essex: glance and swift intergration question.

Asked by askstack on 2012-04-26

I have a swift and glance intergration question.

I varified swift was working with:
[root@core01 swift]# swift -v -V 2.0 -A http://127.0.0.1:5000/v2.0/ -U service:swift -K verybadpass stat
StorageURL: http://127.0.0.1:8080/v1/AUTH_c67bdd38c56f4ca0956cf5ca8d47ff41
Auth Token: 6d844c5299a44ac48aaa7d02af3565d9
   Account: AUTH_c67bdd38c56f4ca0956cf5ca8d47ff41
Containers: 1
   Objects: 0
     Bytes: 0
Accept-Ranges: bytes
X-Trans-Id: tx75a4e1ca2465493582aebbf465a95cd1
[root@core01 swift]# swift -v -V 2.0 -A http://127.0.0.1:5000/v2.0/ -U service:swift -K verybadpass list
glance:

my glance-api.conf looks like

# ============ Swift Store Options =============================
swift_store_auth_version = 2
swift_store_auth_address = http://127.0.0.1:8080/v1.0/
swift_store_user = service:swift
swift_store_key = a19c602bc5f8c10c47ea
swift_store_container = glance
swift_store_create_container_on_put = True
swift_store_large_object_size = 5120
swift_store_large_object_chunk_size = 200
swift_enable_snet = False
=============================

I do not know how to setup "swift_store_key" , so I copied the keystone's admin_token.

[root@core01 ~]# glance --os_auth_token=a19c602bc5f8c10c47ea add name=f16-heos is_public=true disk_format=qcow2 container_format=ovf copy_from=http://berrange.fedorapeople.org/images/2012-02-29/f16-x86_64-openstack-sda.qcow2
Failed to add image. Got error:
You are not authenticated.
Details: 401 Unauthorized

This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.

 Authentication required
Note: Your image metadata may still be in the registry, but the image's status will likely be 'killed'.

Any help is greatly appreciated.

Question information

Language:
English Edit question
Status:
Solved
For:
Glance Edit question
Assignee:
No assignee Edit question
Solved by:
Jay Pipes
Solved:
2012-05-02
Last query:
2012-05-02
Last reply:
2012-04-27

Have you tried using the same key as in your swift cli command (ie "verybadpass")?

askstack (askstack) said : #2

Stuart
I changed "swift_store_key" to "verybadpass" and did some testing.

First, keystone said the token was not found.
I tried to get a new token with
keystone --os_username swift --os_password verybadpass --os_auth_url http://127.0.0.1:5000/v2.0/ token-get
glance -A 1c418960beb34db2ad7ee350fd414e56 -I swift -K verybadpass -T service index

I noticed keystone log says " 'is_admin': False "

So I tried "keystone user-role-add " to add user swift with admin rights to tenant service. but glance didn't get authenticated.

keystone --os_username swift --os_password verybadpass --os_auth_url http://127.0.0.1:5000/v2.0/ token-get
glance -A 480ea3441b324a88811e6584a726612b -I swift -K verybadpass -T service index
Failed to show index. Got error:
You are not authenticated.
Details: 401 Unauthorized

******************** keystone log ********************
 SCRIPT_NAME = /v2.0
 webob.adhoc_attrs = {'response': <Response at 0x3d9fd90 200 OK>}
 REQUEST_METHOD = GET
 PATH_INFO = /tokens/480ea3441b324a88811e6584a726612b
 SERVER_PROTOCOL = HTTP/1.0
 HTTP_X_AUTH_TOKEN = b76ca38475704e649f0e4522bdb986f0
 eventlet.posthooks = []
 SERVER_NAME = 127.0.0.1
 REMOTE_ADDR = 127.0.0.1
 eventlet.input = <eventlet.wsgi.Input object at 0x3d7d390>
 wsgi.url_scheme = http
 SERVER_PORT = 35357
 wsgi.input = <eventlet.wsgi.Input object at 0x3d7d390>
 HTTP_HOST = 127.0.0.1:35357
 wsgi.multithread = True
 HTTP_ACCEPT = application/json
 wsgi.version = (1, 0)
 openstack.context = {'token_id': 'b76ca38475704e649f0e4522bdb986f0', 'is_admin': False}
 GATEWAY_INTERFACE = CGI/1.1
 wsgi.run_once = False
 wsgi.errors = <open file '<stderr>', mode 'w' at 0x7fc75ac93270>
 wsgi.multiprocess = False
 CONTENT_TYPE = application/json
 HTTP_ACCEPT_ENCODING = identity

