[Openstack] Swift/Keystone authentication problem?
mehmet hacısalihoğlu
esedmehmet at gmail.com
Fri Mar 7 11:32:41 UTC 2014
Hi Adam,
You can try command in thhis link (
http://docs.openstack.org/grizzly/openstack-compute/admin/content/configuring-swift-to-use-keystone.html)
Thanks
2014-03-06 20:58 GMT+02:00 Adam Young <ayoung at redhat.com>:
> On 03/03/2014 02:24 PM, Adam Lawson wrote:
>
> Hola folks!
>
> I had a working Swift deployment (one proxy, 10 storage nodes) using
> tempauth/swauth and with that config everything works fine. Add/remove
> objects, list etc. I am now in the process of trying to integrate Keystone
> and getting confused with number of possible problems the more I research
> so I figured I'd post it here.
>
> I built a new Keystone server using the following documents: Configuring
> keystone <http://docs.openstack.org/developer/keystone/configuration.html> I
> also updated Swift to use Keystone using the following document: Configure
> Swift to Use Keystone<http://docs.openstack.org/developer/swift/overview_auth.html#configuring-swift-to-use-keystone>
>
> Problem: Unable to authenticate using service:swift + "password". I'm
> mostly getting 401 Connection Refused errors and service catalog errors,
> depending which method I try. What am I missing?
>
>
>
> Sounds like an SSL problem. Make sure your swift auth_token section has
> the appropriate values set for SSL certs.
>
> *User-list in Keystone:*
>
> $ keystone user-list`<br>
> +----------------------------------+---------+-------+-------+
> | id | enabled | email | name |
> +----------------------------------+---------+-------+-------+
> | 3b26d681b7b5448b94c563b1d8bb55fd | True | None | admin |
> | e186d19ab0ab4cc681b24196e76b9032 | True | None | swift |
> +----------------------------------+---------+-------+-------+
>
> *User-get in Keystone:*
>
> $ keystone user-get e186d19ab0ab4cc681b24196e76b9032+----------+----------------------------------+| Property | Value |+----------+----------------------------------+| email | None || enabled | True || id | e186d19ab0ab4cc681b24196e76b9032 || name | swift || tenantId | 7e9b8a64252340c2ba4dd292acf18e80 |+----------+----------------------------------+
>
> *Tenant-list in Keystone:*
>
> $ keystone tenant-list+----------------------------------+---------+---------+| id | name | enabled |+----------------------------------+---------+---------+| 539749c631044f64be5f29066ae486c4 | demo | True || 6140b18239284cce8b51305649dbb792 | admin | True || 7e9b8a64252340c2ba4dd292acf18e80 | service | True |+----------------------------------+---------+---------+
>
> *Role-list in Keystone:*
>
> $ keystone role-list+----------------------------------+-------+| id | name |+----------------------------------+-------+| 6d64ff8265d6404983d774e34159dcd5 | admin |+----------------------------------+-------+
>
> *Service-list in keystone*
>
> $ keystone service-list+----------------------------------+----------+--------------+------------------+| id | name | type | description |+----------------------------------+----------+--------------+------------------+| 0b2248b31e37499192d4e3cdf4288223 | keystone | identity | Identity Service || 5ef2c32abd274473ab8b42f480feeb72 | swift | object-store | Swift Service |+----------------------------------+----------+--------------+------------------+
>
> *Endpoint-list in Keystone:*
>
> $ keystone endpoint-list+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+| id | region | publicurl | internalurl | adminurl |+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+| 46600a4c54a94eee881e9a4a2c648b8b | RegionOne | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0!
> .165:8888/
> v1 <http://10.173.0.165:8888/v1> || 660c5babbe7746d485d31d85353ab1b8 | RegionOne | http://10.173.0.165.:5000/v2.0 | http://10.173.0.165:5000/v2.0 | http://10.173.0.165:35357/v2.0 |+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
>
> */etc/swift/proxy-server.conf on Swift proxy:*
>
> [DEFAULT]
> cert_file = /etc/swift/cert.crt
> key_file = /etc/swift/cert.key
> bind_port = 8080
> workers = 8
> user = swift
> [pipeline:main]
> pipeline = healthcheck proxy-logging cache authtoken keystoneauth proxy-logging proxy-server
> [app:proxy-server]use = egg:swift#proxy
> allow_account_management = true
> account_autocreate = true
> [filter:proxy-logging]use = egg:swift#proxy_logging
> [filter:tempauth]use = egg:swift#tempauth
> user_system_root = testpass .admin
> [filter:healthcheck]use = egg:swift#healthcheck
> [filter:cache]use = egg:swift#memcache
> memcache_servers = 10.173.0.66:11211
> [filter:authtoken]
> paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
> auth_host = 10.173.0.165
> auth_port = 35357
> auth_protocol = http
> auth_uri = http://10.173.0.165:5000/
> admin_tenant_name = service
> admin_user = swift
> admin_password = password
> cache = swift.cache
> include_service_catalog = True
> [filter:keystoneauth]use = egg:swift#keystoneauth
> operator_roles = admin, swiftoperator
>
> *Test command:*
>
> export OS_AUTH_URL=http://10.173.0.165:5000/v2.0export OS_USERNAME=swiftexport OS_PASSWORD=password
> swift -V 2 stat
>
> *Command output:*
>
> raise exceptions.EmptyCatalog('The service catalog is empty.')
> keystoneclient.exceptions.EmptyCatalog: The service catalog is empty.
>
> Other commands I've tried include:
>
> swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v2 -U !
> service:sw
> ift -K password stat
>
> *...which also fail for other reasons...*
>
> Auth GET failed: https://10.173.0.66:8080/auth/v2 401 Unauthorized
>
> Thoughts? I'm stumped.
>
> * Adam Lawson*
> AQORN, Inc.
> 427 North Tatnall Street
> Ste. 58461
> Wilmington, Delaware 19801-2230
> Toll-free: (888) 406-7620
>
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140307/7aa4ed33/attachment.html>
More information about the Openstack
mailing list