← Back to team overview

openstack team mailing list archive

[Swift][Keystone] Authentication problems with Swift and Keystone by Grizzly release

 

Heyho Guys,

i'm testing Swift and Keystone (Grizzly).

!NOTE!
I'm posting only the importent stuff (output, responses, configs)

I've upgraded and migrate the database, the migration are working not
correct (kyestone-manage db_sync) because in the role table will create
a new column but with NULL values and this will break the auth (first
issue).

The next command of keystone they you will need is
keystone-manage pki_setup => done without errors but you will need to
change the rights of the generated files.



#############
## Output / Log ###

My request to keystone are correct if i try to get a token with curl. I
get a token with all endpoints and other stuff.

        "token": {
            "expires": "2013-02-15T14:29:59Z",
            "id":
"MIIL-wYJKoZIhvcNAQcCoIIL8DCCC+wCAQExCTAHBgUrDgMCGjCCCtgGCSqGSIb3DQEHAaCCCskEggrFeyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0wMi0xNFQxNDoyOTo1OS44NDI0MjQiLCAiZXhwaXJlcyI6ICIyMDEzLTAyLTE1VDE0OjI5OjU5WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImVuYWJsZWQiOiB0cnVlLCAiaWQiOiAiNTY5NzdiYjVhMDU1NDc2MWJmMGViOWQ2Y2E3NzBkNzUiLCAibmFtZSI6ICJ0ZXN0aW5nIn19LCAic2VydmljZUNhdGFsb2ciOiBbeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODc3NC92Mi81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSIsICJyZWdpb24iOiAidGVzdGluZyIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODc3NC92Mi81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSIsICJpZCI6ICJiOGQ3YTQzMWZjY2M0MWY2YTYzMzFjZTY3NjBlYjI1ZSIsICJwdWJsaWNVUkwiOiAiaHR0cDovLzg4LjE5OC42LjE1Mjo4Nzc0L3YyLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImNvbXB1dGUiLCAibmFtZSI6ICJub3ZhIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjk2OTYiLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjAuMC4xOjk2OTYiLCAiaWQiOiAiM2ZjNTcxNzUyMDA3NDY3OWI3MTlkM2VmNTlmZGViYzMiLCAicHVibGljVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo5Njk2In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogIm5ldHdvcmsiLCAibmFtZSI6ICJxdWFudHVtIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjkyOTIvdjIiLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjAuMC4xOjkyOTIvdjIiLCAiaWQiOiAiMWZlZTllNDQ1NjNjNDcwYzhkNjFmNjE5NDNjYmIxM2YiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6OTI5Mi92MiJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJpbWFnZSIsICJuYW1lIjogImdsYW5jZSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo4Nzc2L3YxLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgInJlZ2lvbiI6ICJ0ZXN0aW5nIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo4Nzc2L3YxLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgImlkIjogIjFmMjVlMDUwMjdmMTRmNGI5MDFmMWFmNjJiZTZhMzAwIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vODguMTk4LjYuMTUyOjg3NzYvdjEvNTY5NzdiYjVhMDU1NDc2MWJmMGViOWQ2Y2E3NzBkNzUifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAidm9sdW1lIiwgIm5hbWUiOiAiY2luZGVyIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjg3NzMvc2VydmljZXMvQWRtaW4iLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjAuMC4xOjg3NzMvc2VydmljZXMvQ2xvdWQiLCAiaWQiOiAiMWIyZTViZjkzNTI2NGI2ODljZmZkZWViMTk1ZDRjMWQiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6ODc3My9zZXJ2aWNlcy9DbG91ZCJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJlYzIiLCAibmFtZSI6ICJlYzIifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODA4MC92MSIsICJyZWdpb24iOiAidGVzdGluZyIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODA4MC92MS9BVVRIXzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgImlkIjogIjI3YTEyYTBkMGI2ODQ2YjJhMDQzNjMwZmJlYzUwNmJhIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vODguMTk4LjYuMTUyOjgwODAvdjEvQVVUSF81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJvYmplY3Qtc3RvcmUiLCAibmFtZSI6ICJzd2lmdCJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC4wLjAuMTozNTM1Ny92Mi4wIiwgInJlZ2lvbiI6ICJ0ZXN0aW5nIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo1MDAwL3YyLjAiLCAiaWQiOiAiMDI2NWNmOTUyZDRmNGZhYWEyZjdlZGIzNGZlMGQxYTUiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6NTAwMC92Mi4wIn1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImlkZW50aXR5IiwgIm5hbWUiOiAia2V5c3RvbmUifV0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJkbGVpZGlzY2giLCAicm9sZXNfbGlua3MiOiBbXSwgImlkIjogIjRjZDRhNzRlMTVlMTQ4MmY5ZmExNmY1MjRhZmQ4ZWJlIiwgInJvbGVzIjogW3sibmFtZSI6ICJhZG1pbiJ9LCB7Im5hbWUiOiAiS2V5c3RvbmVTZXJ2aWNlQWRtaW4ifSwgeyJuYW1lIjogIktleXN0b25lQWRtaW4ifV0sICJuYW1lIjogImRsZWlkaXNjaCJ9LCAibWV0YWRhdGEiOiB7ImlzX2FkbWluIjogMCwgInJvbGVzIjogWyI0NzA3YzJmNDg3ODg0MmM1ODUzMWJkN2U4MGU0ZDkzMCIsICI4ZjRmNGNhNmJmZGM0NWUwOTdjMTc1YmViNzUwNjU0ZCIsICI0Y2Y5OWU0ZGQ1YTg0NjZiOTlmZTRmZTIyNTAxYjg5NyJdfX19MYH-MIH8AgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChMFVW5zZXQxGDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0BAQEFAASBgD0cne0M65sCpOWFFSBqmA9rm14ecxkLtI9+fYJapMFIY3URuFxp8dWD2YPNeR7Jxw0lBcGLX418nG15G559pAqtk7-vKVV+X4tvJYRuHOt33fw37-b4hsX3ZEbdeif24j4eQEJKqDe2r7cLy8Iox2rCMjC2yKfZwjhIZdmNf7ZS",

