[Openstack] Verifying Swift - X-Auth problem

Adam Lawson alawson at aqorn.com
Mon Feb 10 22:35:28 UTC 2014


Update: Happy days are here again. I figured out my problem which was a
couple issues. I'll share with the group so others won't run into this.

I was using two sources of documentation that referenced the URL in two
different ways that I didn't catch earlier (one used /AUTH and the other
used /auth). That's obviously not going to work but I didn't see it
previously.

Second, after doing some further research I learned that tokens are stored
in memcached and without memcached running, access is impossible. So to be
sure it wasn't that I checked and lo and behold, it wasn't running and
wouldn't run even if I started the service. I checked
/etc/swift/memcached.conf and realized I had memcached listening on an IP
address listed as -1 10.173.0.66 and not -l 10.173.0.66 (basically I was
using number one instead of the letter L). Using L worked.

So, all is well for now. Just thought I'd share that with you guys.

Mahalo,
Adam


*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620
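
The two faults described above can be caught before running any curl test. The following is an added example, not part of the original post or of Swift itself: a small linter that checks the auth URL against tempauth's `auth_prefix` and checks that `memcached.conf` binds the address listed in `memcache_servers`. The sample configs are constructed from the thread, and the function names are hypothetical.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample inputs modelled on the thread, not the poster's actual files.
MEMCACHED_CONF = "-d\n-m 64\n-p 11211\n-u memcache\n-1 10.173.0.66\n"
PROXY_CONF = """\
[filter:tempauth]
use = egg:swift#tempauth
[filter:cache]
use = egg:swift#memcache
memcache_servers = 10.173.0.66:11211
"""

def lint_memcached(conf_text):
    """Return (listen_addr, port, problems) for a memcached.conf option file."""
    listen, port, problems = None, 11211, []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        opt, _, arg = raw.split("#", 1)[0].strip().partition(" ")
        if re.fullmatch(r"-\d+", opt):
            # Heuristic: memcached has no numeric flags, so '-1' is a typo for '-l'.
            problems.append(f"memcached.conf line {n}: unknown option {opt!r}, did you mean '-l'?")
        elif opt == "-l":
            listen = arg.strip()
        elif opt == "-p":
            port = int(arg)
    return listen, port, problems

def lint_swift_auth(proxy_text, memcached_text, auth_url):
    """List config problems that lead to the 401 responses described in the post."""
    cp, problems = configparser.ConfigParser(interpolation=None), []
    cp.read_string(proxy_text)
    # tempauth only answers under auth_prefix (default '/auth/'); the match is case-sensitive.
    prefix = cp.get("filter:tempauth", "auth_prefix", fallback="/auth/")
    path = urlparse(auth_url).path
    if not path.startswith(prefix):
        hint = " (differs only in case)" if path.lower().startswith(prefix.lower()) else ""
        problems.append(f"auth URL path {path!r} is not under auth_prefix {prefix!r}{hint}")
    listen, port, mc_problems = lint_memcached(memcached_text)
    problems += mc_problems
    servers = cp.get("filter:cache", "memcache_servers", fallback="127.0.0.1:11211")
    for server in (s.strip() for s in servers.split(",")):
        host, _, sport = server.rpartition(":")
        if (host, int(sport)) != (listen, port):
            problems.append(f"proxy expects memcached at {server}, "
                            f"but memcached.conf binds {listen or '<no -l>'}:{port}")
    return problems

if __name__ == "__main__":
    print("\n".join(lint_swift_auth(PROXY_CONF, MEMCACHED_CONF, "https://10.173.0.66:8080/AUTH/v1.0")))
```

A missing `-l` line is reported as well, since memcached without it listens on all interfaces rather than only the address the proxy uses.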



On Mon, Feb 10, 2014 at 1:57 PM, Adam Lawson <alawson at aqorn.com> wrote:

> Thanks for your ideas John. I checked proxy-server.conf and it appears the
> user exists as it should and tempauth is denoted correctly as well.
>
> I am able to perform Step1 without an error but Step2 gives me an
> unauthorized reply and Step3 says account could not be HEADED. Exact
> response below.
>
> Below are the steps I'm executing, the result and the contents of
> proxy-server.conf.
>
> *STEPS:*
>
>> # 1 Acquire X-Storage-Url and X-Auth-Token
>> curl -k -v -H 'X-Storage-User: system:root' -H 'X-Storage-Pass: testing'
>> https://$PROXY_LOCAL_NET_IP:8080/AUTH/v1.0
>>
>> # 2 Test HEAD account process
>> # SAMPLE: curl -k -v -H 'X-Auth-Token: <token-from-x-auth-token-above>'
>> <url-from-x-storage-url-above>
>> curl -k -v -H 'X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628'
>> https://$PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
>> # 3 Test Swift is actually working
>> swift -A https://$PROXY_LOCAL_NET_IP:8080/AUTH/v1.0 -U system:root -K
>> testpass stat
>
>
>
> *OUTPUT:*
>
>> root at mo-ad1469a10:/home/c52xxx74# swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
>> -U system:root -K testpass stat
>> Account HEAD failed: https://10.173.0.66:8080/v1/AUTH_system 401
>> Unauthorized
>> root at mo-ad1469a10:/home/c52xxx74# curl -k -v -H 'X-Storage-User:
>> system:root' -H 'X-Storage-Pass: testpass' https://
>> $PROXY_LOCAL_NET_IP:8080/auth/v1.0
>> * About to connect() to 10.173.0.66 port 8080 (#0)
>> *   Trying 10.173.0.66... connected
>> * successfully set certificate verify locations:
>> *   CAfile: none
>>   CApath: /etc/ssl/certs
>> * SSLv3, TLS handshake, Client hello (1):
>> * SSLv3, TLS handshake, Server hello (2):
>> * SSLv3, TLS handshake, CERT (11):
>> * SSLv3, TLS handshake, Server finished (14):
>> * SSLv3, TLS handshake, Client key exchange (16):
>> * SSLv3, TLS change cipher, Client hello (1):
>> * SSLv3, TLS handshake, Finished (20):
>> * SSLv3, TLS change cipher, Client hello (1):
>> * SSLv3, TLS handshake, Finished (20):
>> * SSL connection using AES256-SHA
>> * Server certificate:
>> *        subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
>> *        start date: 2014-01-29 00:34:55 GMT
>> *        expire date: 2014-02-28 00:34:55 GMT
>> * SSL: unable to obtain common name from peer certificate
>> > GET /auth/v1.0 HTTP/1.1
>> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
>> OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
>> > Host: 10.173.0.66:8080
>> > Accept: */*
>> > X-Storage-User: system:root
>> > X-Storage-Pass: testpass
>> >
>> < HTTP/1.1 200 OK
>> < X-Storage-Url: https://10.173.0.66:8080/v1/AUTH_system
>> < X-Auth-Token: AUTH_tk43103ea556414c57a5aecad62155a8e4
>> < Content-Type: text/html; charset=UTF-8
>> < X-Storage-Token: AUTH_tk43103ea556414c57a5aecad62155a8e4
>> < Content-Length: 0
>> < Date: Mon, 10 Feb 2014 21:41:54 GMT
>> <
>> * Connection #0 to host 10.173.0.66 left intact
>> * Closing connection #0
>> * SSLv3, TLS alert, Client hello (1):
>> root at mo-ad1469a10:/home/c52xxx74# curl -k -v -H 'X-Auth-Token:
>> AUTH_tk43103ea556414c57a5aecad62155a8e4'
>> https://10.173.0.66:8080/v1/AUTH_system
>> * About to connect() to 10.173.0.66 port 8080 (#0)
>> *   Trying 10.173.0.66... connected
>> * successfully set certificate verify locations:
>> *   CAfile: none
>>   CApath: /etc/ssl/certs
>> * SSLv3, TLS handshake, Client hello (1):
>> * SSLv3, TLS handshake, Server hello (2):
>> * SSLv3, TLS handshake, CERT (11):
>> * SSLv3, TLS handshake, Server finished (14):
>> * SSLv3, TLS handshake, Client key exchange (16):
>> * SSLv3, TLS change cipher, Client hello (1):
>> * SSLv3, TLS handshake, Finished (20):
>> * SSLv3, TLS change cipher, Client hello (1):
>> * SSLv3, TLS handshake, Finished (20):
>> * SSL connection using AES256-SHA
>> * Server certificate:
>> *        subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
>> *        start date: 2014-01-29 00:34:55 GMT
>> *        expire date: 2014-02-28 00:34:55 GMT
>> * SSL: unable to obtain common name from peer certificate
>> > GET /v1/AUTH_system HTTP/1.1
>> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
>> OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
>> > Host: 10.173.0.66:8080
>> > Accept: */*
>> > X-Auth-Token: AUTH_tk43103ea556414c57a5aecad62155a8e4
>> >
>> < HTTP/1.1 401 Unauthorized
>> < Content-Length: 131
>> < Content-Type: text/html; charset=UTF-8
>> < Date: Mon, 10 Feb 2014 21:43:29 GMT
>> <
>> * Connection #0 to host 10.173.0.66 left intact
>> * Closing connection #0
>> * SSLv3, TLS alert, Client hello (1):
>> <html><h1>Unauthorized</h1><p>This server could not verify that you are
>> authorized to access the document you requested.</p></html>root at mo-ad1469a10
>> :/home/c52xxx74#
>> root at mo-ad1469a10:/home/c52xxx74# swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
>> -U system:root -K testpass stat
>> Account HEAD failed: https://10.173.0.66:8080/v1/AUTH_system 401
>> Unauthorized
>
>
>
> *PROXY-SERVER.CONF*
>
>> [DEFAULT]
>> cert_file = /etc/swift/cert.crt
>> key_file = /etc/swift/cert.key
>> bind_port = 8080
>> workers = 8
>> user = swift
>> [pipeline:main]
>> pipeline = healthcheck proxy-logging cache tempauth proxy-logging
>> proxy-server
>> [app:proxy-server]
>> use = egg:swift#proxy
>> allow_account_management = true
>> account_autocreate = true
>> [filter:proxy-logging]
>> use = egg:swift#proxy_logging
>> [filter:tempauth]
>> use = egg:swift#tempauth
>> user_system_root = testpass .admin
>> https://10.173.0.66:8080/v1/AUTH_system
>> [filter:healthcheck]
>> use = egg:swift#healthcheck
>> [filter:cache]
>> use = egg:swift#memcache
>> memcache_servers = 10.173.0.66:11211
>
>
>
> What am I missing here?
>
>
>
> *Adam Lawson*
>
>
>
> On Fri, Feb 7, 2014 at 6:19 PM, John Dickinson <me at not.mn> wrote:
>
>> In the output you pasted, you don't have any successful response. I'd
>> suggest looking at the tempauth stanza in the proxy server conf to make
>> sure the users are set up correctly.
>>
>> --John
>>
>>
>>
>> On Feb 7, 2014, at 4:55 PM, Adam Lawson <alawson at aqorn.com> wrote:
>>
>> > To help with troubleshooting, here is what I've executed thus far on my
>> proxy node...
>> > Obvious problem/symptom = inability to verify a new Swift install from
>> scratch due to 401 Unauthorized.
>> >       * 1x proxy node
>> >       * 5x storage nodes
>> > I'll continue working this but anyone have any thoughts? See email to
>> -operators list for further history.
>> >
>> > Thanks!
>> > Adam
>> >
>> > Below is a bash history/output of what is happening right now:
>> > login as: c5201274
>> > c5201274 at 10.173.0.66's password:
>> > Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-55-generic x86_64)
>> >  * Documentation:  https://help.ubuntu.com/
>> > Last login: Thu Feb  6 21:05:32 2014 from 10.7.106.110
>> >  Powered by Monsoon (Version 2.2.465)          Platform: ubuntu 12.04
>> >  Hostname     : mo-ad1469a10.mo.sap.corp       Name    : node0p
>> >  Organization : c5201274                       Project : swift_poc
>> >  Url          : https://monsoon.mo.sap.corp/instances/mo-ad1469a10
>> > c5201274 at mo-ad1469a10:~$ sudo su
>> > root at mo-ad1469a10:/home/c5201274# . credrc.sh
>> > root at mo-ad1469a10:/home/c5201274# swift-init proxy start
>> > proxy-server running (5502 - /etc/swift/proxy-server.conf)
>> > proxy-server already started...
>> > root at mo-ad1469a10:/home/c5201274# curl -k -v -H 'X-Storage-User:
>> test:tester' -H 'X-Storage-Pass: testing' https://
>> $PROXY_LOCAL_NET_IP:8080/auth/v1.0
>> > * About to connect() to 10.173.0.66 port 8080 (#0)
>> > *   Trying 10.173.0.66... connected
>> > * successfully set certificate verify locations:
>> > *   CAfile: none
>> >   CApath: /etc/ssl/certs
>> > * SSLv3, TLS handshake, Client hello (1):
>> > * SSLv3, TLS handshake, Server hello (2):
>> > * SSLv3, TLS handshake, CERT (11):
>> > * SSLv3, TLS handshake, Server finished (14):
>> > * SSLv3, TLS handshake, Client key exchange (16):
>> > * SSLv3, TLS change cipher, Client hello (1):
>> > * SSLv3, TLS handshake, Finished (20):
>> > * SSLv3, TLS change cipher, Client hello (1):
>> > * SSLv3, TLS handshake, Finished (20):
>> > * SSL connection using AES256-SHA
>> > * Server certificate:
>> > *        subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
>> > *        start date: 2014-01-29 00:34:55 GMT
>> > *        expire date: 2014-02-28 00:34:55 GMT
>> > * SSL: unable to obtain common name from peer certificate
>> > > GET /auth/v1.0 HTTP/1.1
>> > > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
>> OpenSSL/1.0.1 zlib/1.2.3.4libidn/1.23 librtmp/2.3
>> > > Host: 10.173.0.66:8080
>> > > Accept: */*
>> > > X-Storage-User: test:tester
>> > > X-Storage-Pass: testing
>> > >
>> > < HTTP/1.1 401 Unauthorized
>> > < Content-Length: 131
>> > < Content-Type: text/html; charset=UTF-8
>> > < Date: Fri, 07 Feb 2014 18:20:13 GMT
>> > <
>> > * Connection #0 to host 10.173.0.66 left intact
>> > * Closing connection #0
>> > * SSLv3, TLS alert, Client hello (1):
>> > <html><h1>Unauthorized</h1><p>This server could not verify that you are
>> authorized to access the document you requested.</p></html>root at mo-ad1469a10
>> :/home/c5201274#
>> > root at mo-ad1469a10:/home/c5201274# curl -k -v -H 'X-Auth-Token:
>> AUTH_tkf85b7788c36143ac99e5a5b42d95d628' https://
>> $PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
>> > * About to connect() to 10.173.0.66 port 8080 (#0)
>> > *   Trying 10.173.0.66... connected
>> > * successfully set certificate verify locations:
>> > *   CAfile: none
>> >   CApath: /etc/ssl/certs
>> > * SSLv3, TLS handshake, Client hello (1):
>> > * SSLv3, TLS handshake, Server hello (2):
>> > * SSLv3, TLS handshake, CERT (11):
>> > * SSLv3, TLS handshake, Server finished (14):
>> > * SSLv3, TLS handshake, Client key exchange (16):
>> > * SSLv3, TLS change cipher, Client hello (1):
>> > * SSLv3, TLS handshake, Finished (20):
>> > * SSLv3, TLS change cipher, Client hello (1):
>> > * SSLv3, TLS handshake, Finished (20):
>> > * SSL connection using AES256-SHA
>> > * Server certificate:
>> > *        subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
>> > *        start date: 2014-01-29 00:34:55 GMT
>> > *        expire date: 2014-02-28 00:34:55 GMT
>> > * SSL: unable to obtain common name from peer certificate
>> > > GET /v1/AUTH_system HTTP/1.1
>> > > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
>> OpenSSL/1.0.1 zlib/1.2.3.4libidn/1.23 librtmp/2.3
>> > > Host: 10.173.0.66:8080
>> > > Accept: */*
>> > > X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628
>> > >
>> > < HTTP/1.1 401 Unauthorized
>> > < Content-Length: 131
>> > < Content-Type: text/html; charset=UTF-8
>> > < Date: Fri, 07 Feb 2014 18:21:22 GMT
>> > <
>> > * Connection #0 to host 10.173.0.66 left intact
>> > * Closing connection #0
>> > * SSLv3, TLS alert, Client hello (1):
>> > <html><h1>Unauthorized</h1><p>This server could not verify that you are
>> authorized to access the document you requested.</p></html>root at mo-ad1469a10:/home/c5201274#
>> ^C
>> > root at mo-ad1469a10:/home/c5201274# ^C
>> > root at mo-ad1469a10:/home/c5201274# curl -k -v -H 'X-Auth-Token:
>> AUTH_tkf85b7788c36143ac99e5a5b42d95d628' https://
>> $PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
>> > * About to connect() to 10.173.0.66 port 8080 (#0)
>> > *   Trying 10.173.0.66... connected
>> > * successfully set certificate verify locations:
>> > *   CAfile: none
>> >   CApath: /etc/ssl/certs
>> > * SSLv3, TLS handshake, Client hello (1):
>> > * SSLv3, TLS handshake, Server hello (2):
>> > * SSLv3, TLS handshake, CERT (11):
>> > * SSLv3, TLS handshake, Server finished (14):
>> > * SSLv3, TLS handshake, Client key exchange (16):
>> > * SSLv3, TLS change cipher, Client hello (1):
>> > * SSLv3, TLS handshake, Finished (20):
>> > * SSLv3, TLS change cipher, Client hello (1):
>> > * SSLv3, TLS handshake, Finished (20):
>> > * SSL connection using AES256-SHA
>> > * Server certificate:
>> > *        subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
>> > *        start date: 2014-01-29 00:34:55 GMT
>> > *        expire date: 2014-02-28 00:34:55 GMT
>> > * SSL: unable to obtain common name from peer certificate
>> > > GET /v1/AUTH_system HTTP/1.1
>> > > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
>> OpenSSL/1.0.1 zlib/1.2.3.4libidn/1.23 librtmp/2.3
>> > > Host: 10.173.0.66:8080
>> > > Accept: */*
>> > > X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628
>> > >
>> > < HTTP/1.1 401 Unauthorized
>> > < Content-Length: 131
>> > < Content-Type: text/html; charset=UTF-8
>> > < Date: Fri, 07 Feb 2014 18:22:52 GMT
>> > <
>> > * Connection #0 to host 10.173.0.66 left intact
>> > * Closing connection #0
>> > * SSLv3, TLS alert, Client hello (1):
>> > <html><h1>Unauthorized</h1><p>This server could not verify that you are
>> authorized to access the document you requ
>> > root at mo-ad1469a10:/home/c5201274# swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
>> -U test:tester -K testing stat
>> > Auth GET failed: https://10.173.0.66:8080/auth/v1.0 401 Unauthorized
>> > root at mo-ad1469a10:/home/c5201274#
>> >
>> >
>> > Adam Lawson
>> >
>> >
>> >
>> > On Thu, Feb 6, 2014 at 1:57 PM, Adam Lawson <alawson at aqorn.com> wrote:
>> > Hey OpenStack peeps!
>> >
>> > I'm trying to verify a Swift manual installation with 1x proxy and 5x
>> storage nodes. I turned on all services with no errors (well, no errors I
>> didn't fix anyway).
>> > My problem is with trying to create an account and heading it. Below is
>> what I'm scripting as I go along.
>> >
>> > I executed Step1 successfully using system:root as the user. But when I
>> executed Step2, I received a 401 Unauthorized reply.
>> > Undaunted I executed Step3 which produced nothing. I then tried running
>> Step1 again as shown below with test:tester as the user (thinking it was
>> because I don't actually run as root but I run commands via sudo) and now
>> it always gives me 401 unauthorized replies.
>> >
>> > Is this an obvious problem with an easy remedy?
>> >
>> >
>> > # 1 Acquire X-Storage-Url and X-Auth-Token
>> > curl -k -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass:
>> testing' https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
>> >
>> > # 2 Test HEAD account process
>> > # SAMPLE: curl -k -v -H 'X-Auth-Token: <token-from-x-auth-token-above>'
>> <url-from-x-storage-url-above>
>> > curl -k -v -H 'X-Auth-Token: AUTH_tkf85b7788c36143ac99e5a5b42d95d628'
>> https://$PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
>> >
>> > # Test Swift is actually working
>> > swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0 -U system:testuser
>> -K testpass stat
>> >
>> > Thoughts?
>> >
>> > Adam Lawson
>> >
>> >
>>
>>
>