[Openstack] Verifying Swift - X-Auth problem
Adam Lawson
alawson at aqorn.com
Mon Feb 10 21:57:51 UTC 2014
Thanks for your ideas John. I checked proxy-server.conf and it appears the
user exists as it should and tempauth is denoted correctly as well.
I am able to perform Step1 without an error but Step2 gives me an
unauthorized reply and Step3 says account could not be HEADED. Exact
response below.
Below are the steps I'm executing, the result and the contents of
proxy-server.conf.
*STEPS:*
> # 1 Aqcuire X-Storage-Url and X-Auth-Token
> curl -k -v -H 'X-Storage-User: system:root' -H 'X-Storage-Pass: testing'
> https://$PROXY_LOCAL_NET_IP:8080/AUTH/v1.0
> # 2 Test HEAD account process
> # SAMPLE: curl -k -v -H 'X-Auth-Token: <token-from-x-auth-token-above>'
> <url-from-x-storage-url-above>
> curl -k -v -H 'X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628'
> https://$PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
> # 3 Test Swift is actually working
> swift -A https://$PROXY_LOCAL_NET_IP:8080/AUTH/v1.0 -U system:root -K
> testpass stat
*OUTPUT:*
> root at mo-ad1469a10:/home/c52xxx74# swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
> -U system:root -K testpass stat
> Account HEAD failed: https://10.173.0.66:8080/v1/AUTH_system 401
> Unauthorized
> root at mo-ad1469a10:/home/c52xxx74# curl -k -v -H 'X-Storage-User:
> system:root' -H 'X-Storage-Pass: testpass' https://
> $PROXY_LOCAL_NET_IP:8080/auth/v1.0
> * About to connect() to 10.173.0.66 port 8080 (#0)
> * Trying 10.173.0.66... connected
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> * subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
> * start date: 2014-01-29 00:34:55 GMT
> * expire date: 2014-02-28 00:34:55 GMT
> * SSL: unable to obtain common name from peer certificate
> > GET /auth/v1.0 HTTP/1.1
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> > Host: 10.173.0.66:8080
> > Accept: */*
> > X-Storage-User: system:root
> > X-Storage-Pass: testpass
> >
> < HTTP/1.1 200 OK
> < X-Storage-Url: https://10.173.0.66:8080/v1/AUTH_system
> < X-Auth-Token: AUTH_tk43103ea556414c57a5aecad62155a8e4
> < Content-Type: text/html; charset=UTF-8
> < X-Storage-Token: AUTH_tk43103ea556414c57a5aecad62155a8e4
> < Content-Length: 0
> < Date: Mon, 10 Feb 2014 21:41:54 GMT
> <
> * Connection #0 to host 10.173.0.66 left intact
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> root at mo-ad1469a10:/home/c52xxx74# curl -k -v -H 'X-Auth-Token:
> AUTH_tk43103ea556414c57a5aecad62155a8e4'
> https://10.173.0.66:8080/v1/AUTH_system
> * About to connect() to 10.173.0.66 port 8080 (#0)
> * Trying 10.173.0.66... connected
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> * subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
> * start date: 2014-01-29 00:34:55 GMT
> * expire date: 2014-02-28 00:34:55 GMT
> * SSL: unable to obtain common name from peer certificate
> > GET /v1/AUTH_system HTTP/1.1
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> > Host: 10.173.0.66:8080
> > Accept: */*
> > X-Auth-Token: AUTH_tk43103ea556414c57a5aecad62155a8e4
> >
> < HTTP/1.1 401 Unauthorized
> < Content-Length: 131
> < Content-Type: text/html; charset=UTF-8
> < Date: Mon, 10 Feb 2014 21:43:29 GMT
> <
> * Connection #0 to host 10.173.0.66 left intact
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> <html><h1>Unauthorized</h1><p>This server could not verify that you are
> authorized to access the document you requested.</p></html>root at mo-ad1469a10
> :/home/c52xxx74#
> root at mo-ad1469a10:/home/c52xxx74# swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
> -U system:root -K testpass stat
> Account HEAD failed: https://10.173.0.66:8080/v1/AUTH_system 401
> Unauthorized
*PROXY-SERVER.CONF*
> [DEFAULT]
> cert_file = /etc/swift/cert.crt
> key_file = /etc/swift/cert.key
> bind_port = 8080
> workers = 8
> user = swift
> [pipeline:main]
> pipeline = healthcheck proxy-logging cache tempauth proxy-logging
> proxy-server
> [app:proxy-server]
> use = egg:swift#proxy
> allow_account_management = true
> account_autocreate = true
> [filter:proxy-logging]
> use = egg:swift#proxy_logging
> [filter:tempauth]
> use = egg:swift#tempauth
> user_system_root = testpass .admin https://10.173.0.66:8080/v1/AUTH_system
> [filter:healthcheck]
> use = egg:swift#healthcheck
> [filter:cache]
> use = egg:swift#memcache
> memcache_servers = 10.173.0.66:11211
What am I missing here?
