[Openstack] s3token, getting HTTP 403 (Forbidden)

Axel Christiansen axel.christiansen at softreset.de
Wed Aug 14 15:27:20 UTC 2013


Hello List.


Is anyone using Grizzly swift3 with Keystone successfully?

I just cannot manage to get it working.


Keystone does authenticate the request. At the end swift returns an HTTP
403 (Forbidden).

It looks like the problem occurs at the last 2 lines of the log.
Keystone grants a token and returns all kinds of things like the
tenant-ID. So that looks good. swift proxy is using that tenant-ID but
returns an HTTP 403 (Forbidden).


I have every occurrence of "log_level" set to "DEBUG" in
proxy-server.conf. Is there a way to increase the logging even more?


Thx, Axel




Here is a snippet from the log:

Aug 14 16:56:23 swift-proxy1 swift-proxy Calling Swift3 Middleware (txn:
tx287e0d33583b46c9bb8b77b2614616b6)
Aug 14 16:56:23 swift-proxy1 swift-proxy {'headers': {'Accept-Encoding':
'gzip,deflate', 'X-Ssl-Cipher': 'RC4-MD5                 SSLv3 Kx=RSA
   Au=RSA  Enc=RC4(128)  Mac=MD5', 'X-Forwarded-For': '93.92.132.6',
'Host': 'api.opencloudstorage.de:443', 'User-Agent': 'Cyberduck/4.3 (Mac
OS X/10.8.4) (i386)', 'Connection': 'close', 'Date': 'Wed, 14 Aug 2013
14:56:27 GMT', 'Content-Type': None, 'Authorization': 'AWS
b7f63c4b6e7f41539940e328df9d9a1d:VEgaPNnrWUHVHv19cQ6deHp032o='},
'environ': {'HTTP_AUTHORIZATION': 'AWS
b7f63c4b6e7f41539940e328df9d9a1d:VEgaPNnrWUHVHv19cQ6deHp032o=',
'SCRIPT_NAME': '', 'swift.trans_id':
'tx287e0d33583b46c9bb8b77b2614616b6', 'HTTP_X_SSL_CIPHER': 'RC4-MD5
            SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5',
'REQUEST_METHOD': 'GET', 'PATH_INFO': '/', 'SERVER_PROTOCOL':
'HTTP/1.0', 'HTTP_USER_AGENT': 'Cyberduck/4.3 (Mac OS X/10.8.4) (i386)',
'HTTP_CONNECTION': 'close', 'REMOTE_PORT': '56446', 'SERVER_NAME':
'10.42.44.203', 'REMOTE_ADDR': '10.42.44.201', 'eventlet.input':
<eventlet.wsgi.Input object at 0x2382550>, 'wsgi.url_scheme': 'http',
'SERVER_PORT': '8080', 'HTTP_DATE': 'Wed, 14 Aug 2013 14:56:27 GMT',
'HTTP_HOST': 'api.opencloudstorage.de:443', 'swift.cache':
<swift.common.memcached.MemcacheRing object at 0x2c413d0>,
'wsgi.multithread': True, 'eventlet.posthooks': [], 'wsgi.version': (1,
0), 'RAW_PATH_INFO': '/', 'GATEWAY_INTERFACE': 'CGI/1.1',
'wsgi.run_once': False, 'wsgi.errors':
<swift.common.utils.LoggerFileObject object at 0x1cf4750>,
'wsgi.multiprocess': False, 'wsgi.input': <swift.common.utils.InputProxy
object at 0x2382b10>, 'HTTP_X_FORWARDED_FOR': '93.92.132.6',
'CONTENT_TYPE': None, 'HTTP_ACCEPT_ENCODING': 'gzip,deflate'}}
Aug 14 16:56:23 swift-proxy1 swift-proxy Calling S3Token middleware.
(txn: tx287e0d33583b46c9bb8b77b2614616b6)
Aug 14 16:56:23 swift-proxy1 swift-proxy Connecting to Keystone sending
this JSON: {"credentials": {"access":
"b7f63c4b6e7f41539940e328df9d9a1d", "token":
"R0VUCgoKV2VkLCAxNCBBdWcgMjAxMyAxNDo1NjoyNyBHTVQKLw==", "signature":
"VEgaPNnrWUHVHv19cQ6deHp032o="}} (txn: tx287e0d33583b46c9bb8b77b2614616b6)
Aug 14 16:56:24 swift-proxy1 swift-proxy Keystone Reply: Status: 200,
Output: {"access": {"token": {"issued_at": "2013-08-14T14:56:24.828377",
"expires": "2013-08-15T14:56:24Z", "id":
"3aaa6962acb5490d921b94e98a9363c4", "tenant": {"id":
"efc8e0f6b8b8406680f21d70470a64fe", "enabled": true, "domain_id":
"default", "name": "23000-023-achristiansen", "description": "Axel Test
Swift-Account"}}, "serviceCatalog": [{"endpoints": [{"adminURL":
"http://10.42.46.210:8774/v2/efc8e0f6b8b8406680f21d70470a64fe",
"region": "Hamburg (HAM)", "internalURL":
"http://10.42.46.210:8774/v2/efc8e0f6b8b8406680f21d70470a64fe", "id":
"bc90a602f2a14e2889fa6024166e7ef1", "publicURL":
"http://10.42.46.210:8774/v2/efc8e0f6b8b8406680f21d70470a64fe"}],
"endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints":
[{"adminURL": "http://10.42.44.210:9292", "region": "Hamburg (HAM)",
"internalURL": "http://10.42.44.210:9292", "id":
"3278d653d9b84066bc755c22a177fe03", "publicURL":
"http://10.42.46.210:9292"}], "endpoints_links": [], "type": "image",
"name": "glance"}, {"endpoints": [{"adminURL":
"http://10.42.46.210:8776/v1/efc8e0f6b8b8406680f21d70470a64fe",
"region": "Hamburg (HAM)", "internalURL":
"http://10.42.46.210:8776/v1/efc8e0f6b8b8406680f21d70470a64fe", "id":
"9a0e5aac68de4b5fb2b27e67e652ee2b", "publicURL":
"http://10.42.46.210:8776/v1/efc8e0f6b8b8406680f21d70470a64fe"}],
"endpoints_links": [], "type": "volume", "name": "cinder"},
{"endpoints": [{"adminURL": "http://10.42.46.206:8773/services/Admin",
"region": "Hamburg (HAM)", "internalURL":
"http://10.42.44.206:8773/services/Cloud", "id":
"48022dc337884116928e8d6562c9e206", "publicURL":
"http://10.42.46.206:8773/services/Cloud"}], "endpoints_links": [],
"type": "ec2", "name": "ec2"}, {"endpoints": [{"adminURL":
"https://api.opencloudstorage.de/v1", "region": "Hamburg (HAM)",
"internalURL":
"https://api.opencloudstorage.de/v1/AUTH_efc8e0f6b8b8406680f21d70470a64fe",
"id": "43017605582f49ecac0d9beb7fa9e3ef", "publicURL":
"https://api.opencloudstorage.de/v1/AUTH_efc8e0f6b8b8406680f21d70470a64fe"}],
"endpo
Aug 14 16:56:24 swift-proxy1 swift-proxy Connecting with tenant:
efc8e0f6b8b8406680f21d70470a64fe (txn: tx287e0d33583b46c9bb8b77b2614616b6)
Aug 14 16:56:24 swift-proxy1 swift 93.92.132.6 10.42.44.201
14/Aug/2013/14/56/24 GET
/v1/AUTH_efc8e0f6b8b8406680f21d70470a64fe%3Fformat%3Djson HTTP/1.0 403 -
Cyberduck/4.3%20%28Mac%20OS%20X/10.8.4%29%20%28i386%29
3aaa6962acb5490d921b94e98a9363c4 - 124 -
tx287e0d33583b46c9bb8b77b2614616b6
Authorization%3A%20AWS%20b7f63c4b6e7f41539940e328df9d9a1d%3AVEgaPNnrWUHVHv19cQ6deHp032o%3D%0AX-Ssl-Cipher%3A%20RC4-MD5%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20SSLv3%20Kx%3DRSA%20%20%20%20%20%20Au%3DRSA%20%20Enc%3DRC4%28128%29%20%20Mac%3DMD5%0AX-Auth-Token%3A%203aaa6962acb5490d921b94e98a9363c4%0AUser-Agent%3A%20Cyberduck/4.3%20%28Mac%20OS%20X/10.8.4%29%20%28i386%29%0AConnection%3A%20close%0ADate%3A%20Wed%2C%2014%20Aug%202013%2014%3A56%3A27%20GMT%0AHost%3A%20api.opencloudstorage.de%3A443%0AX-Forwarded-For%3A%2093.92.132.6%0AAccept-Encoding%3A%20gzip%2Cdeflate%0AContent-Type%3A%20None
0.0813 -
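
Added example, not part of the original post: in the "Connecting to Keystone" log line, the "token" field is the base64-encoded S3 signature v2 string-to-sign and "signature" is its HMAC-SHA1 under the account's secret key. The sketch below decodes the logged credentials and shows the signature check; the secret is a constructed placeholder because the real one does not appear in the log, and all function names are illustrative.

```python
import base64
import hashlib
import hmac
import json

# Credentials JSON copied from the "Connecting to Keystone" log line in the post.
LOGGED = json.loads(
    '{"credentials": {"access": "b7f63c4b6e7f41539940e328df9d9a1d", '
    '"token": "R0VUCgoKV2VkLCAxNCBBdWcgMjAxMyAxNDo1NjoyNyBHTVQKLw==", '
    '"signature": "VEgaPNnrWUHVHv19cQ6deHp032o="}}'
)["credentials"]

def decode_string_to_sign(token_b64):
    """Return the S3 v2 StringToSign carried in the s3token 'token' field."""
    return base64.urlsafe_b64decode(token_b64).decode("utf-8")

def split_string_to_sign(sts):
    """Name the v2 fields: method, Content-MD5, Content-Type, Date, then
    canonicalized x-amz-* headers plus the resource path."""
    parts = sts.split("\n", 4)
    if len(parts) != 5:
        raise ValueError("not an S3 v2 StringToSign: %r" % sts)
    names = ("method", "content_md5", "content_type", "date", "amz_and_resource")
    return dict(zip(names, parts))

def sign(secret, string_to_sign):
    """base64(HMAC-SHA1(secret, StringToSign)), the S3 v2 signature."""
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(secret, creds):
    """Recompute the signature from the decoded token; constant-time compare."""
    expected = sign(secret, decode_string_to_sign(creds["token"]))
    return hmac.compare_digest(expected, creds["signature"])

if __name__ == "__main__":
    sts = decode_string_to_sign(LOGGED["token"])
    print(split_string_to_sign(sts))
    secret = "constructed-example-secret"  # assumption: real secret is not on the page
    sample = dict(LOGGED, signature=sign(secret, sts))  # constructed credentials
    print(verify(secret, sample), verify("wrong-secret", sample))
```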



