Invalid user token - rejecting request

Asked by Mesut Muhammet Şahin on 2014-07-15

I have Ubuntu 12.04 on Virtul machine and I use Swift , Keystone, Python-swiftclient on this machine.

I create user, role, account, endpoint for kesytone. And I create endpoint for keystone - swift connection like this:

$ SERVICEID=$(keystone service-create --name=swift --type=object-store --description="Swift Service" | grep "id " | cut -d "|" -f 3)
$ echo $SERVICEID # just making sure we got a SERVICEID
$ keystone endpoint-create --service_id $SERVICEID --publicurl "\$(tenant_id)s" --adminurl "\$(tenant_id)s" --internalurl "\$(tenant_id)s"

I use command with python-swiftclient. There is no problem. All commands in (this) link is working. But I check url on browser there is problem.

swift stat deneme1 :

Account: AUTH_918112e49f2a4530a146efcb46d4af80
Container: deneme1
Objects: 11
Bytes: 4077682
Read ACL: .r:*,.rlistings
Write ACL:
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: gold
X-Timestamp: 1405411686.78453
X-Trans-Id: txe6afced19aa441499586f-0053c4f75e
Content-Type: text/plain; charset=utf-8

swift list deneme1 :

Wolf Pictures 033.jpg
Browser :
-- > Click address seem: Authentication required

How can ı see my object on browser? İf you look given link there is an example but didnt work on my swift. I add proxy logs and my configuration.

I added log when url enterede on command line:
swift --debug --os-auth-token ADMIN --os-storage-url list
Result :
INFO:urllib3.connectionpool:Starting new HTTP connection (1):
DEBUG:urllib3.connectionpool:"GET /v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json HTTP/1.1" 401 23
INFO:swiftclient:REQ: curl -i -X GET -H "X-Auth-Token: ADMIN"
INFO:swiftclient:RESP STATUS: 401 Unauthorized
INFO:swiftclient:RESP HEADERS: [('date', 'Tue, 15 Jul 2014 09:57:49 GMT'), ('content-length', '23'), ('content-type', 'text/plain'), ('www-authenticate', "Keystone uri=''"), ('x-trans-id', 'txd970ef4f98754c0e9e2cc-0053c4fb1d')]
INFO:swiftclient:RESP BODY: Authentication required
INFO:urllib3.connectionpool:Starting new HTTP connection (1):
DEBUG:urllib3.connectionpool:"GET /v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json HTTP/1.1" 401 23
INFO:swiftclient:REQ: curl -i -X GET -H "X-Auth-Token: ADMIN"
INFO:swiftclient:RESP STATUS: 401 Unauthorized
INFO:swiftclient:RESP HEADERS: [('date', 'Tue, 15 Jul 2014 09:57:50 GMT'), ('content-length', '23'), ('content-type', 'text/plain'), ('www-authenticate', "Keystone uri=''"), ('x-trans-id', 'tx30111ae54eb642e58146c-0053c4fb1e')]
INFO:swiftclient:RESP BODY: Authentication required
ERROR:swiftclient:Account GET failed: 401 Unauthorized Authentication required
Traceback (most recent call last):
File "/root/python-swiftclient/swiftclient/", line 1208, in _retry
rv = func(self.url, self.token, *args, **kwargs)
File "/root/python-swiftclient/swiftclient/", line 461, in get_account
ClientException: Account GET failed: 401 Unauthorized Authentication required
Account GET failed: 401 Unauthorized Authentication required

==> proxy.error <==
Jul 15 12:21:36 openstack proxy-server: Unable to find authentication token in headers

proxy-server.conf :

bind_port = 8080
workers = 1
user = root
log_level = DEBUG
log_facility = LOG_LOCAL1
eventlet_debug = true

pipeline = catch_errors gatekeeper healthcheck proxy-logging cache bulk tempurl slo dlo ratelimit crossdomain list-endpoints staticweb container-quotas account-quotas authtoken keystoneauth staticweb proxy-logging proxy-server

use = egg:swift#catch_errors

use = egg:swift#healthcheck

use = egg:swift#proxy_logging

use = egg:swift#bulk

use = egg:swift#ratelimit

use = egg:swift#crossdomain

use = egg:swift#dlo

use = egg:swift#slo

use = egg:swift#tempurl

use = egg:swift#account_quotas

use = egg:swift#container_quotas

use = egg:swift#memcache
memcache_servers =

use = egg:swift#gatekeeper

use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

use = egg:swift#list_endpoints

paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host =
auth_port = 35357
auth_protocol = http
auth_uri =
admin_tenant_name = admin
admin_user = admin
admin_password = adminpass
admin_token = ADMIN
auth_token = ADMIN
cache = swift.cache
include_service_catalog = False

use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator, swift, member

use = egg:swift#staticweb
set access_log_name = staticweb
set log_level = DEBUG
set log_headers = False
# Seconds to cache container x-container-meta-web-* header values.
# cache_timeout = 300
# You can override the default log routing for this filter here:
# set log_name = staticweb
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set access_log_name = staticweb
# set access_log_facility = LOG_LOCAL0
# set access_log_level = INFO
# set log_headers = False

Question information

English Edit question
Ubuntu swift Edit question
No assignee Edit question
Solved by:
Mesut Muhammet Şahin
Last query:
Last reply:

Hi Mesut,

İf you get object list with curl command, you should try as follows:

Firstly, you can get aut token and account name from keystone

curl -s -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}' -H 'Content-type: application/json'

curl -s -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}' -H 'Content-type: application/json'
{"access": {"token": {"expires": "2014-07-16T11:43:16Z", "id": "b7e31a6a8b0448908ff09319fe8fd118", "tenant": {"description": null, "enabled": true, "id": "45d1b2fe644b4b85a29c1801432af0e2", "name": "admin"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "", "region": "RegionOne", "internalURL": "", "publicURL": ""}], "endpoints_links": [], "type": "object-store", "name": "swift"}, {"endpoints": [{"adminURL": "", "region": "RegionOne", "internalURL": "", "publicURL": ""}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "", "region": "RegionOne", "internalURL": "", "publicURL": ""}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "d65edf7b8849481f9b6fb04a95d5944e", "roles": [{"id": "fdfa487b6ba9452bb6c623a081a4eb71", "name": "admin"}], "name": "admin"}}}

Id ("id": "b7e31a6a8b0448908ff09319fe8fd118") is aut token.
AUTH_45d1b2fe644b4b85a29c1801432af0e2 is account name.

After you have to use id and account name in curl command

curl -v -H 'X-Auth-Token: b7e31a6a8b0448908ff09319fe8fd118'

* About to connect() to port 8080 (#0)
* Trying
* Connected to ( port 8080 (#0)
> GET /v1.0/AUTH_45d1b2fe644b4b85a29c1801432af0e2 HTTP/1.1
> User-Agent: curl/7.29.0
> Host:
> Accept: */*
> X-Auth-Token: b7e31a6a8b0448908ff09319fe8fd118
< HTTP/1.1 200 OK
< X-Account-Object-Count: 1
< X-Account-Bytes-Used: 9731
< X-Account-Container-Count: 3
< Accept-Ranges: bytes
< Content-Length: 19
< Content-Type: text/plain; charset=utf-8
< Date: Tue, 15 Jul 2014 11:56:40 GMT
* Connection #0 to host left intact

Mesut Muhammet Şahin (messah) said : #2

I see list with `swift list` command with python-swiftclient. I want to ask exactly, How can I access my object on browser. I want to upload object which anyone access them with keys. I think ı can use tempurl and ı create key and temp_url_expires. And I read this document ( It says you Set the Container's ACL (Access Control List) or permissions to allow reading. And you access link on browser like

deneme1 permission: Read ACL: .r:*,.rlistings (My container)
images.jpeg picture in deneme1 container (My object)

so how can ı see my object on browser anywhere?

My test is:
-- > Click address seem: Authentication required

I know I say (swift --debug --os-auth-token ADMIN --os-storage-url list) and I mix some ideas.

(All request and response in first question)

Mesut Muhammet Şahin (messah) said : #3

I solved my problem to discuss in #openstack-swift irc channel.
irc channel discuss log link :

The changes made:

1) You need at first make sure you have a service endpoint of type object-store in keystone pointing to your Swift proxy. For example having this in your /etc/keystone/default_catalog.templates = Swift Service
    catalog.RegionOne.object_store.publicURL = http://swiftproxy:8080/v1/AUTH_$(tenant_id)s
    catalog.RegionOne.object_store.adminURL = http://swiftproxy:8080/
    catalog.RegionOne.object_store.internalURL = http://swiftproxy:8080/v1/AUTH_$(tenant_id)s

I added this lines to /etc/keystone/default_catalog.templates

2) need to set "delay_auth_decision = true" in [filter:authtoken] in proxy-server.conf

    swift-init proxy-server restart

And Then;

3) It returns json which have tokenid, tenantid etc... You must get tokenid and tenantid here.

    curl -s -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}' -H 'Content-type: application/json'

    curl -v -H 'X-Auth-Token: b7e31a6a8b0448908ff09319fe8fd118 ...longtokenid'<tenantid>

    swift post --read-acl ".r:*,.rlistings" container
    swift post -m 'X-Container-Read: .r:*,.rlistings' container

And now you can access your object like that link :


6) I saw I dont use endpoint-list in proxy-server.conf. I removed that.

7) You can do better your link with tempurl;

    swift post -m "Temp-URL-Key:testkeyhere"
    echo`swift-temp-url GET 3600 /v1/AUTH_<tenant-id>/container/50cuteanimpic6.jpg testkeyhere`

command return a link which you can access link 3600 seconds (1 hour)

we can access our link at the end: