[Openstack] swift tempURL requests yield 401 Unauthorized

Dieter Plaetinck dieter at plaetinck.be
Fri Oct 19 17:17:39 UTC 2012

using swift 1.4.8 on Centos machines. (latest packages for centos.  note that i'm assuming tempurl works with this version merely because all the code seems to be there, i couldn't find clear docs on whether it should work or not?)
I want to use the swift tempURL feature as per

TLDR: set up metadata correctly, but tempurl requests yield http 401, can't figure it out, _get_hmac() doesn't seem to be called.

First, I set the key metadata (this works fine) (tried both the swift CLI program as well as curl), and I tried setting it both on container level (container "uploads") as well as account level
(though i would prefer container level)

alias vimeoswift=swift -A http://$ip:8080/auth/v1.0 -U system:root -K testpass'
vimeoswift post -m Temp-Url-Key:key uploads
vimeoswift post -m Temp-Url-Key:key
curl -i -X POST -H X-Auth-Token:$t -H X-Account-Meta-Temp-URL-Key:key http://$ip:8080/v1/AUTH_system

this seems to work, because when I stat the account and the container, they
show up:

[root at dfvimeodfsproxy1 ~]# vimeoswift stat uploads
  Account: AUTH_system
Container: uploads
  Objects: 1
    Bytes: 1253
 Read ACL: 
Write ACL: 
  Sync To: 
 Sync Key: 
Meta Temp-Url-Key: key <------------------
Accept-Ranges: bytes
[root at dfvimeodfsproxy1 ~]# vimeoswift stat        
   Account: AUTH_system
Containers: 1
   Objects: 1
     Bytes: 1253
Meta Temp-Url-Key: key <------------------
Accept-Ranges: bytes
[root at dfvimeodfsproxy1 ~]# 

I have already put a file in container uploads (which I can retrieve just fine using an auth token):
[root at dfvimeodfsproxy1 ~]# vimeoswift stat uploads mylogfile.log | grep 'Content Length'
Content Length: 1253

now however, if i want to retrieve this file using the tempURL feature, it doesn't work:

using this script
import hmac
from hashlib import sha1
from time import time
method = 'GET'
expires = int(time() + 60)
base = ''
path = '/v1/AUTH_system/uploads/mylogfile.log'
key = 'key'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
sig = hmac.new(key, hmac_body, sha1).hexdigest()
print '%s%s?temp_url_sig=%s&temp_url_expires=%s' % (base, path, sig, expires)

~ ❯ openstack-signed-url2.py
~ ❯ wget ''
--2012-10-19 13:04:14--
Connecting to connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.

I thought I could easily debug this myself by changing the _get_hmac()
in /usr/lib/python2.6/site-packages/swift/common/middleware/tempurl.py like so:

    def _get_hmac(self, env, expires, key, request_method=None):
        if not request_method:
            request_method = env['REQUEST_METHOD']
        self.logger("getting HMAC for method %s, expires %s, path %s" % (request_method, expires, env['PATH_INFO']))
        hmac = hmac.new(key, '%s\n%s\n%s' % (request_method, expires,
            env['PATH_INFO']), sha1).hexdigest()
        self.logger("hmac is " + hmac)
        return hmac

however, after restarting the proxy, I don't see my messages showing up
anywhere (logging works otherwise, because proxy-server messages are showing
up in /var/log/message, showing all incoming http requests and their responses

any help is appreciated, thanks!


More information about the Openstack mailing list