openstack team mailing list archive

Thread
Date
Re: [Swift][Keystone] Authentication problems with Swift and Keystone by Grizzly release

To: Heiko Krämer <info@xxxxxxxxxxxxxxx>
From: Gareth <academicgareth@xxxxxxxxx>
Date: Mon, 4 Mar 2013 03:16:34 +0800
Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <513092F1.80909@honeybutcher.de>
Yes, I have faced totally same problem a few days before.


On Fri, Mar 1, 2013 at 7:37 PM, Heiko Krämer <info@xxxxxxxxxxxxxxx> wrote:

>  Hi Adam,
>
> thx for your repli. The problem was the new PKI authentification.
>
> I've change from PKI to
>
> [signing]
> token_format = UUID
>
>
> and it works now :)
>
>
> Thx and Greetings
> Heiko
>
> On 17.02.2013 03:23, Adam Young wrote:
>
> On 02/14/2013 09:38 AM, Heiko Krämer wrote:
>
> Heyho Guys,
>
> i'm testing Swift and Keystone (Grizzly).
>
> !NOTE!
> I'm posting only the importent stuff (output, responses, configs)
>
> I've upgraded and migrate the database, the migration are working not
> correct (kyestone-manage db_sync) because in the role table will create
> a new column but with NULL values and this will break the auth (first
> issue).
>
> The next command of keystone they you will need is
> keystone-manage pki_setup => done without errors but you will need to
> change the rights of the generated files.
>
>
>
> #############
> ## Output / Log ###
>
> My request to keystone are correct if i try to get a token with curl. I
> get a token with all endpoints and other stuff.
>
>         "token": {
>             "expires": "2013-02-15T14:29:59Z",
>             "id":
> "MIIL-wYJKoZIhvcNAQcCoIIL8DCCC+wCAQExCTAHBgUrDgMCGjCCCtgGCSqGSIb3DQEHAaCCCskEggrFeyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0wMi0xNFQxNDoyOTo1OS44NDI0MjQiLCAiZXhwaXJlcyI6ICIyMDEzLTAyLTE1VDE0OjI5OjU5WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImVuYWJsZWQiOiB0cnVlLCAiaWQiOiAiNTY5NzdiYjVhMDU1NDc2MWJmMGViOWQ2Y2E3NzBkNzUiLCAibmFtZSI6ICJ0ZXN0aW5nIn19LCAic2VydmljZUNhdGFsb2ciOiBbeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODc3NC92Mi81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSIsICJyZWdpb24iOiAidGVzdGluZyIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODc3NC92Mi81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSIsICJpZCI6ICJiOGQ3YTQzMWZjY2M0MWY2YTYzMzFjZTY3NjBlYjI1ZSIsICJwdWJsaWNVUkwiOiAiaHR0cDovLzg4LjE5OC42LjE1Mjo4Nzc0L3YyLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImNvbXB1dGUiLCAibmFtZSI6ICJub3ZhIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjk2OTYiLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwi!
>  OiAiaHR0cD
> ovLzEwLjAuMC4xOjk2OTYiLCAiaWQiOiAiM2ZjNTcxNzUyMDA3NDY3OWI3MTlkM2VmNTlmZGViYzMiLCAicHVibGljVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo5Njk2In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogIm5ldHdvcmsiLCAibmFtZSI6ICJxdWFudHVtIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjkyOTIvdjIiLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjAuMC4xOjkyOTIvdjIiLCAiaWQiOiAiMWZlZTllNDQ1NjNjNDcwYzhkNjFmNjE5NDNjYmIxM2YiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6OTI5Mi92MiJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJpbWFnZSIsICJuYW1lIjogImdsYW5jZSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo4Nzc2L3YxLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgInJlZ2lvbiI6ICJ0ZXN0aW5nIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo4Nzc2L3YxLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgImlkIjogIjFmMjVlMDUwMjdmMTRmNGI5MDFmMWFmNjJiZTZhMzAwIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vODguMTk4LjYuMTUyOjg3NzYvdjEvNTY5NzdiYjVhMDU1NDc2MWJmMGViOWQ2Y2E3NzBkNzUifV0sICJlbmRwb2ludHN!
>  fbGlua3MiO
> iBbXSwgInR5cGUiOiAidm9sdW1lIiwgIm5hbWUiOiAiY2luZGVyIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjg3NzMvc2VydmljZXMvQWRtaW4iLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjAuMC4xOjg3NzMvc2VydmljZXMvQ2xvdWQiLCAiaWQiOiAiMWIyZTViZjkzNTI2NGI2ODljZmZkZWViMTk1ZDRjMWQiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6ODc3My9zZXJ2aWNlcy9DbG91ZCJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJlYzIiLCAibmFtZSI6ICJlYzIifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODA4MC92MSIsICJyZWdpb24iOiAidGVzdGluZyIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODA4MC92MS9BVVRIXzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgImlkIjogIjI3YTEyYTBkMGI2ODQ2YjJhMDQzNjMwZmJlYzUwNmJhIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vODguMTk4LjYuMTUyOjgwODAvdjEvQVVUSF81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJvYmplY3Qtc3RvcmUiLCAibmFtZSI6ICJzd2lmdCJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC4wLjAuMTozNTM1Ny92Mi4wIi!
>  wgInJlZ2lv
