[Openstack] Swift/Keystone authentication problem?

Adam Young ayoung at redhat.com
Thu Mar 6 18:58:44 UTC 2014


On 03/03/2014 02:24 PM, Adam Lawson wrote:
> Hola folks!
>
> I had a working Swift deployment (one proxy, 10 storage nodes) using 
> tempauth/swauth, and with that config everything works fine: add/remove 
> objects, list, etc. I am now in the process of trying to integrate 
> Keystone and getting more confused by the number of possible problems 
> the more I research, so I figured I'd post it here.
>
> I built a new Keystone server using the following documents: 
> Configuring keystone 
> <http://docs.openstack.org/developer/keystone/configuration.html> I 
> also updated Swift to use Keystone using the following document: 
> Configure Swift to Use Keystone 
> <http://docs.openstack.org/developer/swift/overview_auth.html#configuring-swift-to-use-keystone>
>
> Problem: Unable to authenticate using service:swift + "password". I'm 
> mostly getting 401 Connection Refused errors and service catalog 
> errors, depending which method I try. What am I missing?
>


Sounds like an SSL problem.  Make sure your swift auth_token section has 
the appropriate values set for SSL certs.

> *User-list in Keystone:*
>
> $ keystone user-list
> +----------------------------------+---------+-------+-------+
> |                id                | enabled | email |  name |
> +----------------------------------+---------+-------+-------+
> | 3b26d681b7b5448b94c563b1d8bb55fd | True    | None  | admin |
> | e186d19ab0ab4cc681b24196e76b9032 | True    | None  | swift |
> +----------------------------------+---------+-------+-------+
>
> *User-get in Keystone:*
>
> $ keystone user-get e186d19ab0ab4cc681b24196e76b9032
> +----------+----------------------------------+
> | Property |              Value               |
> +----------+----------------------------------+
> | email    | None                             |
> | enabled  | True                             |
> | id       | e186d19ab0ab4cc681b24196e76b9032 |
> | name     | swift                            |
> | tenantId | 7e9b8a64252340c2ba4dd292acf18e80 |
> +----------+----------------------------------+
>
> *Tenant-list in Keystone:*
>
> $ keystone tenant-list
> +----------------------------------+---------+---------+
> |                id                |   name  | enabled |
> +----------------------------------+---------+---------+
> | 539749c631044f64be5f29066ae486c4 | demo    | True    |
> | 6140b18239284cce8b51305649dbb792 | admin   | True    |
> | 7e9b8a64252340c2ba4dd292acf18e80 | service | True    |
> +----------------------------------+---------+---------+
>
> *Role-list in Keystone:*
>
> $ keystone role-list
> +----------------------------------+-------+
> |                id                |  name |
> +----------------------------------+-------+
> | 6d64ff8265d6404983d774e34159dcd5 | admin |
> +----------------------------------+-------+
>
> *Service-list in keystone*
>
> $ keystone service-list
> +----------------------------------+----------+--------------+------------------+
> |                id                |   name   |     type     |   description    |
> +----------------------------------+----------+--------------+------------------+
> | 0b2248b31e37499192d4e3cdf4288223 | keystone | identity     | Identity Service |
> | 5ef2c32abd274473ab8b42f480feeb72 | swift    | object-store | Swift Service    |
> +----------------------------------+----------+--------------+------------------+
>
> *Endpoint-list in Keystone:*
>
> $ keystone endpoint-list
> +----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
> |                id                |   region  |                   publicurl                    |                  internalurl                   |            adminurl            |
> +----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
> | 46600a4c54a94eee881e9a4a2c648b8b | RegionOne | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1    |
> | 660c5babbe7746d485d31d85353ab1b8 | RegionOne | http://10.173.0.165.:5000/v2.0                 | http://10.173.0.165:5000/v2.0                  | http://10.173.0.165:35357/v2.0 |
> +----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
>
> */etc/swift/proxy-server.conf on Swift proxy:*
>
> [DEFAULT]
> cert_file = /etc/swift/cert.crt
> key_file = /etc/swift/cert.key
> bind_port = 8080
> workers = 8
> user = swift
>
> [pipeline:main]
> pipeline = healthcheck proxy-logging cache authtoken keystoneauth proxy-logging proxy-server
>
> [app:proxy-server]
> use = egg:swift#proxy
> allow_account_management = true
> account_autocreate = true
>
> [filter:proxy-logging]
> use = egg:swift#proxy_logging
>
> [filter:tempauth]
> use = egg:swift#tempauth
> user_system_root = testpass.admin
>
> [filter:healthcheck]
> use = egg:swift#healthcheck
>
> [filter:cache]
> use = egg:swift#memcache
> memcache_servers = 10.173.0.66:11211
>
> [filter:authtoken]
> paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
> auth_host = 10.173.0.165
> auth_port = 35357
> auth_protocol = http
> auth_uri = http://10.173.0.165:5000/
> admin_tenant_name = service
> admin_user = swift
> admin_password = password
> cache = swift.cache
> include_service_catalog = True
>
> [filter:keystoneauth]
> use = egg:swift#keystoneauth
> operator_roles = admin, swiftoperator
>
> *Test command:*
>
> export OS_AUTH_URL=http://10.173.0.165:5000/v2.0
> export OS_USERNAME=swift
> export OS_PASSWORD=password
> swift -V 2 stat
>
> *Command output:*
>
>     raise exceptions.EmptyCatalog('The service catalog is empty.')
> keystoneclient.exceptions.EmptyCatalog: The service catalog is empty.
>
> Other commands I've tried include:
>
> swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v2 -U service:swift -K password stat
>
> *...which also fail for other reasons...*
>
> Auth GET failed: https://10.173.0.66:8080/auth/v2 401 Unauthorized
>
> Thoughts? I'm stumped.
>
> Adam Lawson
> AQORN, Inc.
> 427 North Tatnall Street
> Ste. 58461
> Wilmington, Delaware 19801-2230
> Toll-free: (888) 406-7620
>
>
>
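
An added example, not part of the original thread or of the Swift/Keystone code: a small Python check of the TLS-related settings the reply points at, run over a constructed excerpt of the quoted proxy-server.conf and the Swift endpoint from the quoted endpoint-list. The helper name and finding strings are hypothetical; `cafile` and `insecure` are auth_token middleware options, and `https` as the fallback for `auth_protocol` is assumed to match the middleware default.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: TLS-relevant lines of the proxy-server.conf quoted above.
SAMPLE_CONF = """
[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
bind_port = 8080

[filter:authtoken]
auth_host = 10.173.0.165
auth_port = 35357
auth_protocol = http
auth_uri = http://10.173.0.165:5000/
"""
# Swift publicurl as registered in the quoted endpoint-list.
SAMPLE_ENDPOINT = "http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s"


def check_tls_consistency(conf_text, swift_endpoint):
    """Hypothetical helper: list TLS settings that disagree with each other."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    defaults, tok, findings = cp.defaults(), cp["filter:authtoken"], []

    # The Swift proxy serves HTTPS once cert_file and key_file are set in [DEFAULT].
    has_cert = all(k in defaults for k in ("cert_file", "key_file"))
    proxy_scheme = "https" if has_cert else "http"
    proxy_port = int(defaults["bind_port"])
    ep = urlparse(swift_endpoint)
    if ep.scheme != proxy_scheme:
        findings.append(f"endpoint is {ep.scheme} but proxy serves {proxy_scheme}")
    if ep.port != proxy_port:
        findings.append(f"endpoint port {ep.port} != bind_port {proxy_port}")

    # auth_token -> Keystone leg: scheme, CA bundle and verification switch.
    auth_scheme = tok.get("auth_protocol", "https")  # assumed middleware default
    if urlparse(tok.get("auth_uri", "")).scheme not in ("", auth_scheme):
        findings.append("auth_uri scheme differs from auth_protocol")
    if auth_scheme == "http":
        findings.append("authtoken sends admin_password to Keystone without TLS")
    elif tok.get("insecure", "false").lower() in ("true", "1", "yes"):
        findings.append("insecure set: Keystone certificate is not verified")
    elif "cafile" not in tok:
        findings.append("no cafile: system CA bundle must trust Keystone's cert")
    return findings


if __name__ == "__main__":
    for finding in check_tls_consistency(SAMPLE_CONF, SAMPLE_ENDPOINT):
        print("WARN", finding)
```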