*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620
On Fri, Feb 7, 2014 at 6:19 PM, John Dickinson <me at not.mn> wrote:
> In the output you pasted, you don't have any successful response. I'd
> suggest looking at the tempauth stanza in the proxy server conf to make
> sure the users are set up correctly.
>
> --John
>
>
>
> On Feb 7, 2014, at 4:55 PM, Adam Lawson <alawson at aqorn.com> wrote:
>
> > To help with troubleshooting, here is what I've executed thus far on my
> proxy node...
> > Obvious problem/symptom = inability to verify a new Swift install from
> scratch due to 401 Unauthorized.
> > * 1x proxy node
> > * 5x storage nodes
> > I'll continue working this but anyone have any thoughts? See email to
> -operators list for further history.
> >
> > Thanks!
> > Adam
> >
> > Below is a bash history/output of what is happening right now:
> > login as: c5201274
> > c5201274 at 10.173.0.66's password:
> > Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-55-generic x86_64)
> > * Documentation: https://help.ubuntu.com/
> > Last login: Thu Feb 6 21:05:32 2014 from 10.7.106.110
> > Powered by Monsoon (Version 2.2.465) Platform: ubuntu 12.04
> > Hostname : mo-ad1469a10.mo.sap.corp Name : node0p
> > Organization : c5201274 Project : swift_poc
> > Url : https://monsoon.mo.sap.corp/instances/mo-ad1469a10
> > c5201274 at mo-ad1469a10:~$ sudo su
> > root at mo-ad1469a10:/home/c5201274# . credrc.sh
> > root at mo-ad1469a10:/home/c5201274# swift-init proxy start
> > proxy-server running (5502 - /etc/swift/proxy-server.conf)
> > proxy-server already started...
> > root at mo-ad1469a10:/home/c5201274# curl -k -v -H 'X-Storage-User:
> test:tester' -H 'X-Storage-Pass: testing' https://
> $PROXY_LOCAL_NET_IP:8080/auth/v1.0
> > * About to connect() to 10.173.0.66 port 8080 (#0)
> > * Trying 10.173.0.66... connected
> > * successfully set certificate verify locations:
> > * CAfile: none
> > CApath: /etc/ssl/certs
> > * SSLv3, TLS handshake, Client hello (1):
> > * SSLv3, TLS handshake, Server hello (2):
> > * SSLv3, TLS handshake, CERT (11):
> > * SSLv3, TLS handshake, Server finished (14):
> > * SSLv3, TLS handshake, Client key exchange (16):
> > * SSLv3, TLS change cipher, Client hello (1):
> > * SSLv3, TLS handshake, Finished (20):
> > * SSLv3, TLS change cipher, Client hello (1):
> > * SSLv3, TLS handshake, Finished (20):
> > * SSL connection using AES256-SHA
> > * Server certificate:
> > * subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
> > * start date: 2014-01-29 00:34:55 GMT
> > * expire date: 2014-02-28 00:34:55 GMT
> > * SSL: unable to obtain common name from peer certificate
> > > GET /auth/v1.0 HTTP/1.1
> > > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4libidn/1.23 librtmp/2.3
> > > Host: 10.173.0.66:8080
> > > Accept: */*
> > > X-Storage-User: test:tester
> > > X-Storage-Pass: testing
> > >
> > < HTTP/1.1 401 Unauthorized
> > < Content-Length: 131
> > < Content-Type: text/html; charset=UTF-8
> > < Date: Fri, 07 Feb 2014 18:20:13 GMT
> > <
> > * Connection #0 to host 10.173.0.66 left intact
> > * Closing connection #0
> > * SSLv3, TLS alert, Client hello (1):
> > <html><h1>Unauthorized</h1><p>This server could not verify that you are
> authorized to access the document you requested.</p></html>root at mo-ad1469a10
> :/home/c5201274#
> > root at mo-ad1469a10:/home/c5201274# curl -k -v -H 'X-Auth-Token:
> AUTH_tkf85b7788c36143ac99e5a5b42d95d628' https://
> $PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
> > * About to connect() to 10.173.0.66 port 8080 (#0)
> > * Trying 10.173.0.66... connected
> > * successfully set certificate verify locations:
> > * CAfile: none
> > CApath: /etc/ssl/certs
> > * SSLv3, TLS handshake, Client hello (1):
> > * SSLv3, TLS handshake, Server hello (2):
> > * SSLv3, TLS handshake, CERT (11):
> > * SSLv3, TLS handshake, Server finished (14):
> > * SSLv3, TLS handshake, Client key exchange (16):
> > * SSLv3, TLS change cipher, Client hello (1):
> > * SSLv3, TLS handshake, Finished (20):
> > * SSLv3, TLS change cipher, Client hello (1):
> > * SSLv3, TLS handshake, Finished (20):
> > * SSL connection using AES256-SHA
> > * Server certificate:
> > * subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
> > * start date: 2014-01-29 00:34:55 GMT
> > * expire date: 2014-02-28 00:34:55 GMT
> > * SSL: unable to obtain common name from peer certificate
> > > GET /v1/AUTH_system HTTP/1.1
> > > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4libidn/1.23 librtmp/2.3
> > > Host: 10.173.0.66:8080
> > > Accept: */*
