[Openstack] Swift/Keystone authentication problem?

Adam Lawson alawson at aqorn.com
Mon Mar 3 19:24:08 UTC 2014


Hola folks!

I had a working Swift deployment (one proxy, 10 storage nodes) using
tempauth/swauth and with that config everything works fine. Add/remove
objects, list etc. I am now in the process of trying to integrate Keystone
and getting confused with the number of possible problems the more I research
so I figured I'd post it here.

I built a new Keystone server using the following documents: Configuring
keystone <http://docs.openstack.org/developer/keystone/configuration.html>. I
also updated Swift to use Keystone using the following document: Configure
Swift to Use Keystone <http://docs.openstack.org/developer/swift/overview_auth.html#configuring-swift-to-use-keystone>

Problem: Unable to authenticate using service:swift + "password". I'm
mostly getting 401 Connection Refused errors and service catalog errors,
depending on which method I try. What am I missing?

*User-list in Keystone:*

$ keystone user-list
+----------------------------------+---------+-------+-------+
|                id                | enabled | email |  name |
+----------------------------------+---------+-------+-------+
| 3b26d681b7b5448b94c563b1d8bb55fd | True    | None  | admin |
| e186d19ab0ab4cc681b24196e76b9032 | True    | None  | swift |
+----------------------------------+---------+-------+-------+

*User-get in Keystone:*

$ keystone user-get e186d19ab0ab4cc681b24196e76b9032
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | e186d19ab0ab4cc681b24196e76b9032 |
| name     | swift                            |
| tenantId | 7e9b8a64252340c2ba4dd292acf18e80 |
+----------+----------------------------------+

*Tenant-list in Keystone:*

$ keystone tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 539749c631044f64be5f29066ae486c4 | demo    | True    |
| 6140b18239284cce8b51305649dbb792 | admin   | True    |
| 7e9b8a64252340c2ba4dd292acf18e80 | service | True    |
+----------------------------------+---------+---------+

*Role-list in Keystone:*

$ keystone role-list
+----------------------------------+-------+
|                id                |  name |
+----------------------------------+-------+
| 6d64ff8265d6404983d774e34159dcd5 | admin |
+----------------------------------+-------+

*Service-list in Keystone:*

$ keystone service-list
+----------------------------------+----------+--------------+------------------+
|                id                |   name   |     type     |   description    |
+----------------------------------+----------+--------------+------------------+
| 0b2248b31e37499192d4e3cdf4288223 | keystone | identity     | Identity Service |
| 5ef2c32abd274473ab8b42f480feeb72 | swift    | object-store | Swift Service    |
+----------------------------------+----------+--------------+------------------+

*Endpoint-list in Keystone:*

$ keystone endpoint-list
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
|                id                |   region  |                   publicurl                    |                  internalurl                   |            adminurl            |
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
| 46600a4c54a94eee881e9a4a2c648b8b | RegionOne | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1    |
| 660c5babbe7746d485d31d85353ab1b8 | RegionOne | http://10.173.0.165.:5000/v2.0                 | http://10.173.0.165:5000/v2.0                  | http://10.173.0.165:35357/v2.0 |
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+

*/etc/swift/proxy-server.conf on Swift proxy:*

[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
bind_port = 8080
workers = 8
user = swift

[pipeline:main]
pipeline = healthcheck proxy-logging cache authtoken keystoneauth proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:proxy-logging]
use = egg:swift#proxy_logging

[filter:tempauth]
use = egg:swift#tempauth
user_system_root = testpass .admin

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = 10.173.0.66:11211

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 10.173.0.165
auth_port = 35357
auth_protocol = http
auth_uri = http://10.173.0.165:5000/
admin_tenant_name = service
admin_user = swift
admin_password = password
cache = swift.cache
include_service_catalog = True

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator

*Test command:*

export OS_AUTH_URL=http://10.173.0.165:5000/v2.0
export OS_USERNAME=swift
export OS_PASSWORD=password
swift -V 2 stat

*Command output:*

    raise exceptions.EmptyCatalog('The service catalog is empty.')
keystoneclient.exceptions.EmptyCatalog: The service catalog is empty.

Other commands I've tried include:

 swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v2 -U service:swift -K password stat

*...which also fail for other reasons...*

Auth GET failed: https://10.173.0.66:8080/auth/v2 401 Unauthorized

Thoughts? I'm stumped.

*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620
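
Added example, not part of the original message: a consistency check that compares the proxy-server.conf, the object-store endpoint and the client environment quoted in the post. The helper name `audit` is hypothetical and the inlined inputs are constructed, trimmed from the values shown above.

```python
import configparser
from urllib.parse import urlsplit

# Constructed inputs, trimmed from the values quoted in the post.
PROXY_CONF = """
[DEFAULT]
cert_file = /etc/swift/cert.crt
bind_port = 8080
[filter:keystoneauth]
operator_roles = admin, swiftoperator
"""
SWIFT_PUBLICURL = "http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s"
KEYSTONE_ROLES = {"admin"}
CLIENT_ENV = {"OS_AUTH_URL": "http://10.173.0.165:5000/v2.0",
              "OS_USERNAME": "swift", "OS_PASSWORD": "password"}


def audit(conf_text, publicurl, keystone_roles, client_env):
    """Hypothetical helper: list mismatches between proxy, catalog and client."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    defaults, url, findings = cp.defaults(), urlsplit(publicurl), []

    # The object-store endpoint must name the port the proxy binds to.
    bind_port = int(defaults.get("bind_port", "8080"))
    if url.port != bind_port:
        findings.append(f"port: endpoint uses {url.port}, proxy binds {bind_port}")

    # cert_file in [DEFAULT] makes the proxy serve TLS, so the URL must be https.
    proxy_scheme = "https" if "cert_file" in defaults else "http"
    if url.scheme != proxy_scheme:
        findings.append(f"scheme: endpoint is {url.scheme}, proxy serves {proxy_scheme}")

    # keystoneauth can only match operator roles that exist in Keystone.
    raw = cp.get("filter:keystoneauth", "operator_roles", fallback="")
    wanted = {r.strip() for r in raw.split(",") if r.strip()}
    for role in sorted(wanted - set(keystone_roles)):
        findings.append(f"role: operator role '{role}' is not defined in Keystone")

    # Without a tenant the v2.0 token is unscoped and carries no service catalog.
    scoped = (client_env.get("OS_TENANT_NAME") or client_env.get("OS_TENANT_ID")
              or ":" in client_env.get("OS_USERNAME", ""))
    if not scoped:
        findings.append("scope: no tenant set, token is unscoped (empty catalog)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(PROXY_CONF, SWIFT_PUBLICURL, KEYSTONE_ROLES, CLIENT_ENV)))
```

Each finding is a place where two of the quoted outputs disagree; the check does not contact Keystone or Swift.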