 ******************** REQUEST BODY ********************

 Matched GET /tokens/480ea3441b324a88811e6584a726612b
 Route path: '{path_info:.*}', defaults: {'controller': <keystone.contrib.admin_crud.core.CrudExtension object at 0x38566d0>}
 Match dict: {'controller': <keystone.contrib.admin_crud.core.CrudExtension object at 0x38566d0>, 'path_info': '/tokens/480ea3441b324a88811e6584a726612b'}
 Matched GET /tokens/480ea3441b324a88811e6584a726612b
 Route path: '{path_info:.*}', defaults: {'controller': <keystone.service.AdminRouter object at 0x2bc67d0>}
 Match dict: {'controller': <keystone.service.AdminRouter object at 0x2bc67d0>, 'path_info': '/tokens/480ea3441b324a88811e6584a726612b'}
 Matched GET /tokens/480ea3441b324a88811e6584a726612b
 Route path: '/tokens/{token_id}', defaults: {'action': u'validate_token', 'controller': <keystone.service.TokenController object at 0x3742e90>}
 Match dict: {'action': u'validate_token', 'token_id': u'480ea3441b324a88811e6584a726612b', 'controller': <keystone.service.TokenController object at 0x3742e90>}
 arg_dict: {'token_id': u'480ea3441b324a88811e6584a726612b'}
 enforce admin_required: {'tenant_id': u'c67bdd38c56f4ca0956cf5ca8d47ff41', 'user_id': u'cfe238c7ccd74ccf9586ccbc471c2b50', u'roles': [u'admin']}
 ******************** RESPONSE HEADERS ********************
 Content-Type = application/json
 Vary = X-Auth-Token
 Content-Length = 222

 ******************** RESPONSE BODY ********************
 {"access": {"token": {"expires": "2012-04-28T16:22:08Z", "id": "480ea3441b324a88811e6584a726612b"}, "user": {"username": "swift", "roles_links": [], "id": "1601e902c4024993a163538869aa99ed", "roles": [], "name": "swift"}}}
 127.0.0.1 - - [27/Apr/2012 12:22:44] "GET /v2.0/tokens/480ea3441b324a88811e6584a726612b HTTP/1.1" 200 351 0.014305

askstack (askstack) said : #3

again, the nice people on IRC helped.

<dolphm> askstack: you probably also want to pass a --os_tenant_name to keystone, so you get a scoped token?

these two command work together.
keystone --os_username swift --os_password verybadpass --os_tenant_name service --os_auth_url http://127.0.0.1:5000/v2.0/ token-get
glance -A bb0d49f5f2b74f9085fc67cc9d8f4e02 -I swift -K verybadpass -T service index

however , "glance add" still fails. I am using openstack-glance-2012.1-4.fc16.noarch on Fedora 16.

glance -A bb0d49f5f2b74f9085fc67cc9d8f4e02 -I swift -K verybadpass -T service add name=f16-heos is_public=true disk_format=qcow2 container_format=ovf copy_from=http://berrange.fedorapeople.org/images/2012-02-29/f16-x86_64-openstack-sda.qcow2
Failed to add image. Got error:
Data supplied was not valid.
Details: 400 Bad Request

The server could not comply with the request since it is either malformed or otherwise incorrect.

 Error uploading image: (TypeError): __init__() got an unexpected keyword argument 'auth_version'
Note: Your image metadata may still be in the registry, but the image's status will likely be 'killed'.

Best Jay Pipes (jaypipes) said : #4

Hi! That last error means that the Swift client is old -- it does not include the new auth_version parameter in its constructor. The solution is to install a new version of python-swift package

All the best,
-jay

askstack (askstack) said : #5

Thanks Jay

Fedora has taken all the swift packages out of the yum repo, http://repos.fedorapeople.org/repos/apevec/openstack-preview/. Maybe they are updating these packages. I will report back when I can install the new rpms.

askstack (askstack) said : #6

Fedora still hasn't added swift back to the preview repo yet.
I find another source for the swift RPMs, http://mirrors.kernel.org/fedora/updates/testing/17/x86_64/

openstack-swift-1.4.8-1.fc17.noarch
openstack-swift-proxy-1.4.8-1.fc17.noarch
openstack-swift-account-1.4.8-1.fc17.noarch
openstack-swift-object-1.4.8-1.fc17.noarch
openstack-swift-doc-1.4.8-1.fc17.noarch
openstack-swift-container-1.4.8-1.fc17.noarch

After upgrading to these RPMs, I got this error message.

Error uploading image: (ClientException): Auth GET failed: http://127.0.0.1:8080/v1.0/tokens 401 Unauthorized

I found this mail thread, https://lists.launchpad.net/openstack/msg07641.html.
I changed /etc/glance/glance-api.conf
from
swift_store_auth_address = http://127.0.0.1:8080/v1.0/
to
swift_store_auth_address = http://127.0.0.1:5000/v2.0/

then I am able to "glance add".

Thanks for everyone's help.

askstack (askstack) said : #7

Thanks Jay Pipes, that solved my question.