, "container_quotas": {}, "account_quotas": {}, "slo": {"max_manifest_segments": 1000, "max_manifest_size": 8388608, "yield_frequency": 10, "min_segment_size": 1, "allow_async_delete": false}}
Python Swiftclient :

ubuntu@deploy:/opt/kolla-ansible$ . /etc/kolla/refstack.sh ; swift --os-auth-url http://192.168.205.254:5000/v3 --auth-version 3 --os-project-name refstack --os-project-domain-name default --os-username refstack --os-user-domain-name default --os-password SECRET capabilities
Capabilities GET failed: http://192.168.205.254:8080/info 401 Unauthorized [first 60 chars of response] b'{"error": {"code": 401, "title": "Unauthorized", "message": '
Failed Transaction ID: txc1d8607e26eb4cd587459-0061b7791b
It looks like swift client is broken, isn't it ? Or ?
Maybe kolla-ansible is creating bad roles and config ? (operator_roles, reselleradmin_role ..etc ? )

Tempest is from master

Thank you very much,
Kevko
Are you running it with dynamic creds or pre-provisioned creds ?
Error is from cls.capabilities_client which is initialized from CONF.object_storage.operator_role[1] which is 'member' role by default. What is your configuration for this?
With default CONF.object_storage.operator_role as 'member' role, this test passes in upstream CI/CD, so the client is not broken, but it is a configuration issue: https://zuul.opendev.org/t/openstack/build/b29147647370418fb9fbb0182832749d/...
[1] https://github.com/openstack/tempest/blob/34432dc970d09a55572a68fa007575285e...
-gmann
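A check for the configuration this thread settles on, as an added example that is not part of any message here and is not kolla-ansible's or Swift's own code: it parses a proxy-server.conf and reports when authtoken is not followed by keystoneauth or when delay_auth_decision is not true. The sample config is constructed, `audit_proxy_conf` is a hypothetical name, and the filters are assumed to be declared as in Swift's sample proxy-server.conf.

```python
import configparser

# Constructed sample in the layout of Swift's proxy-server.conf (not from the thread).
SAMPLE_CONF = """
[pipeline:main]
pipeline = catch_errors cache tempurl authtoken keystoneauth proxy-server

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
delay_auth_decision = False

[filter:keystoneauth]
use = egg:swift#keystoneauth
"""


def audit_proxy_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(text)
    pipeline = conf.get("pipeline:main", "pipeline", fallback="").split()

    def position(marker, key):
        # Index and name of the first pipeline filter whose section points at `marker`.
        for i, name in enumerate(pipeline):
            if marker in conf.get(f"filter:{name}", key, fallback=""):
                return i, name
        return None, None

    tok_i, tok_name = position("keystonemiddleware.auth_token", "paste.filter_factory")
    ks_i, _ = position("swift#keystoneauth", "use")
    if tok_i is None:
        return ["no keystonemiddleware auth_token filter in the pipeline"]
    findings = []
    if ks_i is None:
        findings.append("keystoneauth missing: nothing makes the authorization decision")
    elif ks_i < tok_i:
        findings.append("keystoneauth runs before authtoken: it sees no validated identity")
    # An unset option means False, which is the keystonemiddleware default.
    section = f"filter:{tok_name}"
    if not conf.getboolean(section, "delay_auth_decision", fallback=False):
        findings.append(f"[{section}] delay_auth_decision is false: requests without a "
                        "valid token get a 401 from authtoken itself, as /info did here")
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```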