Auth server recovery

Asked by Salvatore Piccolo

With OpenStack we can have one auth-server: if it fails we'll have some problems... I tried to install another auth server and then to restore the auth.db file. It's all OK, I can log in with old accounts, but if I try to add a new user I get the "401 Unauthorized" error when I check that I can HEAD the account with the command
curl -k -v -H 'X-Auth-Token: <token-from-x-auth-token-above>' <url-from-x-storage-url-above>
with the correct x-auth-token and x-storage-url.

And now my question: is there a procedure that I can follow to restore my auth-server configuration to the old state?

Question information

Language: English
Status: Solved
For: OpenStack Object Storage (swift)
Assignee: No assignee
Solved by: Salvatore Piccolo

Salvatore Piccolo (spiccolo) said :
#1

It seems there is a problem with the x-auth-token ... and the SSL exchange fails... any ideas for a solution?

clayg (clay-gerrard) said :
#2

it sounds like the auth server was able to create the account on the cluster - but the proxy can verify the token with the auth server... so maybe the proxy can't get back to the new auth server?

I'm not sure about the cert/ssl exchange - do you have any errors in /var/log/syslog (or /var/log/swift/)?

can you post your proxy-server.conf and auth-server.conf?

Salvatore Piccolo (spiccolo) said :
#3

I think you are right ... the proxy can't get back to the new auth server.
The first auth-server is on the same proxy node ... the new auth-server is on a new machine but the proxy is the same (Openstack1 172.16.0.249).

This is my syslog on the proxy node
Nov 22 17:58:48 Openstack1 auth-server validate_token('AUTH_tkd33746117d48421aaa19af8e5fdd90e6', _, _) = False [0.00]
Nov 22 17:58:48 Openstack1 auth-server 127.0.0.1 - - [22/Nov/2010:16:58:48 +0000] "GET /token/AUTH_tkd33746117d48421aaa19af8e5fdd90e6 HTTP/1.0" 404 - "-" "-" - - - - - - - - - "-" "127.0.0.1" "-" 0.0008

proxy-server.conf

[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
bind_port = 8080
workers = 8
user = swift

[pipeline:main]
pipeline = healthcheck cache auth proxy-server

[app:proxy-server]
use = egg:swift#proxy

[filter:auth]
use = egg:swift#auth
ssl = true

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = 172.16.0.249:11211

auth-server.conf

[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
user = swift

[pipeline:main]
pipeline = auth-server

[app:auth-server]
use = egg:swift#auth
default_cluster_url = https://Openstack1:8080/v1
# Highly recommended to change this key to something else!
super_admin_key = devauth

Chuck Thier (cthier) said :
#4

If you move the auth server to another server, then you need to tell the proxy how to reach the auth server. Add the following under [filter:auth]:

ip = AUTH_SERVER_IP

then restart your proxy, and you should be able to add users again and users should be able to access their data.

Salvatore Piccolo (spiccolo) said :
#5

Perfect, I tried and it solved my problem.
Thanks.
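
Added example, not part of the original thread or of Swift's own code: a small check for the condition diagnosed in reply #4, combining the [filter:auth] section from reply #3 with its syslog lines. It assumes the auth filter falls back to 127.0.0.1 when `ip` is unset (consistent with the 127.0.0.1 lookups logged in reply #3); the function names, the placeholder token and the address 192.0.2.10 are constructed for illustration.

```python
import configparser
import re

# Constructed inputs: [filter:auth] as posted in reply #3, and that reply's
# syslog lines abridged, with the token replaced by a placeholder.
PROXY_CONF = """\
[filter:auth]
use = egg:swift#auth
ssl = true
"""
SYSLOG = """\
Nov 22 17:58:48 Openstack1 auth-server validate_token('AUTH_tkEXAMPLE', _, _) = False [0.00]
Nov 22 17:58:48 Openstack1 auth-server 127.0.0.1 - - [22/Nov/2010:16:58:48 +0000] "GET /token/AUTH_tkEXAMPLE HTTP/1.0" 404 - "-"
"""
ASSUMED_DEFAULT_HOST = "127.0.0.1"  # assumption: host used when `ip` is unset

# Access-log line written by the auth server for a token validation request.
TOKEN_LOOKUP = re.compile(
    r'auth-server (?P<client>\S+) - - \[[^\]]+\] '
    r'"GET /token/(?P<token>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def auth_target(proxy_conf_text):
    """Host the proxy's auth filter will ask to validate tokens."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(proxy_conf_text)
    return cp.get("filter:auth", "ip", fallback=ASSUMED_DEFAULT_HOST)

def rejected_local_lookups(syslog_text):
    """Tokens a loopback client asked about that this auth server answered 404."""
    hits = []
    for line in syslog_text.splitlines():
        m = TOKEN_LOOKUP.search(line)
        if m and m["client"] == "127.0.0.1" and m["status"] == "404":
            hits.append(m["token"])
    return hits

def diagnose(proxy_conf_text, syslog_text, new_auth_ip):
    """Flag a proxy that still validates tokens against the old auth server."""
    target = auth_target(proxy_conf_text)
    unknown = rejected_local_lookups(syslog_text)
    if target != new_auth_ip and unknown:
        return (f"proxy validates tokens at {target}, not {new_auth_ip}; "
                f"{len(unknown)} token(s) unknown there: set ip under [filter:auth]")
    return "ok"

if __name__ == "__main__":
    print(diagnose(PROXY_CONF, SYSLOG, "192.0.2.10"))
```
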