On 03/03/2014 02:24 PM, Adam Lawson wrote:
Hola folks!
I had a working Swift deployment (one proxy, 10 storage nodes) using
tempauth/swauth and with that config everything works fine. Add/remove
objects, list etc. I am now in the process of trying to integrate
Keystone and getting confused with the number of possible problems the
more I research so I figured I'd post it here.
I built a new Keystone server using the following documents:
Configuring keystone
<http://docs.openstack.org/developer/keystone/configuration.html> I
also updated Swift to use Keystone using the following document:
Configure Swift to Use Keystone
<http://docs.openstack.org/developer/swift/overview_auth.html#configuring-swift-to-use-keystone>
Problem: Unable to authenticate using service:swift + "password". I'm
mostly getting 401 Connection Refused errors and service catalog
errors, depending which method I try. What am I missing?
Sounds like an SSL problem. Make sure your swift auth_token section has
the appropriate values set for SSL certs.
*User-list in Keystone:*
$ keystone user-list
+----------------------------------+---------+-------+-------+
| id                               | enabled | email | name  |
+----------------------------------+---------+-------+-------+
| 3b26d681b7b5448b94c563b1d8bb55fd | True    | None  | admin |
| e186d19ab0ab4cc681b24196e76b9032 | True    | None  | swift |
+----------------------------------+---------+-------+-------+
*User-get in Keystone:*
$ keystone user-get e186d19ab0ab4cc681b24196e76b9032
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | e186d19ab0ab4cc681b24196e76b9032 |
| name     | swift                            |
| tenantId | 7e9b8a64252340c2ba4dd292acf18e80 |
+----------+----------------------------------+
*Tenant-list in Keystone:*
$ keystone tenant-list
+----------------------------------+---------+---------+
| id                               | name    | enabled |
+----------------------------------+---------+---------+
| 539749c631044f64be5f29066ae486c4 | demo    | True    |
| 6140b18239284cce8b51305649dbb792 | admin   | True    |
| 7e9b8a64252340c2ba4dd292acf18e80 | service | True    |
+----------------------------------+---------+---------+
*Role-list in Keystone:*
$ keystone role-list
+----------------------------------+-------+
| id                               | name  |
+----------------------------------+-------+
| 6d64ff8265d6404983d774e34159dcd5 | admin |
+----------------------------------+-------+
*Service-list in keystone*
$ keystone service-list
+----------------------------------+----------+--------------+------------------+
| id                               | name     | type         | description      |
+----------------------------------+----------+--------------+------------------+
| 0b2248b31e37499192d4e3cdf4288223 | keystone | identity     | Identity Service |
| 5ef2c32abd274473ab8b42f480feeb72 | swift    | object-store | Swift Service    |
+----------------------------------+----------+--------------+------------------+
*Endpoint-list in Keystone:*
$ keystone endpoint-list
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
| id                               | region    | publicurl                                      | internalurl                                    | adminurl                       |
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
| 46600a4c54a94eee881e9a4a2c648b8b | RegionOne | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s | http://10.173.0.165:8888/v1    |
| 660c5babbe7746d485d31d85353ab1b8 | RegionOne | http://10.173.0.165.:5000/v2.0                 | http://10.173.0.165:5000/v2.0                  | http://10.173.0.165:35357/v2.0 |
+----------------------------------+-----------+------------------------------------------------+------------------------------------------------+--------------------------------+
*/etc/swift/proxy-server.conf on Swift proxy:*
[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
bind_port = 8080
workers = 8
user = swift

[pipeline:main]
pipeline = healthcheck proxy-logging cache authtoken keystoneauth proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:proxy-logging]
use = egg:swift#proxy_logging

[filter:tempauth]
use = egg:swift#tempauth
user_system_root = testpass.admin

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = 10.173.0.66:11211

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 10.173.0.165
auth_port = 35357
auth_protocol = http
auth_uri = http://10.173.0.165:5000/
admin_tenant_name = service
admin_user = swift
admin_password = password
cache = swift.cache
include_service_catalog = True

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator
*Test command:*
export OS_AUTH_URL=http://10.173.0.165:5000/v2.0
export OS_USERNAME=swift
export OS_PASSWORD=password
swift -V 2 stat
*Command output:*
    raise exceptions.EmptyCatalog('The service catalog is empty.')
keystoneclient.exceptions.EmptyCatalog: The service catalog is empty.
Other commands I've tried include:
swift -A https://$PROXY_LOCAL_NET_IP:8080/auth/v2 -U service:swift -K password stat
*...which also fail for other reasons...*
Auth GET failed: https://10.173.0.66:8080/auth/v2 401 Unauthorized
Thoughts? I'm stumped.
Adam Lawson
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620
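
An added example, not part of the original thread: a consistency check between the posted proxy-server.conf and the posted `keystone endpoint-list` rows, comparing scheme, host and port on both the object-store and the identity side. The proxy host 10.173.0.66 is an assumption taken from the poster's `swift -A` test output, and the helper names are hypothetical.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: trimmed from the proxy-server.conf quoted in the post.
PROXY_CONF = """
[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
bind_port = 8080
[filter:authtoken]
auth_host = 10.173.0.165
auth_port = 35357
auth_protocol = http
"""
# URLs copied from the `keystone endpoint-list` output in the post.
SWIFT_PUBLICURL = "http://10.173.0.165:8888/v1/AUTH_%(tenant_id)s"
KEYSTONE_ADMINURL = "http://10.173.0.165:35357/v2.0"
PROXY_HOST = "10.173.0.66"  # assumption: host seen in the poster's swift -A test


def load(conf_text):
    # interpolation=None so a literal '%' in a value is never expanded
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def proxy_listener(cp, host):
    """(scheme, host, port) the proxy serves on; cert_file + key_file mean TLS."""
    d = cp["DEFAULT"]
    tls = bool(d.get("cert_file") and d.get("key_file"))
    return ("https" if tls else "http", host, d.getint("bind_port", fallback=8080))


def authtoken_target(cp):
    """(scheme, host, port) the authtoken filter uses to reach Keystone."""
    s = cp["filter:authtoken"]
    return (s["auth_protocol"], s["auth_host"], s.getint("auth_port"))


def mismatches(actual, catalog_url):
    """Names of the URL parts where a catalog entry disagrees with `actual`."""
    u = urlsplit(catalog_url)
    port = u.port or (443 if u.scheme == "https" else 80)
    parts = zip(("scheme", "host", "port"), actual, (u.scheme, u.hostname, port))
    return [name for name, have, listed in parts if have != listed]


if __name__ == "__main__":
    cp = load(PROXY_CONF)
    print("object-store:", mismatches(proxy_listener(cp, PROXY_HOST), SWIFT_PUBLICURL))
    print("identity:", mismatches(authtoken_target(cp), KEYSTONE_ADMINURL))
```
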
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack