openstack team mailing list archive
Message #07913
Swift with Keystone middleware -- Keep getting 401s from Swift (Launchpad question Question #179733 followup)
Hello all,
During the last few days I've been struggling to get Swift to use Keystone
middleware. Problem is that even if Keystone works fine when trying to
access the Swift configured with Keystone middleware I keep getting 401s,
no matter how I try i.e. which Swift url I try to access (admin_url,
internal or public):
So, after quite a bit of researching, collaborating different docs
(outdated to different degrees...) I found someone experienced the exact
same symptoms -- Question #179733 on Launchpad Q&A
https://answers.launchpad.net/swift/+question/179733
Now, I don't want to make this too long a mail by copy&paste too much
inline, so I've posted most of the stuff (commands, MySQL tables, config
files etc.) here:
http://pastebin.com/6YGzV9PA
My Setup is Ubuntu 11.10 x64, running "2011.3-d5-rcb8~oneiric" packages
from http://ops.rcb.me/packages/
My questions:
1) The format of the curl requests while testing keystone:
For some reason the format of curl requests (and returns) is different
from the latest docs. I.e. this works:
curl -s -d '{"tenantName": "MyTenant", "passwordCredentials": {"username":
"myuser", "password": "mypassword"}}' -H 'Content-type: application/json'
http://10.2.20.51:5001/v2.0/tokens
{"auth": {"token": {"expires": "2015-02-05T00:00:00", "id":
"999888777666"}, "serviceCatalog": {"keystone": [{"adminURL": "
http://10.2.20.51:5001/v2.0", "region": "RegionOne", "internalURL": "
http://10.2.20.51:5000/v2.0", "publicURL": "http://10.2.20.51:5000/v2.0"}],
"glance": [{"adminURL": "http://10.2.20.51:9292/v1.1/MyTenant", "region":
"RegionOne", "internalURL": "http://10.2.20.51:9292/v1.1/MyTenant",
"publicURL": "http://10.2.20.51:9292/v1.1/MyTenant"}], "swift":
[{"adminURL": "http://10.2.20.51:8080/", "region": "RegionOne",
"internalURL": "http://10.2.20.51:8080/v1/AUTH_MyTenant", "publicURL": "
http://10.2.20.51:8080/v1/AUTH_MyTenant"}], "nova": [{"adminURL": "
http://10.2.20.51:8774/v1.1/MyTenant", "region": "RegionOne",
"internalURL": "http://10.2.20.51:8774/v1.1/MyTenant", "publicURL": "
http://10.2.20.51:8774/v1.1/MyTenant"}]}}}
.... But specifying "auth" fails with a 400 code:
root@Swift1:/etc/swift# curl -s -d '{"auth": {"tenantName": "MyTenant",
"passwordCredentials": {"username": "myuser", "password": "mypassword"}}}'
-H 'Content-type: application/json' http://10.2.20.51:5001/v2.0/tokens |
python -mjson.tool
{
"badRequest": {
"code": "400",
"message": "Expecting passwordCredentials"
}
}
Any suggestions ? Am I missing something ?
2) In all the references I found the format of the Swift "admin_url" in
the endpointTemplate. I used "<IP>:8080", for the admin_url whereas the
internal and public are parameterized with %tenant_id% e.g. "
http://10.2.20.51:8080/v1/AUTH_%tenant_id%" . Is this correct i.e. not
even a version number ?
3) Last but most importantly -- my problem: Accessing Swift admin_url,
internal / public with the "keystone_admin_token" does result in a 401
(copying only the attempt to access the admin_url here):
root@Swift1:~# curl -v -H 'X-Auth-Token: AUTH_999888777666'
http://10.2.20.51:8080
* About to connect() to 10.2.20.51 port 8080 (#0)
* Trying 10.2.20.51... connected
* Connected to 10.2.20.51 (10.2.20.51) port 8080 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6
OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: 10.2.20.51:8080
> Accept: */*
> X-Auth-Token: AUTH_999888777666
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 358
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: txec38e4f2018240ffad2aeff57936cd96
< Date: Thu, 23 Feb 2012 20:03:35 GMT
<
<html>
<head>
<title>401 Unauthorized</title>
</head>
<body>
<h1>401 Unauthorized</h1>
This server could not verify that you are authorized to access the
document you requested. Either you supplied the wrong credentials (e.g.,
bad password), or your browser does not understand how to supply the
credentials required.<br /><br />
Sorry for cross-posting this on this list (instead of following up on
Question #179733 on launchpad) but the question on Launchpad doesn't list a
resolution and I couldn't get in touch with the person that originally
posted it.
Kind thanks in advance for the help,
Florian Otel
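
An added example, not part of the original message: a Python pre-flight check that parses the legacy-format token response shown above and compares the token and URL about to be sent to Swift against what Keystone issued. The function names and the trimmed sample response are constructed for illustration; the check reports mismatches and does not by itself establish why Swift returns 401.

```python
import json
from datetime import datetime

# Constructed sample: trimmed copy of the token response shape shown in the
# message (legacy layout: top-level "auth", catalog keyed by service name).
SAMPLE_RESPONSE = json.dumps({
    "auth": {
        "token": {"expires": "2015-02-05T00:00:00", "id": "999888777666"},
        "serviceCatalog": {
            "swift": [{
                "adminURL": "http://10.2.20.51:8080/",
                "region": "RegionOne",
                "internalURL": "http://10.2.20.51:8080/v1/AUTH_MyTenant",
                "publicURL": "http://10.2.20.51:8080/v1/AUTH_MyTenant",
            }],
        },
    }
})


def parse_token_response(body):
    """Return (token_id, expiry, {service: [endpoint dicts]})."""
    auth = json.loads(body)["auth"]
    token = auth["token"]
    expires = datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%S")
    return token["id"], expires, auth.get("serviceCatalog", {})


def preflight(body, sent_token, url, now):
    """List mismatches between a planned request and the Keystone response."""
    token_id, expires, catalog = parse_token_response(body)
    problems = []
    if sent_token != token_id:
        problems.append("X-Auth-Token %r differs from issued id %r"
                        % (sent_token, token_id))
    if now >= expires:
        problems.append("token expired at %s" % expires.isoformat())
    known = {ep[k].rstrip("/") for ep in catalog.get("swift", [])
             for k in ("adminURL", "internalURL", "publicURL") if k in ep}
    if url.rstrip("/") not in known:
        problems.append("%s is not a swift endpoint in the catalog" % url)
    return problems


if __name__ == "__main__":
    when = datetime(2012, 2, 23, 20, 3, 35)  # Date header of the 401 above
    for p in preflight(SAMPLE_RESPONSE, "AUTH_999888777666",
                       "http://10.2.20.51:8080", when):
        print(p)
```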