[Openstack] [swift] Using --debug option to list curl commands

Snider, Tim Tim.Snider at netapp.com
Mon Oct 7 14:32:02 UTC 2013

I'd like to use curl to access a Ceph cluster. The swift API works and I thought I could use the debug option to look at the curl commands generated for access.
Does the --debug option of swift print the entire command for all curl commands during execution?

Debug output from the 2nd curl command in the example below doesn't seem to show all the headers -- authentication header(s) specifically.
Entering the command by hand results in a  403 response.

I'd like to understand how the authentiation token is generated from the tenant (rados) user (swift) and the swift secret_key.
The following token is generated:

The first part looks like a header: 'AUTH_rgwtk', (rados gateway token) a length == 11  and a prefix == rados:swift
  AUTH_rgwtk 0b 00000072 61 64 6f 73 3a 73 77 69 66 74
length = 0xb          r  a  d  o  s  :  s  w  i  f  t

How is the remainder of the token generated? It doesn't appear to be unencoded or a plain hex/ascii translatation of the ceph keys shown by the radowgw-admin command.
046eff2c 9ac6a504 1b00545 248a7893 b9006776 83adaaca 1095128 b6edf8fc 378d7d49 d8

Get the ceph user information:
        root at controller21:~/ssbench-0.2.16# radosgw-admin user info --uid=rados
        2013-10-07 05:55:34.804639 7ff1c3f6c780  0 WARNING: cannot read region map
        { "user_id": "rados",
          "display_name": "rados",
          "email": "non at none.com",
          "suspended": 0,
          "max_buckets": 1000,
          "auid": 0,
  "subusers": [
{ "id": "rados:swift",
  "permissions": "full-control"},
{ "id": "rados:swift1",
  "permissions": "full-control"}],
  "keys": [
{ "user": "rados",
  "access_key": "R5F0D2UCSK3618DJ829A",
  "secret_key": "PJR1rvV2+Xrzlwo+AZZKXextsDl45EaLljzopgjD"}],
  "swift_keys": [
{ "user": "rados:swift",
  "secret_key": "77iJvemrxWvYk47HW7pxsL+eHdA53AtLl2T0OyuG"},
{ "user": "rados:swift1",
  "secret_key": "l9Xlg66JvbNvMmZAj91AeQByEiP8R8sBahCJeqAG"}],
  "caps": [],
  "op_mask": "read, write, delete",
  "default_placement": "",
  "placement_tags": []}

Use the debug option in swift to look at the curl commands generated:
        swift --debug -V 1.0 -A http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -U rados:swift -K "77iJvemrxWvYk47HW7pxsL+eHdA53AtLl2T0OyuG"  list

This one appears to be incomplete:
DEBUG:swiftclient:REQ: curl -i http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -X GET

DEBUG:swiftclient:RESP STATUS: 204

Want to understand how this key was generated:
        DEBUG:swiftclient:REQ: curl -i http://ictp-R2C4-Controller21.ict.englab.netapp.com/swift/v1?format=json -X GET -H"X-Auth-Token: AUTH_rgwtk0b0000007261646f733a7377696674046eff2c9ac6a5041b00545248a7893b900677683adaaca1095128b6edf8fc378d7d49d8"

The swift command works:
DEBUG:swiftclient:RESP STATUS: 200

DEBUG:swiftclient:RESP BODY: [{"name":"ssbench_000000","count":832,"bytes":85196800},...{"name":"xxx","count":1,"bytes":604}]


        DEBUG:swiftclient:REQ: curl -i http://ictp-R2C4-Controller21.ict.englab.netapp.com/swift/v1?format=json&marker=xxx -X GET -H "X-Auth-Token: AUTH_rgwtk0b0000007261646f733a7377696674046eff2c9ac6a5041b00545248a7893b900677683adaaca1095128b6edf8fc378d7d49d8"

DEBUG:swiftclient:RESP STATUS: 200

        DEBUG:swiftclient:RESP BODY: []

Entering the  2nd curl command by hand fails:
        root at controller21:~/ssbench-0.2.16# curl -i http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -X GET
        HTTP/1.1 403 Forbidden
        Date: Mon, 07 Oct 2013 14:06:30 GMT
        Server: Apache/2.2.22 (Ubuntu)
        Accept-Ranges: bytes
        Content-Length: 23
        Content-Type: application/json


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131007/8589978e/attachment.html>

More information about the Openstack mailing list