> > > X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628
> > >
> > < HTTP/1.1 401 Unauthorized
> > < Content-Length: 131
> > < Content-Type: text/html; charset=UTF-8
> > < Date: Fri, 07 Feb 2014 18:21:22 GMT
> > <
> > * Connection #0 to host 10.173.0.66 left intact
> > * Closing connection #0
> > * SSLv3, TLS alert, Client hello (1):
> > <html><h1>Unauthorized</h1><p>This server could not verify that you are
> authorized to access the document you requested.</p></html>root at mo-ad1469a10:/home/c5201274#
> ^C
> > root at mo-ad1469a10:/home/c5201274# ^C
> > root at mo-ad1469a10:/home/c5201274# curl -k -v -H 'X-Auth-Token:
> AUTH_tkf85b7788c36143ac99e5a5b42d95d628' https://
> $PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
> > * About to connect() to 10.173.0.66 port 8080 (#0)
> > * Trying 10.173.0.66... connected
> > * successfully set certificate verify locations:
> > * CAfile: none
> > CApath: /etc/ssl/certs
> > * SSLv3, TLS handshake, Client hello (1):
> > * SSLv3, TLS handshake, Server hello (2):
> > * SSLv3, TLS handshake, CERT (11):
> > * SSLv3, TLS handshake, Server finished (14):
> > * SSLv3, TLS handshake, Client key exchange (16):
> > * SSLv3, TLS change cipher, Client hello (1):
> > * SSLv3, TLS handshake, Finished (20):
> > * SSLv3, TLS change cipher, Client hello (1):
> > * SSLv3, TLS handshake, Finished (20):
> > * SSL connection using AES256-SHA
> > * Server certificate:
> > * subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
> > * start date: 2014-01-29 00:34:55 GMT
> > * expire date: 2014-02-28 00:34:55 GMT
> > * SSL: unable to obtain common name from peer certificate
> > > GET /v1/AUTH_system HTTP/1.1
> > > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4libidn/1.23 librtmp/2.3
> > > Host: 10.173.0.66:8080
> > > Accept: */*
> > > X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628
> > >
> > < HTTP/1.1 401 Unauthorized
> > < Content-Length: 131
> > < Content-Type: text/html; charset=UTF-8
> > < Date: Fri, 07 Feb 2014 18:22:52 GMT
> > <
> > * Connection #0 to host 10.173.0.66 left intact
> > * Closing connection #0
> > * SSLv3, TLS alert, Client hello (1):
> > <html><h1>Unauthorized</h1><p>This server could not verify that you are
> authorized to access the document you requ
> > root at mo-ad1469a10:/home/c5201274# swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
> -U test:tester -K testing stat
> > Auth GET failed: https://10.173.0.66:8080/auth/v1.0 401 Unauthorized
> > root at mo-ad1469a10:/home/c5201274#
> >
> >
> > Adam Lawson
> > AQORN, Inc.
> > 427 North Tatnall Street
> > Ste. 58461
> > Wilmington, Delaware 19801-2230
> > Toll-free: (888) 406-7620
> >
> >
> >
> > On Thu, Feb 6, 2014 at 1:57 PM, Adam Lawson <alawson at aqorn.com> wrote:
> > Hey OpenStack peeps!
> >
> > I'm trying to verify a Swift manual installation with 1x proxy and 5x
> storage nodes. I turned on all services with no errors (well, no errors I
> didn't fix anyway).
> > My problem is with trying to create an account and heading it. Below is
> what I'm scripting as I go along.
> >
> > I executed Step1 successfully using system:root as the user. But when I
> executed Step2, I received a 401 Unauthorized reply.
> > Undaunted I executed Step3 which produced nothing. I then tried running
> Step1 again as shown below with test:tester as the user (thinking it was
> because I don't actually run as root but I run commands via sudo) and now
> it always gives me 401 unauthorized replies.
> >
> > Is this an obvious problem with an easy remedy?
> >
> >
> > # 1 Aqcuire X-Storage-Url and X-Auth-Token
> > curl -k -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing'
> https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
> >
> > # 2 Test HEAD account process
> > # SAMPLE: curl -k -v -H 'X-Auth-Token: <token-from-x-auth-token-above>'
> <url-from-x-storage-url-above>
> > curl -k -v -H 'X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628'
> https://$PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
> >
> > # Test Swift is actually working
> > swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0 -U system:testuser
> -K testpass stat
> >
> > Thoughts?
> >
> > Adam Lawson
> > AQORN, Inc.
> > 427 North Tatnall Street
> > Ste. 58461
> > Wilmington, Delaware 19801-2230
> > Toll-free: (888) 406-7620
> >
> >
> > _______________________________________________
> > Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to : openstack at lists.openstack.org
> > Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140210/87b2cb9d/attachment.html>
More information about the Openstack
mailing list