[Openstack] [swift] Using --debug option to list curl commands

Clay Gerrard clay.gerrard at gmail.com
Mon Oct 7 18:03:44 UTC 2013 

The token may not be (is probably not) deterministicly created.  You give a
username and password to the auth system - and it returns the token for you
to associate with future requests.

The request for the token (the auth request) seems to be missing some
headers:

curl -i http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -X GET

Should probably be:

curl -i http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -X GET -H
"X-Auth-User: rados:swift" -H "X-Auth-Key:
77iJvemrxWvYk47HW7pxsL+eHdA53AtLl2T0OyuG"

More information can be found here:

http://docs.openstack.org/developer/swift/overview_auth.html

^ it's a little down in the weeds, but it does sorta cover the gist of it -
there's lots of ways to do auth with Swift.

-Clay


On Mon, Oct 7, 2013 at 7:32 AM, Snider, Tim <Tim.Snider at netapp.com> wrote:

>  I'd like to use curl to access a Ceph cluster. The swift API works and I
> thought I could use the debug option to look at the curl commands generated
> for access. ****
>
> Does the --debug option of swift print the entire command for all curl
> commands during execution?****
>
> ** **
>
> Debug output from the 2nd curl command in the example below doesn't seem
> to show all the headers -- authentication header(s) specifically.****
>
> Entering the command by hand results in a  403 response.****
>
> ** **
>
> I'd like to understand how the authentiation token is generated from the
> tenant (rados) user (swift) and the swift secret_key.****
>
> The following token is generated:****
>
>
>            "AUTH_rgwtk0b0000007261646f733a7377696674046eff2c9ac6a5041b00545248a7893b900677683adaaca1095128b6edf8fc378d7d49d8"
> ****
>
> ** **
>
> The first part looks like a header: 'AUTH_rgwtk', (rados gateway token) a
> length == 11  and a prefix == rados:swift****
>
>   AUTH_rgwtk 0b 00000072 61 64 6f 73 3a 73 77 69 66 74****
>
> length = 0xb          r  a  d  o  s  :  s  w  i  f  t****
>
> ** **
>
> How is the remainder of the token generated? It doesn't appear to be
> unencoded or a plain hex/ascii translatation of the ceph keys shown by the
> radowgw-admin command.****
>
> 046eff2c 9ac6a504 1b00545 248a7893 b9006776 83adaaca 1095128 b6edf8fc
> 378d7d49 d8****
>
> ** **
>
> Get the ceph user information:****
>
>         root at controller21:~/ssbench-0.2.16# radosgw-admin user info
> --uid=rados****
>
>         2013-10-07 05:55:34.804639 7ff1c3f6c780  0 WARNING: cannot read
> region map****
>
>         { "user_id": "rados",****
>
>           "display_name": "rados",****
>
>           "email": "non at none.com",****
>
>           "suspended": 0,****
>
>           "max_buckets": 1000,****
>
>           "auid": 0,****
>
>   "subusers": [****
>
> { "id": "rados:swift",****
>
>   "permissions": "full-control"},****
>
> { "id": "rados:swift1",****
>
>   "permissions": "full-control"}],****
>
>   "keys": [****
>
> { "user": "rados",****
>
>   "access_key": "R5F0D2UCSK3618DJ829A",****
>
>   "secret_key": "PJR1rvV2+Xrzlwo+AZZKXextsDl45EaLljzopgjD"}],****
>
>   "swift_keys": [****
>
> { "user": "rados:swift",****
>
>   "secret_key": "77iJvemrxWvYk47HW7pxsL+eHdA53AtLl2T0OyuG"},****
>
> { "user": "rados:swift1",****
>
>   "secret_key": "l9Xlg66JvbNvMmZAj91AeQByEiP8R8sBahCJeqAG"}],****
>
>   "caps": [],****
>
>   "op_mask": "read, write, delete",****
>
>   "default_placement": "",****
>
>   "placement_tags": []}****
>
> ** **
>
> Use the debug option in swift to look at the curl commands generated:****
>
>         swift --debug -V 1.0 -A
> http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -U rados:swift
> -K "77iJvemrxWvYk47HW7pxsL+eHdA53AtLl2T0OyuG"  list****
>
> ** **
>
> This one appears to be incomplete:****
>
> DEBUG:swiftclient:REQ: curl -i
> http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -X GET****
>
> ** **
>
> DEBUG:swiftclient:RESP STATUS: 204****
>
> ** **
>
> Want to understand how this key was generated:****
>
>         DEBUG:swiftclient:REQ: curl -i
> http://ictp-R2C4-Controller21.ict.englab.netapp.com/swift/v1?format=json-X GET -H"X-Auth-Token:
> AUTH_rgwtk0b0000007261646f733a7377696674046eff2c9ac6a5041b00545248a7893b900677683adaaca1095128b6edf8fc378d7d49d8"
> ****
>
> ** **
>
> The swift command works:****
>
> DEBUG:swiftclient:RESP STATUS: 200****
>
> ** **
>
> DEBUG:swiftclient:RESP BODY:
> [{"name":"ssbench_000000","count":832,"bytes":85196800},...{"name":"xxx","count":1,"bytes":604}]
> ****
>
> ** **
>
> ssbench_000000****
>
> ssbench_000099****
>
> xxx****
>
> ** **
>
>         DEBUG:swiftclient:REQ: curl -i
> http://ictp-R2C4-Controller21.ict.englab.netapp.com/swift/v1?format=json&marker=xxx-X GET -H "X-Auth-Token:
> AUTH_rgwtk0b0000007261646f733a7377696674046eff2c9ac6a5041b00545248a7893b900677683adaaca1095128b6edf8fc378d7d49d8"
> ****
>
> ** **
>
> DEBUG:swiftclient:RESP STATUS: 200****
>
> ** **
>
>         DEBUG:swiftclient:RESP BODY: []****
>
> ** **
>
> Entering the  2nd curl command by hand fails:****
>
>         root at controller21:~/ssbench-0.2.16# curl -i
> http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -X GET****
>
>         HTTP/1.1 403 Forbidden****
>
>         Date: Mon, 07 Oct 2013 14:06:30 GMT****
>
>         Server: Apache/2.2.22 (Ubuntu)****
>
>         Accept-Ranges: bytes****
>
>         Content-Length: 23****
>
>         Content-Type: application/json****
>
> ** **
>
> Thanks,****
>
> Tim****
>
> ** **
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131007/86cc6ea8/attachment.html>

More information about the Openstack mailing list