Invalid user token - rejecting request

Asked by Mesut Muhammet Şahin on 2014-07-15

I have Ubuntu 12.04 on a virtual machine, and I use Swift, Keystone and python-swiftclient on this machine.

I created the user, role, account and endpoint for Keystone, and I created the endpoint for the Keystone - Swift connection like this:

$ SERVICEID=$(keystone service-create --name=swift --type=object-store --description="Swift Service" | grep "id " | cut -d "|" -f 3)
$ echo $SERVICEID # just making sure we got a SERVICEID
$ keystone endpoint-create --service_id $SERVICEID --publicurl "http://127.0.0.1:8080/v1/AUTH_\$(tenant_id)s" --adminurl "http://127.0.0.1:8080/v1/AUTH_\$(tenant_id)s" --internalurl "http://127.0.0.1:8080/v1/AUTH_\$(tenant_id)s"

I use the commands with python-swiftclient and there is no problem. All commands in this link (https://support.rc.nectar.org.au/docs/python-swiftclient) work. But when I check the URL in a browser, there is a problem.

swift stat deneme1 :

Account: AUTH_918112e49f2a4530a146efcb46d4af80
Container: deneme1
Objects: 11
Bytes: 4077682
Read ACL: .r:*,.rlistings
Write ACL:
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: gold
X-Timestamp: 1405411686.78453
X-Trans-Id: txe6afced19aa441499586f-0053c4f75e
Content-Type: text/plain; charset=utf-8

swift list deneme1 :

50cuteanimpic6.jpg
Weird-pictures-art-pictures-Igor-Morski.jpg
Wolf Pictures 033.jpg
images.jpeg
pictures_1400077785.jpg
powerful-pictures-of-earth-being-destroyed.jpg

Browser :

http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80/deneme1/images.jpeg
--> Clicking the address shows: Authentication required

How can I see my object in the browser? If you look at the given link there is an example, but it didn't work on my Swift. I have added the proxy logs and my configuration.

I added the log from when the URL was entered on the command line:
swift --debug --os-auth-token ADMIN --os-storage-url http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg list
Result :
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 127.0.0.1
DEBUG:urllib3.connectionpool:"GET /v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json HTTP/1.1" 401 23
INFO:swiftclient:REQ: curl -i http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json -X GET -H "X-Auth-Token: ADMIN"
INFO:swiftclient:RESP STATUS: 401 Unauthorized
INFO:swiftclient:RESP HEADERS: [('date', 'Tue, 15 Jul 2014 09:57:49 GMT'), ('content-length', '23'), ('content-type', 'text/plain'), ('www-authenticate', "Keystone uri='http://127.0.0.1:5000/'"), ('x-trans-id', 'txd970ef4f98754c0e9e2cc-0053c4fb1d')]
INFO:swiftclient:RESP BODY: Authentication required
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 127.0.0.1
DEBUG:urllib3.connectionpool:"GET /v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json HTTP/1.1" 401 23
INFO:swiftclient:REQ: curl -i http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json -X GET -H "X-Auth-Token: ADMIN"
INFO:swiftclient:RESP STATUS: 401 Unauthorized
INFO:swiftclient:RESP HEADERS: [('date', 'Tue, 15 Jul 2014 09:57:50 GMT'), ('content-length', '23'), ('content-type', 'text/plain'), ('www-authenticate', "Keystone uri='http://127.0.0.1:5000/'"), ('x-trans-id', 'tx30111ae54eb642e58146c-0053c4fb1e')]
INFO:swiftclient:RESP BODY: Authentication required
ERROR:swiftclient:Account GET failed: http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json 401 Unauthorized Authentication required
Traceback (most recent call last):
File "/root/python-swiftclient/swiftclient/client.py", line 1208, in _retry
rv = func(self.url, self.token, *args, **kwargs)
File "/root/python-swiftclient/swiftclient/client.py", line 461, in get_account
http_response_content=body)
ClientException: Account GET failed: http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json 401 Unauthorized Authentication required
Account GET failed: http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg?format=json 401 Unauthorized Authentication required

==> proxy.error <==
Jul 15 12:21:36 openstack proxy-server: Unable to find authentication token in headers

proxy-server.conf :

[DEFAULT]
bind_port = 8080
workers = 1
user = root
log_level = DEBUG
log_facility = LOG_LOCAL1
eventlet_debug = true

[pipeline:main]
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache bulk tempurl slo dlo ratelimit crossdomain list-endpoints staticweb container-quotas account-quotas authtoken keystoneauth staticweb proxy-logging proxy-server

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:proxy-logging]
use = egg:swift#proxy_logging

[filter:bulk]
use = egg:swift#bulk

[filter:ratelimit]
use = egg:swift#ratelimit

[filter:crossdomain]
use = egg:swift#crossdomain

[filter:dlo]
use = egg:swift#dlo

[filter:slo]
use = egg:swift#slo

[filter:tempurl]
use = egg:swift#tempurl

[filter:account-quotas]
use = egg:swift#account_quotas

[filter:container-quotas]
use = egg:swift#container_quotas

[filter:cache]
use = egg:swift#memcache
memcache_servers = 127.0.0.1:11211

[filter:gatekeeper]
use = egg:swift#gatekeeper

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:list-endpoints]
use = egg:swift#list_endpoints

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_tenant_name = admin
admin_user = admin
admin_password = adminpass
admin_token = ADMIN
auth_token = ADMIN
cache = swift.cache
include_service_catalog = False

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator, swift, member

[filter:staticweb]
use = egg:swift#staticweb
set access_log_name = staticweb
set log_level = DEBUG
set log_headers = False
# Seconds to cache container x-container-meta-web-* header values.
# cache_timeout = 300
# You can override the default log routing for this filter here:
# set log_name = staticweb
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set access_log_name = staticweb
# set access_log_facility = LOG_LOCAL0
# set access_log_level = INFO
# set log_headers = False

Question information

Language: English
Status: Solved
For: Ubuntu swift
Assignee: No assignee
Solved by: Mesut Muhammet Şahin
Solved: 2014-07-18
Last query: 2014-07-18
Last reply: 2014-07-15
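The 401 in the question comes from the `authtoken` filter answering tokenless requests itself, before `keystoneauth` can apply the container's read ACL; the thread later resolves it with `delay_auth_decision = true`. The following check is an added example, not code from the thread or from Swift: `audit_anonymous_access`, `SAMPLE_CONF` and `TRUE_VALUES` are hypothetical names, the sample config is constructed, and the tempurl/staticweb ordering rules come from Swift's middleware documentation rather than from this page.

```python
import configparser

# Constructed excerpt modelled on the proxy-server.conf in the question.
SAMPLE_CONF = """
[pipeline:main]
pipeline = catch_errors cache tempurl staticweb authtoken keystoneauth staticweb proxy-server

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_uri = http://127.0.0.1:5000/

[filter:keystoneauth]
use = egg:swift#keystoneauth
"""

# Spellings treated as "true" here (assumption for this example).
TRUE_VALUES = {"1", "true", "yes", "on", "t", "y"}


def audit_anonymous_access(conf_text, auth_filter="authtoken"):
    """Return findings about how the pipeline treats tokenless requests."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    pipeline = cp.get("pipeline:main", "pipeline").split()
    if auth_filter not in pipeline:
        return [f"{auth_filter} is not in the pipeline"]
    findings = []
    auth_pos = pipeline.index(auth_filter)
    delay = cp.get(f"filter:{auth_filter}", "delay_auth_decision",
                   fallback="false")
    if delay.strip().lower() not in TRUE_VALUES:
        findings.append("authtoken rejects tokenless requests itself: "
                        "set delay_auth_decision = true")
    # tempurl must see the request before the token check does.
    if "tempurl" in pipeline and pipeline.index("tempurl") > auth_pos:
        findings.append("tempurl is placed after authtoken")
    # staticweb is meant to run after auth; flag copies placed earlier.
    if "staticweb" in pipeline[:auth_pos]:
        findings.append("staticweb appears before authtoken")
    return findings


if __name__ == "__main__":
    for line in audit_anonymous_access(SAMPLE_CONF):
        print("FINDING:", line)
```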

Hi Mesut,

If you want to get the object list with the curl command, you should try as follows:

First, you can get the auth token and account name from Keystone.

command:
curl -s -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}' -H 'Content-type: application/json' http://10.1.36.32:5000/v2.0/tokens

Result:
curl -s -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}' -H 'Content-type: application/json' http://10.1.36.32:5000/v2.0/tokens
{"access": {"token": {"expires": "2014-07-16T11:43:16Z", "id": "b7e31a6a8b0448908ff09319fe8fd118", "tenant": {"description": null, "enabled": true, "id": "45d1b2fe644b4b85a29c1801432af0e2", "name": "admin"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://127.0.0.1:8080/", "region": "RegionOne", "internalURL": "http://127.0.0.1:8080/v1.0/AUTH_45d1b2fe644b4b85a29c1801432af0e2", "publicURL": "http://127.0.0.1:8080/v1.0/AUTH_45d1b2fe644b4b85a29c1801432af0e2"}], "endpoints_links": [], "type": "object-store", "name": "swift"}, {"endpoints": [{"adminURL": "http://127.0.0.1:8774/v2/45d1b2fe644b4b85a29c1801432af0e2", "region": "RegionOne", "internalURL": "http://127.0.0.1:8774/v2/45d1b2fe644b4b85a29c1801432af0e2", "publicURL": "http://127.0.0.1:8774/v2/45d1b2fe644b4b85a29c1801432af0e2"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://127.0.0.1:35357/v2.0", "region": "RegionOne", "internalURL": "http://127.0.0.1:5000/v2.0", "publicURL": "http://127.0.0.1:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "d65edf7b8849481f9b6fb04a95d5944e", "roles": [{"id": "fdfa487b6ba9452bb6c623a081a4eb71", "name": "admin"}], "name": "admin"}}}

The id ("id": "b7e31a6a8b0448908ff09319fe8fd118") is the auth token.
AUTH_45d1b2fe644b4b85a29c1801432af0e2 is the account name.

After that, you have to use the id and account name in the curl command:

command:
curl -v -H 'X-Auth-Token: b7e31a6a8b0448908ff09319fe8fd118' http://10.1.36.32:8080/v1.0/AUTH_45d1b2fe644b4b85a29c1801432af0e2

Result:
* About to connect() to 10.1.36.32 port 8080 (#0)
* Trying 10.1.36.32...
* Connected to 10.1.36.32 (10.1.36.32) port 8080 (#0)
> GET /v1.0/AUTH_45d1b2fe644b4b85a29c1801432af0e2 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.1.36.32:8080
> Accept: */*
> X-Auth-Token: b7e31a6a8b0448908ff09319fe8fd118
>
< HTTP/1.1 200 OK
< X-Account-Object-Count: 1
< X-Account-Bytes-Used: 9731
< X-Account-Container-Count: 3
< Accept-Ranges: bytes
< Content-Length: 19
< Content-Type: text/plain; charset=utf-8
< Date: Tue, 15 Jul 2014 11:56:40 GMT
<
cont1
deneme1
test
* Connection #0 to host 10.1.36.32 left intact

Mesut Muhammet Şahin (messah) said : #2

I see the list with the `swift list` command from python-swiftclient. What I want to ask exactly is: how can I access my object in a browser? I want to upload objects which anyone can access with keys. I think I can use tempurl, and I created a key and temp_url_expires. And I read this document (https://support.rc.nectar.org.au/docs/python-swiftclient). It says to set the container's ACL (Access Control List) or permissions to allow reading, and then you access the link in the browser, like https://swift.rc.nectar.org.au:8888/v1/AUTH_26/new_container/Dexter_the_snooty_dog.jpg.

deneme1 permission: Read ACL: .r:*,.rlistings (My container)
images.jpeg picture in deneme1 container (My object)

So how can I see my object in a browser from anywhere?

My test is:
http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80/deneme1/images.jpeg
--> Clicking the address shows: Authentication required

I know I say (swift --debug --os-auth-token ADMIN --os-storage-url http://127.0.0.1:8080/v1/AUTH_918112e49f2a4530a146efcb46d4af80s/deneme1/images.jpeg list) and I mix some ideas.

(All request and response in first question)

Mesut Muhammet Şahin (messah) said : #3

I solved my problem by discussing it in the #openstack-swift IRC channel.
IRC channel discussion log link: http://eavesdrop.openstack.org/irclogs/%23openstack-swift/%23openstack-swift.2014-07-16.log

The changes made:

1) First you need to make sure you have a service endpoint of type object-store in Keystone pointing to your Swift proxy, for example by having this in your /etc/keystone/default_catalog.templates:

    catalog.RegionOne.object_store.name = Swift Service
    catalog.RegionOne.object_store.publicURL = http://swiftproxy:8080/v1/AUTH_$(tenant_id)s
    catalog.RegionOne.object_store.adminURL = http://swiftproxy:8080/
    catalog.RegionOne.object_store.internalURL = http://swiftproxy:8080/v1/AUTH_$(tenant_id)s

I added these lines to /etc/keystone/default_catalog.templates.

2) You need to set "delay_auth_decision = true" in [filter:authtoken] in proxy-server.conf

    swift-init proxy-server restart

And then:

3) This returns JSON which contains the token id, tenant id, etc. You must get the token id and tenant id from it.

    curl -s -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}' -H 'Content-type: application/json' http://127.0.0.1:5000/v2.0/tokens

4)
    curl -v -H 'X-Auth-Token: b7e31a6a8b0448908ff09319fe8fd118 ...longtokenid' http://127.0.0.1:8080/v1.0/AUTH_<tenantid>

5)
    swift post --read-acl ".r:*,.rlistings" container
    swift post -m 'X-Container-Read: .r:*,.rlistings' container

And now you can access your object with a link like this: http://127.0.0.1:8080/v1/AUTH_tenant-id/container/images.jpeg

Optional;
---------

6) I saw that I don't use endpoint-list in proxy-server.conf, so I removed it.

7) You can improve your link with tempurl:

    swift post -m "Temp-URL-Key:testkeyhere"
    echo http://127.0.0.1:8080`swift-temp-url GET 3600 /v1/AUTH_<tenant-id>/container/50cuteanimpic6.jpg testkeyhere`

The command returns a link which you can access for 3600 seconds (1 hour).

In the end we can access our link:

http://127.0.0.1:8080/v1/AUTH_tenant-id/container/50cuteanimpic6.jpg?temp_url_sig=c98dd137c01e1726260563f9b45c7e25e9ed79b3&temp_url_expires=1405696637
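How the `temp_url_sig` and `temp_url_expires` values in step 7 relate to the key, method, expiry and object path, shown as an added example that is not part of the original post and not Swift's own middleware code. It assumes the HMAC-SHA1 scheme implied by the 40-character signature above; the function names, tenant id and clock value are constructed for illustration.

```python
import hmac
import time
from hashlib import sha1
from urllib.parse import urlsplit, parse_qs


def temp_url_sig(key: str, method: str, expires: int, path: str) -> str:
    """HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH", hex-encoded (40 chars)."""
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key.encode(), body, sha1).hexdigest()


def make_temp_url(key, method, ttl, path, now=None):
    """Build the path-and-query that gets appended to the proxy address."""
    expires = int(now if now is not None else time.time()) + ttl
    sig = temp_url_sig(key, method, expires, path)
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def check_temp_url(key, method, url, now=None):
    """Return (ok, reason), deciding the way a verifier would."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False, "missing or malformed temp_url parameters"
    if expires < (now if now is not None else time.time()):
        return False, "expired"
    expected = temp_url_sig(key, method, expires, parts.path)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample values: the tenant id and clock are placeholders.
KEY = "testkeyhere"
PATH = "/v1/AUTH_0123456789abcdef/container/50cuteanimpic6.jpg"
NOW = 1405693037

if __name__ == "__main__":
    url = "http://127.0.0.1:8080" + make_temp_url(KEY, "GET", 3600, PATH, now=NOW)
    print(url)
    print(check_temp_url(KEY, "GET", url, now=NOW + 60))    # within the hour
    print(check_temp_url(KEY, "GET", url, now=NOW + 7200))  # after expiry
    print(check_temp_url(KEY, "PUT", url, now=NOW + 60))    # other method
```

The signature binds the method, expiry and exact object path, so changing any of them invalidates the link. The key set with `swift post -m "Temp-URL-Key:..."` is stored on the account, so anyone who holds it can sign links for any object in that account.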