            "issued_at": "2013-02-14T14:29:59.842424",
            "tenant": {
                "enabled": true,
                "id": "56977bb5a0554761bf0eb9d6ca770d75",
                "name": "testing"
            }
        },
        "user": {
            "id": "4cd4a74e15e1482f9fa16f524afd8ebe",
            "name": "user",
            "roles": [
                {
                    "name": "admin"
                },
                {
                    "name": "KeystoneServiceAdmin"
                },
                {
                    "name": "KeystoneAdmin"
                }
            ],
            "roles_links": [],
            "username": "user"
        }
    }
}


Next try with swift client:

swift -V 2.0 -A http://localhost:5000/v2.0 -U testing:user -K
user_testing2013 stat
~> Account HEAD failed:
http://xx.xx.xx.xx:8080/v1/AUTH_56977bb5a0554761bf0eb9d6ca770d75 401
Unauthorized



In Swift Log:

http://paste.ubuntu.com/1650988/



############
## Swift config ##
#
# The importent parts of config



[pipeline:main]
pipeline = catch_errors healthcheck proxy-logging cache ratelimit
authtoken keystoneauth container-quotas proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
recheck_account_existence = 60
recheck_container_existence = 60
set log_level = DEBUG
allow_account_management = true
account_autocreate = true

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = localhost
auth_port = 35357
auth_protocol = http
auth_uri = http://localhost:5000/
admin_tenant_name = service
admin_user = swift
admin_password = swift_testing2012
admin_token = xx
auth_token = xx
service_port = 5000
service_host = 127.0.0.1
delay_auth_decision = 1
signing_dir=/etc/swift


[filter:keystoneauth]
use = egg:swift#keystoneauth
# Operator roles is the role which user would be allowed to manage a
# tenant and be able to create container or give ACL to others.
operator_roles = admin, Member



I think the problem is the openssl validation or parsing, i don't know.
You see exit status of openssl in swift log and i think thats the problem.
Is it a bug or i've configured some thinks wrong ? Do anyone runs in a
similar problem ?


If anyone have questions or need detailled informations, please let me know.

Greetings
Heiko

-- 
B. Sc. Informatik
Heiko Krämer
CIO/Administrator

Twitter: @railshoster
Avarteq GmbH
Zweigstelle:
Prinzessinnenstr. 20, 10969 Berlin

----
Geschäftsführer: Alexander Faißt, Dipl.-Inf.(FH) Julian Fischer
Handelsregister: AG Saarbrücken HRB 17413, Ust-IdNr.: DE262633168
Sitz:
Science Park 2
66123 Saarbrücken

Tel: +49 (0)681 / 309 64 190
Fax: +49 (0)681 / 309 64 191

Visit:
http://www.enterprise-rails.de/

begin:vcard
fn;quoted-printable:Heiko Kr=C3=A4mer
n;quoted-printable:Kr=C3=A4mer;Heiko
org:Avarteq GmbH / Enterprise-Rails;Hosting
adr:;;Prinzessinnenstr. 20;Berlin;Berlin;10919;Germany
email;internet:kraemer@xxxxxxxxxx
title:CIO/Administrator
tel;work:Avarteq GmbH
x-mozilla-html:TRUE
url:https://www.enterprise-rails.de
version:2.1
end:vcard


Follow ups