> biI6ICJ0ZXN0aW5nIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo1MDAwL3YyLjAiLCAiaWQiOiAiMDI2NWNmOTUyZDRmNGZhYWEyZjdlZGIzNGZlMGQxYTUiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6NTAwMC92Mi4wIn1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImlkZW50aXR5IiwgIm5hbWUiOiAia2V5c3RvbmUifV0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJkbGVpZGlzY2giLCAicm9sZXNfbGlua3MiOiBbXSwgImlkIjogIjRjZDRhNzRlMTVlMTQ4MmY5ZmExNmY1MjRhZmQ4ZWJlIiwgInJvbGVzIjogW3sibmFtZSI6ICJhZG1pbiJ9LCB7Im5hbWUiOiAiS2V5c3RvbmVTZXJ2aWNlQWRtaW4ifSwgeyJuYW1lIjogIktleXN0b25lQWRtaW4ifV0sICJuYW1lIjogImRsZWlkaXNjaCJ9LCAibWV0YWRhdGEiOiB7ImlzX2FkbWluIjogMCwgInJvbGVzIjogWyI0NzA3YzJmNDg3ODg0MmM1ODUzMWJkN2U4MGU0ZDkzMCIsICI4ZjRmNGNhNmJmZGM0NWUwOTdjMTc1YmViNzUwNjU0ZCIsICI0Y2Y5OWU0ZGQ1YTg0NjZiOTlmZTRmZTIyNTAxYjg5NyJdfX19MYH-MIH8AgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChMFVW5zZXQxGDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0BAQEFAASBgD0cne0M65sCpOWFFSBqmA9rm14ecxkLtI9+fYJapMFIY3URuFxp8dWD2!
>  YPNeR7Jxw0
> lBcGLX418nG15G559pAqtk7-vKVV+X4tvJYRuHOt33fw37-b4hsX3ZEbdeif24j4eQEJKqDe2r7cLy8Iox2rCMjC2yKfZwjhIZdmNf7ZS",
>
>             "issued_at": "2013-02-14T14:29:59.842424",
>             "tenant": {
>                 "enabled": true,
>                 "id": "56977bb5a0554761bf0eb9d6ca770d75",
>                 "name": "testing"
>             }
>         },
>         "user": {
>             "id": "4cd4a74e15e1482f9fa16f524afd8ebe",
>             "name": "user",
>             "roles": [
>                 {
>                     "name": "admin"
>                 },
>                 {
>                     "name": "KeystoneServiceAdmin"
>                 },
>                 {
>                     "name": "KeystoneAdmin"
>                 }
>             ],
>             "roles_links": [],
>             "username": "user"
>         }
>     }
> }
>
>
> Next try with swift client:
>
> swift -V 2.0 -A http://localhost:5000/v2.0 -U testing:user -K
> user_testing2013 stat
> ~> Account HEAD failed:http://xx.xx.xx.xx:8080/v1/AUTH_56977bb5a0554761bf0eb9d6ca770d75 401
> Unauthorized
>
>
>
> In Swift Log:
> http://paste.ubuntu.com/1650988/
>
>
>
> ############
> ## Swift config ##
> #
> # The importent parts of config
>
>
>
> [pipeline:main]
> pipeline = catch_errors healthcheck proxy-logging cache ratelimit
> authtoken keystoneauth container-quotas proxy-logging proxy-server
>
> [app:proxy-server]
> use = egg:swift#proxy
> recheck_account_existence = 60
> recheck_container_existence = 60
> set log_level = DEBUG
> allow_account_management = true
> account_autocreate = true
>
> [filter:authtoken]
> paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
> auth_host = localhost
> auth_port = 35357
> auth_protocol = http
> auth_uri = http://localhost:5000/
>
>
> Is this corrrect?  Are they running on the same server?
>
>  admin_tenant_name = service
> admin_user = swift
> admin_password = swift_testing2012
>
>  set these as the envvars and make sure you can talk to Keystone using
> them.
>
> OS_USERNAME
> OS_PASSWORD
>
> Or with curl as above.
>
> If it is ssl, make sure the certs are set up correctly on both sides of
> the connection.  Again, curl should allow you to debug.  Keystone certs are
> in /etc/keystone/ssl/certs
>
>
>
>  admin_token = xx
> auth_token = xx
> service_port = 5000
> service_host = 127.0.0.1
> delay_auth_decision = 1
> signing_dir=/etc/swift
>
>
> [filter:keystoneauth]
> use = egg:swift#keystoneauth
> # Operator roles is the role which user would be allowed to manage a
> # tenant and be able to create container or give ACL to others.
> operator_roles = admin, Member
>
>
>
> I think the problem is the openssl validation or parsing, i don't know.
> You see exit status of openssl in swift log and i think thats the problem.
> Is it a bug or i've configured some thinks wrong ? Do anyone runs in a
> similar problem ?
>
>
> If anyone have questions or need detailled informations, please let me know.
>
> Greetings
> Heiko
>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Gareth
*Cloud Computing, Openstack, Fitness, Basketball
*
*Novice Openstack contributer*
*My promise: if you find any spelling or grammar mistake in my email from
Mar 1 2013, notice me *
*and I'll donate 1$ or 1￥ to open organization specified by you.*
References

[Swift][Keystone] Authentication problems with Swift and Keystone by Grizzly release
From: Heiko Krämer, 2013-02-14
Re: [Swift][Keystone] Authentication problems with Swift and Keystone by Grizzly release
From: Adam Young, 2013-02-17
Re: [Swift][Keystone] Authentication problems with Swift and Keystone by Grizzly release
From: Heiko Krämer, 2013-03-01