
openstack team mailing list archive

Re: [Swift][Keystone] Authentication problems with Swift and Keystone by Grizzly release

 

On 02/14/2013 09:38 AM, Heiko Krämer wrote:
Heyho Guys,

I'm testing Swift and Keystone (Grizzly).

!NOTE!
I'm posting only the important stuff (output, responses, configs)

I've upgraded and migrated the database. The migration is not working
correctly (keystone-manage db_sync) because it will create a new column
in the role table, but with NULL values, and this will break the auth
(first issue).

The next keystone command you will need is
keystone-manage pki_setup => done without errors, but you will need to
change the rights of the generated files.



#############
## Output / Log ###

My requests to keystone are correct if I try to get a token with curl. I
get a token with all endpoints and other stuff.

         "token": {
             "expires": "2013-02-15T14:29:59Z",
             "id":
"MIIL-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-MIH8AgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChMFVW5zZXQxGDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0BAQEFAASBgD0cne0M65sCpOWFFSBqmA9rm14ecxkLtI9+fYJapMFIY3URuFxp8dWD2YPNeR7Jxw0lBcGLX418nG15G559pAqtk7-vKVV+X4tvJYRuHOt33fw37-b4hsX3ZEbdeif24j4eQEJKqDe2r7cLy8Iox2rCMjC2yKfZwjhIZdmNf7ZS",

             "issued_at": "2013-02-14T14:29:59.842424",
             "tenant": {
                 "enabled": true,
                 "id": "56977bb5a0554761bf0eb9d6ca770d75",
                 "name": "testing"
             }
         },
         "user": {
             "id": "4cd4a74e15e1482f9fa16f524afd8ebe",
             "name": "user",
             "roles": [
                 {
                     "name": "admin"
                 },
                 {
                     "name": "KeystoneServiceAdmin"
                 },
                 {
                     "name": "KeystoneAdmin"
                 }
             ],
             "roles_links": [],
             "username": "user"
         }
     }
}


Next try with swift client:

swift -V 2.0 -A http://localhost:5000/v2.0 -U testing:user -K user_testing2013 stat
~> Account HEAD failed: http://xx.xx.xx.xx:8080/v1/AUTH_56977bb5a0554761bf0eb9d6ca770d75 401 Unauthorized



In Swift Log:

http://paste.ubuntu.com/1650988/



############
## Swift config ##
#
# The important parts of config



[pipeline:main]
pipeline = catch_errors healthcheck proxy-logging cache ratelimit authtoken keystoneauth container-quotas proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
recheck_account_existence = 60
recheck_container_existence = 60
set log_level = DEBUG
allow_account_management = true
account_autocreate = true

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = localhost
auth_port = 35357
auth_protocol = http
auth_uri = http://localhost:5000/

Is this correct?  Are they running on the same server?

admin_tenant_name = service
admin_user = swift
admin_password = swift_testing2012
Set these as the envvars and make sure you can talk to Keystone using them.

OS_USERNAME
OS_PASSWORD

Or with curl as above.

If it is ssl, make sure the certs are set up correctly on both sides of the connection. Again, curl should allow you to debug. Keystone certs are in /etc/keystone/ssl/certs



admin_token = xx
auth_token = xx
service_port = 5000
service_host = 127.0.0.1
delay_auth_decision = 1
signing_dir=/etc/swift


[filter:keystoneauth]
use = egg:swift#keystoneauth
# Operator roles is the role which user would be allowed to manage a
# tenant and be able to create container or give ACL to others.
operator_roles = admin, Member



I think the problem is the openssl validation or parsing, I don't know.
You see the exit status of openssl in the swift log and I think that's the problem.
Is it a bug or have I configured some things wrong? Has anyone run into a
similar problem?


If anyone has questions or needs detailed information, please let me know.

Greetings
Heiko
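
The check suggested in the reply above (confirm that the authtoken credentials can talk to Keystone, for example with curl), combined with a permission check on signing_dir, as an added example that is not part of the original thread. The request body is the standard Keystone v2.0 password token request; the helper names, the placeholder password and the group/world-writable check are assumptions of this example.

```python
import configparser
import json
import os
import stat

# Constructed sample mirroring the [filter:authtoken] options quoted in the
# thread; the password is a placeholder, not a value from the page.
SAMPLE_CONF = """
[filter:authtoken]
auth_host = localhost
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = swift
admin_password = PLACEHOLDER
signing_dir = /etc/swift
"""

def load_authtoken(text):
    """Parse the [filter:authtoken] section (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["filter:authtoken"])

def token_request(opts):
    """Return (url, json_body) for a Keystone v2.0 password token request."""
    url = "{auth_protocol}://{auth_host}:{auth_port}/v2.0/tokens".format(**opts)
    creds = {"username": opts["admin_user"], "password": opts["admin_password"]}
    body = {"auth": {"tenantName": opts["admin_tenant_name"],
                     "passwordCredentials": creds}}
    return url, json.dumps(body)

def signing_dir_problems(path):
    """List reasons the current user should not use path as signing_dir."""
    if not os.path.isdir(path):
        return ["%s is not a directory" % path]
    problems = []
    if not os.access(path, os.W_OK | os.X_OK):
        problems.append("not writable by uid %d" % os.getuid())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Assumption: other local users must not replace cached signing certs.
        problems.append("group/world writable (mode %o)" % mode)
    return problems

if __name__ == "__main__":
    opts = load_authtoken(SAMPLE_CONF)
    url, body = token_request(opts)
    print("curl -s -H 'Content-Type: application/json' -d '%s' %s" % (body, url))
    print(signing_dir_problems(opts["signing_dir"]) or "signing_dir OK")
```

Run it as the user the Swift proxy runs as, so that the signing_dir result reflects the permissions the middleware will actually have.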


