← Back to team overview

openstack team mailing list archive

Re: swift tempURL requests yield 401 Unauthorized

 

I upgraded our test cluster to 1.7.4, and still have the same issue.
I also bumped the expires to time() + 600 and made sure the clocks on client and servers are in sync to the second (client was 2 minutes off earlier)
but so that didn't change anything. expires is def. higher than the current time on the server so..

any help appreciated.

thanks,
Dieter

On Fri, 19 Oct 2012 13:17:39 -0400
Dieter Plaetinck <dieter@xxxxxxxxxxxx> wrote:

> Hi,
> using swift 1.4.8 on Centos machines. (latest packages for centos.  note that i'm assuming tempurl works with this version merely because all the code seems to be there, i couldn't find clear docs on whether it should work or not?)
> I want to use the swift tempURL feature as per
> http://failverse.com/using-temporary-urls-on-rackspace-cloud-files/
> http://docs.rackspace.com/files/api/v1/cf-devguide/content/TempURL-d1a4450.html
> http://docs.rackspace.com/files/api/v1/cf-devguide/content/Set_Account_Metadata-d1a4460.html
> 
> TLDR: set up metadata correctly, but tempurl requests yield http 401, can't figure it out, _get_hmac() doesn't seem to be called.
> 
> First, I set the key metadata (this works fine) (tried both the swift CLI program as well as curl), and I tried setting it both on container level (container "uploads") as well as account level
> (though i would prefer container level)
> 
> alias vimeoswift=swift -A http://$ip:8080/auth/v1.0 -U system:root -K testpass'
> vimeoswift post -m Temp-Url-Key:key uploads
> vimeoswift post -m Temp-Url-Key:key
> curl -i -X POST -H X-Auth-Token:$t -H X-Account-Meta-Temp-URL-Key:key http://$ip:8080/v1/AUTH_system
> 
> this seems to work, because when I stat the account and the container, they
> show up:
> 
> 
> [root@dfvimeodfsproxy1 ~]# vimeoswift stat uploads
>   Account: AUTH_system
> Container: uploads
>   Objects: 1
>     Bytes: 1253
>  Read ACL: 
> Write ACL: 
>   Sync To: 
>  Sync Key: 
> Meta Temp-Url-Key: key <------------------
> Accept-Ranges: bytes
> [root@dfvimeodfsproxy1 ~]# vimeoswift stat        
>    Account: AUTH_system
> Containers: 1
>    Objects: 1
>      Bytes: 1253
> Meta Temp-Url-Key: key <------------------
> Accept-Ranges: bytes
> [root@dfvimeodfsproxy1 ~]# 
> 
> I have already put a file in container uploads (which I can retrieve just fine using an auth token):
> [root@dfvimeodfsproxy1 ~]# vimeoswift stat uploads mylogfile.log | grep 'Content Length'
> Content Length: 1253
> 
> now however, if i want to retrieve this file using the tempURL feature, it doesn't work:
> 
> using this script
> #!/usr/bin/python2
> import hmac
> from hashlib import sha1
> from time import time
> method = 'GET'
> expires = int(time() + 60)
> base = 'http://10.90.151.5:8080'
> path = '/v1/AUTH_system/uploads/mylogfile.log'
> key = 'key'
> hmac_body = '%s\n%s\n%s' % (method, expires, path)
> sig = hmac.new(key, hmac_body, sha1).hexdigest()
> print '%s%s?temp_url_sig=%s&temp_url_expires=%s' % (base, path, sig, expires)
> 
> ~ ❯ openstack-signed-url2.py
> http://10.90.151.5:8080/v1/AUTH_system/uploads/mylogfile.log?temp_url_sig=e700f568cd099a432890db00e263b29b999d3604&temp_url_expires=1350666309
> ~ ❯ wget 'http://10.90.151.5:8080/v1/AUTH_system/uploads/mylogfile.log?temp_url_sig=e700f568cd099a432890db00e263b29b999d3604&temp_url_expires=1350666309'
> --2012-10-19 13:04:14--  http://10.90.151.5:8080/v1/AUTH_system/uploads/mylogfile.log?temp_url_sig=e700f568cd099a432890db00e263b29b999d3604&temp_url_expires=1350666309
> Connecting to 10.90.151.5:8080... connected.
> HTTP request sent, awaiting response... 401 Unauthorized
> Authorization failed.
> 
> 
> I thought I could easily debug this myself by changing the _get_hmac()
> function
> in /usr/lib/python2.6/site-packages/swift/common/middleware/tempurl.py like so:
> 
>     def _get_hmac(self, env, expires, key, request_method=None):
>         """
>        (...)
>         """
>         if not request_method:
>             request_method = env['REQUEST_METHOD']
>         self.logger("getting HMAC for method %s, expires %s, path %s" % (request_method, expires, env['PATH_INFO']))
>         hmac = hmac.new(key, '%s\n%s\n%s' % (request_method, expires,
>             env['PATH_INFO']), sha1).hexdigest()
>         self.logger("hmac is " + hmac)
>         return hmac
> 
> 
> however, after restarting the proxy, I don't see my messages showing up
> anywhere (logging works otherwise, because proxy-server messages are showing
> up in /var/log/message, showing all incoming http requests and their responses
> 
> 
> any help is appreciated, thanks!
> 
> Dieter



References