← Back to team overview

openstack team mailing list archive

Re: swift tempURL requests yield 401 Unauthorized

 

thanks for the help.
along with your, and other people's in #openstack-swift on irc, we fixed it.

i had not added tempurl to the pipeline in proxy-server.conf. once that was
fixed, it worked immediately on 1.7, but not on 1.4 which started saying "500
Internal Server Error".  after some more tinkering, still couldn't get it to work.
ultimately i just upgraded this cluster to 1.7 too, and it worked straight away.

Dieter

On Wed, 24 Oct 2012 11:24:38 -0700
Orion Auld <orion@xxxxxxxxxxxxxx> wrote:

> First, is that the exact logging code that you have?  Because AFAIK,
> 
> self.logger("Message")
> 
> won't work.  self.logger is just the logger object.  You'd need to say
> something like:
> 
> self.logger.info("Message")
> 
> to see the message.  So you might try that, and then you can see what the
> issue is more clearly.  For me, it's usually one of the following, in order
> of likelihood:
> 
>    1. I bungled the TempUrlKey header name setting it with the swift
>    utility.
>    2. I have a mismatched TempUrlKey.
>    3. I forgot to set the TempUrlKey.
>    4. Clock skew.
> 
> -- Orion
> 
> >
> > Hi,
> > using swift 1.4.8 on Centos machines. (latest packages for centos.  note
> > that i'm assuming tempurl works with this version merely because all the
> > code seems to be there, i couldn't find clear docs on whether it should
> > work or not?)
> > I want to use the swift tempURL feature as per
> > http://failverse.com/using-temporary-urls-on-rackspace-cloud-files/
> >
> > http://docs.rackspace.com/files/api/v1/cf-devguide/content/TempURL-d1a4450.html
> >
> > http://docs.rackspace.com/files/api/v1/cf-devguide/content/Set_Account_Metadata-d1a4460.html
> >
> > TLDR: set up metadata correctly, but tempurl requests yield http 401,
> > can't figure it out, _get_hmac() doesn't seem to be called.
> >
> > First, I set the key metadata (this works fine) (tried both the swift CLI
> > program as well as curl), and I tried setting it both on container level
> > (container "uploads") as well as account level
> > (though i would prefer container level)
> >
> > alias vimeoswift=swift -A http://$ip:8080/auth/v1.0 -U system:root -K
> > testpass'
> > vimeoswift post -m Temp-Url-Key:key uploads
> > vimeoswift post -m Temp-Url-Key:key
> > curl -i -X POST -H X-Auth-Token:$t -H X-Account-Meta-Temp-URL-Key:key
> > http://$ip:8080/v1/AUTH_system
> >
> > this seems to work, because when I stat the account and the container, they
> > show up:
> >
> >
> > [root@dfvimeodfsproxy1 ~]# vimeoswift stat uploads
> >   Account: AUTH_system
> > Container: uploads
> >   Objects: 1
> >     Bytes: 1253
> >  Read ACL:
> > Write ACL:
> >   Sync To:
> >  Sync Key:
> > Meta Temp-Url-Key: key <------------------
> > Accept-Ranges: bytes
> > [root@dfvimeodfsproxy1 ~]# vimeoswift stat
> >    Account: AUTH_system
> > Containers: 1
> >    Objects: 1
> >      Bytes: 1253
> > Meta Temp-Url-Key: key <------------------
> > Accept-Ranges: bytes
> > [root@dfvimeodfsproxy1 ~]#
> >
> > I have already put a file in container uploads (which I can retrieve just
> > fine using an auth token):
> > [root@dfvimeodfsproxy1 ~]# vimeoswift stat uploads mylogfile.log | grep
> > 'Content Length'
> > Content Length: 1253
> >
> > now however, if i want to retrieve this file using the tempURL feature, it
> > doesn't work:
> >
> > using this script
> > #!/usr/bin/python2
> > import hmac
> > from hashlib import sha1
> > from time import time
> > method = 'GET'
> > expires = int(time() + 60)
> > base = 'http://10.90.151.5:8080'
> > path = '/v1/AUTH_system/uploads/mylogfile.log'
> > key = 'key'
> > hmac_body = '%s\n%s\n%s' % (method, expires, path)
> > sig = hmac.new(key, hmac_body, sha1).hexdigest()
> > print '%s%s?temp_url_sig=%s&temp_url_expires=%s' % (base, path, sig,
> > expires)
> >
> > ~ ❯ openstack-signed-url2.py
> >
> > http://10.90.151.5:8080/v1/AUTH_system/uploads/mylogfile.log?temp_url_sig=e700f568cd099a432890db00e263b29b999d3604&temp_url_expires=1350666309
> > ~ ❯ wget '
> > http://10.90.151.5:8080/v1/AUTH_system/uploads/mylogfile.log?temp_url_sig=e700f568cd099a432890db00e263b29b999d3604&temp_url_expires=1350666309
> > '
> > --2012-10-19 13:04:14--
> > http://10.90.151.5:8080/v1/AUTH_system/uploads/mylogfile.log?temp_url_sig=e700f568cd099a432890db00e263b29b999d3604&temp_url_expires=1350666309
> > Connecting to 10.90.151.5:8080... connected.
> > HTTP request sent, awaiting response... 401 Unauthorized
> > Authorization failed.
> >
> >
> > I thought I could easily debug this myself by changing the _get_hmac()
> > function
> > in /usr/lib/python2.6/site-packages/swift/common/middleware/tempurl.py
> > like so:
> >
> >     def _get_hmac(self, env, expires, key, request_method=None):
> >         """
> >        (...)
> >         """
> >         if not request_method:
> >             request_method = env['REQUEST_METHOD']
> >         self.logger("getting HMAC for method %s, expires %s, path %s" %
> > (request_method, expires, env['PATH_INFO']))
> >         hmac = hmac.new(key, '%s\n%s\n%s' % (request_method, expires,
> >             env['PATH_INFO']), sha1).hexdigest()
> >         self.logger("hmac is " + hmac)
> >         return hmac
> >
> >
> > however, after restarting the proxy, I don't see my messages showing up
> > anywhere (logging works otherwise, because proxy-server messages are
> > showing
> > up in /var/log/message, showing all incoming http requests and their
> > responses
> >
> >
> > any help is appreciated, thanks!
> >
> > Dieter
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~openstack
> > More help   : https://help.launchpad.net/ListHelp
> >
> >



References