SSL problem on SAIO instance

Asked by Flint Calvin

Hello,

We have a working SAIO 1.3 instance on which we are trying to enable SSL access (e.g., to be able to access the instance from Cyberduck). We are basically trying to follow section 5.1.1 of the OpenStack Object Storage Administration Manual (Cactus).

After making the modifications specified by section 5.1.1, we performed the following:

1) resetswift
2) remakerings
3) startmain

However, when we try to invoke recreateaccounts, it fails. In fact, if we just try to run the swauth-prep command (i.e., "swauth-prep -K swauthkey"), we get the following error:

Traceback (most recent call last):
  File "/usr/bin/swauth-prep", line 56, in <module>
    ssl=(parsed.scheme == 'https'))
  File "/usr/lib/pymodules/python2.6/swift/common/bufferedhttp.py", line 168, in http_connect_raw
    conn.endheaders()
  File "/usr/lib/python2.6/httplib.py", line 904, in endheaders
    self._send_output()
  File "/usr/lib/python2.6/httplib.py", line 776, in _send_output
    self.send(msg)
  File "/usr/lib/python2.6/httplib.py", line 735, in send
    self.connect()
  File "/usr/lib/pymodules/python2.6/swift/common/bufferedhttp.py", line 80, in connect
    return HTTPConnection.connect(self)
  File "/usr/lib/python2.6/httplib.py", line 716, in connect
    self.timeout)
  File "/usr/lib/pymodules/python2.6/eventlet/green/socket.py", line 59, in create_connection
    raise error, msg
socket.error: [Errno 111] ECONNREFUSED

Here are the contents of our proxy-server.conf file:

[DEFAULT]
bind_port = 443
user = meter
log_facility = LOG_LOCAL1

cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key

[pipeline:main]
pipeline = healthcheck cache swauth proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true

[filter:swauth]
use = egg:swift#swauth
# Highly recommended to change this.
super_admin_key = swauthkey

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache

We are wondering if we made an error in the process of enabling SSL or if it is even possible to enable SSL on an SAIO instance.

Any help someone can provide would be greatly appreciated!

Thanks,
Flint

Question information

Language: English
Status: Solved
For: OpenStack Object Storage (swift)
Assignee: No assignee
Solved by: Flint Calvin

Marcelo Martins (btorch) said :
#1

Hi Flint, the problem here is that swauth-prep and any other swauth command will try to use the default ADMIN_URL which is "http://127.0.0.1:8080/auth/". Since you are now using SSL you need to specify the -A flag with the command. Try running "swauth-prep -K swauthkey -A https://127.0.0.1/auth/" and then adding an admin user with "swauth-add-user -K swauthkey -A https://127.0.0.1/auth/ -a swiftops swiftops swiftops" ....

Please note that I'm assuming here that your ADMIN_KEY is indeed "swauthkey".

root@saio-2:~# swauth-prep --help
Usage: swauth-prep [options]

Options:
  -h, --help            show this help message and exit
  -A ADMIN_URL, --admin-url=ADMIN_URL
                        The URL to the auth subsystem (default:
                        http://127.0.0.1:8080/auth/
  -U ADMIN_USER, --admin-user=ADMIN_USER
                        The user with admin rights to add users (default:
                        .super_admin).
  -K ADMIN_KEY, --admin-key=ADMIN_KEY
                        The key for the user with admin rights to add users.

Flint Calvin (fcalvin) said :
#2

Thanks for your help Marcelo!

Those changes got us beyond the ECONNREFUSED error and the swauth-prep command completes successfully.

However, with the addition of the "-A https://127..." change, the swauth-add-user command fails with "Account creation failed: 500 Server Error" and "User creation failed: 500 Server Error" errors.

The specific command is:

swauth-add-user -K swauthkey -A https://127.0.0.1/auth -a test tester testing

We additionally tried appending "/v1" and "/v1.0" to the IP address of the command and got "Account creation failed: 400 Bad Request" and "User creation failed: 400 Bad Request" errors.

The specific commands we tried were:

swauth-add-user -K swauthkey -A https://127.0.0.1/auth/v1 -a test tester testing

swauth-add-user -K swauthkey -A https://127.0.0.1/auth/v1.0 -a test tester testing

Thanks in advance for any additional help you can provide,
Flint

Marcelo Martins (btorch) said :
#3

Hi Flint,

Try adding the following to the [filter:swauth] section of the proxy-server.conf and restart swift.

default_swift_cluster = local#https://127.0.0.1/v1

Also, you will need to modify the storage url for accounts created prior to the SSL setup if you still would like to use them. Please check on swauth-set-account-service --help for information/example on how to change that.
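
An added example, not part of the original thread and not Swift's own code: a small check that reads a proxy-server.conf and reports the three things this thread turns on (the -A URL the swauth tools need once SSL is enabled, a default_swift_cluster whose scheme matches, and the sample super_admin_key). The function name check_proxy_conf, the 127.0.0.1 host and the 8080 fallback port are assumptions made for the example.

```python
import configparser

# Constructed sample: the proxy-server.conf from the question, trimmed to the
# sections the checks read.
SAMPLE_CONF = """\
[DEFAULT]
bind_port = 443
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key

[filter:swauth]
use = egg:swift#swauth
# Highly recommended to change this.
super_admin_key = swauthkey
"""

TOOL_DEFAULT = "http://127.0.0.1:8080/auth/"  # default shown by swauth-prep --help


def check_proxy_conf(text, host="127.0.0.1"):
    """Return (admin_url, findings) for a proxy-server.conf given as text."""
    cp = configparser.RawConfigParser()  # no interpolation, '#' in values is kept
    cp.read_string(text)
    defaults = cp.defaults()
    swauth = dict(cp.items("filter:swauth")) if cp.has_section("filter:swauth") else {}

    # The proxy serves TLS only when both cert_file and key_file are configured.
    tls = "cert_file" in defaults and "key_file" in defaults
    scheme = "https" if tls else "http"
    port = int(defaults.get("bind_port", "8080"))  # assumption: 8080 when unset
    netloc = host if port == (443 if tls else 80) else "%s:%d" % (host, port)
    admin_url = "%s://%s/auth/" % (scheme, netloc)

    findings = []
    if admin_url != TOOL_DEFAULT:
        findings.append("swauth-* tools need -A %s (default is %s)" % (admin_url, TOOL_DEFAULT))
    # default_swift_cluster is name#url; the url scheme must match the listener.
    cluster = swauth.get("default_swift_cluster", "")
    if tls and not cluster.split("#", 1)[-1].startswith("https://"):
        findings.append("set default_swift_cluster = local#https://%s/v1 in [filter:swauth]" % netloc)
    if swauth.get("super_admin_key") == "swauthkey":
        findings.append("super_admin_key is still the sample value; change it")
    return admin_url, findings


if __name__ == "__main__":
    url, problems = check_proxy_conf(SAMPLE_CONF)
    print(url)
    for p in problems:
        print(" -", p)
```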

Flint Calvin (fcalvin) said :
#4

Thanks Marcelo...that was the last stumbling block for us!