[Openstack] Swift/Keystone authentication problem?

Ali, Haneef haneef.ali at hp.com
Fri Mar 7 15:39:31 UTC 2014


Did you check here?



From: mehmet hacısalihoğlu [mailto:esedmehmet at gmail.com]
Sent: Friday, March 07, 2014 3:33 AM
To: Adam Young
Cc: openstack at lists.openstack.org
Subject: Re: [Openstack] Swift/Keystone authentication problem?

Hi Adam,

You can try command in thhis link ( http://docs.openstack.org/grizzly/openstack-compute/admin/content/configuring-swift-to-use-keystone.html )
Thanks

2014-03-06 20:58 GMT+02:00 Adam Young <ayoung at redhat.com<mailto:ayoung at redhat.com>>:
On 03/03/2014 02:24 PM, Adam Lawson wrote:
Hola folks!


I had a working Swift deployment (one proxy, 10 storage nodes) using tempauth/swauth and with that config everything works fine. Add/remove objects, list etc. I am now in the process of trying to integrate Keystone and getting confused with number of possible problems the more I research so I figured I'd post it here.

I built a new Keystone server using the following documents: Configuring keystone<http://docs.openstack.org/developer/keystone/configuration.html> I also updated Swift to use Keystone using the following document: Configure Swift to Use Keystone<http://docs.openstack.org/developer/swift/overview_auth.html#configuring-swift-to-use-keystone>

Problem: Unable to authenticate using service:swift + "password". I'm mostly getting 401 Connection Refused errors and service catalog errors, depending which method I try. What am I missing?


Sounds like an SSL problem.  Make sure your swift auth_token section has the appropriate values set for SSL certs.



User-list in Keystone:



$ keystone user-list`<br>

+----------------------------------+---------+-------+-------+

|                id                | enabled | email |  name |

+----------------------------------+---------+-------+-------+

| 3b26d681b7b5448b94c563b1d8bb55fd | True    | None  | admin |

| e186d19ab0ab4cc681b24196e76b9032 | True    | None  | swift |

+----------------------------------+---------+-------+-------+

User-get in Keystone:



$ keystone user-get e186d19ab0ab4cc681b24196e76b9032

+----------+----------------------------------+

| Property |              Value               |

+----------+----------------------------------+

| email    | None                             |

| enabled  | True                             |

| id       | e186d19ab0ab4cc681b24196e76b9032 |

| name     | swift                            |

| tenantId | 7e9b8a64252340c2ba4dd292acf18e80 |

+----------+----------------------------------+

Tenant-list in Keystone:



$ keystone tenant-list

+----------------------------------+---------+---------+

|                id                |   name  | enabled |

+----------------------------------+---------+---------+

| 539749c631044f64be5f29066ae486c4 | demo    | True    |

| 6140b18239284cce8b51305649dbb792 | admin   | True    |

| 7e9b8a64252340c2ba4dd292acf18e80 | service | True    |

+----------------------------------+---------+---------+

Role-list in Keystone:



$ keystone role-list

+----------------------------------+-------+

|                id                |  name |

+----------------------------------+-------+

| 6d64ff8265d6404983d774e34159dcd5 | admin |

+----------------------------------+-------+

Service-list in keystone



$ keystone service-list

+----------------------------------+----------+--------------+------------------+

|                id                |   name   |     type     |   description    |

+----------------------------------+----------+--------------+------------------+

| 0b2248b31e37499192d4e3cdf4288223 | keystone | identity     | Identity Service |

| 5ef2c32abd274473ab8b42f480feeb72 | swift    | object-store | Swift Service    |

+----------------------------------+----------+--------------+------------------+

Endpoint-list in Keystone:



$ keystone endpoint-list

+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+

|                id                |   region  |                   publicurl                    |                  internalurl                   |            adminurl            |

+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+

| 46600a4c54a94eee881e9a4a2c648b8b | RegionOne | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s<http://10.173.0.165:8888/v1/AUTH_%25%28tenant_id%29s> | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s<http://10.173.0.165:8888/v1/AUTH_%25%28tenant_id%29s> | http://10.173.0!<http://10.173.0.165:8888/v1>

 .165:8888/<http://10.173.0.165:8888/v1>

v1<http://10.173.0.165:8888/v1>    |

| 660c5babbe7746d485d31d85353ab1b8 | RegionOne | http://10.173.0.165.:5000/v2.0                 | http://10.173.0.165:5000/v2.0                  | http://10.173.0.165:35357/v2.0 |

+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+

/etc/swift/proxy-server.conf on Swift proxy:



[DEFAULT]

cert_file = /etc/swift/cert.crt

key_file = /etc/swift/cert.key

bind_port = 8080

workers = 8

user = swift



[pipeline:main]

pipeline = healthcheck proxy-logging cache authtoken keystoneauth proxy-logging proxy-server



[app:proxy-server]

use = egg:swift#proxy

allow_account_management = true

account_autocreate = true



[filter:proxy-logging]

use = egg:swift#proxy_logging



[filter:tempauth]

use = egg:swift#tempauth

user_system_root = testpass .admin



[filter:healthcheck]

use = egg:swift#healthcheck



[filter:cache]

use = egg:swift#memcache

memcache_servers = 10.173.0.66:11211



[filter:authtoken]

paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory

auth_host = 10.173.0.165

auth_port = 35357

auth_protocol = http

auth_uri = http://10.173.0.165:5000/<http://10.173.0.165:5000/>

admin_tenant_name = service

admin_user = swift

admin_password = password

cache = swift.cache

include_service_catalog = True



[filter:keystoneauth]

use = egg:swift#keystoneauth

operator_roles = admin, swiftoperator

Test command:



export OS_AUTH_URL=http://10.173.0.165:5000/v2.0<http://10.173.0.165:5000/v2.0>

export OS_USERNAME=swift

export OS_PASSWORD=password

swift -V 2 stat

Command output:



    raise exceptions.EmptyCatalog('The service catalog is empty.')

keystoneclient.exceptions.EmptyCatalog: The service catalog is empty.

Other commands I've tried include:



 swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v2 -U !

 service:sw

ift -K password stat

...which also fail for other reasons...



Auth GET failed: https://10.173.0.66:8080/auth/v2<http://10.173.0.66:8080/auth/v2> 401 Unauthorized

Thoughts? I'm stumped.

Adam Lawson
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620<tel:%28888%29%20406-7620>
[http://www.aqorn.com/images/logo.png]


_______________________________________________

Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Post to     : openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>

Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140307/4d6bf9d2/attachment.html>


More information about the Openstack mailing list