Curl + Swift + Keystone

Asked by Heiko Krämer

Heyho guys,

So I'm very confused about how to use Swift + Keystone.

My swift config:
[pipeline:main]
pipeline = healthcheck cache keystone proxy-server

[filter:keystone]
use = egg:keystone#swiftauth
admin_token = 1111222233334444
keystone_url= http://127.0.0.1:5001/v2.0

Keystone and Swift are running correctly. Now I try to get all the information with curl (username/password) from the Keystone URL

curl -d '{"auth": {"passwordCredentials": {"username": "testuser", "password": "testing"}}}' -H "Content-type: application/json" http://192.168.0.2:5000/v2.0/tokens

and i get the output:
{"access": {"token": {"expires": "2011-11-23T15:36:14", "id": "30abaeac-b8dc-46f9-9aa1-db146c513099", "tenant": {"id": "7", "name": "testing"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://192.168.0.2:8774/v1.1/7", "region": "RegionOne", "internalURL": "http://192.168.0.2:8774/v1.1/7", "publicURL": "http://192.168.0.2:8774/v1.1/7"}], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://192.168.0.2:9292/v1.0", "region": "RegionOne", "internalURL": "http://192.168.0.2:9292/v1.0/", "publicURL": "http://192.168.0.2:9292/v1.0"}], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://192.168.0.2:8080/", "region": "RegionOne", "internalURL": "http://192.168.0.2:8080/v1/AUTH_7", "publicURL": "http://78.109.54.196:8080/v1/AUTH_7"}], "type": "object-store", "name": "swift"}, {"endpoints": [{"adminURL": "http://192.168.0.2:5001/v2.0", "region": "RegionOne", "internalURL": "http://192.168.0.2:5001/v2.0", "publicURL": "http://192.168.0.2:5000/v2.0"}], "type": "identity", "name": "keystone"}, {"endpoints": [{"adminURL": "http://192.168.0.2:8774/v1.0", "region": "RegionOne", "internalURL": "http://192.168.0.2:8774/v1.0", "publicURL": "http://192.168.0.2:8774/v1.0"}], "type": "compute", "name": "Nova_compat"}], "user": {"id": "8", "roles": [{"tenantId": "7", "id": "5", "name": "Admin"}], "name": "testuser"}}}

So it looks good.

If i try now

curl -v -H 'X-Auth-Token: 30abaeac-b8dc-46f9-9aa1-db146c513099' http://192.168.0.2:8080/v1

or

curl -v -H 'X-Auth-Token: 30abaeac-b8dc-46f9-9aa1-db146c513099' http://192.168.0.2:8080/v1/AUTH_7

I get a 401 every time!!

Now i looked in the Keystone log and found this:

http://pastebin.com/T139FdrD

but the token is correct:

*************************** 2. row ***************************
       id: 30abaeac-b8dc-46f9-9aa1-db146c513099
  user_id: 8
tenant_id: 7
  expires: 2011-11-23 15:36:14
2 rows in set (0.00 sec)

Does anyone know what's wrong? My endpoint_templates should be correct. I've checked this many times.

greetings
Heiko
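
An added example, not part of the original post and not Keystone or Swift code: reading the v2.0 token response shown in the question to pull out the token id, its expiry and the object-store endpoint, so that the storage URL comes from the service catalog and a request URL can be checked against it. The sample JSON is constructed by trimming the response in the post; all function names are hypothetical.

```python
import json
from datetime import datetime

# Constructed sample: the response from the post, trimmed to the swift entry.
SAMPLE = json.loads("""
{"access": {"token": {"expires": "2011-11-23T15:36:14",
                      "id": "30abaeac-b8dc-46f9-9aa1-db146c513099",
                      "tenant": {"id": "7", "name": "testing"}},
  "serviceCatalog": [
    {"endpoints": [{"adminURL": "http://192.168.0.2:8080/",
                    "region": "RegionOne",
                    "internalURL": "http://192.168.0.2:8080/v1/AUTH_7",
                    "publicURL": "http://78.109.54.196:8080/v1/AUTH_7"}],
     "type": "object-store", "name": "swift"}]}}
""")


def parse_ts(text):
    """Parse the timestamp format used in the token's 'expires' field."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def storage_credentials(response, url_kind="internalURL"):
    """Return (token_id, expires, storage_url) from a v2.0 token response."""
    access = response["access"]
    token = access["token"]
    for service in access.get("serviceCatalog", []):
        if service.get("type") == "object-store" and service["endpoints"]:
            url = service["endpoints"][0][url_kind].rstrip("/")
            return token["id"], parse_ts(token["expires"]), url
    raise LookupError("no object-store endpoint in the service catalog")


def is_account_scoped(url, storage_url):
    """True if url is the catalog's storage URL or a path beneath it."""
    return url.rstrip("/") == storage_url or url.startswith(storage_url + "/")


def token_is_live(expires, now):
    """A token is usable only while 'now' is before its expiry."""
    return now < expires


if __name__ == "__main__":
    token_id, expires, url = storage_credentials(SAMPLE)
    for tried in ("http://192.168.0.2:8080/v1", url, url + "/container"):
        print(tried, "account-scoped:", is_account_scoped(tried, url))
    print("live at 13:45:24:", token_is_live(expires, parse_ts("2011-11-23T13:45:24")))
```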

Question information

Language: English
Status: Answered
For: OpenStack Object Storage (swift)
Assignee: No assignee

Chmouel Boudjnah (chmouel) said :
#1

Which version of keystone/swift are you using?

Heiko Krämer (foexle) said :
#2

hiho chmouel,

Swift:
Version: 1.4.5~20111117.1632-0ubuntu0ppa1~lucid1

Keystone:
Version was a stable from Razique. If I try with --version I get a hex, but I see the last file change was 2011-11-08. I hope this helps.

Greetings

Chmouel Boudjnah (chmouel) said :
#3

Nice, which roles is your user in (in keystone)?

Heiko Krämer (foexle) said :
#4

Roles:

mysql> select * from roles;
+----+----------------------+------+------------+
| id | name                 | desc | service_id |
+----+----------------------+------+------------+
|  5 | Admin                | NULL |         11 |
|  6 | KeystoneServiceAdmin | NULL |         11 |
|  7 | KeystoneAdmin        | NULL |         11 |
| 12 | netadmin             | NULL |       NULL |
| 10 | User                 | NULL |       NULL |
| 13 | sysadmin             | NULL |          8 |
| 15 | Member               | NULL |         11 |
+----+----------------------+------+------------+

user_roles;
*************************** 5. row ***************************
       id: 22
  user_id: 8
  role_id: 5
tenant_id: 7
*************************** 6. row ***************************
       id: 23
  user_id: 8
  role_id: 15
tenant_id: NULL

So Admin and Member, but I would prefer this user to have no admin rights ... but I don't know if it works

Chmouel Boudjnah (chmouel) said :
#5
Chmouel Boudjnah (chmouel) said :
#6

Restart the proxy and look over your /var/log/messages (depends on your distro) when doing the same curl requests.

Heiko Krämer (foexle) said :
#7

Nov 23 12:50:58 test1-os swift Keystone middleware called (txn: txd3e1f3f92ad34b1897cf64e17a846978)

Nov 23 12:50:58 test1-os swift token: 30abaeac-b8dc-46f9-9aa1-db146c513099 (txn: txd3e1f3f92ad34b1897cf64e17a846978)

Nov 23 12:50:58 test1-os swift Asking keystone to validate token (txn: txd3e1f3f92ad34b1897cf64e17a846978)

Nov 23 12:50:58 test1-os swift headers: {'Content-type': 'application/json', 'Accept': 'text/json', 'X-Auth-Token': None} (txn: txd3e1f3f92ad34b1897cf64e17a846978)

Nov 23 12:50:58 test1-os swift url: ParseResult(scheme='http', netloc='127.0.0.1:5001', path='/v2.0', params='', query='', fragment='') (txn: txd3e1f3f92ad34b1897cf64e17a846978)

It looks like swift doesn't have the admin token?
swift headers: {'Content-type': 'application/json', 'Accept': 'text/json', 'X-Auth-Token': None

hmmm but it is set in the config

Heiko Krämer (foexle) said :
#8

curl -k -v -H 'X-Auth-Token:30abaeac-b8dc-46f9-9aa1-db146c513099' http://192.168.0.2:8080/v1/
* About to connect() to 192.168.0.2 port 8080 (#0)
* Trying 192.168.0.2... connected
* Connected to 192.168.0.2 (192.168.0.2) port 8080 (#0)
> GET /v1/ HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: 192.168.0.2:8080
> Accept: */*
> X-Auth-Token:30abaeac-b8dc-46f9-9aa1-db146c513099
>
< HTTP/1.1 412 Precondition Failed
< Content-Type: text/html; charset=UTF-8
< Content-Length: 7
< X-Trans-Id: txd805d5de071b4651ad5d7205d4856e97
< Date: Wed, 23 Nov 2011 11:57:03 GMT
<
* Connection #0 to host 192.168.0.2 left intact
* Closing connection #0

OK, I think the attribute name of admin_token was changed to keystone_admin_token

but now I get

curl -k -v -H 'X-Auth-Token:30abaeac-b8dc-46f9-9aa1-db146c513099' http://192.168.0.2:8080/v1/
* About to connect() to 192.168.0.2 port 8080 (#0)
* Trying 192.168.0.2... connected
* Connected to 192.168.0.2 (192.168.0.2) port 8080 (#0)
> GET /v1/ HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: 192.168.0.2:8080
> Accept: */*
> X-Auth-Token:30abaeac-b8dc-46f9-9aa1-db146c513099
>
< HTTP/1.1 412 Precondition Failed
< Content-Type: text/html; charset=UTF-8
< Content-Length: 7
< X-Trans-Id: txd805d5de071b4651ad5d7205d4856e97
< Date: Wed, 23 Nov 2011 11:57:03 GMT
<
* Connection #0 to host 192.168.0.2 left intact
* Closing connection #0

412 :)

Chmouel Boudjnah (chmouel) said :
#9

change admin_token to keystone_admin_token
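
An added example, not code from this thread or from the Keystone project: a small lint for the `[filter:keystone]` section that catches the option-name mismatch discussed here before the proxy is restarted. The option names it checks are only the ones that appear in this thread, the sample config is constructed from the question's fragment, and the function name is hypothetical.

```python
import configparser

REQUIRED = ("keystone_admin_token", "keystone_url")  # names seen in this thread
RENAMED = {"admin_token": "keystone_admin_token"}    # per reply #9

# Constructed sample: the config fragment from the question.
BEFORE = """
[pipeline:main]
pipeline = healthcheck cache keystone proxy-server

[filter:keystone]
use = egg:keystone#swiftauth
admin_token = 1111222233334444
keystone_url = http://127.0.0.1:5001/v2.0
"""
AFTER = BEFORE.replace("\nadmin_token", "\nkeystone_admin_token")


def lint_keystone_filter(text):
    """Return findings for swiftauth filters that are in the pipeline."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(text)
    pipeline = cfg.get("pipeline:main", "pipeline").split()
    findings = []
    for name in pipeline[:-1]:          # the last pipeline entry is the app
        section = "filter:" + name
        if not cfg.has_section(section):
            continue                    # fragment: filter defined elsewhere
        if not cfg.get(section, "use", fallback="").endswith("#swiftauth"):
            continue
        keys = set(cfg.options(section))
        for old, new in RENAMED.items():
            if old in keys and new not in keys:
                findings.append("%s: rename '%s' to '%s'" % (section, old, new))
        for key in REQUIRED:
            if key not in keys:
                findings.append("%s: '%s' is not set" % (section, key))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_keystone_filter(text) or "ok")
```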

Chmouel Boudjnah (chmouel) said :
#10

Do you have anything in the logs?

NB: This is the old version of the middleware; there is a complete rewrite in trunk/

Chmouel Boudjnah (chmouel) said :
#11
Heiko Krämer (foexle) said :
#12

OK, I have now checked out the trunk version of keystone and installed it.
I changed the attribute, too.

I try now
curl -v -H 'X-Auth-Token: 30abaeac-b8dc-46f9-9aa1-db146c513099' http://192.168.0.2:8080/v1

and see in the logs:

Nov 23 13:27:45 test1-os swift Initialise keystone middleware (txn: txdc93b99128e548a890510aac2c7c77e0)
Nov 23 13:27:45 test1-os swift Got token: 30abaeac-b8dc-46f9-9aa1-db146c513099 (txn: txdc93b99128e548a890510aac2c7c77e0)
Nov 23 13:27:45 test1-os swift STDOUT: ERROR:root:Error talking to memcached: 192.168.0.2:11211#012Traceback (most recent call last):#012 File "/usr/lib/pymodules/python2.6/swift/common/memcached.py", line 160, in get#012 while line[0].upper() != 'END':#012IndexError: list index out of range (txn: txdc93b99128e548a890510aac2c7c77e0)
Nov 23 13:27:45 test1-os swift No memcache, requesting it from keystone (txn: txdc93b99128e548a890510aac2c7c77e0)
Nov 23 13:27:45 test1-os swift Error: http_connect_raw() got an unexpected keyword argument 'timeout': #012Traceback (most recent call last):#012 File "/usr/lib/pymodules/python2.6/swift/common/middleware/catch_errors.py", line 47, in __call__#012 return self.app(env, my_start_response)#012 File "/usr/lib/pymodules/python2.6/swift/common/middleware/memcache.py", line 32, in __call__#012 return self.app(env, start_response)#012 File "/usr/local/lib/python2.6/dist-packages/keystone-2012.1-py2.6.egg/keystone/middleware/swift_auth.py", line 109, in __call__#012 identity = self._keystone_validate_token(token)#012 File "/usr/local/lib/python2.6/dist-packages/keystone-2012.1-py2.6.egg/keystone/middleware/swift_auth.py", line 152, in _keystone_validate_token#012 timeout=self.auth_timeout)#012TypeError: http_connect_raw() got an unexpected keyword argument 'timeout' (txn: txdc93b99128e548a890510aac2c7c77e0)

Memcached is installed and running.

Chmouel Boudjnah (chmouel) said :
#13

I am fixing that error just now, sorry about the confusion. Can you
remove the timeout=self.auth_timeout() line at 152 and retry?

Heiko Krämer (foexle) said :
#14

Done, but now HTTP code 412 again

Nov 23 13:45:24 test1-os swift Initialise keystone middleware (txn: tx3d9599a6a8c748f3b453b2d320acf769)
Nov 23 13:45:24 test1-os swift Got token: 30abaeac-b8dc-46f9-9aa1-db146c513099 (txn: tx3d9599a6a8c748f3b453b2d320acf769)
Nov 23 13:45:24 test1-os swift No memcache, requesting it from keystone (txn: tx3d9599a6a8c748f3b453b2d320acf769)

Nov 23 13:45:24 test1-os swift Keystone came back with: status:200, data:{"access": {"token": {"expires": "2011-11-23T15:36:14", "id": "30abaeac-b8dc-46f9-9aa1-db146c513099", "tenant": {"id": "7", "name": "testing"}}, "user": {"username": "testuser", "name": "testuser", "roles": [{"serviceId": "7", "id": "5", "name": "Admin"}, {"id": "15", "name": "Member"}], "tenantId": "7", "tenantName": "testing", "id": "8"}}} (txn: tx3d9599a6a8c748f3b453b2d320acf769)

Nov 23 13:45:24 test1-os swift setting memcache expiration to 2011-11-23 15:36:00 (txn: tx3d9599a6a8c748f3b453b2d320acf769)

Nov 23 13:45:24 test1-os swift Using identity: {'roles': [u'Admin', u'Member'], 'expires': 1322058960.0, 'user': u'testuser', 'tenant': (u'7', u'testing')} (txn: tx3d9599a6a8c748f3b453b2d320acf769)

Nov 23 13:45:24 test1-os swift Using identity: {'roles': [u'Admin', u'Member'], 'expires': 1322058960.0, 'user': u'testuser', 'tenant': (u'7', u'testing')} (txn: tx3d9599a6a8c748f3b453b2d320acf769)

Nov 23 13:45:24 test1-os swift 192.168.0.2 192.168.0.2 23/Nov/2011/12/45/24 GET /v1 HTTP/1.0 412 - curl/7.19.7%20%28x86_64-pc-linux-gnu%29%20libcurl/7.19.7%20OpenSSL/0.9.8k%20zlib/1.2.3.3%20libidn/1.15 30abaeac-b8dc-46f9-9aa1-db146c513099 - - - tx3d9599a6a8c748f3b453b2d320acf769 - 0.0005

Is anything wrong with parsing the result set?

Heiko Krämer (foexle) said :
#15

my proxy.conf

[DEFAULT]
bind_port = 8080
workers = 8
user = swift
log_name = swift
log_facility = LOG_LOCAL0
log_level = DEBUG

[pipeline:main]
pipeline = healthcheck catch_errors cache keystone proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true
 set log_name = proxy-server
 set log_facility = LOG_LOCAL0
 set log_level = DEBUG
 set access_log_name = proxy-server
 set access_log_facility = LOG_LOCAL0
 set access_log_level = DEBUG
 set log_headers = True

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:keystone]
use = egg:keystone#swiftauth
keystone_admin_token = 1111222233334444
keystone_url= http://127.0.0.1:5001/v2.0

[filter:tempauth]
use = egg:swift#tempauth
user_system_root = testpass .admin http://192.168.0.2:8080/v1/AUTH_system
# set log_name = ratelimit
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_headers = False

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = 192.168.0.2:11211

[filter:swauth]
use = egg:swauth#swauth
set log_name = swauth
 set log_facility = LOG_LOCAL0
 set log_level = INFO
 set log_headers = False

super_admin_key = rails123

FlorianOtel (florian-otel) said :
#16

Hello,

I'm experiencing the same issues on my setup ("2011.3-d5-rcb8~oneiric" Diablo D5 packages from http://ops.rcb.me/packages/ ).

In particular, I keep getting 401s when I try to access the Swift admin_url.

I've tried to post it on the mailing list (here: https://lists.launchpad.net/openstack/msg07913.html ) but to no avail (sorry for cross-posting). The gory details of my setup are here: http://pastebin.com/6YGzV9PA

Any suggestion on how to get unstuck ?

Thanks,

Florian
