openstack team mailing list archive
Message #21474
Re: [Swift][Keystone] Authentication problems with Swift and Keystone by Grizzly release
Yes, I faced exactly the same problem a few days ago.
On Fri, Mar 1, 2013 at 7:37 PM, Heiko Krämer <info@xxxxxxxxxxxxxxx> wrote:
> Hi Adam,
>
> Thx for your reply. The problem was the new PKI authentication.
>
> I've changed from PKI to
>
> [signing]
> token_format = UUID
>
>
> and it works now :)
>
>
> Thx and Greetings
> Heiko
>
> On 17.02.2013 03:23, Adam Young wrote:
>
> On 02/14/2013 09:38 AM, Heiko Krämer wrote:
>
> Heyho Guys,
>
> I'm testing Swift and Keystone (Grizzly).
>
> !NOTE!
> I'm posting only the important stuff (output, responses, configs)
>
> I've upgraded and migrated the database; the migration is not working
> correctly (keystone-manage db_sync) because a new column is created in the
> role table but with NULL values, and this will break the auth (first
> issue).
>
> The next keystone command that you will need is
> keystone-manage pki_setup => done without errors, but you will need to
> change the rights of the generated files.
>
>
>
> #############
> ## Output / Log ###
>
> My requests to keystone are correct if I try to get a token with curl. I
> get a token with all endpoints and other stuff.
>
> "token": {
> "expires": "2013-02-15T14:29:59Z",
> "id": "[PKI token blob omitted]",
> "issued_at": "2013-02-14T14:29:59.842424",
> "tenant": {
> "enabled": true,
> "id": "56977bb5a0554761bf0eb9d6ca770d75",
> "name": "testing"
> }
> },
> "user": {
> "id": "4cd4a74e15e1482f9fa16f524afd8ebe",
> "name": "user",
> "roles": [
> {
> "name": "admin"
> },
> {
> "name": "KeystoneServiceAdmin"
> },
> {
> "name": "KeystoneAdmin"
> }
> ],
> "roles_links": [],
> "username": "user"
> }
> }
> }
>
>
> Next try with swift client:
>
> swift -V 2.0 -A http://localhost:5000/v2.0 -U testing:user -K user_testing2013 stat
> ~> Account HEAD failed:http://xx.xx.xx.xx:8080/v1/AUTH_56977bb5a0554761bf0eb9d6ca770d75 401 Unauthorized
>
>
>
> In Swift Log:
> http://paste.ubuntu.com/1650988/
>
>
>
> ############
> ## Swift config ##
> #
> # The important parts of config
>
>
>
> [pipeline:main]
> pipeline = catch_errors healthcheck proxy-logging cache ratelimit authtoken keystoneauth container-quotas proxy-logging proxy-server
>
> [app:proxy-server]
> use = egg:swift#proxy
> recheck_account_existence = 60
> recheck_container_existence = 60
> set log_level = DEBUG
> allow_account_management = true
> account_autocreate = true
>
> [filter:authtoken]
> paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
> auth_host = localhost
> auth_port = 35357
> auth_protocol = http
> auth_uri = http://localhost:5000/
>
>
> Is this correct? Are they running on the same server?
>
> admin_tenant_name = service
> admin_user = swift
> admin_password = swift_testing2012
>
> Set these as the envvars and make sure you can talk to Keystone using
> them.
>
> OS_USERNAME
> OS_PASSWORD
>
> Or with curl as above.
>
> If it is ssl, make sure the certs are set up correctly on both sides of
> the connection. Again, curl should allow you to debug. Keystone certs are
> in /etc/keystone/ssl/certs
>
>
>
> admin_token = xx
> auth_token = xx
> service_port = 5000
> service_host = 127.0.0.1
> delay_auth_decision = 1
> signing_dir=/etc/swift
>
>
> [filter:keystoneauth]
> use = egg:swift#keystoneauth
> # Operator roles is the role which user would be allowed to manage a
> # tenant and be able to create container or give ACL to others.
> operator_roles = admin, Member
>
>
>
> I think the problem is the openssl validation or parsing, I don't know.
> You can see the exit status of openssl in the swift log and I think that's the problem.
> Is it a bug or have I configured some things wrong? Has anyone run into a
> similar problem?
>
>
> If anyone has questions or needs detailed information, please let me know.
>
> Greetings
> Heiko
>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
--
Gareth
*Cloud Computing, Openstack, Fitness, Basketball*
*Novice Openstack contributor*
*My promise: if you find any spelling or grammar mistake in my email from
Mar 1 2013, notify me*
*and I'll donate 1$ or 1¥ to an open organization specified by you.*
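
A diagnostic for the failure discussed in this thread, added here as an example and not code from the thread, Swift or Keystone: it tells a PKI token id from a UUID one, checks the `signing_dir` for the file and permission problems the thread mentions, and repeats the openssl verification by hand so its exit status can be read directly. The file names `signing_cert.pem` and `cacert.pem`, the need for a writable `signing_dir`, and the openssl argument list are assumptions about what the auth_token middleware uses; the sample id is constructed.

```python
import os
import re
import subprocess

UUID_RE = re.compile(r"^[0-9a-f]{32}$")
# Assumed file names the auth_token middleware keeps in signing_dir.
CERT_FILES = ("signing_cert.pem", "cacert.pem")

def token_kind(token_id):
    """'uuid' for a 32-hex id, 'pki' for base64 DER (starts 'MII'), else 'unknown'."""
    if UUID_RE.match(token_id):
        return "uuid"
    return "pki" if token_id.startswith("MII") else "unknown"

def token_to_cms_pem(token_id):
    """Undo the URL-safe '-' for '/' swap and wrap the base64 at 64 columns."""
    body = token_id.replace("-", "/")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CMS-----\n" + "\n".join(lines) + "\n-----END CMS-----\n"

def signing_dir_problems(signing_dir):
    """List file and permission problems as seen by the user running this check."""
    if not os.path.isdir(signing_dir):
        return ["%s is not a directory" % signing_dir]
    problems = []
    if not os.access(signing_dir, os.W_OK | os.X_OK):
        problems.append("%s is not writable" % signing_dir)
    for name in CERT_FILES:
        path = os.path.join(signing_dir, name)
        if not os.path.isfile(path):
            problems.append("%s is missing" % path)
        elif not os.access(path, os.R_OK):
            problems.append("%s is not readable" % path)
    return problems

def verify_pki_token(token_id, signing_dir):
    """Run openssl by hand; returns (exit status, payload or openssl's stderr)."""
    cert, ca = (os.path.join(signing_dir, n) for n in CERT_FILES)
    proc = subprocess.run(
        ["openssl", "cms", "-verify", "-certfile", cert, "-CAfile", ca,
         "-inform", "PEM", "-nosmime", "-nodetach", "-nocerts", "-noattr"],
        input=token_to_cms_pem(token_id).encode(),
        stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out = proc.stdout if proc.returncode == 0 else proc.stderr
    return proc.returncode, out.decode(errors="replace")

# Constructed sample id, not a real token.
SAMPLE_PKI_ID = "MII" + "A-b" * 30
```

Run `signing_dir_problems` as the account the Swift proxy runs under, since `os.access` answers for the calling user.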