On Tue, Sep 20, 2016 at 5:45 AM, Brian Chang-Chien
> 2016-09-20 10:14:38.761635 7f2049ffb700 20
> 2016-09-20 10:14:38.761636 7f2049ffb700 20 QUERY_STRING=
> 2016-09-20 10:14:38.761720 7f2049ffb700 2 req 3:0.000078:swift:HEAD
> 2016-09-20 10:14:38.761725 7f2049ffb700 10 failed to authorize request
> 2016-09-20 10:14:38.761726 7f2049ffb700 20 handler->ERRORHANDLER: err_no=-1
Those logs show there was no jump to the Keystone code
at all. This is because the "token_id=..." debug message 
is absent. The sole reason I see for such behavior is that
the RadosGW instance internally sees rgw_keystone_url
as empty .
Are you absolutely sure that the instance that got debug_rgw
to its configuration file has rgw_keystone_url properly set?
I mean whether the setting is in the same section, is written
in pure ASCII (without some crazy UTF characters) and so
on? I saw you posted the config earlier but we really need
to double check.
Could you also provide output from following curl command
and corresponding RadosGW's log? 401 is fully expected
as we'll intensionally send an invalid token.
curl -i "http://<rgw_ip>:<rgw_port>/swift/v1" -X HEAD -H
> I also have some problems
> Q1 : if use keystone, radosgw need create user and subuser?
> in the case , i create admin user and admin:admin subuser , but i think it
> don't need , and i rght?
Yup, this is unnecessary when using the Keystone auth.
> And i found a phenomenon,
> Once I connect keystone and ceph radosgw before, and i use " rados --pool
> default.rgw.users.uid ls "
> It will detail a like token uid
> but if swift response 401
> i can't find the token uid
> Do you know keystone how to add token user to default.rgw.users.uid
> finally , hope bellow msgs can help me to slove
> anyway, thx your support greate
You don't need to add anything. RadosGW will create
RGWUserInfo if necessary on the first, successfully
authenticated request . The RADOS object will be
named after the tenant ID in Keystone.
ceph-users mailing list