[kolla-ansible] [swift] access denied to various APIs
I set up a cloud with the Victoria version of Kolla-Ansible. I enabled Swift and configured Swift as backend for Glance and Cinder-Backup. The Glance backend works, the Cinder-Backup backend doesn't. Furthermore, as a non-admin user I can't do anything with Swift. These two headscratchers that may or may not be related. I seek for help how to troubleshoot this. *Headscratcher 1*: Swift doesn't accept unauthenticated /info API, although expose_info is explicitly set to "true". This is why Cinder-Backup fails; it performs this API when starting up: curl http://192.168.122.253:8080/info {"error": {"code": 401, "title": "Unauthorized", "message": "The request you have made requires authentication."}} When I add a valid token, this works. *Headscratcher 2*: Swift refuses access except for the admin role. I get this when I don't have the admin role: $ source demorc.sh $ swift stat Account HEAD failed: http://192.168.122.253:8080/v1/AUTH_06d5618863294187bf46c611c0ebb4a7 403 Forbidden Failed Transaction ID: tx7e8d958e3c7b410880000-0060d81a25 To add insult to injury, I don't see relevant messages in the centralized Elasticsearch log, and logging does not go to any log files. Any thoughts? Thanks, Bernd
On Sun, 27 Jun 2021 at 07:32, Bernd Bausch <berndbausch@gmail.com> wrote:
I set up a cloud with the Victoria version of Kolla-Ansible. I enabled Swift and configured Swift as backend for Glance and Cinder-Backup. The Glance backend works, the Cinder-Backup backend doesn't. Furthermore, as a non-admin user I can't do anything with Swift. These two headscratchers that may or may not be related. I seek for help how to troubleshoot this.
Headscratcher 1: Swift doesn't accept unauthenticated /info API, although expose_info is explicitly set to "true". This is why Cinder-Backup fails; it performs this API when starting up:
curl http://192.168.122.253:8080/info {"error": {"code": 401, "title": "Unauthorized", "message": "The request you have made requires authentication."}}
When I add a valid token, this works.
Headscratcher 2: Swift refuses access except for the admin role. I get this when I don't have the admin role:
$ source demorc.sh $ swift stat Account HEAD failed: http://192.168.122.253:8080/v1/AUTH_06d5618863294187bf46c611c0ebb4a7 403 Forbidden Failed Transaction ID: tx7e8d958e3c7b410880000-0060d81a25
To add insult to injury, I don't see relevant messages in the centralized Elasticsearch log, and logging does not go to any log files.
Hi Bernd, we had some issues with a broken fluentd release breaking the logging pipeline. We have since pinned the version, and pulling a new fluentd image should resolve the issue.
Any thoughts?
Thanks,
Bernd
participants (2)
-
Bernd Bausch
-
Mark Goddard